Qatar’s National Cyber Security Agency (NCSA) and its National Information Assurance (NIA) Standard put vendor-risk assessment on every cybersecurity programme’s roadmap. The control families are clear; translating them into a working vendor-risk questionnaire is the part that always takes longer than expected. This post walks through the questionnaire a Qatari regulated-sector organisation should be able to send to a new SaaS vendor, with each question mapped to the NIA control family it evidences and to the Qatar Central Bank (QCB) Cybersecurity Framework where the two overlap.
NIA in one page
The National Information Assurance Standard (currently v2.0) is the NCSA-issued baseline for government, semi-government, and critical-sector organisations in Qatar. It maps closely to ISO/IEC 27001 controls with Qatar-specific additions around third-party management, data classification, and breach notification. Vendor-risk sits primarily in the Third-Party Management family, with hooks into Information Security Policy (governance) and Incident Management for breach and continuity responsibilities. Banks layer the QCB Cybersecurity Framework on top.
The 18 questions, mapped
Governance & policy
- What is your information-security policy, and when was it last reviewed?
- Do you have a named Chief Information Security Officer or equivalent?
- What external certifications do you hold (ISO 27001, SOC 2, NIA alignment letter)?
Defence
- Describe your identity and access management — MFA, least-privilege, privileged-access review cadence.
- How is encryption handled at rest and in transit? Named algorithms, key-rotation policy, and who controls the keys (vendor-managed or customer-managed).
- What is your vulnerability-management cadence? Patch SLA by severity.
- Describe your logging and monitoring — what you log, retention, SIEM integration.
- Penetration-testing cadence and scope. Can you share the most recent report under NDA?
Resilience & incident management
- Incident-response plan: trigger criteria, communication path, customer notification SLA.
- Business-continuity and disaster-recovery: RTO and RPO targets, last tested date.
- Backup strategy — location, frequency, encryption, test restore cadence.
Third-party management
- List of sub-processors with country of data processing.
- How are sub-processor changes communicated, and over what notice period?
- Do you flow down equivalent security obligations to your sub-processors?
- Data-residency posture: where is production data today, where do backups and logs live, where is it going, and is an in-country (Qatar) hosting option available?
PDPPL crossover (Law No. 13 of 2016)
- Is your DPA PDPPL-aware? (See the eight-question DPA post.)
- What is your breach-notification window? PDPPL requires notification to NCSA without undue delay, so ask from which event the vendor’s clock starts (detection, confirmation, or containment) and whether incidents at their sub-processors start it too.
- How do you handle data-subject-rights requests (access, rectification, erasure) under PDPPL Articles 3 and 4?
How to map answers to a risk score
Each question has a 0/1/2 scoring guide: 2 is a strong, documented answer with a link to evidence; 1 is a reasonable answer without evidence; 0 is missing or unsatisfactory. Eighteen questions give a 36-point scale. A vendor under 70% (25 points or fewer) needs escalation; under 50% (17 or fewer) is a hard stop. Check the individual zeros as well as the total, since a comfortable aggregate can hide an unsatisfactory answer on a question that matters to you, such as data residency or breach notification. This is a starting point, not policy: every CISO team should tune it against their own risk appetite and the sector regulator’s expectations (QCB has tighter thresholds for banks; MOPH for healthcare).
Automating the review routing
Once the responses come back, they should flow automatically into the GRC workflow: high-risk responses (any question scored 0) get escalated to the security review board; governance questions route to legal; defence and resilience questions go to the SOC lead. Forms.qa’s webhook configuration plus a small routing rule in your GRC tool does this without a separate integration.
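The scoring rule above and the routing rule in this section are small enough to express in one script. The following is an added example, not Forms.qa code or part of the template: it takes a webhook body, applies the 0/1/2 guide (including downgrading a 2 that arrives without an evidence link), treats unanswered questions as 0, computes the disposition against the 70% and 50% thresholds, and builds a routing table per owner. The payload shape, the question ids, the owner names, and the routing of the third-party and PDPPL families to legal are all assumptions; the sample body is constructed for the example.

```python
"""Score a vendor-risk questionnaire response and decide where it routes.

Added example, not Forms.qa code. The webhook payload shape, question ids
and owner names are assumptions; adjust them to the real payload schema.
"""
from dataclasses import dataclass, field

# The post's 18 questions, keyed by an assumed short id, grouped by the
# control family used in the post's headings.
QUESTIONS = {
    "gov-1": "governance", "gov-2": "governance", "gov-3": "governance",
    "def-1": "defence", "def-2": "defence", "def-3": "defence",
    "def-4": "defence", "def-5": "defence",
    "res-1": "resilience", "res-2": "resilience", "res-3": "resilience",
    "tpm-1": "third_party", "tpm-2": "third_party", "tpm-3": "third_party",
    "tpm-4": "third_party",
    "pdppl-1": "pdppl", "pdppl-2": "pdppl", "pdppl-3": "pdppl",
}
MAX_SCORE = 2 * len(QUESTIONS)   # 36 on the post's 0/1/2 scale
ESCALATE_BELOW = 0.70            # the post's thresholds
HARD_STOP_BELOW = 0.50

# Governance -> legal and defence/resilience -> SOC lead are from the post;
# routing the other two families to legal is an assumption.
FAMILY_OWNER = {
    "governance": "legal", "defence": "soc_lead", "resilience": "soc_lead",
    "third_party": "legal", "pdppl": "legal",
}


@dataclass
class Review:
    vendor: str
    total: int
    max_score: int
    disposition: str                  # "accept" | "escalate" | "hard_stop"
    zeros: list = field(default_factory=list)       # questions scored 0
    downgraded: list = field(default_factory=list)  # 2s lacking evidence
    routes: dict = field(default_factory=dict)      # owner -> question ids


def normalise_score(answer: dict) -> tuple[int, bool]:
    """Apply the scoring guide to one answer; returns (score, downgraded).

    A 2 needs a link to evidence, so a 2 without one becomes a 1. Anything
    that is not exactly 0, 1 or 2 (missing, a string, out of range) scores 0
    instead of raising, so one malformed answer cannot stall the review.
    """
    raw = answer.get("score")
    if raw not in (0, 1, 2):
        return 0, False
    if raw == 2 and not str(answer.get("evidence", "")).startswith("http"):
        return 1, True
    return raw, False


def review_submission(payload: dict) -> Review:
    """Score the payload and build the routing table for the GRC workflow."""
    answers = {a.get("id"): a for a in payload.get("answers", [])}
    total, zeros, downgraded, routes = 0, [], [], {}
    for qid, family in QUESTIONS.items():   # iterate the expected set, so
        score, was_downgraded = normalise_score(answers.get(qid, {}))  # gaps = 0
        total += score
        if was_downgraded:
            downgraded.append(qid)
        if score == 0:   # any 0 is high-risk: review board plus family owner
            zeros.append(qid)
            routes.setdefault("security_review_board", []).append(qid)
        routes.setdefault(FAMILY_OWNER[family], []).append(qid)
    ratio = total / MAX_SCORE
    if ratio < HARD_STOP_BELOW:
        disposition = "hard_stop"
    elif ratio < ESCALATE_BELOW:
        disposition = "escalate"
    else:
        disposition = "accept"
    return Review(payload.get("vendor", "unknown"), total, MAX_SCORE,
                  disposition, zeros, downgraded, routes)


# Constructed sample webhook body: one 2 without evidence (def-2) and one
# question never answered (tpm-3). Evidence URL is a placeholder.
_EVIDENCE = "https://trust.example.test/evidence"
SAMPLE_PAYLOAD = {
    "vendor": "Example SaaS Ltd",
    "answers": [
        {"id": q, "score": s, **({"evidence": _EVIDENCE} if e else {})}
        for q, s, e in [
            ("gov-1", 2, True), ("gov-2", 2, True), ("gov-3", 1, False),
            ("def-1", 2, True), ("def-2", 2, False), ("def-3", 1, False),
            ("def-4", 2, True), ("def-5", 1, False),
            ("res-1", 2, True), ("res-2", 1, False), ("res-3", 0, False),
            ("tpm-1", 2, True), ("tpm-2", 1, False), ("tpm-4", 1, False),
            ("pdppl-1", 2, True), ("pdppl-2", 1, False), ("pdppl-3", 2, True),
        ]
    ],
}

if __name__ == "__main__":
    r = review_submission(SAMPLE_PAYLOAD)
    print(f"{r.vendor}: {r.total}/{r.max_score} -> {r.disposition}")
    print("zeros:", r.zeros, "downgraded:", r.downgraded)
    for owner, qids in r.routes.items():
        print(f"  {owner}: {qids}")
```

The sample scores 24/36, which is under 70% and so escalates; the two zeros (res-3 and the unanswered tpm-3) go to the review board on top of their family owners, and def-2 is recorded as downgraded so the reviewer can ask the vendor for the missing evidence rather than silently accepting the lower score.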
Download the template
We’ve packaged the 18 questions above as a Forms.qa template with bilingual labels, a pre-built 0/1/2 scoring column, and a webhook payload schema. You can apply it to your workspace in one click.