For technology vendors, data privacy and vendor security questionnaires are increasingly common. But they are also becoming longer, more complex, and more of a burden for the companies receiving them.
We’ve helped companies answer hundreds of security questions for their enterprise customers — sometimes as many as 400 in a single questionnaire. Here we will break down this topic for SaaS companies, starting with the basics in case this is the first one you’ve seen. If you’re looking for tips answering a questionnaire, jump down to the section “How to Respond to an InfoSec Questionnaire.”
Why You Got a Vendor Security Questionnaire
Technology companies often receive, or send, written assessments to verify their company data is protected by businesses they work with.
In 2016, the number of data breaches increased by 40%. This caused more companies to be more concerned about security. A number of security breaches were also caused by smaller third-party vendors. Because of this, many more companies are now sending and receiving questionnaires to record they have done due diligence on their technology vendors. Assessing the security of third-party vendors is often required by their own cybersecurity programs, government regulations such as GDPR, industry-specific regulations like SOX and NIST, and also cybersecurity insurance providers.
Vendor questionnaires are among the security trends where we’ve seen an increase in recent years and they only get more intense as SMBs and startups in the supply chain are targeted by cybercriminals.
So they need to ensure that you are compliant and secure. These questionnaires are especially common in the software service industry. That means established software companies, as well as SaaS startups, need to be ready to respond. Your enterprise customers want to know what risks they are accepting.
What is a Security Assessment Questionnaire for Vendors
These questionnaires are sent by clients or prospective customers to their technology vendors to evaluate security policies and procedures. They are used to probe the security program (or lack of one) and review the risks involved with using a company’s product or service.
Download our free Vendor Security Questionnaire Guide, a comprehensive .pdf ebook with examples of common security questions.
The title, structure, and length of these surveys vary widely. You might see them called a few different names, like a “Third-Party Assessment Questionnaire.” Or called a “Vendor Cybersecurity Assessment.” It could be a .pdf titled “IT Security Questionnaire” and attached to an email. But they could send you to it as a link to an online form you need to fill out.
Depending on the company, these questionnaires may cover different topics including, web applications, privacy policies, IT infrastructure, or physical datacenter security.
These are some additional topics you may find in one of these vendor security questionnaires:
- List of cybersecurity policies
- Organizational security
- Physical security
- Communication operations and management
- Incident response and management
- Security by design
- Access control
If a prospective client or existing customer sent you a security survey like this, your IT department could get it first. Or it might be in the sales teams’ inbox. We’ve heard before how a team member opens a new questionnaire from a top client (or big prospect), only to panic when they face hundreds of questions about security.
How to Respond to an InfoSec Questionnaire
Okay, so you have the questionnaire. What now?
Don’t panic. We’ve helped many vendors answer these vendor security questionnaires. So. How do you tackle this? How much time do you need? What resources do you need to respond to?
Below we’ll cover these five topics:
- What should you do first?
- What should you do if your company lacks certain security controls?
- Can you fill out a security questionnaire and reuse that for other customers?
- Can you use certification or compliance with a known framework in place of answering a security questionnaire?
- What tips and advice can prepare you for future questionnaires?
Depending on the length and scope, you may need to plan time from multiple team members to prepare your responses. It can be difficult and challenging. But more and more companies using technology from third-party vendors are scrutinizing the security of products and services they use.
While it will take time to answer the questionnaire, it will often take longer to become compliant if the vendor questionnaire exposed gaps in your security program. You should plan not only to answer the questionnaire but also to launch company initiatives addressing any issues it reveals.
1. First, Break Down the Questionnaire (And Then the Questions)
Before you try to answer anything, scan down the list of questions. How many questions are there? Does anything seem vague or need clarification? Do you know when they are expecting your response? Are there “not applicable” topics you can immediately identify?
If you can narrow down the number of questions and mark some with N/A right away, that will help you out. As a result, you might find some easy answers for topics that aren’t relevant to your product or service.
If you say N/A, they’ll likely want you to justify that and ask for further clarification.
Reference Your Risk Assessment
If possible, your company should have completed a risk assessment before you even answer any vendor security questionnaires. This will help you understand the risks that may be involved for you as a vendor or your clients, setting the scope for what you need to answer in security questionnaires and what isn’t applicable.
Initially, you want to see if you can reduce the scope of the questionnaire. You may be able to identify specific areas that would affect your customer’s data, ruling out multiple questions.
Perhaps you don’t store data locally. Or there might be reasons that physical or network security doesn’t apply to this engagement. Then you may be able to answer “NO” or “N/A” and offer a logical reason that you don’t have this policy.
Clarify the Questions
After weeding out any that are not applicable, you’ll need to turn your attention to the rest of the questions. If something seems vague, mark it and ask the customer for clarification.
While answering these questions, you’ll want to break them down. Let’s take this example security question that you might see as a vendor:
“Is there a Network Policy that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the policy?”
Yes (please attach the policy)
The question may look simple. But there are actually FIVE parts to this question:
- Is there a policy?
