Case study

Vendor Risk Assessment Questionnaire

In 2024, a BES vendor received a CIP-013 Supply Chain Risk Management questionnaire from a customer and engaged NST for support in providing accurate and complete responses. While the vendor maintained a robust cyber security program, the breadth and depth of the questionnaire exceeded their expectations, and they were worried that they may not be able to adequately address all requirements.

To adequately address controls across current and future questionnaires, NST and the vendor first selected a controls framework to serve as a baseline for their program. NST and the vendor agreed that a widely recognized, general-purpose cyber security framework would provide the best balance between specificity and repeatability, ultimately selecting ISO 27001, upon which the referenced questionnaire was based.

NST mapped the customer requests to this framework to ensure that the gap assessment was conducted directly and efficiently. In parallel, NST worked with the vendor to refine the scope and reduce their compliance footprint. Given the wide range of products and services in scope, this step was crucial to ensure the effort was both manageable and focused.

NST then conducted a review of the vendor’s cyber security program, including documentation, roles and responsibilities, and the vendor’s other service offerings. Since different services were subject to different controls, this analysis helped to draw the line between required controls and optional capabilities, further narrowing the scope of future assessments.

During the assessment, NST noticed that many gaps were not due to missing controls, but rather a lack of formal documentation and evidence. The vendor consistently engaged in best practices across the organization but failed to retain adequate documentation and evidence that could be provided to prospective customers.

NST recommended that the organization formally document the specific controls it was already performing, and developed specific, prioritized recommendations to improve documentation and record-keeping, as well as to introduce new controls that future customers were likely to require.

Following the gap assessment, the vendor gained clear visibility into their cyber security program. The additional documentation developed during this engagement gave them the tools necessary to respond to vendor risk assessments without breaking a sweat.
