SecurSentry
Topic hub

Security questionnaires: a plain-English guide for UK small businesses

A security questionnaire is a list of questions a customer sends to check how you protect their data before they sign with you. This guide explains why you keep getting them, what they ask, and how to answer honestly without grinding your deal to a halt.

Updated June 2026 4 guides in this hub ≈ 28 min to read it all

The short version

What is a security questionnaire, and why do you keep getting them?

A security questionnaire is a list of questions a prospective customer sends to check how you handle and protect their data before they buy from you. It usually arrives by email as a spreadsheet, sometimes through a portal, and it asks in a hundred different ways one underlying question: if we hand you our information, will you look after it? For the full step-by-step on responding, read a prospect just sent you a security questionnaire, now what?

You keep getting them because most mid-size and enterprise buyers are required, by their own policies or their regulators, to assess every supplier that touches their data. So each new deal can set off its own questionnaire. The good news hiding in that is that the questions overlap heavily between buyers, which is why the work you do for one largely carries over to the next.

The timing is what makes them sting. The questionnaire tends to land late in the sales cycle, after the conversations have gone well and the price is agreed, just before anyone signs. That’s why a stalled response is quietly one of the most common reasons an SME pipeline slows down or disappears. We dig into that in why security questionnaires are killing deals.

What they actually ask, in plain English

However long or short the questionnaire, the questions cluster into the same handful of topics. Spot the topic and a scary-looking question gets a lot smaller. Our worked examples show real questions in each of these areas alongside an honest answer.

Some buyers send a standard format. The SIG (Standardised Information Gathering, from Shared Assessments) is a broad third-party risk set covering 21 risk domains grouped under four control areas. The CAIQ (Consensus Assessments Initiative Questionnaire, from the Cloud Security Alliance) is a yes/no set for cloud providers. Others write their own spreadsheet. They look different, but they ask the same underlying things — we explain each format here.

The one thing that makes every questionnaire easier

Here is the load-bearing point. Because the topics overlap so much, the same small set of facts about your business answers most questions across every format you will ever be sent. The reuse is in the underlying security work, not in copy-pasting last time’s replies. Put the real measures in place once, write them down in one place, and most answers write themselves honestly.

That also takes the pressure off the document you might not have. A missing SOC 2 report, for instance, is rarely the real blocker for a UK buyer. They are usually looking for evidence that you take security seriously, and a recognised UK certification plus honest, evidenced answers often satisfies the same concern. We cover that case in a customer sent you a questionnaire and you have no SOC 2.

Whatever you do, answer honestly. Mark a genuine gap as 'in progress' with a rough plan and a date rather than overstating what you have. Buyers respect transparency, and inaccurate answers can void contracts and create real liability if the truth comes out later, which it tends to during an audit or an incident.

Everything on security questionnaires

Every guide, in one place

Start wherever your question is. Each guide is a short, plain-English read, and they build on each other as you go.

A questionnaire is a prompt to do the work once

Most of what a buyer asks about is the everyday security work you would do anyway. Put it in place once and write it down, and the same evidence answers the next questionnaire and earns you a recognised certificate too. We're building SecurSentry around exactly that.

Frequently asked questions

What is a security questionnaire?

It is a set of questions a prospective customer sends to check how you handle and protect their data before they buy from you. It usually covers access control, encryption, backups, incident response and the suppliers you rely on. Bigger buyers send one as a standard part of their procurement and third-party risk process.

Why do I keep getting security questionnaires?

Most mid-size and enterprise buyers are required, by their own policies or their regulators, to assess every supplier that touches their data. So each new deal can trigger its own questionnaire. The questions overlap heavily between buyers, which is why the work you do for one largely carries over to the next.

How long does a security questionnaire take to answer?

It depends almost entirely on preparation, not company size. For an unprepared business, a detailed questionnaire can take days or weeks of hunting for information across tools, inboxes and people. A business with its security measures documented in one place can often turn the same questionnaire around in a few hours.

What is the difference between the SIG and the CAIQ?

Both are standardised questionnaire formats. The SIG (Standardised Information Gathering), from Shared Assessments, is a broad third-party risk set covering 21 risk domains grouped under four control areas, in shorter and fuller versions. The CAIQ (Consensus Assessments Initiative Questionnaire), from the Cloud Security Alliance, is a yes/no questionnaire for cloud providers that maps to the Cloud Controls Matrix. A buyer may send either, a custom spreadsheet, or their own shortened version.

Do I need a certification to answer a security questionnaire?

No. Plenty of suppliers answer honestly by describing the controls they actually have in place. A certification like Cyber Essentials can save you answering some questions and reassure the buyer, but it is not a precondition for completing the form truthfully. A questionnaire can itself be a useful prompt to start working towards certification.

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.