How to Respond to a Customer Security Questionnaire
A vendor security questionnaire is a buyer's way of vetting your security before they trust you with their data. You answer it fastest, and most credibly, by assembling the policies and evidence you already have and answering every question honestly.
What a vendor security questionnaire is — and why you got one
A customer or prospect just sent you a long list of security questions because, before they let your company touch their data or plug into their systems, their procurement, security, or legal team has to assess the risk you represent. This is third-party (vendor) risk management, and questionnaires are its most common tool. If their data flows through you, your weaknesses become their weaknesses — so they ask before they sign.
You will usually see one of three formats. The SIG (Standardized Information Gathering questionnaire), maintained by Shared Assessments, is a large standardized question bank that comes in fuller and lighter tiers. The CAIQ (Consensus Assessments Initiative Questionnaire), from the Cloud Security Alliance, is geared toward cloud and SaaS providers. The third is a custom spreadsheet a company built itself, which can range from a dozen questions to several hundred. Receiving one is not a red flag about you — it is a routine, healthy step in a B2B sale, especially when you are selling into a larger or regulated buyer.
What these questionnaires typically ask
However it is branded, a security questionnaire tends to circle the same core areas. Knowing them in advance lets you prepare once and reuse your answers.
Expect questions on: written security policies and how often they are reviewed; access control and identity (least privilege, multi-factor authentication, joiner-mover-leaver processes); encryption of data in transit and at rest; incident response (do you have a plan, and how fast do you notify affected customers); business continuity and disaster recovery; data handling and retention (where data lives, how it is classified, how it is destroyed); subprocessors and fourth parties (the vendors you in turn rely on); employee security awareness training and background checks; secure development practices; and physical security.
Nearly every questionnaire also asks the headline question: do you hold a SOC 2 report or ISO/IEC 27001 certification? For many buyers that single line carries the most weight, because an independent attestation or certification is shorthand for "someone qualified already checked." We will come back to what to do if your honest answer is "not yet."
How to respond efficiently — and honestly
The fastest credible response is an assembly job, not a writing job. Pull together the documentation you already have — your information security policy, access control policy, incident response plan, data retention and disposal policy, your subprocessor list — and answer each question from what those documents and your actual practices say. When several questions map to one policy you have already written, the answers almost write themselves.
The non-negotiable rule is honesty. Never claim a control you do not actually operate. If you do not yet have a formal incident response plan, say so and describe what you do today; do not check "Yes" because it looks better. Questionnaire responses are often warranted in the contract that follows, so an inflated answer can become a breach of that contract — and the gap surfaces the moment something goes wrong. Where a control is partial or in progress, say exactly that: "Policy documented; rollout underway, target Q3." Buyers respect a precise, qualified answer far more than a flawless-looking one that collapses under a follow-up question. Attach evidence where you can — a policy excerpt, a recent penetration-test summary, a short security overview — so reviewers can verify rather than take your word for it.
When the real ask is "Do you have SOC 2 or ISO 27001?" and you don't yet
This is the question most likely to tempt an overclaim, so handle it plainly. If you do not yet hold a SOC 2 report or ISO 27001 certification, the right answer is the true one: "Not yet — here is where we are." Then give the buyer something concrete to evaluate.
State your real status and a realistic timeline ("We are in our SOC 2 readiness phase, targeting a Type I report this year, with a Type II observation period to follow"). A Type I report covers the design of your controls at a point in time; a Type II report covers how they operated over a period, typically three to twelve months. Share the security documentation you do have now — your policy set, the completed questionnaire itself, and any supporting artifacts such as a penetration-test summary or a security whitepaper. Many deals proceed on a documented, honest security posture plus a credible roadmap, sometimes with a contractual commitment to obtain the report by a certain date.
What documentation cannot do is substitute for the report. A SOC 2 report is issued by a licensed CPA firm after it examines your live controls; ISO 27001 certification is issued by an accredited body after auditing a working management system. No template, toolkit, or completed questionnaire makes you certified or attested. What such documentation does do is help you answer credibly today and give you a head start on the readiness work an audit later requires.
How a documented policy set makes every future questionnaire faster
The first questionnaire is painful largely because you are writing your security program and answering the questionnaire at the same time. Once your policies and procedures exist in a maintained set, that work is mostly done. Future questionnaires become a mapping exercise: this question points to that policy, this one to your access control standard, this one to your incident response plan. What took a frantic week starts taking an afternoon.
A documented policy set also keeps your answers consistent across buyers, which matters when two customers compare notes or when the same reviewer sees you twice. And it is the same foundation a SOC 2 or ISO 27001 effort starts from, so the readiness work you do for questionnaires is not throwaway — it compounds.
This is the same honesty principle viewed from the supply side. A questionnaire is not an audit, and documentation is not a certification; what good documentation buys you is the ability to answer accurately and quickly. If you are building that foundation from scratch, an editable policy toolkit — covering the access control, incident response, data handling, and continuity questions reviewers ask most — gives you a structured starting point you tailor to how your organization actually works, then keep current as your program matures.
Frequently asked questions
- What is the difference between a SIG and a CAIQ?
- Both are standardized vendor security questionnaires. The SIG (Standardized Information Gathering questionnaire) is maintained by Shared Assessments and is a broad question bank offered in fuller and lighter tiers across many industries. The CAIQ (Consensus Assessments Initiative Questionnaire) comes from the Cloud Security Alliance and is focused on cloud and SaaS providers. Many companies skip both and send a custom spreadsheet instead. The underlying topics — policies, access control, encryption, incident response, continuity, data handling, subprocessors — overlap heavily, so answers you prepare for one largely carry over to the others.
- Do I have to answer every question on the questionnaire?
- Answer everything you can, accurately. Where a question genuinely does not apply to your business, mark it Not Applicable and add a one-line reason rather than leaving it blank — blanks read as evasion. Where you do not operate a control, say so honestly rather than guessing or inflating. A precise, qualified answer ("in progress, target date X") is far better received than an unsupported "Yes" that fails under a follow-up question.
- Can I answer a security questionnaire if I don't have SOC 2 or ISO 27001 yet?
- Yes, and many vendors do. State your status truthfully, share the security policies and evidence you do have, and offer a realistic readiness timeline — buyers frequently proceed on a documented posture plus a credible roadmap. Be clear that you are not claiming an attestation or certification: a SOC 2 report comes only from a licensed CPA firm, and ISO 27001 certification only from an accredited body, after each audits your live program.
- Will a policy toolkit make us SOC 2 compliant or certified?
- No. A toolkit or any document set cannot make an organization compliant, certified, or attested. SOC 2 is an independent CPA firm's attestation and ISO 27001 is an accredited body's certification, each issued after auditing the controls you actually operate. What strong documentation does is give you accurate, consistent answers for security questionnaires now and a head start on the readiness work an audit later requires.
- Is filling out a vendor security questionnaire the same as passing an audit?
- No. A questionnaire is a self-reported assessment the buyer uses to gauge risk; an audit is an independent examiner verifying your controls against a standard and issuing a report or certificate. Documentation helps you answer a questionnaire credibly, but it is not a certification, and your answers are typically taken on trust (and sometimes warranted in the contract), which is exactly why every answer must be honest.