SecurSentry
← All notes
Security questionnaires

A Customer Sent You a Security Questionnaire and You Have No SOC 2. Now What?

A customer wants assurances you do not have on paper — but a missing SOC 2 report is rarely the dealbreaker it feels like. Here is how to respond credibly.

The short version

You open the email and there it is. A customer you have courted for weeks is ready to move ahead, but their procurement team needs a completed security questionnaire first, and somewhere in it sits the question you have been dreading. “Please attach your current SOC 2 report.” You do not have one. You never have. A deal that felt won suddenly feels at risk over a document you do not possess.

Take a breath. Facing a security questionnaire without SOC 2 is one of the most common situations a growing UK business runs into, and far more workable than it first appears. A missing SOC 2 report is rarely the genuine blocker it seems. This guide walks you through what the buyer is actually asking for, what UK buyers often accept instead, and how to answer honestly. Done right, you can even turn the whole episode into a head-start.

First, do not panic — you have more than you think

A missing SOC 2 report does not mean you have nothing to show. Most of the controls such a report would describe already exist in your business; they have simply never been gathered in one place.

SOC 2 is a report describing how an organisation manages things like access control, system monitoring, encryption, backups, and incident response over time. Read that list again. You almost certainly do several already. You use multi-factor authentication (a second login step beyond a password), you back up your data, you chose reputable cloud providers, and someone responds when something goes wrong. None of that disappears because you lack a particular American report.

The challenge for most small UK suppliers is not an absence of security. It is that their security has never had to be explained. The practices live in different tools, people’s heads, the occasional email thread, and a questionnaire forces one joined-up account of it for the first time. That is a documentation gap, not necessarily a security gap, and a very fixable one. Our walkthrough on how to answer a security questionnaire covers the general method; this article is about the no-certification situation specifically.

What the buyer is really asking for

When a buyer asks for SOC 2, they are usually asking a simpler underlying question: “Can I trust this supplier with my data and systems?” There is more than one credible way to answer it.

Procurement teams often write “SOC 2” into a questionnaire because it is the shorthand they know, or because a template handed it to them. That exact report is rarely the only acceptable answer. What sits beneath the request is a concern about risk: their insurer, their own customers, or their compliance team needs reassurance that working with you will not expose them. That is the question to answer well.

It helps to know what SOC 2 actually is, so you can speak to it confidently rather than apologetically. It is an attestation report produced under the standards of the American Institute of Certified Public Accountants (AICPA), the US accountancy body, in which an independent examiner reports on a service organisation’s controls across criteria such as security, availability, confidentiality, and privacy. It is a US-origin report, not a UK certification, and something a buyer requests and reviews rather than a badge you hold.

SOC 2 IS NOT A UK CERTIFICATION

SOC 2 originates in American assurance practice; the UK has its own recognised schemes. Knowing this lets you answer the SOC 2 question without treating a missing US report as a personal failing. It often simply is not the right yardstick for a UK supplier.

So when the SOC 2 line appears, you are not stuck. You can explain what you do have, offer a recognised alternative where you have one, and answer the substance honestly. For many UK buyers, that is enough.

What UK buyers often accept instead of SOC 2

In the UK, buyers frequently accept Cyber Essentials, IASME Cyber Assurance, or honest and well-evidenced answers in place of a SOC 2 report, though no certification ever guarantees a specific buyer will be satisfied.

Here are the credible alternatives, roughly in order of how readily a UK supplier can reach them.

Cyber Essentials

Cyber Essentials is a UK government-backed certification, developed by the National Cyber Security Centre (NCSC) and delivered through the IASME Consortium. It covers five core technical control areas: firewalls, secure configuration, user access control, malware protection, and security update management. Between them, those answer many of the same questions a security questionnaire asks. It is achievable for small organisations and recognised across UK supply chains, with annual renewal. It will not satisfy every buyer, but a current certificate is a strong, widely-understood signal that you meet a recognised UK baseline.

IASME Cyber Assurance

IASME Cyber Assurance is a UK governance standard a step beyond Cyber Essentials. Where Cyber Essentials covers technical controls, it adds the governance wrapper around them: risk management, incident planning, supply chain oversight, staff awareness. For a buyer worried about how you manage security rather than which tools you run, it speaks directly to that concern, without the cost and complexity of a full enterprise standard such as ISO 27001.

Honest, well-evidenced answers

This is the one suppliers most often underrate. Even with no certification at all, a carefully answered questionnaire can be entirely persuasive, as long as each response is backed by a real policy, record, or clear description of what you do. A buyer reading “Yes, all staff use MFA; our access policy is attached; we review access quarterly” is reassured by the substance, certificate or not. Evidence is what assurance ultimately rests on.