- Was it approved by management?
- Was is communicated to your staff?
- Who is responsible for maintaining and reviewing the policy?
- Can they see a copy of this policy?
If you don’t answer or don’t answer to their satisfaction, that can jeopardize your relationship with the customer or disqualify you from their list of software vendors. But breaking down a question into parts will help you to see which parts you have and identify any gaps.
2. What To Do If Your Company Lacks Specific Security Controls
You might be able to answer “YES” to everything. You might have comprehensive policies, procedures, a training program for employees, and a robust InfoSec program. If you are using an information security platform like Carbide, you’ll easily be able to report on your existing policies and demonstrate adherence to them. As well as map your security controls, which allows you to assess your own program against major frameworks like the CIS CSC and SOC 2.
But you may have to answer “NO” to items that you do not have covered. If you only have a handful of policies that don’t cover all these topics, you should look into updating your security policies.
If your company needs to upgrade a security program, you may be able to use policy templates or Carbide’s tools to generate and track your policies, implement, and build your information security program.
Security Remediation Plans
You may be able to show a remediation plan which will bring your product or service up to your customers’ security standards within a set timeframe or by the time a new engagement starts.
This is especially important if you can’t reduce the scope of the questionnaire or complete a risk assessment ahead of time. Your remediation plan should show that you have a process to work through any gaps exposed by the questionnaire. This shows you are doing your due diligence and taking their concerns seriously.
You want to keep your customers in the loop about your security compliance. This open communication about how you plan on implementing security upgrades can go a long way to building trust. It also shows you are taking responsibility and moving in a positive direction.
You need to be honest about your level of security or you risk exposing yourself and business to serious consequences.
Don’t be dismissive. Take responsibility for any security gaps. And DON’T say any of these things that will set off alarm bells in the security team assessing you. If you are in the process of creating new policies and implementing security controls, ask the customer if you can complete the questionnaire after those new controls are in place.
3. How to Recycle Answers from Security Questionnaires
Typically, you can’t reuse a security questionnaire. But that will depend on the customer. If it seems like it might be an option, you may want to ask first.
In most cases, they will have a customized questionnaire. If you offer the customer a generic, completed security questionnaire, you should expect that they will have additional follow-up questions. They may still ask you to answer the original questionnaire if it is a requirement of their own policies and procedures.
However, you should certainly keep any of your completed questionnaires on file. This will allow you to reference past answers and reuse the relevant parts for a new customer’s questionnaire. Companies will often find that answers change, so you will want to make sure you are offering the most updated information about any recent security upgrades.
Questionnaires will often have topics that overlap. Keep track of what security questions you’ve answered. You may even want to create a central repository of your responses to different questions about your policies and procedures for later.
4. How Certification or Compliance with a Known Framework Helps with Security Questionnaires
Whether you can use a certification of compliance in place of a questionnaire will also depend on the customer and their questionnaire. Although holding a certification or proof of compliance will definitely show you are taking security procedures seriously.
However, they may still have questions that are not addressed by a certain framework or relate specifically to their business.
Compliance with a popular security framework will ultimately help you to answer the questionnaire. Many of the topics required for certification or compliance will be covered in the questionnaire, preparing you to address those sections.
If you have documentation about compliance with SOC 2, ISO 27001, NIST 800 171, or CIS, that will give you an advantage while you respond to the questionnaire. These also provide outside support for your security measures. If you have a CIS report from a tool like Carbide, it is possible that they will even accept that in lieu of the questionnaire.
5. Tips and Advice To Prepare For Future Questionnaires
- Keep it simple. If the question is straightforward and can be answered in a single sentence or a short paragraph, do that.
- Only provide the information required by the question. If the customer doesn’t ask, don’t overload them with information. More information can also create issues during the review process. The customer is responsible for asking for more details if they need them.
- Be self-aware of both your strengths and weaknesses. Don’t lie. Don’t overstate your security controls. And don’t give them excessive justifications or excuses for why you lack specific security controls.
- Involve the right people. Assign people from your team who know the answers to these questions. In some cases, this means taking time from a lead engineer or even a CTO. If you need to, divide the questions and spread the responsibility across several people.
- Take your time. It might take 8 hours. It might take 20 hours. We’ve heard stories about questionnaires that take days to complete. Or drag out for weeks while a vendor and customer go back and forth clarifying questions. You want to get it right, so don’t rush it.
- Keep the lines of communication open. Confirm you received the questionnaire. Share security documentation you have, such as reports from Carbide on your InfoSec program. Request more time to complete it if you sense it will be challenging for your team. Ask for clarification. And also look for outside resources to address lacking policies or increase your security compliance.
Conclusion: Prepare for Vendor Security Questionnaires and Streamline Your Process
Some small businesses are most at home in Microsoft Word or spreadsheets. But with security policies and questionnaires becoming ever more complex, you’ll want to make sure your team looks at how you can optimize and streamline your processes.