A security questionnaire is a list of questions a customer sends to check how you protect their data before they sign with you. This guide explains why you keep getting them, what they ask, and how to answer honestly without grinding your deal to a halt.
A security questionnaire is a list of questions a prospective customer sends to check how you handle and protect their data before they buy from you. It usually arrives by email as a spreadsheet, sometimes through a portal, and it asks in a hundred different ways one underlying question: if we hand you our information, will you look after it? For the full step-by-step on responding, read a prospect just sent you a security questionnaire, now what?
You keep getting them because most mid-size and enterprise buyers are required, by their own policies or their regulators, to assess every supplier that touches their data. So each new deal can set off its own questionnaire. The good news hiding in that is that the questions overlap heavily between buyers, which is why the work you do for one largely carries over to the next.
The timing is what makes them sting. The questionnaire tends to land late in the sales cycle, after the conversations have gone well and the price is agreed, just before anyone signs. That’s why a stalled response is quietly one of the most common reasons an SME pipeline slows down or disappears. We dig into that in why security questionnaires are killing deals.
However long or short the questionnaire, the questions cluster into the same handful of topics. Spot the topic and a scary-looking question gets a lot smaller. Our worked examples show real questions in each of these areas alongside an honest answer.
Some buyers send a standard format. The SIG (Standardised Information Gathering, from Shared Assessments) is a broad third-party risk set covering 21 risk domains grouped under four control areas. The CAIQ (Consensus Assessments Initiative Questionnaire, from the Cloud Security Alliance) is a yes/no set for cloud providers. Others write their own spreadsheet. They look different, but they ask the same underlying things — we explain each format here.
Here is the load-bearing point. Because the topics overlap so much, the same small set of facts about your business answers most questions across every format you will ever be sent. The reuse is in the underlying security work, not in copy-pasting last time’s replies. Put the real measures in place once, write them down in one place, and most answers write themselves honestly.
That also takes the pressure off the document you might not have. A missing SOC 2 report, for instance, is rarely the real blocker for a UK buyer. They are usually looking for evidence that you take security seriously, and a recognised UK certification plus honest, evidenced answers often satisfies the same concern. We cover that case in a customer sent you a questionnaire and you have no SOC 2.
Whatever you do, answer honestly. Mark a genuine gap as 'in progress' with a rough plan and a date rather than overstating what you have. Buyers respect transparency, and inaccurate answers can void contracts and create real liability if the truth comes out later, which it tends to during an audit or an incident.
Start wherever your question is. Each guide is a short, plain-English read, and they build on each other as you go.
Understand the ask
Answer with confidence
The step-by-step on responding well: read it through first, prioritise, and answer honestly without guessing.
The three ways a questionnaire quietly loses a deal, and what a prepared business does differently to keep the sale moving.
Most of what a buyer asks about is the everyday security work you would do anyway. Put it in place once and write it down, and the same evidence answers the next questionnaire and earns you a recognised certificate too. We're building SecurSentry around exactly that.
It is a set of questions a prospective customer sends to check how you handle and protect their data before they buy from you. It usually covers access control, encryption, backups, incident response and the suppliers you rely on. Bigger buyers send one as a standard part of their procurement and third-party risk process.
Most mid-size and enterprise buyers are required, by their own policies or their regulators, to assess every supplier that touches their data. So each new deal can trigger its own questionnaire. The questions overlap heavily between buyers, which is why the work you do for one largely carries over to the next.
It depends almost entirely on preparation, not company size. For an unprepared business, a detailed questionnaire can take days or weeks of hunting for information across tools, inboxes and people. A business with its security measures documented in one place can often turn the same questionnaire around in a few hours.
Both are standardised questionnaire formats. The SIG (Standardised Information Gathering), from Shared Assessments, is a broad third-party risk set covering 21 risk domains grouped under four control areas, in shorter and fuller versions. The CAIQ (Consensus Assessments Initiative Questionnaire), from the Cloud Security Alliance, is a yes/no questionnaire for cloud providers that maps to the Cloud Controls Matrix. A buyer may send either, a custom spreadsheet, or their own shortened version.
No. Plenty of suppliers answer honestly by describing the controls they actually have in place. A certification like Cyber Essentials can save you answering some questions and reassure the buyer, but it is not a precondition for completing the form truthfully. A questionnaire can itself be a useful prompt to start working towards certification.