top | item 25798579

mdb333 | 5 years ago

Pretty straightforward, but does it scale? And can the answers be captured objectively in order to inform consistent decision-making?

I.e. this is fine for a one-shot review, but would be tough to operationalize...

Plus, keep in mind diagrams can be critical. If you're going to be sharing sensitive data with this vendor you're going to need to know and have documented how that data will flow, where it will persist, etc. Can be a lot easier to capture in a diagram than narrative format.

There is a variety of other FOSS-type stuff out there that is useful for anyone who needs more:

Vendor Security Alliance -- https://www.vendorsecurityalliance.org/downloadQuestionaire (disclaimer: I'm an advisor @VSA)

CSA CAIQ -- https://cloudsecurityalliance.org/artifacts/consensus-assess...

SIG -- NM, looks like this is closed/member-only now, but if you can track it down (SIG Lite/Full, Standard Information Gathering) it's ridiculously comprehensive.

Google VSAQ -- https://github.com/google/vsaq

As someone who deals with both sides (asking the questions to vendors, and answering them for prospect customers) I can say they mostly all suck pretty hard... and that's probably why there's a whole ecosystem of vendors in this space nowadays.
