
Cybersecurity self-assessment questionnaires

Written by Mark Poulding | 11-Mar-2022 13:06:00

What questions are included in a supply chain cybersecurity self-assessment questionnaire?

How do I complete a supply chain security survey?

By the end of this guide, you will know how to complete a supply chain security survey as we detail the why, how and who of completing a cybersecurity supplier survey. Most importantly, we will address what to do if you are not meeting the minimal supply chain security standards.

There is also a useful downloadable 'Cybersecurity self-assessment questionnaire template' to help you practise your response.


Questions included in a cybersecurity self-assessment questionnaire

The questions you are expected to answer in a supply chain security survey will differ from one client or tender to another, because each supply chain and organisation has its own individual risks. That said, the questionnaires we have completed on behalf of our clients have had consistent themes, as they aim to find out:

  • Who is responsible for cybersecurity at your business.

  • What’s your organisation’s culture and attitude toward cybersecurity – do you take it seriously?

  • Processes and documentation you have in place.

  • How you control access to, and use of, the client's information and assets. This includes IT systems and physical premises.

  • Whether you meet the base level of cybersecurity for businesses recommended by GCHQ/NCSC, including meeting or working towards Cyber Essentials accreditation.

  • Whether you go above and beyond to proactively protect your organisation against cybersecurity threats, to the level of the higher IASME Governance certification.

 

Supply chain cybersecurity self-assessment survey questions

Here's a list of questions typically found in supply chain self-assessment security surveys. This is not a definitive list. Please bear in mind that the questions will be adapted to be specific and proportionate to the security needs of the client's business and supply chain.

  1. Who is responsible for cybersecurity in your organisation?

  2. Do you have a chief information security officer (CISO)?

  3. Do you regularly meet, across company departments, to discuss and monitor cybersecurity issues?

  4. How do you protect customer information? Please be specific.

  5. How are cybersecurity incidents reported?

  6. Have you ever experienced a significant cybersecurity incident? Please define and describe the incident.

  7. When was the last time you had a cybersecurity assessment performed by a third-party organisation? What were the results?

  8. What were the results of your most recent vulnerability assessment or penetration test?

  9. Do you outsource any IT or IT security functions to third-party service providers? If so, who are they, what do they do, and what type of access do they have?

  10. What types of cybersecurity policies do you have in place in your organisation today?

  11. How frequently are your employees trained on your IT security policies, and do you use automated assessments?

  12. Have you developed secure configurations for hardware and software?

  13. How do you continuously assess and remediate your organisation's cyber vulnerabilities?

  14. How do you assess the security of the software that you develop and acquire?

  15. Do you have a data recovery capability, including recovery from ransomware/crypto-locking? Please provide specific details.

  16. Do you have automated tools that continuously monitor to ensure malicious software is not deployed?

  17. Describe the processes and tools you use to reduce and control administrative privileges.

  18. Do you blacklist or whitelist communications?

  19. What processes do you have in place to prevent the exfiltration of sensitive data, particularly sensitive customer data?

  20. What types of physical protection do you have in place to prevent unauthorised access to data or infrastructure assets?

  21. How do you manage remote access to your corporate network?

  22. How do you monitor for unauthorised personnel, connections, devices, and software?

  23. Describe the process you have in place to communicate to us security incidents affecting our data.

Cybersecurity self-assessment questionnaire template

Download a free cybersecurity self-assessment questionnaire template by clicking the download link below:


Who should answer a cybersecurity self-assessment questionnaire?

The individual(s) completing the assessment should know your organisation's cybersecurity controls inside out. In a large corporation, the chief information security officer (CISO) answers and signs off cybersecurity self-assessment questionnaires. Chief information security officers have hands-on technical experience and an in-depth understanding of cybersecurity; consequently, they are ideal to complete the survey.

If you outsource cybersecurity, then the IT company managing your cybersecurity should answer the security questions. It is important that the survey is completed by individuals who fully understand the questions being asked and have a technical understanding of cybersecurity.

While your security partner should complete the questionnaire, the self-assessment is signed off in-house by the individual who has overall responsibility for cybersecurity, be it the business owner, managing director, operations director or IT manager.


How to complete a cybersecurity supplier survey

Each business has its own unique processes, policies, security controls, IT infrastructure and technology stack. While the answers to a cybersecurity supplier survey need to be specific to your organisation, the guidelines below will help you complete the exercise:

Include detail, be specific

Don’t be ambiguous. The survey is designed to encourage transparency and a collaborative approach to cybersecurity. Being clear and factual will help to build trust with your client or prospective client.

Use SMART principles

Following on from the previous point, consider using SMART objectives to answer the questions. This will ensure the right degree of detail, particularly when describing your future security goals:

  • Specific
  • Measurable
  • Attainable
  • Relevant
  • Time-based

Simple structure

This isn’t a novel. Cybersecurity can be complex, so help the reader by structuring your answers to make them easy to digest. Use plain English, short sentences, bullet points and subheadings - whatever helps to communicate your answers in the simplest format.

