How to Survive Your First Security Questionnaire

Index

• Why You're Being Asked This
• The Format (and How to Handle It)
• What You Need to Cover
• What You Can Safely Postpone
• What You Should Not Ignore
• When to Bring in Help

Why You're Being Asked This

You're being invited to a procurement portal, asked to fill in a spreadsheet, or both. The company you're selling to needs to prove you're not going to be the reason they end up on the news. Either they handle sensitive data, serve regulated industries, or one of their clients does. You're in their supply chain now.

This is risk mitigation. It's standard for any B2B product handling data, infrastructure, or user identities.

The Format (and How to Handle It)

Most security questionnaires arrive in one of these forms:

• An Excel spreadsheet with 100–300 rows of questions
• A shared Google Sheet with evidence required in extra columns
• A portal (OneTrust, Vanta, Drata, etc.) with long checklists and an upload button for evidence

Your answers should be short, honest, and repeatable. Use existing policies or evidence where possible. Don’t invent processes you don’t have. They’ll know.

What You Need to Cover

Expect to be asked about the following areas:

• Access control – who gets access to what, and how it’s revoked?
• Encryption – is data encrypted at rest and in transit?
• Authentication – MFA, password policy, identity management?
• Vendor management – do you evaluate your own suppliers?
• Incident response – what happens if you get breached?
• Data backups – where are they, how often, how are they tested?
• Security awareness – are employees trained, or at least warned?
• Change management – how you deploy and test changes?
• Vulnerability management – do you patch software and track CVEs?

These topics map to common standards like ISO 27001, SOC 2, and NIST 800-53, but most clients just want to see you take things seriously and be able to prove it if needed.

What You Can Safely Postpone

Not everything needs to be implemented immediately. You can usually delay:

• Formal audit certifications (SOC 2, ISO, etc.)
• Physical security policies (unless you manage a datacenter)
• Formal employee security training programs (if you're <10 people)
• Advanced risk management plans (tiered based on risk appetite)

As long as you can show good intent and a roadmap, you're still in the game.

What You Should Not Ignore

Some things will kill the deal or delay it indefinitely:

• No MFA on infrastructure or admin systems
• No encryption of production data
• No backups or recovery testing
• Inability to name your subprocessors or hosting locations
• Completely missing documentation on access controls

These are basics. They will be deal blockers if you're aiming to work with any serious client.

When to Bring in Help

If your deal is large, time sensitive, or you’re being asked for evidence you don’t have, don’t waste cycles guessing. Get a specialist to either:

• Prepare the right documents
• Review or complete your answers
• Implement missing controls fast enough to close the deal