What can you expect in a security questionnaire?

If you’ve dealt with security questionnaires before, you know they can run to hundreds of questions. As data privacy concerns grow and breaches become more damaging, your customers will expect increasingly robust security programs. For you, as a vendor, this means you will need to demonstrate the practices your company has put in place to protect customers’ data against a constantly changing set of threats and attackers.

My goal in this article is to increase your security questionnaire “savviness”, and save you many hours, by showing you how to start building a reusable library of documents and answers. By the end of this post, you should know the types of questions and documents a typical security questionnaire asks for. With that knowledge at your fingertips, you will be better equipped and more confident in dealing with security questions yourself (and perhaps not go looking for your friend in IT every time).

Below is a summary of types of questions and documents requested in a security questionnaire (and information you should always have handy in your content library):

Security compliance certificates and reports (e.g. SOC 2 or ISO 27001)

Proof of security compliance is the most commonly requested piece of information in a security questionnaire. These documents are a stamp (in fact a BIG STAMP) from an independent third party stating that your controls meet a recognized set of criteria: a SOC 2 report is an attestation issued by an independent CPA firm under AICPA standards, and an ISO 27001 certificate is issued by an accredited certification body after an audit. Two caveats worth knowing before you hand one over: a SOC 2 Type I report covers control design at a point in time while a Type II covers operating effectiveness over a period, and customers will check which one you have and whether its scope actually covers the service they are buying; and SOC 2 reports are normally confidential and shared only under NDA. The report or certificate itself answers many questions in the questionnaire at once, so definitely have yours handy in your content library.

These documents are renewed on a fixed cycle, so make sure you always have the latest one: a SOC 2 Type II report is typically issued annually and covers a defined review period, so a report whose period ended more than a year ago will be questioned, while an ISO 27001 certificate is valid for three years with annual surveillance audits and carries an explicit expiry date. If your organization has an IT Compliance team, ask them for the latest certifications. If there is no compliance team, the Infosec team or the designated CISO is the best person to reach out to. If you’re looking for a streamlined way to manage your IT compliance, you might consider following in the footsteps of many successful organizations who hook their RFP response system up with an IT GRC tool like ControlMap.

Cybersecurity policies and policy documents

Policies establish the ground rules for cybersecurity in a company, so questions about them are the next most common set you will see. Customers use these questions to assess the IT security, data privacy, and business resiliency of vendors like you.

Cybersecurity policy questions cover a comprehensive set of security areas and are often the most time-consuming. Here’s a sample of different policies you’ll likely be asked about:

  • Information security
  • Physical security
  • Application security
  • Infrastructure security
  • Network security

The office of the CISO maintains the answers to policy questions, so that is an excellent place to start: assign cybersecurity policy questions to them. You will also want copies of the policy documents themselves for your content library. Most of the time, snippets from policy documents serve as answers to items in the questionnaire, but in some cases you must attach the complete policy document as the response. Policies are often classified as internal, so agree with the CISO’s office in advance which documents may be shared in full, which need an NDA, and which are answered with a summary.

I recommend that you at least aim to have the ten most commonly requested policy documents in your RFP content library, along with answers to policy questions. Policies and their related documents are updated at different frequencies, so set up an automated check-in with the content owners that ensures you always have the latest version on hand; it will save you a lot of time in the long run.
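As an added example of the automated check-in recommended above (this is not code from the original post or from ControlMap), here is a small Python script that records each artifact in a content library with its owner, issue date, expected refresh interval and, for certificates, a hard expiry date, then flags anything stale or about to lapse and groups the results by owner so each team gets a single check-in request. It covers both the certificates and reports from the earlier section and the policies and procedures discussed here. The artifact names, owners, dates, review intervals and the 30-day warning window are constructed assumptions for illustration.

```python
"""Freshness check for a security-questionnaire content library.

Each artifact records who owns it, when the current copy was issued or last
reviewed, how often a fresh copy is expected, and (for certificates) a hard
expiry date. Run it on a schedule and send each owner the rows that come back.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Artifact:
    name: str
    owner: str                      # team to check in with (constructed names below)
    last_issued: date               # issue date of the current copy, or last review date
    review_days: int                # expected refresh interval (an assumption per artifact)
    expires: Optional[date] = None  # hard expiry, e.g. certificate validity end date


# Days before the refresh deadline at which an owner should be nudged (assumed).
WARN_DAYS = 30


def artifact_status(item: Artifact, today: date) -> str:
    """Classify one artifact as 'expired', 'stale', 'due-soon' or 'current'."""
    if item.expires is not None and today > item.expires:
        return "expired"
    age = today - item.last_issued
    if age > timedelta(days=item.review_days):
        return "stale"
    if age > timedelta(days=item.review_days - WARN_DAYS):
        return "due-soon"
    return "current"


def check_in_list(library: List[Artifact], today: date) -> List[Tuple[str, str, str]]:
    """Return (owner, name, status) for every artifact that is not current,
    sorted by owner so each content owner receives one check-in request."""
    rows = [(a.owner, a.name, artifact_status(a, today)) for a in library]
    return sorted(r for r in rows if r[2] != "current")


# Constructed sample library; every date and interval below is illustrative.
SAMPLE_LIBRARY = [
    Artifact("SOC 2 Type II report", "IT Compliance", date(2023, 6, 30), 365),
    Artifact("ISO 27001 certificate", "IT Compliance", date(2024, 3, 1), 365,
             expires=date(2025, 2, 28)),  # last surveillance audit; certificate end date
    Artifact("Information security policy", "Office of the CISO", date(2024, 5, 15), 365),
    Artifact("Incident management procedure", "IT Operations", date(2024, 1, 10), 180),
    Artifact("DR / business continuity plan", "IT Operations", date(2023, 8, 15), 365),
]

# Fixed "today" so the sample run is reproducible (assumed).
REPORT_DATE = date(2024, 8, 1)


def sample_check_in() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed library as of REPORT_DATE."""
    return check_in_list(SAMPLE_LIBRARY, REPORT_DATE)


if __name__ == "__main__":
    for owner, name, status in sample_check_in():
        print(f"{owner}: {name} is {status}")
```

In practice the library would be read from the RFP tool or a spreadsheet export rather than hard-coded, and the output would be turned into one ticket or message per owner; the status logic is the part worth keeping, in particular the separate handling of a hard expiry date, which a refresh interval alone does not capture.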

Security procedures

The next set of commonly seen questions is about security procedures. These questions assess the procedures vendors like you have put in place to safeguard customer information, data, and systems. Most often, they cover HR and IT operations procedures dealing with employees, information systems, and business resilience. Commonly requested procedures include:

  • Procedures for employee security awareness training
  • Procedures for patching, upgrading, and mitigating vulnerabilities on servers and endpoints
  • Incident management procedures in case of a security breach or other incident
  • Disaster recovery and business continuity plan in case of prolonged downtime
  • Monitoring and tracking for malicious activity

Assign these questions to your IT Operations, HR Operations, and IT Compliance teams, as they own and operate these workflows and processes day to day. Procedures are usually stored in departmental wikis or document folders, so link to those locations from your response content library, or export the documentation into it, so that all relevant content lives in one place.

IT risks and mitigation controls

The most important questions concern the risk management practices of your organization. Your customer inherits third-party risk from every vendor it uses, so they want to know which threats and vulnerabilities would affect them the most and what you, as a vendor, are doing to mitigate those risks.

Top questions in the area of risk management include:

  • Submit a risk management plan
  • Identify the list of risks that could directly impact the customer’s data and information systems
  • Describe the risk assessment methodology
  • List security controls in place to mitigate the risks
  • List personnel/roles responsible for risk management

IT Compliance teams own the IT risk management plan and the register of security controls that mitigate each risk, so reach out to them. They perform risk assessments periodically and update the controls accordingly, so schedule regular check-ins with the compliance team to make sure you always have the latest copies of all reports.

Next steps for streamlining your security questionnaire response

I hope you feel a little wiser about how security questionnaires are organized. A questionnaire or an individual question can be structured in many different ways, but it rarely falls outside the categories discussed above.

If you’re dealing with multiple questionnaires at a time—and want to ensure each questionnaire is accurate and up-to-date—I’d recommend using RFP software to simplify your process. Many successful companies use RFP software to respond to security questionnaires, cutting down response time by over 50%.

See if RFP software makes sense for your workflow by scheduling a demo here.


Geeta is a customer success and implementation specialist at ControlMap, an Infosec Compliance platform that automates compliance tasks and makes it easier to be continuously compliant.
