Vendor security questionnaire — the "before you sign" checklist
~3 min read · written by a working Icelandic sysadmin · structure and cross-links AI-assisted
Don't send a 100-question spreadsheet. Send these 8 questions. If a SaaS or hosting vendor gives vague answers here, you already know what their security culture looks like.
A companion to the Iceland defender handbook, and a sharper version of two of its lessons: the 72-hour Persónuvernd clock and the Strætó logging case. Acronyms below — MFA, SIEM, CVD — link out to the glossary on first mention.
1. Authentication & access
- Do you support SAML/SSO (Entra ID) natively? (If they charge an "SSO tax" by forcing you into an Enterprise tier just to get basic identity integration, factor that into the true cost.)
- Is phishing-resistant MFA mandated for your internal staff? (Your data is only as secure as the vendor's support portal. If their support team can be phished via SMS MFA, your tenant can be compromised.)
2. Logging & visibility (the Strætó rule)
- Are administrator actions and user sign-ins logged, and how long are they retained?
- Can we pull these logs automatically into our own SIEM? (If there's an incident, you need to be able to investigate it from your own centralised logs without waiting days for their support team to send a CSV file.)
3. Data sovereignty & compliance
- Where does the data physically reside, and who are your sub-processors? (If you are an Icelandic organisation, moving data to the US requires specific legal mechanisms. Knowing whether they rely on AWS us-east-1 or an EU data centre is critical for GDPR compliance.)
- Do you hold an ISO 27001 certification or a recent SOC 2 Type II report? (Don't just accept the badge on their website. Ask for the report to ensure the specific service you are buying is actually in scope, not just their corporate office.)
4. Incident response
- What is your SLA for notifying us of a security breach? (Icelandic law requires you to notify Persónuvernd within 72 hours of becoming aware of a breach. If your vendor's SLA for telling you is 5 days, you are mathematically guaranteed to fail compliance.)
- Do you have a published Coordinated Vulnerability Disclosure (CVD) policy or bug-bounty programme? (Vendors who make it easy for researchers to report flaws generally write safer code.)
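The eight questions above turned into a small screening script, added here as an example and not part of the handbook: it takes one vendor's answers and returns findings, using the 72-hour clock from section 4, a 365-day log-retention floor that is an assumption (the checklist sets no number), and an EEA country set and two vendors' answers that are constructed for the example.

```python
from dataclasses import dataclass
PERSONUVERND_HOURS = 72                      # the 72-hour clock the checklist cites
EEA = {"IS", "NO", "LI", "IE", "DE", "NL", "SE", "FI", "DK", "FR"}  # constructed subset
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "smartcard"}
MIN_LOG_RETENTION_DAYS = 365                 # assumption: the checklist sets no number

@dataclass
class VendorAnswers:                          # one vendor's answers to the 8 questions
    sso_native: bool
    sso_tier_uplift_pct: float               # extra spend to reach the SSO tier, 0 if none
    staff_mfa: str                           # "fido2", "passkey", "totp", "sms", "none"
    admin_log_retention_days: int
    siem_export: str                         # "api", "manual_csv", "none"
    data_regions: list                       # ISO country codes of the data centres used
    subprocessors_listed: bool
    audit_evidence: str                      # "report_in_scope", "report_out_of_scope", "badge_only"
    breach_notice_hours: int
    cvd_policy: bool

def review(a: VendorAnswers) -> list:
    """Return (severity, finding) pairs; any 'fail' means do not sign as-is."""
    f = []
    if not a.sso_native:
        f.append(("fail", "no native SAML/SSO"))
    elif a.sso_tier_uplift_pct > 0:
        f.append(("warn", f"SSO tax: +{a.sso_tier_uplift_pct:.0f}% tier uplift"))
    if a.staff_mfa not in PHISHING_RESISTANT_MFA:
        f.append(("fail", f"staff MFA '{a.staff_mfa}' is phishable"))
    if a.admin_log_retention_days < MIN_LOG_RETENTION_DAYS:
        f.append(("warn", f"admin logs retained only {a.admin_log_retention_days} days"))
    if a.siem_export != "api":
        f.append(("fail", "no automated log export into our SIEM"))
    outside = sorted(set(a.data_regions) - EEA)
    if outside:
        f.append(("warn", f"data outside EEA ({', '.join(outside)}): transfer mechanism needed"))
    if not a.subprocessors_listed:
        f.append(("fail", "sub-processors not disclosed"))
    if a.audit_evidence != "report_in_scope":
        f.append(("fail", "no SOC 2 Type II / ISO 27001 report covering this service"))
    if a.breach_notice_hours >= PERSONUVERND_HOURS:
        f.append(("fail", f"breach notice SLA {a.breach_notice_hours}h eats the {PERSONUVERND_HOURS}h clock"))
    if not a.cvd_policy:
        f.append(("warn", "no CVD policy or bug bounty"))
    return f

def verdict(a: VendorAnswers) -> str:
    return "do not sign" if any(s == "fail" for s, _ in review(a)) else "proceed"

WEAK = VendorAnswers(True, 40, "sms", 30, "manual_csv", ["US", "IE"], False, "badge_only", 120, False)  # constructed
GOOD = VendorAnswers(True, 0, "fido2", 400, "api", ["IE", "DE"], True, "report_in_scope", 24, True)     # constructed
```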
Questions and corrections to news.1881.is — Sveinn reads these and updates.