Be honest

Build trust and develop a long-term relationship with your supply chain by answering honestly. Bear in mind that you could be audited in the future, so honesty is the best policy.

Evidence-based

Expect to provide evidence of your approach to security and of your ability to meet the client's minimum security requirements. You may be asked for further evidence as you progress through the bidding stages, so be prepared and keep your reports and timetabled reviews up to date.

Show future plans

Cybersecurity is a young, developing discipline. It’s widely accepted that smaller organisations are at the early adoption stage, and you will be allowed time to improve your security posture. Detail your plans for the future, but be prepared to provide timescales and plans that demonstrate how you intend to achieve them.

Demonstrate continuous improvement

It’s important to demonstrate a continuous improvement mentality. Cyber threats get more sophisticated over time, and so too must your cyber resilience. Small changes can yield significant improvements over time, and your organisation must demonstrate an appreciation for this, be it through regular meetings, reviews or planned improvements.

Security certification and qualifications you’re working towards

Include the security certifications you have passed or are working towards, such as Cyber Essentials or IASME supply chain security certification. If you are working towards a certification, use SMART objectives to indicate when you expect to pass it, and specify any renewal/reassessment dates.

Begin today!

It’s never too late to implement cybersecurity measures. First, ensure your organisation has a senior leader accountable for cybersecurity. Secondly, evaluate your existing security: a security audit carried out by a reputable cybersecurity business will expose your security strengths and weaknesses. Next, put a plan together to continually improve your security, then review it regularly.

Quick wins

If you don’t already include cybersecurity in your leadership meetings, then there’s no time like the present. Add cybersecurity to the agenda and treat it as you would finance, reviewing it with the same frequency.

It is also possible to quickly turn around and implement new security policies using a reputable, outsourced cybersecurity provider (prior to sending back the completed cybersecurity self-assessment questionnaire). Cybersecurity providers regularly draft cybersecurity policies and have the skillset to customise them for your organisation.

Remember, the sooner you demonstrate security improvements, the better.


What if I don’t meet all of the security criteria?

If you are having trouble meeting some elements of the security criteria, don’t worry. Mention any sticking points or why you have not been able to pass certification such as Cyber Essentials. It’s important that the client requesting the questionnaire knows where you stand. This is an opportunity to explain why the letter of the scheme cannot be met and define the steps you are taking to manage these risks through, for example, compensating security measures.

It’s likely they will provide you with guidance – after all, it’s in their best interests. Large clients will aim to build partnerships with a shared cyber ethos, rather than dictate.

 

Why have I been sent a cybersecurity self-assessment questionnaire?

Until recently, very few UK businesses defined minimum security standards for their supply chain. Today, cybersecurity supply chain surveys are commonplace, either as part of a tender or as part of ongoing supply chain security auditing. Businesses are making a conscientious effort to raise the baseline level of cybersecurity in their supply chain.

But why? In recent years, cybercriminals have taken advantage of security weaknesses in supply chains. It doesn’t matter how good your own cybersecurity is if the supply chain network can be infiltrated through a 1st, 2nd or 3rd tier supplier’s poor cyber hygiene.

Supply chain cyberattacks can be catastrophic to the organisations entwined in the supply chain. A series of high-profile, damaging attacks have illustrated how attackers have both the intent and ability to exploit vulnerabilities in supply chain security. This trend is genuine and growing.

 

What happens after completing a cybersecurity self-assessment questionnaire?

The complexity of supply chains makes it difficult to influence the security of your suppliers. Cybersecurity self-assessment questionnaires are just one element of supply chain cybersecurity. Following the survey, clients aim to:

  • Know who their suppliers are, i.e. your organisation, and build an understanding of the risks their supply chain poses.
  • Know the full extent of their supply chain, including your sub-contractors.
  • Once the survey is completed, decide the appropriate level of protection you will be expected to reach, inform you of your level of responsibility, and encourage the adoption of cybersecurity best practices and continuous improvement.
  • Actively share cyber best practices to raise your security standards.
  • Ensure that security controls are passed down to your sub-contractors when necessary.
  • Provide you with guidance and support when responding to incidents.

 

We can help

Implementing security measures takes time, but the long-term investment is worthwhile. Improving your overall resilience will reduce the number of business disruptions and the damage they cause. It will also demonstrate compliance with GDPR and the Data Protection Act. But most importantly, it may help you win new contracts, because of the trust you have gained through implementing cybersecurity measures.

Completing a cybersecurity self-assessment questionnaire can be difficult if you are not a cybersecurity expert; however, help is available.

Get in touch with our team if you need help with:

  • SME Cybersecurity Packages
  • Pass Cyber Essentials
  • Security Survey response
  • Security policies