The standard vendor questionnaire is a remarkable institutional artifact. It runs to roughly three hundred items. It is sent, mostly unread, to a vendor whose security team has answered the same questions for four other clients in the same quarter. It is returned, mostly unread, to a risk analyst who pastes it into a folder. And it is then cited, mostly unread, as the basis on which the institution has assessed the vendor's risk.

The artifact persists for a reason. It is defensible. An auditor who asks how the institution evaluated a critical vendor can be shown three hundred answered items, each cross-referenced to a control framework. The defensibility is genuine. The informativeness is mostly theatre.

The question questionnaires fail to ask

The structural problem with the questionnaire methodology is that it asks the vendor to attest to its own controls. The vendor is incentivized to answer favorably. The institution receiving the response has no efficient way to corroborate. The result is a body of evidence whose risk signal is dominated by the vendor's willingness to self-report, rather than by the underlying reality of its security posture.

A risk function that operates on questionnaire-derived evidence is, in practice, operating on a survey of vendor marketing.

The institution has not assessed the vendor. The institution has audited the vendor's willingness to answer questions favorably.

This is not a failure of any individual program. It is a structural feature of the methodology. Better questionnaires (longer, more granular, more cross-referenced) do not address the underlying issue. They aggravate it, by increasing the cost of administration without increasing the quality of the signal.

The evidence vendors already produce

The remedy begins from a different premise. Most vendors of consequence already produce, in the course of normal business, a body of evidence whose informativeness substantially exceeds anything a questionnaire can elicit. The institution's task is to acquire, evaluate, and interpret that evidence, not to ask the vendor to summarize it.

The relevant artifacts vary by vendor type. For a software-as-a-service provider, they typically include the SOC 2 Type II report, the most recent penetration test report, the ISO 27001 certificate and statement of applicability, the cyber insurance certificate, the GDPR or regional data-processing addendum, and (increasingly) an AI bill of materials and a software bill of materials. For a managed services provider, the list extends to operating procedures, business continuity test results, and sub-processor disclosures. For a critical infrastructure vendor, it includes NERC CIP attestations, regulatory inspection results, and supply-chain integrity evidence.

This evidence is informative because it is produced for a different purpose than the questionnaire. The SOC 2 report is produced for a third-party auditor whose reputation depends on its accuracy. The penetration test is produced by a firm whose value depends on finding what others have missed. The ISO certificate is produced under a process that the institution can examine independently. The signal-to-noise ratio of evidence so produced is, in practical terms, an order of magnitude higher than the signal-to-noise ratio of self-attested questionnaire responses.

A methodology that begins with artifacts

An evidence-driven assessment inverts the conventional order of operations. Rather than sending the questionnaire as the first act, the assessor begins by collecting the evidence the vendor already produces. The questionnaire, where it is used at all, is reserved for the residual questions the evidence does not answer.

In practice, the methodology proceeds in four phases.

Phase one: tiering and evidence specification

The institution classifies the vendor by inherent risk and specifies, in advance, which evidentiary artifacts are required at this tier. A tier-one vendor handling regulated data requires a different evidence pack than a tier-four vendor providing a marketing tool.

Phase two: evidence acquisition

The institution requests the specified evidence pack. The vendor provides what it has. Where evidence is missing (no recent penetration test, no ISO certificate) the absence is itself an assessment finding, recorded as such.

Phase three: structured evidence review

The acquired evidence is reviewed against a structured rubric. A SOC 2 report is examined for material exceptions in scoped trust services criteria. A penetration test is examined for unremediated critical findings. An ISO certificate is examined for the scope statement and for the date of last surveillance audit. The output is a control-by-control evidence map, with the source and the assessor's interpretation, recorded against the institution's framework.

Phase four: residual questioning

Only the questions the evidence has not answered are put to the vendor. In our experience this is typically between twenty and forty items, drawn from a shared library and customized to the vendor type. The questionnaire becomes a precision instrument rather than a defensive shotgun.
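The four phases above can be modelled as a small pipeline: a per-tier evidence specification, an acquired pack in which absence is recorded as a finding, a rubric that turns each artifact into a verdict against the institution's controls, and a residual question list generated only for controls the evidence left inconclusive. The following is an added illustration, not tooling from the article or from any product it describes; the tier policy, control identifiers, question library, sample evidence pack and the twelve-month age thresholds are all constructed assumptions.

```python
"""Evidence-driven vendor assessment, phases one to four as a runnable model.

Added illustration only. Tier policy, control IDs, the question library, the
sample evidence pack and the age thresholds below are constructed, not the
article's or any institution's actual values.
"""
from datetime import date, timedelta

# Phase one: which artifacts each tier must supply (constructed policy; the
# article only contrasts a tier-one regulated-data vendor with a tier-four tool).
REQUIRED_ARTIFACTS = {
    1: ["soc2_type2", "pentest", "iso27001", "cyber_insurance", "dpa", "sbom"],
    4: ["dpa"],
}

# Which institutional controls each artifact can evidence (constructed IDs).
ARTIFACT_CONTROLS = {
    "soc2_type2": ["AC-1 access control", "CM-1 change management", "MON-1 monitoring"],
    "pentest": ["VM-1 vulnerability remediation"],
    "iso27001": ["GOV-1 security governance"],
    "cyber_insurance": ["RISK-1 risk transfer"],
    "dpa": ["PRIV-1 data processing terms"],
    "sbom": ["SC-1 supply-chain transparency"],
}

# Phase four library: one residual question per control (constructed wording).
QUESTION_LIBRARY = {
    "AC-1 access control": "How is privileged production access granted and reviewed?",
    "CM-1 change management": "Describe the change approval path for production releases.",
    "MON-1 monitoring": "What security events are logged and who reviews them?",
    "VM-1 vulnerability remediation": "What are your remediation SLAs by severity?",
    "GOV-1 security governance": "Which business units are inside your ISMS scope?",
    "RISK-1 risk transfer": "What are your cyber policy limits and exclusions?",
    "PRIV-1 data processing terms": "Which sub-processors receive our data?",
    "SC-1 supply-chain transparency": "Can you provide a current SBOM for the service?",
}

MAX_PENTEST_AGE = timedelta(days=365)       # assumed policy parameter
MAX_SURVEILLANCE_AGE = timedelta(days=365)  # assumed policy parameter


def review_artifact(name, artifact, today):
    """Phase three rubric. Returns (verdict, note); verdict is pass, fail or inconclusive."""
    if name == "soc2_type2":
        n = artifact.get("material_exceptions")
        if n is None:
            return "inconclusive", "report supplied without an exception summary"
        return ("fail" if n > 0 else "pass"), f"{n} material exception(s) in scoped criteria"
    if name == "pentest":
        age = today - artifact["date"]
        if age > MAX_PENTEST_AGE:
            return "fail", f"report is {age.days} days old"
        crit = artifact.get("unremediated_critical", 0)
        return ("fail" if crit else "pass"), f"{crit} unremediated critical finding(s)"
    if name == "iso27001":
        if not artifact.get("scope"):
            return "inconclusive", "certificate supplied without a scope statement"
        age = today - artifact["last_surveillance"]
        if age > MAX_SURVEILLANCE_AGE:
            return "fail", f"last surveillance audit was {age.days} days ago"
        return "pass", f"scope: {artifact['scope']}; surveillance {age.days} days ago"
    # Artifacts with no deeper rubric here: presence is the only check.
    return ("pass", "artifact present") if artifact else ("inconclusive", "empty artifact")


def assess(tier, pack, today):
    """Run phases two to four. Returns (findings, evidence_map, residual_questions)."""
    findings, evidence_map, residual = [], {}, []
    for name in REQUIRED_ARTIFACTS[tier]:
        if name not in pack:
            findings.append(f"missing artifact: {name}")  # phase two: absence is a finding
            verdict, note = "inconclusive", "artifact not supplied"
        else:
            verdict, note = review_artifact(name, pack[name], today)
            if verdict == "fail":
                findings.append(f"{name}: {note}")
        for control in ARTIFACT_CONTROLS[name]:
            # Control-by-control map: source artifact plus the assessor's interpretation.
            evidence_map[control] = {"source": name, "verdict": verdict, "note": note}
            if verdict == "inconclusive":
                residual.append(QUESTION_LIBRARY[control])  # phase four: only what evidence left open
    return findings, evidence_map, residual


# Constructed tier-one SaaS evidence pack: clean SOC 2, a pentest with one open
# critical, an ISO certificate missing its scope statement, and no SBOM at all.
SAMPLE_PACK = {
    "soc2_type2": {"material_exceptions": 0},
    "pentest": {"date": date(2024, 3, 1), "unremediated_critical": 1},
    "iso27001": {"scope": "", "last_surveillance": date(2023, 12, 15)},
    "cyber_insurance": {"carrier": "PLACEHOLDER-CARRIER"},
    "dpa": {"signed": True},
}
ASSESSMENT_DATE = date(2024, 9, 1)  # constructed


def run_sample():
    """Assess the constructed pack as a tier-one vendor."""
    return assess(1, SAMPLE_PACK, ASSESSMENT_DATE)


if __name__ == "__main__":
    findings, evidence_map, residual = run_sample()
    print("Findings:", *findings, sep="\n  ")
    print("Residual questions:", *residual, sep="\n  ")
```

Two design points carry the article's argument. A failed rubric check becomes a finding and does not generate a residual question, because the evidence has answered the control, unfavourably; only artifacts that are absent or silent on a control reach the vendor as questions, which is what keeps the phase-four list short. And the same `assess` function applied to a tier-four vendor requires only the data-processing addendum, so the evidence pack, not the questionnaire length, is what scales with inherent risk.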

Cycle time, signal, and defensibility

The most immediate operating consequence of evidence-driven assessment is cycle time. A questionnaire-led assessment of a critical vendor typically requires eight to twelve weeks: time to send, time for the vendor to respond, time to follow up on unclear answers. An evidence-driven assessment of the same vendor typically completes in three to four weeks, because most of the evidence is acquired in the first ten days and analyzed in parallel.

The signal quality is higher because the underlying evidence is more informative. The defensibility is at least as strong, and frequently stronger, because the assessment output cites named artifacts produced by named third parties under named methodologies, rather than self-attested responses.

The transition path

Institutions that have operated on a questionnaire methodology for a decade or more occasionally treat the transition to evidence-driven assessment as a wholesale change. It need not be. The most successful transitions we have led begin with a single tier (typically tier one) and a defined population (typically the top fifty vendors by inherent risk), and extend the methodology outward only as the institution's operating capability and its vendor population's evidence maturity allow.

Within twelve months, the institution typically operates an evidence-driven methodology across its critical vendor population and a hybrid model for the long tail. Within twenty-four months, the questionnaire is retained only for tier-four vendors whose risk does not warrant the cost of a deeper evidentiary review.

A closing observation

The vendor risk assessment is one of the most expensive and least informative artifacts the contemporary risk function produces. The cost is paid in analyst hours, in vendor relationships, and in the institutional credibility of the program itself. The evidence-driven alternative is not novel. It is, in the institutions that have adopted it, simply better. The reason it has not become universal is institutional inertia, not methodological dispute.