For technology vendors, data privacy and security questionnaires are increasingly common. But they are also becoming longer, more complex, and more of a burden for the companies receiving them.
We’ve helped companies answer hundreds of security questions for their enterprise customers — sometimes as many as 400 in a single questionnaire. Here we will break down this topic for SaaS companies, starting with the basics in case this is the first one you’ve seen. If you’re looking for tips answering a questionnaire, jump down to the section “How to Respond to an InfoSec Questionnaire.”
Technology companies often receive, or send, written assessments to verify their company data is protected by businesses they work with.
In 2016, the number of data breaches increased by 40%. This caused more companies to be more concerned about security. A number of security breaches were also caused by smaller third-party vendors. Because of this, many more companies are now sending and receiving questionnaires to record they have done due diligence on their technology vendors. Assessing the security of third-party vendors is often required by their own cybersecurity programs, government regulations such as GDPR, industry-specific regulations like SOX and NIST, and also cybersecurity insurance providers.
Vendor questionnaires are among the security trends where we’ve seen an increase in recent years and they only get more intense as SMBs and startups in the supply chain are targeted by cybercriminals.
So they need to ensure that you are compliant and secure. These questionnaires are especially common in the software service industry. That means established software companies, as well as SaaS startups, need to be ready to respond. Your enterprise customers want to know what risks they are accepting.
These questionnaires are sent by clients or prospective customers to their technology vendors to evaluate security policies and procedures. They are used to probe the security program (or lack of one) and review the risks involved with using a company’s product or service.
If you want to see several security question examples, download our free ebook as a .pdf here: Why Cyber Security Questionnaires Are Making Or Breaking B2B Sales
The title, structure, and length of these surveys vary widely. You might see them called a few different names, like a “Third-Party Assessment Questionnaire.” Or called a “Vendor Cybersecurity Assessment.” It could be a .pdf titled “IT Security Questionnaire” and attached to an email. But they could send you to it as a link to an online form you need to fill out.
Depending on the company, these questionnaires may cover different topics including, web applications, privacy policies, IT infrastructure, or physical datacenter security.
These are some additional topics you may find in one of these security questionnaires:
If a prospective client or existing customer sent you a security survey like this, your IT department could get it first. Or it might be in the sales teams’ inbox. We’ve heard before how a team member opens a new questionnaire from a top client (or big prospect), only to panic when they face hundreds of questions about security.
Okay, so you have the questionnaire. What now?
Don’t panic. We’ve helped many vendors answer these security questionnaires. So. How do you tackle this? How much time do you need? What resources do you need to respond to?
Below we’ll cover these five topics:
Depending on the length and scope, you may need to plan time from multiple team members to prepare your responses. It can be difficult and challenging. But more and more companies using technology from third-party vendors are scrutinizing the security of products and services they use.
While it will take time to answer the questionnaire, it will often take longer to become compliant if the vendor questionnaire exposed gaps in your security program. You should plan not only to answer the questionnaire but also to launch company initiatives addressing any issues it reveals.
Before you try to answer anything, scan down the list of questions. How many questions are there? Does anything seem vague or need clarification? Do you know when they are expecting your response? Are there “not applicable” topics you can immediately identify?
If you can narrow down the number of questions and mark some with N/A right away, that will help you out. As a result, you might find some easy answers for topics that aren’t relevant to your product or service.
If you say N/A, they’ll likely want you to justify that and ask for further clarification.
If possible, your company should have completed a risk assessment before you even answer any vendor security questionnaires. This will help you understand the risks that may be involved for you as a vendor or your clients, setting the scope for what you need to answer in security questionnaires and what isn’t applicable.
Initially, you want to see if you can reduce the scope of the questionnaire. You may be able to identify specific areas that would affect your customer’s data, ruling out multiple questions.
Perhaps you don’t store data locally. Or there might be reasons that physical or network security doesn’t apply to this engagement. Then you may be able to answer “NO” or “N/A” and offer a logical reason that you don’t have this policy.
After weeding out any that are not applicable, you’ll need to turn your attention to the rest of the questions. If something seems vague, mark it and ask the customer for clarification.
While answering these questions, you’ll want to break them down. Let’s take this example security question that you might see as a vendor:
“Is there a Network Policy that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the policy?”
Yes (please attach the policy)
The question may look simple. But there are actually FIVE parts to this question:
If you don’t answer or don’t answer to their satisfaction, that can jeopardize your relationship with the customer or disqualify you from their list of software vendors. But breaking down a question into parts will help you to see which parts you have and identify any gaps.
You might be able to answer “YES” to everything. You might have comprehensive policies, procedures, a training program for employees, and a robust InfoSec program. If you are using an information security platform like Securicy, you’ll easily be able to report on your existing policies and demonstrate adherence to them. As well as map your security controls, which allows you to assess your own program against major frameworks like the CIS CSC and SOC 2.
But you may have to answer “NO” to items that you do not have covered. If you only have a handful of policies that don’t cover all these topics, you should look into updating your security policies.
If your company needs to upgrade a security program, you may be able to use policy templates or Securicy’s tools to generate and track your policies, implementation, and build your information security program.
You may be able to show a remediation plan which will bring your product or service up to your customers’ security standards within a set timeframe or by the time a new engagement starts.
This is especially important if you can’t reduce the scope of the questionnaire or complete a risk assessment ahead of time. Your remediation plan should show that you have a process to work through any gaps exposed by the questionnaire. This shows you are doing your due diligence and taking their concerns seriously.
You want to keep your customers in the loop about your security compliance. This open communication about how you plan on implementing security upgrades can go a long way to building trust. It also shows you are taking responsibility and moving in a positive direction.
You need to be honest about your level of security or you risk exposing yourself and business to serious consequences.
Don’t be dismissive. Take responsibility for any security gaps. And DON’T say any of these things that will set off alarm bells in the security team assessing you. If you are in the process of creating new policies and implementing security controls, ask the customer if you can complete the questionnaire after those new controls are in place.
Typically, you can’t reuse a security questionnaire. But that will depend on the customer. If it seems like it might be an option, you may want to ask first.
In most cases, they will have a customized questionnaire. If you offer the customer a generic, completed security questionnaire, you should expect that they will have additional follow-up questions. They may still ask you to answer the original questionnaire if it is a requirement of their own policies and procedures.
However, you should certainly keep any of your completed questionnaires on file. This will allow you to reference past answers and reuse the relevant parts for a new customer’s questionnaire. Companies will often find that answers change, so you will want to make sure you are offering the most updated information about any recent security upgrades.
Questionnaires will often have topics that overlap. Keep track of what security questions you’ve answered. You may even want to create a central repository of your responses to different questions about your policies and procedures for later.
Whether you can use a certification of compliance in place of a questionnaire will also depend on the customer and their questionnaire. Although holding a certification or proof of compliance will definitely show you are taking security procedures seriously.
However, they may still have questions that are not addressed by a certain framework or relate specifically to their business.
Compliance with a popular security framework will ultimately help you to answer the questionnaire. Many of the topics required for certification or compliance will be covered in the questionnaire, preparing you to address those sections.
If you have documentation about compliance with SOC 2, ISO27K, NIST, or CIS, that will give you an advantage while you respond to the questionnaire. These also provide outside support about your security measures. If you have a CIS report from a tool like Securicy, it is possible that they will even accept that in lieu of the questionnaire.
Some small businesses are most at home in Microsoft Word or spreadsheets. But with security policies and questionnaires becoming ever more complex, you’ll want to make sure your team looks at how you can optimize and streamline your processes.