This is a SaaS Security Questionnaire Template designed by CyberUpgrade. It's intended to help organizations evaluate their software-as-a-service (SaaS) providers by addressing various aspects of cybersecurity. The questionnaire aligns with international cybersecurity standards and best practices such as DORA, ISO 27001, and NIS2. It covers topics like secure software development lifecycles, vulnerability management, testing protocols, application security, and third-party risk management. The purpose is to streamline and simplify the complex process of assessing and maintaining security standards for SaaS providers, ensuring compliance and minimizing third-party risks.
About Marius
AI and Cybersecurity enthusiast
Template
SaaS security questionnaire template
Aligned with DORA, ISO 27001, NIS2, and industry best practices
www.cyberupgrade.net
6. Application Security
6.1 Secure Development Lifecycle (SDLC)
- Describe your SDLC. At which stages do you incorporate security reviews or threat modeling?
- How do you ensure secure coding practices (e.g., code reviews, static/dynamic analysis)?
6.2 Testing & Vulnerability Management
- Do you perform regular penetration tests or vulnerability assessments?
- How quickly do you address discovered vulnerabilities?
- Do you have a bug bounty or responsible disclosure program?
6.3 Third-Party & Open-Source Components
- What is your process for tracking and patching vulnerabilities in open-source or third-party libraries?
- How do you evaluate and monitor the security posture of your critical suppliers or partners?
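The questions in 6.2 and 6.3 ask a provider to show how it tracks vulnerable third-party components and how quickly it fixes them. The script below is an added example, not part of the CyberUpgrade template and not the company's own tooling, showing the minimum a provider could run to back such an answer with evidence: it parses a pinned dependency list, matches it against a list of advisories, and reports whether each finding is still inside its remediation window. The lockfile, the advisory identifiers (ADV-EXAMPLE-*), the fixed versions and the SLA days are all constructed or assumed for illustration; a real run would feed in the project's own lockfile and advisories from a vulnerability database.

```python
"""Dependency vulnerability tracking with remediation SLAs.

Added example (not part of the CyberUpgrade template): a minimal model of
the evidence a SaaS provider would produce for questions 6.2 and 6.3 --
which pinned third-party packages fall under a known advisory, and whether
each finding is still inside its remediation window.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample lockfile (requirements.txt style); not a real project's.
LOCKFILE = """\
# pinned application dependencies
requests==2.25.0
pyyaml==5.3
cryptography==41.0.4
"""

# Constructed advisories with placeholder identifiers. "fixed" is the first
# safe version, so any installed version below it is treated as affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "pyyaml", "fixed": "5.4", "severity": "critical"},
    {"id": "ADV-EXAMPLE-002", "package": "requests", "fixed": "2.31.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-003", "package": "cryptography", "fixed": "41.0.3", "severity": "high"},
]

# Assumed remediation policy: days allowed per severity before a finding is overdue.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple.

    Only plain numeric versions are handled; anything else (pre-releases,
    local labels) raises so it is never silently treated as safe.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(p) for p in parts)


def parse_lockfile(text):
    """Map package name -> pinned version; refuse unpinned entries."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


@dataclass(frozen=True)
class Finding:
    advisory: str
    package: str
    installed: str
    fixed: str
    severity: str


def find_vulnerable(pins, advisories):
    """Return one Finding per advisory whose package is pinned below the fix."""
    findings = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv["fixed"]):
            findings.append(Finding(adv["id"], adv["package"], installed,
                                    adv["fixed"], adv["severity"]))
    return findings


def sla_status(finding, discovered, today):
    """Return ('within-sla' | 'overdue', deadline) for a finding discovered on a date."""
    deadline = discovered + timedelta(days=SLA_DAYS[finding.severity])
    return ("overdue" if today > deadline else "within-sla"), deadline


def remediation_report(lockfile_text, advisories, discovered_iso, today_iso):
    """Combine the steps above into the rows a questionnaire answer would cite."""
    discovered = date.fromisoformat(discovered_iso)
    today = date.fromisoformat(today_iso)
    rows = []
    for f in find_vulnerable(parse_lockfile(lockfile_text), advisories):
        status, deadline = sla_status(f, discovered, today)
        rows.append({"advisory": f.advisory, "package": f.package, "installed": f.installed,
                     "fixed": f.fixed, "severity": f.severity, "status": status,
                     "deadline": deadline.isoformat()})
    return rows


if __name__ == "__main__":
    # Constructed dates: findings discovered on 1 March, report run on 15 March.
    for row in remediation_report(LOCKFILE, ADVISORIES, "2024-03-01", "2024-03-15"):
        print(row)
```

Two design choices matter for a reviewer reading the answer: an unpinned dependency or a version string the comparator cannot parse is rejected rather than skipped, so a gap in the lockfile cannot produce a clean-looking report, and the SLA clock starts at discovery rather than at fix release, which is the number a questionnaire reviewer will ask about.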
https://cyberupgrade.net/
http://www.cyberupgrade.net
https://cyberupgrade.net/security-questionnaires/
https://cyberupgrade.net/mastering-third-party-risk-management-under-dora/
https://cyberupgrade.net/blog/