SecurSentry
← All notes
Security questionnaires

A Prospect Just Sent You a Security Questionnaire. Now What?

A prospect is ready to sign — but they need a completed security questionnaire first. Here is exactly what to do, in order, starting today.

The short version

You open the email on a Tuesday morning. A deal you have worked on for weeks is close, and the prospect’s procurement team has just sent over a security questionnaire before they will sign. Seventy-three questions about firewalls, data handling, access controls, encryption and incident response. Some you vaguely recognise. Others might as well be in a foreign language. The deadline is ten days away.

If this sounds familiar, you are not alone, and you are not as far behind as you feel. Understanding how to answer a security questionnaire is a learnable, practical skill. This guide walks you through it, step by step.

What is a security questionnaire, and why do prospects send them?

A security questionnaire is a structured set of questions a company sends to a supplier to assess how well that supplier protects data, systems and people.

In plain terms: your prospect wants to know whether working with you creates risk for them. Their insurer, compliance team or customers may require it. Sending a supplier security questionnaire is now standard practice in the UK across financial services, healthcare and professional services, and it is spreading fast to businesses of every size.

There are broadly two types:

Both ask broadly the same things. The specific wording varies; the underlying concerns do not.

Why do SMEs struggle with security questionnaires?

Most SMEs do not fail questionnaires because they are insecure. They struggle because their security information is scattered, undocumented and never had to be explained before.

Three patterns come up again and again:

  1. They do not know what they already have in place. The controls exist. Someone set up multi-factor authentication (a second login step beyond a password), someone chose a reputable cloud provider, someone wrote a password policy. But no one has pulled it into a coherent picture.
  2. The information lives in too many places. One person knows the backup schedule, another manages the firewall, the HR lead owns the training records. A questionnaire demands one joined-up answer.
  3. They have never had to articulate their security posture before. “We are pretty careful” is not an answer. Translating real-world practice into the specific, evidenced language a questionnaire expects is a skill most SMEs have never needed.

This is the gap to close, and it is not necessarily a gap in your actual security.

How to answer a security questionnaire: a step-by-step approach

To answer a security questionnaire, read it through once, mark what you can answer confidently, list your genuine gaps, then close the quick ones and flag the rest honestly.

Step 1: Read the whole thing before you answer anything

Resist the urge to start filling in boxes from question one. Read the whole questionnaire first. It takes about 20 to 30 minutes and tells you a great deal: what the prospect actually cares about, which sections are mandatory, and whether later questions inform earlier answers.

Step 2: Flag what you can answer confidently right now

Go back through and mark every question where you already know the honest, accurate answer. These are usually more numerous than you expect. Tick them off and set them aside. This reduces the problem to a manageable list.

Step 3: Identify your genuine gaps

What remains is harder — questions where the honest answer is “we do not currently do this” or “I am not sure.” Write each one down. A clear-eyed gap list is enormously useful; vague dread is not.

Step 4: Decide what to address now versus acknowledge honestly

Not every gap needs to be closed before you submit. Prioritise:

Operational controls take real time and need a named owner: rolling out MFA across a team, conducting access reviews, running a test of your incident response plan. Budget for that honestly rather than claiming they are complete when they are not.

Step 5: Be accurate. This matters legally and commercially.

A prospect who discovers six months in that your answer to “Do you encrypt data at rest?” was optimistic rather than accurate will not be a client for long. Depending on your contract terms, you may also face consequences beyond losing the deal. Honesty about gaps, framed as a plan rather than an apology, is both ethically right and strategically smarter.

Saying you are secure versus actually being secure

Saying you are secure means ticking a box; actually being secure means the control truly exists. Only the second protects your business when something goes wrong.

The first might win you the deal today. The second wins you the deal and means your business is genuinely better protected. That matters when an incident happens, when an insurer investigates a claim, or when a larger partner runs a more rigorous audit next year.

“The real return on answering a security questionnaire properly is not the signature. It is the posture you build on the way there.”

Every control you implement to answer a question honestly is a control that protects your business. The questionnaire becomes a practical security improvement, not just a hurdle.

What happens next time?

Businesses with a structured compliance programme answer future questionnaires significantly faster because the evidence already exists. It is a matter of retrieving it, not rebuilding it.

This is the compounding benefit of taking questionnaires seriously. The work you do this time becomes reusable: documenting your backup policy, writing up your access control process, gathering evidence that your team completed security training. The next questionnaire, whether from a customer, your insurer or a framework like Cyber Essentials, starts from a far better position.

The organising principle

A security questionnaire is not a test you pass or fail. It is a structured request for evidence that you take security seriously. Your job is to gather what you have, fix the gaps you can, and be honest about the rest. That is it.

SecurSentry is built to walk UK SMEs through a security questionnaire question by question. It maps each one to the controls your business needs, guides you as you implement them, and helps you draft accurate, evidence-backed answers, so you become genuinely more secure as you answer. It is launching soon. Join the waitlist to be first to know.


This article is intended as practical guidance for general information purposes. It does not constitute legal or professional compliance advice. If you have specific contractual, regulatory or legal obligations, please seek qualified professional guidance.

Frequently asked questions

How long does it take to answer a security questionnaire as an SME?

It depends on the length and how organised your security information already is. A shorter bespoke questionnaire from a prospect might take a few hours if your policies and records are in one place, or several days if you need to track down information and fill genuine gaps. The more structured your compliance evidence, the faster each future questionnaire becomes.

What happens if I answer a security questionnaire inaccurately?

Inaccurate answers can void contracts, trigger liability clauses, and seriously damage trust with the client if the truth emerges later — which it often does during audits or incidents. Always mark gaps honestly as 'not yet implemented' or 'in progress' rather than overstating what you have in place.

What is the difference between a bespoke and a standard security questionnaire?

A bespoke questionnaire is one your prospect or partner has written themselves, tailored to their own risk appetite. A standard questionnaire follows a published format — such as CAIQ (Cloud Security Alliance) or SIG (Standardised Information Gathering) — used widely across industries. Both ask broadly similar things; standard ones are more predictable once you have seen them before.

Do I need to be certified to answer a security questionnaire?

No — certification is not a prerequisite for completing a questionnaire. That said, holding a recognised certification such as Cyber Essentials means you already have documented evidence for many common questions, which makes answering faster and more credible. A questionnaire can itself be a useful prompt to start working towards certification.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.