From content to timing, confusion often surrounds the differences between a due diligence questionnaire (DDQ) and a security questionnaire. Read on to learn the nuances of each document to improve your responses and win that next deal.
What is a DDQ?
DDQ stands for due diligence questionnaire. Organizations send one to reduce risk before entering into an agreement with another company. It is a formal document designed to establish whether a vendor complies with industry and/or customer standards or needs, including how the vendor manages its own network and cybersecurity controls.
Unlike an RFP, a DDQ is not primarily a competitive evaluation. A DDQ is about compliance and business practices.
What is a security questionnaire?
Much like it sounds, a security questionnaire is sent to potential vendors to determine whether their security controls meet the issuer’s standards and legal requirements. Security questionnaires are technical and often highly detailed; however, most questions call for a “yes” or “no” rather than a narrative.
Note that neither DDQs nor security questionnaires are sales documents.
DDQs vs. Security Questionnaires
Now that you know the definition of a DDQ, let’s get into how security questionnaires are unique, along with a few similarities they share with DDQs.
Any organization can issue a DDQ, but we see them most in the financial services industry. Security questionnaires are primarily used by organizations operating in technology—either hardware or software.
Much like a DDQ, a security questionnaire is not used to rank vendors against one another. If an organization adds an RFP (request for proposal) to the mix, though, both questionnaires play a role in the market comparison.
Because a security questionnaire is not a competitive evaluation, the issuer won’t spend time performing a security review with more than about five potential vendors. That is completely different from responding to an RFP, which may be sent to a large number of vendors to cast a wide net.
Usually, a security questionnaire comes from a security department (infosec, IT security, cloud security, etc.). A DDQ will not necessarily come from that department: marketing, client services, or compliance teams frequently send these documents to responders.
Security questionnaires and DDQs typically show up early in the sales cycle. They may come in when an organization is trying to set you up as the vendor of choice or before it’s time to renew. Before you can become their new vendor, they need to make sure you’re compliant. If you’re an existing vendor, they might need to ensure you’re still compliant.
Even when you become their vendor partner, you might see a due diligence questionnaire again and again. Especially in the financial services industry, DDQs are sent to vendors annually—even quarterly—so make sure you’re up to speed on industry regulations.
A security questionnaire is predominantly an Excel spreadsheet. A DDQ could be a spreadsheet, but about 70% of the time, this questionnaire lives in a Word document.
Security questionnaires tend to be a standard set of questions, where you answer some variation of yes/no in a drop-down. You might need to add some commentary to back up your answer. While there will be some black-and-white questions in a DDQ, there is also room for interpretation and for building a narrative.
Succeeding with Security Questionnaires and DDQs
To knock content out of the park with security questionnaires and DDQs, naturally, the best technique is accuracy. With that top of mind, here are other tips to help you succeed as a responder.
With security questionnaires, you have a lot less room to stand out on content. Your data is encrypted or it’s not. You either have the firewall or you don’t. The question is rarely how you implemented the firewall; it’s simply whether you have one in place (and, where commentary is requested, a brief, accurate description of it).
Stick to the facts
Obviously, one thing you don’t want to do is lie. Let’s say you are asked whether you test your disaster recovery plans every 60 days. If your process is to test them once a year, don’t say “yes”; answer honestly and state your actual cadence. The issuer will find out 60 days later when you can’t show the test, and a false answer discovered then costs more than an honest gap would have.
Time to completion
Turnaround time is worth optimizing for with security questionnaire responses. You’re usually still in an evaluation process where you might be the vendor of choice or one of two finalists, and a prompt, accurate response keeps the deal moving.
With DDQs, as with an RFP response, there is more room for narrative in your content. However, don’t respond to a DDQ exactly as you would to an RFP. Before you respond, consult the right SMEs (subject matter experts).
Early stage advice
If you receive a DDQ in the early stages of the sales cycle, this document might be their vendor filtering method. DDQs are not the time for a sales pitch. Instead, consider showing your strengths with compelling and (most importantly) accurate narratives showing compliance.
Late stage advice
During the late stage of the cycle, your DDQ might be a recurring document you answer for an existing client, or it could be a follow-up to a DDQ you’ve already answered. Get straight to the point and ensure accuracy to show you are still in compliance.
If due diligence questionnaires are a regular part of your sales process, response software for DDQs, such as RFPIO, makes answering them a whole lot easier. Your RFPIO Content Library can answer many of a DDQ’s questions with a few clicks.