One of our clients that provides cloud services to the financial services community recently asked us to help them develop a strategy for dealing with the ever-increasing array of security questionnaires and requests for third-party attestation they are receiving. Our conversation initially followed the typical path of discussing the various third-party (e.g., SOC 2, Shared Assessment AUP, ISO 27001) and first-party (e.g., Shared Assessment SIG) attestation approaches. Where the conversation deviated from the norm was that this particular client was receiving a questionnaire that we were not yet familiar with—the AITEC DDQ.
Developed by the Alternative Investment Technology Executive Club (AITEC), the Due Diligence Questionnaire (DDQ) is a security questionnaire that can form the basis of its members’ Vendor Risk Management programs. This neat little program is an interesting alternative to the Shared Assessments SIG Lite/SIG approach that is becoming very popular, especially in the financial services community. The DDQ solicits input across 13 information security “domains.” Its 100+ questions and coverage make it relatively comparable to a SIG Lite assessment.
As this particular client is receiving both SIG and DDQ questionnaires, we opted to create a consolidated Excel workbook that mapped the two and made it easier to stay on top of their responses. As the client is just starting to move towards ISO 27001 certification, the mapping to ISO 27001 that is part of the SIG simplifies the process even further.
One suggestion to AITEC would be to include a SIG and/or ISO 27001 mapping to simplify the DDQ’s use, both by its members as well as the members’ vendors receiving the DDQ.