Security Audit Questionnaire

Download Now: EDRM-Security-Questionnaire-1.1.xlsx

The Security Audit Questionnaire was designed primarily to help evaluate the security capabilities of cloud providers and third parties offering electronic discovery or managed services.

The tool is also useful as a self-checklist for organizations testing the security capabilities of their own in-house systems.

Use the questionnaire to assess an organization’s strength in protecting data from destruction or unauthorized access, as well as compliance with data-related legislation such as:

  • Gramm-Leach-Bliley Act (GLBA)
  • PCI DSS (Payment Card Industry Data Security Standard)
  • Sarbanes-Oxley Act
  • Security breach notification laws

The tool sets out 74 separate criteria under seven categories. Use it to assign an importance or weight to each criterion, so that you can emphasize the criteria that are mission-critical and downplay those that are less important to your business. EDRM produced a webinar to help you determine how best to use the tool; view it here.

Areas addressed include:

  • Risk Management
  • Asset Security
  • Communications and Networking Security
  • Identity and Access Management
  • Security Operations
  • Software Development Security

Download the Excel file here: EDRM-Security-Questionnaire-1.1.xlsx

[Note: The Questionnaire was updated in April 2017 to correct a missing formula and remove references to HIPAA certification. This document will continue to be updated as needed. Suggestions for further edits are welcome at]

The EDRM Security Audit Team

The EDRM Security Audit Team, representing e-discovery providers, corporate legal, and law firms, convened in August 2016 to discuss security and compliance requirements and create a plan for the Security Audit Questionnaire. Amy Sellars, assistant general counsel, litigation support for Walmart Legal, and Julie Hackler, account executive at Avansic, led the team of 14 professionals with backgrounds in e-discovery, security, IT technologies, and litigation support in creating the tool. Over several months of collaborative effort, the team identified seven key security areas for audit, developed checklists and audit questions, and built and tested the questionnaire. The following EDRM team members participated in the project:

Julie Hackler, Account Executive, Avansic
Lance Waston, Chief Information Officer, Avansic
Beth Downing, Chief Operating Officer, Avansic
Amy Sellars, Assistant General Counsel, Litigation Support Group, Walmart Legal
Justin Hectus, Director of Information, Keesal, Young and Logan
Tom MacKenzie, Vice President of Data Privacy & Compliance, TCDI
Dean Van Dyke, Vice President, iBridge Global Services
Kris Kadlac, Paralegal, Richman Greer, PA
Andy Sokol, Director, CopyScan Technologies
Michael Cammack, Chief Information Officer, Nightowl Discovery
Lilith Bat-Leah, Director of ESI Solutions, Bluestarcs
Deanna Fleener, Director of Managed Services, LDiscovery
David Thomas, Enterprise Business Development Manager
Kit Bright, Sr. Coordinator Information Systems, Gibsons
Tom Gelbmann, Co-Founder, EDRM
George Socha, Co-Founder, EDRM, and Managing Director, BDO