post-img
Measuring/certifying security programs Risk management Measuring/certifying security programs Risk management

Security questionnaires 101: the basics

  • copy-link-icon

    Copy URL

  • linkedin-icon

Let’s talk about the dreaded security questionnaire — also known as a vendor assessment, third-party vendor assessment/questionnaire, or cloud security questionnaire. These are sent by your customers’ procurement departments and are used as part of their third-party vendor assessment program. They take time and effort to complete and are almost always placed in the lap of the CIO/CISO (or other IT lead), who has much more important things to do.

Are these questionnaires unique for each procurement department?

Yes. Unfortunately every procurement department has their own take on the security questions that they want to know the answers to. While the most popular are the SIG and SIG Lite, you may also see questionnaires come in a spreadsheet, or an online tool or portal.

Different organizations have different levels of third-party risk tolerance. As a result, some procurement departments may use the questionnaire as a check list item - they just want to see that their questionnaire has been completed. Others may look at the content for specific criteria that need to be in place in order to move your contract forward. In other organizations, an IT compliance team may perform a review of responses and ask probing follow-up questions about various responses. 

Questionnaires can range anywhere from 20 questions to upwards of 100 or more. The scope is intended to meet the needs of the product being purchased or service being delivered. For example, basic IT security questions will always be in scope, but if you handle private or confidential data, more questions may be asked. You may also be asked operational or information security governance type questions. 

Do I have to answer every question in the positive to win the deal?

Some questionnaires will ask for a yes-or-no or an exists-or-doesn't exist answer. Others will ask you to show that you have controls in process or partially in place. You don't have to answer everything in the positive to win a deal but it does help. 

How much detail should I provide? 

If your questionnaire requires explanations, you will want to provide enough information to succinctly answer the question, however you don't want to give too much away. Stick to the facts and be very truthful and succinct. If they want to know more about your response, they will ask. 

Typically, responding to questionnaires involves a team effort between sales and engineering, and the CTO (or head of engineering) is tasked with ensuring that the IT related answers are correct. The head of engineering has much more important things to do than to describe security controls over and over again. However, struggling through these should not be their role. Here is why...

The Strike Graph, time saving solution!

Like you, we have experienced the pain. This is why we built an AI to help us streamline the security questionnaire process and enable the head of engineering to delegate the completion of these down into operations. Our solution is based on Machine Learning Processing technology and utilizes your existing IT controls and associates these to answer each vendor assessment question. You send us the questions, and two business days later, we send you a Security Report that shows which controls satisfy each question. While we can’t answer each question directly in the spreadsheet or online tool, we do equip you with accurate responses. And save everyone time.

Keep up to date with Strike Graph.

The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.