Vendor Risk Assessment Questionnaire

Interskill Learning sometimes contract for data services with outside parties or service providers; of concern are those circumstances where service providers process or hold Interskill Learning data. While Interskill Learning has taken steps to help ensure that its data is protected, service providers must also exercise appropriate controls to minimize the risk of exposing the data to potential unauthorized access and loss. 

A security assessment is required in all instances where:

• Interskill Learning data is shared with a service provider
• A service provider captures data for subsequent use by Interskill Learning

If the vendor uses a third party such as Amazon Web Services or Microsoft Azure, the vendor will need to work with that third party to answer questions specific to how and where Interskill Learning data is accessed and/or stored.

Company Name

Name *

First

Last

Email *

Phone

Questionnaire Instructions

As an organization that follows the ISO 27001 standard for information security management, we want to ensure our vendors handle our information in the same way. 

There are two ways of answering this questionnaire;

1. If you hold a certification in ISO 27001 (or an equivalent security standard) simply provide a copy of your certificate along with the details of whoever runs your ISMS

2. If you don't yet hold certification then please complete the questions in the next section which are designed to evaluate your approach to information security. It draws on some of the key areas of ISO 27001. If you are able to answer the questions in this section confidently, you are likely well on the way to meeting the overall requirements.

Upload Certifications and Documents *

Click or drag files to this area to upload. You can upload up to 5 files.

Please use this to upload your certifications and/or policy documents.

Do you hold a current certification for ISO 27001 or a related security standard (eg NIST)? *Please SelectNOYES

If YES, please upload a copy above, having done so there is no need to complete further questions.

Questionnaire

Do you have a documented risk management approach?Please SelectNOYES

If yes, please upload the documented policy above. If no, please explain further.

Since you answered No above, please explain your risk management approach/procedures.

Do you have a defined information security policy? Please SelectNOYES

If yes, please upload the documented policy above. If no, please explain further.

Since you answered NO above, please explain your information security policies.

Do your policies cover the use of portable technology such as mobiles, tablets and laptops?Please SelectNOYES

If yes, please upload the documented policy above. If no, please explain further.

Since you answered NO above, please explain further.

Do your information security policies cover staff working from home?Please SelectNOYES

If no, please explain further.

Since you answered NO above, please explain further.

Do you conduct background (eg: criminal record, right to work etc) screening on new staff?Please SelectNOYES

If no, please explain further.

Since you answered NO above, please explain further.

Background Checks

Do staff sign a non-disclosure agreement as part of their contract?Please SelectNOYES

If no, please explain further.

Since you answered NO above, please explain further.

NDA

Do you conduct staff training on information security? If so, how often?Please SelectNOYES - YearlyYES - QuarterlyYES - MonthlyYES - WeeklyYES - Other

Are your information security processes enforced with disciplinary consequences?Please SelectNOYES

Do you have a policy around the acceptable use of IT? Please SelectNOYES

If yes, please upload the documented policy above. If no, please explain further.

Since you answered NO above, please explain further.

Acceptable Use Policy

Do you permit the use of removable media, such as USB sticks? If so, how is that monitored?Please SelectNOYES But Not MonitoredYES Monitored ManuallyYES Monitored Automatically

Do you have an access control policy?Please SelectNOYES

Do you restrict access to system admin accounts? Please SelectNOYES

How do you physically protect our data held in your premises and systems?

Do you have a documented change management process? Please SelectNOYES

Do you enforce malware protection on devices within your company?Please SelectNOYES

Do you back up the data you hold on our behalf? If so, how often is data backed up and how is it protected?

Do you conduct any network monitoring or scanning? Do you check for unknown devices connected to your WiFi?

Would any of our data ever be used on your test system, or for testing purposes?Please SelectNOYES

Do you use any third parties that would be processing our data on your behalf? How do you verify their approach to information security?

Do you track information security incidents and events?Please SelectNOYES

Do you operate a formal business continuity and disaster recovery plan? If so, when was it last tested?Please SelectNOYES - Not TestedYES - Tested YearlyYES - Tested QuarterlyYES - Tested MonthlyYES - Tested other time frames

Are all relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements documented?NOYES

Is any data you hold on our behalf transferred internationally?Please SelectNOYES

If YES, please list the countries our data would reside in and transfered to and from.

Privacy Policy/Terms & Conditions *

• I agree with Interskill Learning's terms and privacy policy.

Submit