Vendor IT Security Questionnaire

Assess vendor information security posture with this professional Swiss-compliant questionnaire. Covers ISO 27001, SOC 2, sub-processors, breach history, penetration testing, and access controls per nFADP Art. 8 and GDPR Art. 28.

About this template

The Vendor IT Security Questionnaire enables Swiss organisations to systematically assess the information security posture of vendors and service providers before entering into or renewing a data processing relationship. It covers the key domains required by the Swiss nFADP Art. 8 (technical and organisational measures), GDPR Art. 28 (processor obligations), ISO/IEC 27001, and SOC 2 Type II. Use it as part of your third-party risk management programme.

  • Information security certifications: ISO 27001, SOC 2, BSI C5
  • Data handling and processing locations (Switzerland / EU / third countries)
  • Sub-processor list and notification obligations
  • History of security breaches and incident response
  • Penetration testing frequency and scope
  • Access control and identity management practices
  • Encryption standards for data in transit and at rest
  • Vendor security contact and responsible disclosure policy

Third-party risk under nFADP Art. 8

The Swiss nFADP requires data controllers to select processors that offer sufficient guarantees of technical and organisational security measures. Before engaging a vendor who processes personal data, you must conduct due diligence and document the outcome. This questionnaire provides the audit trail required for that due diligence.

How to use this template

1. Open the template: Click 'Use template' to create a copy in your dashboard.
2. Customise the risk scope: Add or remove questions to reflect the specific data categories and processing activities involved with each vendor.
3. Send to the vendor: Generate a secure link and send it to the vendor's security or compliance contact for completion.
4. Review responses: Compare vendor responses against your minimum security baseline and flag any gaps for remediation before contract signing.
5. Archive with the contract: Store the completed questionnaire alongside the vendor contract and DPA in your supplier risk register.
6. Schedule re-assessment: Set a reminder to re-issue the questionnaire annually or upon significant change to the vendor's services.

Vendor security assessment in the Swiss regulatory context

As Swiss businesses increasingly rely on cloud providers, SaaS platforms, and managed service providers to process sensitive personal and operational data, third-party information security risk has become one of the most significant compliance challenges of the decade. The Swiss nFADP, FINMA Circular 2023/1 on operational risks, and the NIS2-aligned guidance from the National Cyber Security Centre (NCSC, now BACS) all place obligations on organisations to assess and manage the security posture of their vendors.

ISO 27001 and SOC 2: what do certifications tell you?

ISO/IEC 27001 certification indicates that a vendor has implemented a documented Information Security Management System (ISMS) that has been independently audited against an internationally recognised standard. SOC 2 Type II (Service Organisation Control) is widely used by US and international cloud providers to demonstrate the operating effectiveness of controls over security, availability, processing integrity, confidentiality, and privacy over a defined audit period (typically 6-12 months). However, certifications are not a silver bullet: they cover the scope defined at the time of audit and may not include all systems used to process your data. Always request the actual certificate and review the scope statement.

Sub-processor chains and notification obligations

Many SaaS vendors rely on sub-processors — third parties they engage to help deliver the service — such as AWS, Azure, Google Cloud, Twilio, or specialist AI processing platforms. Under nFADP Art. 10a and GDPR Art. 28(2), a processor must obtain prior specific or general written authorisation from the controller before engaging a sub-processor, and must notify the controller of any changes. Your vendor questionnaire should require a complete sub-processor list and a commitment to prior notification of changes.

Data localisation and cross-border transfers

The nFADP imposes restrictions on the cross-border transfer of personal data to countries that do not ensure an adequate level of data protection (nFADP Art. 16). Switzerland maintains its own adequacy list, which is not identical to the EU list. Vendors who process data outside Switzerland or the EU/EEA must demonstrate an adequate legal basis for transfer, such as Swiss Standard Contractual Clauses (nFADP SCCs) or binding corporate rules. Data localisation in Swiss data centres is sometimes required for regulated industries such as healthcare and financial services.

Frequently asked questions

How often should the vendor security questionnaire be re-issued?

Best practice is annual re-assessment for all vendors with access to personal or sensitive data, and upon any significant change to the scope of services, ownership of the vendor, or following a reported security incident. Higher-risk vendors (those with access to large volumes of sensitive data or critical systems) should be assessed more frequently, potentially quarterly.

What is a minimum security baseline for vendor approval?

A typical minimum baseline for Swiss organisations includes: encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent); multi-factor authentication for admin access; ISO 27001 or SOC 2 Type II certification (or equivalent documented controls for smaller vendors); annual penetration testing; documented incident response plan; and a breach notification commitment of 72 hours or less (aligned with GDPR Art. 33 and nFADP notification requirements).
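As an added illustration of step 4 (reviewing responses) and the baseline in the FAQ above, here is a small Python check that scores a constructed vendor response against that baseline and computes the re-assessment date; this is example code, not part of the Schweizerform template. The response field names, the list of ciphers treated as "equivalent" to AES-256, and the quarterly/annual cadence are assumptions.

```python
from datetime import date, timedelta

# Constructed vendor answers (not real vendor data); field names are assumed.
VENDOR_RESPONSE = {
    "tls_min_version": "1.1",          # questionnaire: data in transit
    "at_rest_cipher": "AES-128",       # questionnaire: data at rest
    "admin_mfa": True,                 # questionnaire: access control
    "certifications": ["ISO 27001"],   # questionnaire: certifications
    "last_pentest": date(2024, 2, 1),  # questionnaire: penetration testing
    "incident_response_plan": True,    # questionnaire: incident response
    "breach_notification_hours": 96,   # questionnaire: breach notification
}

# Baseline from the FAQ; "equivalent" ciphers and cadences are assumptions.
ACCEPTED_AT_REST = {"AES-256", "ChaCha20-Poly1305"}
ACCEPTED_CERTS = {"ISO 27001", "SOC 2 Type II"}
REASSESS_DAYS = {"high": 90, "standard": 365}

def _version(v):
    # "1.2" -> (1, 2) so versions compare numerically, not as strings
    return tuple(int(p) for p in v.split("."))

def baseline_gaps(resp, today):
    """Return the baseline items the response fails; an empty list means no gaps."""
    gaps = []
    if _version(resp["tls_min_version"]) < (1, 2):
        gaps.append("transit: TLS below 1.2")
    if resp["at_rest_cipher"] not in ACCEPTED_AT_REST:
        gaps.append("at rest: cipher not AES-256 or equivalent")
    if not resp["admin_mfa"]:
        gaps.append("access: no MFA for admin access")
    if not ACCEPTED_CERTS & set(resp["certifications"]):
        gaps.append("certification: no ISO 27001 / SOC 2 Type II, review controls manually")
    if today - resp["last_pentest"] > timedelta(days=365):
        gaps.append("pentest: last test older than one year")
    if not resp["incident_response_plan"]:
        gaps.append("incident response: no documented plan")
    if resp["breach_notification_hours"] > 72:
        gaps.append("breach notification: commitment exceeds 72 hours")
    return gaps

def next_reassessment(last_assessed, risk_tier):
    """Annual by default, quarterly for higher-risk vendors (cadence assumed)."""
    return last_assessed + timedelta(days=REASSESS_DAYS[risk_tier])

if __name__ == "__main__":
    print(baseline_gaps(VENDOR_RESPONSE, date(2025, 6, 1)))
    print(next_reassessment(date(2025, 6, 1), "high"))
```

Each flagged gap maps back to one questionnaire domain, so the list can be pasted into the remediation request before contract signing.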