Vendor Onboarding Checklist: 10 Security Questions You Must Ask Before Signing a Contract

Cybersecurity


May 21, 2026

Most companies spend weeks negotiating pricing, SLAs, and delivery timelines.

Then they sign the contract, give the vendor system access — and never once ask:

How secure are you, really?

That’s not a process gap.
That’s a liability.

This is where vendor onboarding becomes a cybersecurity decision — not just a procurement step.

Many organisations still onboard vendors with minimal due diligence — often limited to documentation and commercial checks, while security takes a back seat.

Here’s the hard truth:
By the time you discover a vendor’s security weakness, it’s usually because it has already impacted you.

So before you sign that next vendor contract, ask these questions — every single one.

Q1

Do you have a formal Information Security Program — and can we review it?
A vendor without a documented security framework is operating without structure. Look for defined policies, named ownership, and a clear risk management approach. Hesitation to share any of this is an early warning sign.

Q2

Do you hold a current SOC 2 Type II report — or ISO 27001 certification?
Independent assessment means someone other than the vendor has tested their controls. Neither is foolproof: ask for the report or certificate itself and check its date, the scope (which systems and services it actually covers), and any noted exceptions. A SOC 2 Type II report covers controls over a period of months, which is why it says more about sustained practice than a point-in-time review.

Q3

How do you encrypt data — in transit and at rest?
Understanding encryption practices is critical. Ask which protocols and algorithms are used (for example, modern TLS in transit and AES at rest), who holds and rotates the keys, whether you can bring your own keys, and how your data is segregated from other customers' data in shared, multi-tenant environments.

Q4

Who has access to our systems or data — and how is that access controlled?
You need clarity on role-based access, multi-factor authentication, background verification of staff, how access is granted and removed when their people join or leave, and how often access rights are reviewed. Access should always follow the principle of least privilege: the narrowest role that does the job, for no longer than it is needed.

Q5

Have you experienced a security incident — and how was it handled?
What matters is not whether incidents occurred, but how effectively they were managed. Look for transparency, response speed, and corrective action.

Q6

What does your Incident Response plan look like — and how will you notify us?
Timely response is critical. Ensure they have a documented, tested plan, a named contact on both sides, and a specific notification window for incidents affecting your data. If the window and the communication path are not written into the contract, treat them as unreliable.

Q7

Do you work with sub-processors — and how are they evaluated?
Your vendor’s ecosystem becomes your risk surface. Ensure their third-party dependencies are assessed with the same level of scrutiny.

Q8

Do you conduct regular penetration testing?
Regular testing by an independent party identifies vulnerabilities before an attacker does. Ask for summaries of recent assessments, including scope and date, and for evidence that the findings were remediated rather than just reported.

Q9

How will our data be handled at the end of the contract?
Data lifecycle management is often overlooked. Ensure there is a clear, documented process for return or secure deletion of your data, including backups and copies held by sub-processors, with written confirmation when it is done, and that the vendor's access to your systems is revoked at the same time.
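As an added example (not part of the original post), here is a small Python access review that turns Q4 and Q9 into something you can run against your own records: for a constructed list of vendor grants it flags privileged roles, accounts nobody uses, overdue reviews, and access that has outlived the contract. The grant fields, thresholds, vendor names and accounts are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds are assumptions for this example; tune them to your own policy.
REVIEW_INTERVAL = timedelta(days=90)   # every grant must be re-certified at least this often
STALE_AFTER = timedelta(days=60)       # unused for this long => candidate for revocation
PRIVILEGED_ROLES = {"admin", "owner", "root"}


@dataclass
class VendorGrant:
    """One access grant held by a vendor in our environment (hypothetical schema)."""
    vendor: str
    account: str
    role: str
    granted_on: date
    last_used: Optional[date]      # None = never used since being granted
    contract_end: date
    reviewed_on: Optional[date]    # None = never reviewed since being granted


def review_grant(g: VendorGrant, today: date) -> List[str]:
    """Return the findings for one grant; an empty list means it passes."""
    findings: List[str] = []

    # Q9 / offboarding: access must not outlive the contract.
    if today > g.contract_end:
        findings.append("contract ended: revoke access and confirm data return or deletion")

    # Q4 / least privilege: privileged roles need an explicit, current justification.
    if g.role.lower() in PRIVILEGED_ROLES:
        findings.append(f"privileged role '{g.role}': justify or reduce to a narrower role")

    # Q4 / hygiene: access nobody uses is pure exposure.
    last_activity = g.last_used or g.granted_on
    if today - last_activity > STALE_AFTER:
        findings.append(f"unused for {(today - last_activity).days} days: revoke or re-justify")

    # Q4 / review cadence: grants must be periodically re-certified.
    last_review = g.reviewed_on or g.granted_on
    if today - last_review > REVIEW_INTERVAL:
        findings.append(f"access review overdue (last {last_review.isoformat()})")

    return findings


def review_all(grants: List[VendorGrant], today: date) -> Dict[str, List[str]]:
    """Map 'vendor/account' to its findings for every grant."""
    return {f"{g.vendor}/{g.account}": review_grant(g, today) for g in grants}


# Constructed sample data for the example (not real vendors or accounts).
TODAY = date(2026, 5, 21)
SAMPLE_GRANTS = [
    # Healthy: narrow role, recently used, recently reviewed, contract still running.
    VendorGrant("Acme Payroll", "svc-acme-export", "reader", date(2025, 11, 1),
                TODAY - timedelta(days=3), date(2026, 12, 31), TODAY - timedelta(days=30)),
    # Problem: admin role, idle for 100 days, never reviewed since it was granted.
    VendorGrant("Acme Payroll", "acme-support-admin", "admin", date(2025, 11, 1),
                TODAY - timedelta(days=100), date(2026, 12, 31), None),
    # Problem: still in use and recently reviewed, but the contract ended 15 days ago.
    VendorGrant("OldCo Analytics", "oldco-reader", "reader", date(2024, 1, 1),
                TODAY - timedelta(days=10), TODAY - timedelta(days=15), TODAY - timedelta(days=5)),
]

if __name__ == "__main__":
    for key, findings in review_all(SAMPLE_GRANTS, TODAY).items():
        status = "OK" if not findings else "ACTION"
        print(f"[{status}] {key}")
        for finding in findings:
            print(f"    - {finding}")
```

Run it as a script to see one line per grant with its findings. The point of the third sample is the one teams most often miss: an account that is active and recently reviewed still has to go the day the contract ends, which is why the contract-end check runs regardless of the other results.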

Q10

Do you have cyber insurance — and what does it cover?
Insurance doesn’t prevent incidents, but it indicates preparedness. Understand the scope of coverage and how it applies to potential risks.

One More Thing — And This Matters

Asking these questions at onboarding is only the beginning.

Security is not static.

Onboarding is where risk enters; monitoring is where it is controlled.
Vendor environments evolve.
Risks change over time.

A vendor that meets your standards today may not meet them tomorrow unless there is continuous oversight: periodic reassessment, renewed attestations, and regular review of the access they still hold.

Security is not a checkbox at contract signing.
It's an ongoing condition of the relationship, from onboarding to offboarding.

Because in today's environment,
you don't just manage vendors, you manage the risk they carry.

💬 Let’s discuss: In your experience, what is the biggest challenge in monitoring vendor security?