What is a security questionnaire for?
Many more organizations are requiring potential vendors to complete a security questionnaire as part of a
third-party risk assessment. These can sometimes include up to 400 questions – and often appear daunting at
first. But don’t worry – this is actually good news. Your potential customer is verifying that you are
adhering to industry best practices and regulatory requirements, in order to do business with you.
How to answer security questionnaires
The first step should be to create a process to answer this and future questionnaires in a timely fashion.
This will save you time in future by reducing sales friction. Don’t worry if you cannot answer all the
questions yourself. It’s very common to assemble a group of subject matter experts to help.
Typically, questionnaires have three choices for an answer – Yes, No or n/a, but you may also need to add a
supporting explanation in certain circumstances. However, a common mistake here is over-sharing too much
information that is not required. This is where it’s vital you understand what is important to the customer
and in scope
Some of the questions will take time to answer, and may involve some back and forth with the customer. This
process may take several hours or weeks if you have to implement new security controls in your organization.
Is it OK to answer no to a question?
How much additional explanation should I include?.
Do I need an NDA?
What is an answer library?
What are some tips for answering security questionnaires?
How can I get help if I’m not sure how to answer a question?