Our dependence on service providers and SaaS applications increases every year: HR, payroll, project management, business processes... Third-party risks directly threaten business operations. The approach is now fairly well established for CISOs: the security level of every new supplier must be checked.
But how can we efficiently assess the cyber maturity of suppliers?
The security questionnaire is systematically used as an evaluation method because it seems “free,” since a simple Excel sheet can do the job. But there are many upstream steps: contacting suppliers, defining the right questions, challenging the answers, analyzing evidence... These are time-consuming tasks, manageable only for 20 or 30 suppliers.
Intuitively, and to go faster, some CISOs extract controls from the ISO standards to create a security questionnaire. It feels reassuring but misses a crucial point: who will evaluate the relevance of the answers and their alignment with the project? Who will have the time to review 90 security points for 100, 200, or 300 suppliers?
This article provides insights on the topic and lists the 10 essential questions that a CISO must ask a SaaS provider. They fall within a TPRM (Third-Party Risk Management) approach.
Industrializing TPRM due diligence
Industrializing security questionnaires within a TPRM approach is essential if you want to scale. Under NIS2, it has become mandatory to extend maturity assessments to cover 100 to 300 suppliers depending on the organization.
There are several components to this industrialization, including:
- Identifying the suppliers of your organization
- Performing a “tiering” of those suppliers
- Defining evaluation mechanisms based on tiering
- Securing budget and resources
Industrializing security questionnaires
Information gathering on maturity must be structured and simplified to maintain the ability to distribute questionnaires to many suppliers:
- Define a questionnaire management process
- Limit the number of questions
- Focus efforts on essentials and verifiable controls
Standardization produces usable (“machine-readable”) responses, feeds dashboards (completion rates, delays, residual risks), and enables factual prioritization of action plans focused on the highest-impact gaps.
The supplier experience is also improved through stable templates, clear instructions on evidence format, and the ability to reuse validated responses—accelerating completion and reducing friction. Your suppliers will thank you!
CISO: The 10 essential questions to ask for a SaaS application
For each question, we share the following points:
- Why it matters
- Expected good answer
- Warning signs
- Evidence to request
1. Governance: Have you implemented an IS Security Policy (ISSP) and conducted a risk analysis on your IS or service?
- Why it matters: Without governance, there’s no prioritization or accountability. Incidents last longer.
- Expected good answer: Formalized governance, up-to-date RACI (Responsible, Accountable, Consulted, Informed), active security committee. Annual risk analysis aligned with ISO/IEC 27005.
- Warning signs: Unclear roles, no risk review, unpublished security policy.
- Evidence to request: Signed security policy, RACI matrix, committee minutes, risk register and action plans.
2. Access management: Have you implemented SSO across your applications and services?
- Why it matters: SSO (Single Sign-On) reduces password-related attacks and centralizes rights.
- Expected good answer: IAM (Identity and Access Management) integration with your IdP. Automated provisioning (SCIM). Instant revocation.
- Warning signs: Permanent local accounts, no connection logging, partial MFA.
- Evidence to request: SSO architecture diagram, deprovisioning procedure, authentication log excerpts, SCIM configuration.
3. Privileged access: Do your administrators always connect, internally and to services, with at least a second authentication factor and via a VPN for online services?
- Why it matters: Admin accounts are top targets. Uncontrolled remote access broadens the attack surface.
- Expected good answer: Strong MFA (Multi-Factor Authentication) for all admins. Admin access via bastion or restricted VPN. PAM (Privileged Access Management) and JIT (Just-In-Time) elevation.
- Warning signs: Unprotected “break-glass” accounts, permanent super-admins, internet-exposed access without filtering.
- Evidence to request: List of admin roles, MFA policy, PAM logs, emergency accounts, IP origin controls.
4. Vulnerability management: Have you implemented vulnerability tracking and management to quickly deploy patches (especially for critical vulnerabilities)?
- Why it matters: Patch timelines are crucial. CVEs must be handled according to severity.
- Expected good answer: Asset inventory, CVSS prioritization, clear patching SLA (Service Level Agreement), recurring scans.
- Warning signs: Missing inventory, “best effort” patching, unprioritized backlog.
- Evidence to request: Patching policy, recent scan reports, MTTR metrics, closed ticket examples.
5. Development: Are production environments logically segregated, and are production data used in development?
- Why it matters: Mixing dev/test/prod causes data leaks and incidents.
- Expected good answer: Distinct environments, masked data in test, secrets managed in vaults. Code review and CI/CD with controls.
- Warning signs: Direct production access from dev, plaintext keys, no peer review.
- Evidence to request: Environment diagram, CI/CD policies, audit samples, controlled pipeline examples.
6. Data protection: Have you implemented data-at-rest encryption across all systems (workstations and servers)? Have you complied with GDPR requirements (declaration, hosting, etc.)?
- Why it matters: Compliance and customer trust rely on these guarantees.
- Expected good answer: GDPR (General Data Protection Regulation) compliance, DPA (Data Processing Agreement) in place, defined data location, encryption at rest and in transit.
- Warning signs: Generic DPA, uncontrolled international transfers, unmanaged keys.
- Evidence to request: Signed DPA, processing registry, DPIA if applicable, encryption attestation, subcontractor inventory.
7. Malicious code: Have you deployed an EDR on compatible devices?
- Why it matters: A compromised admin or support workstation is a direct path into the SaaS.
- Expected good answer: EDR (Endpoint Detection and Response) deployed and monitored. Integrated into SIEM (Security Information and Event Management).
- Warning signs: Partial coverage, unhandled alerts, no evasion tests.
- Evidence to request: EDR coverage rate, response playbooks, alert samples, SIEM integration proof.
8. Continuity: What is the backup frequency of your critical services and what are your RTO/RPO?
- Why it matters: Operational resilience is a contractual and regulatory imperative.
- Expected good answer: Regular backups, restoration tests. Defined and realistic RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Validated BCP/DRP (Business Continuity / Disaster Recovery).
- Warning signs: “On-demand” backups, no tests, dependency on a single cloud.
- Evidence to request: DR test reports, restoration metrics, resilience architecture diagram, crisis procedure excerpt.
9. Supply chain: Do you maintain an inventory and perform security checks on your suppliers?
- Why it matters: Your subcontractors’ subcontractors inherit your requirements.
- Expected good answer: Inventory of fourth parties, regular assessments, criticality criteria aligned with NIS2 and DORA.
- Warning signs: Incomplete lists, hidden dependencies, no reversibility clause.
- Evidence to request: Fourth-party registry, contract clauses, audit results, exit plan proof.
10. Audit: Do you perform internal or service pentests at least annually?
- Why it matters: Technical evidence confirms operational reality, not just intent.
- Expected good answer: Independent annual pentest, tracked remediation, external assessment such as Security Rating.
- Warning signs: Outdated pentest, incomplete scope, no external validation.
- Evidence to request: Recent pentest report, action plan with status, SOC 2 (System and Organization Controls 2) attestation.
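To make the industrialization described earlier concrete, here is an added example (not the article's or Board of Cyber's tooling) that encodes the 10 questions above as machine-readable responses, weights open gaps by an assumed supplier tier, and computes the dashboard figures the article mentions: completion rate, delay, residual risk and the gaps to prioritize. The theme weights, tier factors and supplier data are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# The article's 10 themes; weights are an assumption (3 = highest impact).
THEMES = {"governance": 2, "access_mgmt": 3, "privileged_access": 3, "vuln_mgmt": 3,
          "development": 2, "data_protection": 3, "malicious_code": 2,
          "continuity": 2, "supply_chain": 2, "audit": 2}
# Assumed tiering: how much an open gap at a supplier of this tier weighs.
TIER_FACTOR = {"critical": 1.0, "important": 0.6, "standard": 0.3}

@dataclass
class Answer:
    theme: str
    compliant: bool | None         # None = supplier has not answered yet
    evidence: bool = False         # evidence file received for this answer
    warning: bool = False          # reviewer flagged one of the warning signs

@dataclass
class Supplier:
    name: str
    tier: str
    due: date                      # questionnaire return deadline
    answers: list[Answer] = field(default_factory=list)

def assess(s: Supplier, today: date) -> dict:
    # Completion rate, delay and residual risk for one supplier's questionnaire.
    answered = {a.theme: a for a in s.answers if a.compliant is not None}
    residual, gaps = 0.0, []
    for theme, weight in THEMES.items():
        a = answered.get(theme)
        # Unanswered, non-compliant, unproven or warning-flagged answers stay open risk.
        if a is None or not a.compliant or not a.evidence or a.warning:
            residual += weight * TIER_FACTOR[s.tier]
            gaps.append(theme)
    completion = len(answered) / len(THEMES)
    delay = max(0, (today - s.due).days) if completion < 1 else 0
    return {"supplier": s.name, "completion": round(completion, 2), "delay_days": delay,
            "residual_risk": round(residual, 1), "gaps": gaps}

def prioritize(suppliers: list[Supplier], today: date) -> list[dict]:
    # Dashboard rows ordered by residual risk, highest-impact gaps first.
    return sorted((assess(s, today) for s in suppliers), key=lambda r: -r["residual_risk"])

SAMPLE = [  # constructed sample responses, not real suppliers
    Supplier("PayrollCo", "critical", date(2024, 5, 1), [
        Answer("governance", True, True), Answer("access_mgmt", True, True),
        Answer("privileged_access", True),            # claims admin MFA, no evidence
        Answer("vuln_mgmt", False), Answer("data_protection", True, True),
        Answer("continuity", True, True), Answer("audit", True, True, warning=True)]),
    Supplier("NoteTaker", "standard", date(2024, 6, 1), [Answer(t, True, True) for t in THEMES]),
]
```

Running `prioritize(SAMPLE, date(2024, 5, 15))` lists the critical supplier with six open themes first, so reviewers spend their time where a missing evidence file or a "best effort" answer actually matters.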
Conclusion
As a CISO, structuring your requirements around these 10 questions accelerates due diligence. You’ll obtain comparable answers, verifiable evidence, and documented decisions.
Industrialize the approach with clear roles, a readable schedule, and appropriate tools. You’ll reduce third-party risk without hindering business performance.
FAQ
What evidence should you request from a critical supplier?
Signed policies, RACI, scan reports, recent pentest, ISO/IEC 27001 or SOC 2 certificates, DPA, log samples, DR test results.
How to align NIS2 and TPRM?
Map NIS2 requirements to TPRM controls: governance, incident management, continuity, supply chain. Set review cadence based on criticality.
What audit frequency for subcontractors?
At onboarding and annually for critical services. Every two years for non-critical ones. Exceptional review after incidents or major changes.
Article written by Gilles Favier - VP Product - Board of Cyber
