A Prospect Just Sent You a Security Questionnaire. Now What?
A prospect is ready to sign — but they need a completed security questionnaire first. Here is exactly what to do, in order, starting today.
The short version
- Read before you react: Work through the entire questionnaire once before answering anything — you need the full picture before you can sensibly prioritise.
- Scattered information is the real problem: Most SMEs struggle not because they are insecure, but because what they do have in place is spread across tools, inboxes and people's heads.
- Honesty protects you: Inaccurate answers can void contracts and create legal liability — mark genuine gaps as in-progress or not applicable, and never guess.
- One questionnaire, lasting value: Every question you answer properly, and every control you implement as a result, makes the next questionnaire meaningfully faster.
You open the email on a Tuesday morning. A deal you have worked on for weeks is close, and the prospect’s procurement team has just sent over a security questionnaire before they will sign. Seventy-three questions about firewalls, data handling, access controls, encryption and incident response. Some you vaguely recognise. Others might as well be in a foreign language. The deadline is ten days away.
If this sounds familiar, you are not alone, and you are not as far behind as you feel. Understanding how to answer a security questionnaire is a learnable, practical skill. This guide walks you through it, step by step.
What is a security questionnaire, and why do prospects send them?
A security questionnaire is a structured set of questions a company sends to a supplier to assess how well that supplier protects data, systems and people.
In plain terms: your prospect wants to know whether working with you creates risk for them. Their insurer, compliance team or customers may require it. Sending a supplier security questionnaire is now standard practice in the UK across financial services, healthcare and professional services, and it is spreading fast to businesses of every size.
There are broadly two types:
- Bespoke questionnaires — written by the prospect themselves, shaped to their own risk appetite and contracts. Every one looks slightly different.
- Standard questionnaires — based on published formats such as CAIQ (from the Cloud Security Alliance) or SIG (Standardised Information Gathering). More predictable once you have encountered the format before.
Both ask broadly the same things. The specific wording varies; the underlying concerns do not.
Why do SMEs struggle with security questionnaires?
Most SMEs do not fail questionnaires because they are insecure. They struggle because their security information is scattered, undocumented and never had to be explained before.
Three patterns come up again and again:
- They do not know what they already have in place. The controls exist. Someone set up multi-factor authentication (a second login step beyond a password), someone chose a reputable cloud provider, someone wrote a password policy. But no one has pulled it into a coherent picture.
- The information lives in too many places. One person knows the backup schedule, another manages the firewall, the HR lead owns the training records. A questionnaire demands one joined-up answer.
- They have never had to articulate their security posture before. “We are pretty careful” is not an answer. Translating real-world practice into the specific, evidenced language a questionnaire expects is a skill most SMEs have never needed.
This is the gap to close, and it is not necessarily a gap in your actual security.
How to answer a security questionnaire: a step-by-step approach
To answer a security questionnaire, read it through once, mark what you can answer confidently, list your genuine gaps, then close the quick ones and flag the rest honestly.
Step 1: Read the whole thing before you answer anything
Resist the urge to start filling in boxes from question one. Read the whole questionnaire first. It takes about 20 to 30 minutes and tells you a great deal: what the prospect actually cares about, which sections are mandatory, and whether later questions inform earlier answers.
Step 2: Flag what you can answer confidently right now
Go back through and mark every question where you already know the honest, accurate answer. These are usually more numerous than you expect. Tick them off and set them aside. This reduces the problem to a manageable list.
Step 3: Identify your genuine gaps
What remains is harder — questions where the honest answer is “we do not currently do this” or “I am not sure.” Write each one down. A clear-eyed gap list is enormously useful; vague dread is not.
Step 4: Decide what to address now versus acknowledge honestly
Not every gap needs to be closed before you submit. Prioritise:
- Implement now. Quick wins such as a written password policy or a documented backup process. Many documents and policies can be drafted in a single focused session. Mark these as done.
- In progress. Controls you have started but not completed. Note them as such and, where the questionnaire allows it, include a target date. Prospects generally respect transparency more than silence.
- Not applicable. Some questions genuinely do not apply to your business model. Note why, briefly and factually.
Operational controls take real time and need a named owner: rolling out MFA across a team, conducting access reviews, running a test of your incident response plan. Budget for that honestly rather than claiming they are complete when they are not.
Step 5: Be accurate. This matters legally and commercially.
A prospect who discovers six months in that your answer to “Do you encrypt data at rest?” was optimistic rather than accurate will not be a client for long. Depending on your contract terms, you may also face consequences beyond losing the deal. Honesty about gaps, framed as a plan rather than an apology, is both ethically right and strategically smarter.
Saying you are secure versus actually being secure
Saying you are secure means ticking a box; actually being secure means the control truly exists. Only the second protects your business when something goes wrong.
The first might win you the deal today. The second wins you the deal and means your business is genuinely better protected. That matters when an incident happens, when an insurer investigates a claim, or when a larger partner runs a more rigorous audit next year.
“The real return on answering a security questionnaire properly is not the signature. It is the posture you build on the way there.”
Every control you implement to answer a question honestly is a control that protects your business. The questionnaire becomes a practical security improvement, not just a hurdle.
What happens next time?
Businesses with a structured compliance programme answer future questionnaires significantly faster because the evidence already exists. It is a matter of retrieving it, not rebuilding it.
This is the compounding benefit of taking questionnaires seriously. The work you do this time becomes reusable: documenting your backup policy, writing up your access control process, gathering evidence that your team completed security training. The next questionnaire, whether from a customer, your insurer or a framework like Cyber Essentials, starts from a far better position.
The organising principle
A security questionnaire is not a test you pass or fail. It is a structured request for evidence that you take security seriously. Your job is to gather what you have, fix the gaps you can, and be honest about the rest. That is it.
SecurSentry is built to walk UK SMEs through a security questionnaire question by question. It maps each one to the controls your business needs, guides you as you implement them, and helps you draft accurate, evidence-backed answers, so you become genuinely more secure as you answer. It is launching soon. Join the waitlist to be first to know.
This article is intended as practical guidance for general information purposes. It does not constitute legal or professional compliance advice. If you have specific contractual, regulatory or legal obligations, please seek qualified professional guidance.