A certification is shorthand for trust. But trust can also be earned the long way round, with honest answers and real evidence, and that route is open to you today.

A word of caution: do not promise that any certification guarantees acceptance. These alternatives commonly satisfy UK buyers and demonstrate genuine diligence. But where a buyer truly mandates SOC 2 specifically, ask them directly whether an alternative is acceptable. Often it is.

How to answer honestly when you genuinely lack a control

When you genuinely do not have a control the questionnaire asks about, say so plainly, note what you are doing about it, and never overstate. An inaccurate answer can cost you far more than the gap itself.

Somewhere in the questionnaire you will hit a question where the honest answer is “we do not currently do this.” That is not a moment to bluff. It is a moment to be clear. For each genuine gap, choose the honest framing:

The reason this matters goes beyond etiquette. An inaccurate answer, claiming a control you do not have, can void a contract, trigger liability clauses, and destroy trust if the truth surfaces later. And it tends to surface, during an audit or after an incident. There is a real difference between saying you are secure and being secure. The first might win today’s deal, but only the second protects your business when something actually goes wrong or an insurer investigates a claim. A buyer almost always respects a candid “not yet, but here is our plan” over a confident answer that does not hold up. If a long questionnaire is genuinely putting a deal at risk, honesty plus a credible plan is what keeps the conversation alive.

Turning this questionnaire into a head-start for the next one

The work you do answering this questionnaire, gathering evidence, documenting controls, closing quick gaps, is reusable, so each future request starts from a far stronger position than this one.

Here is the good news hiding inside the stress. Everything you assemble to answer this questionnaire is an asset you keep: the password policy you finally write down, the access-review process you describe, the evidence your team completed training, the list of where your data lives. None of it has to be rebuilt next time. You can draft many of these documents in a single focused session. The operational habits behind them take longer, but only once.

A practical sequence to leave yourself better off:

  1. Write down what you already do. Turn the controls in your head into short, plain documents. This is the bulk of the value, and it moves quickly.
  2. Close the easy gaps. Where a missing control is a quick win, say a written backup process or a documented joiner/leaver routine, do it now and mark it done.
  3. Consider a recognised baseline. If buyers keep asking, working towards Cyber Essentials gives you a credible, reusable answer to many future questions at once.
  4. Keep the evidence in one place. A buyer-facing summary of your security posture, sometimes called a trust centre, turns repeated questionnaire pain into a link you can send.

Done this way, the questionnaire stops being a hurdle and becomes the moment your business genuinely levelled up. The next request, whether from a customer, an insurer, or a framework, starts from strength rather than dread.

The organising principle

A buyer asking for SOC 2 is really asking whether they can trust you with their data. You answer that with what you actually do, evidenced honestly, and where it helps, a recognised UK certification. The missing report is rarely the real obstacle. Scattered, undocumented security is.

SecurSentry is launching soon to help UK SMEs answer security questionnaires question by question. It maps each one to the controls your business actually needs, guides you as you close the gaps, and helps you draft honest, evidence-backed answers, so you become genuinely more secure as you respond. Join the waitlist to be first to know when we open.


This article is general information, not legal or compliance advice. If you have specific contractual, regulatory or certification obligations, please seek qualified professional guidance.

Frequently asked questions

Do I need SOC 2 to answer a security questionnaire?

No. SOC 2 is a US attestation report produced by an accredited examiner, not a prerequisite for completing a questionnaire. Many UK buyers do not require it at all, and those who ask about it will often accept a recognised alternative such as Cyber Essentials or honest, evidenced answers backed by your actual security practices.

What can I offer a customer instead of SOC 2 in the UK?

Common UK alternatives include Cyber Essentials (a government-backed certification covering five core technical controls) and IASME Cyber Assurance (a UK governance standard). Alongside or instead of a certification, clear and accurate answers supported by your real policies and records often address the same concern. No certification guarantees a specific buyer will accept it — but offering a recognised standard plus honest evidence is a strong, credible position.

What do I do if I genuinely lack a control the questionnaire asks about?

Say so plainly. Mark it as 'not yet in place' or 'in progress', and where you can, add what you are doing about it and a rough timeline. Buyers generally respect transparency far more than a vague or overstated answer. Never claim a control exists when it does not — inaccurate answers can void contracts and create liability.

Is SOC 2 the same as a UK certification?

No. SOC 2 is a report produced under American Institute of Certified Public Accountants (AICPA) standards — it is an attestation about your controls over an observation period, originating in the US. UK schemes such as Cyber Essentials and IASME Cyber Assurance are separate, UK-based certifications. They are not interchangeable, but they often answer the same underlying questions a buyer cares about.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.