How to Answer that Security Questionnaire: Five Tips & Guide
Perhaps you’ve received an email with a security questionnaire attached. Did your heart sink when you saw hundreds of rows in a spreadsheet, each populated with a different question regarding the security posture of your organization?
Yikes! What do you do with this inquiry? Why are they asking you all these questions? At PSG, we’ve fielded calls from many customers that have asked us these very questions – and they were all searching for a bit of guidance on how to approach the dreaded security questionnaire, as well as looking for answers to questions like, “What if we don’t have a physical security policy?”
Many companies are now required to vet all potential (and current) vendors as part of their third-party risk assessment program. And that means – as part of vetting your company – you’re going to be required to answer their questionnaire, so that your customer can show their customers or regulators that they have done their due diligence in vetting the security of their supply chain.
However daunting the spreadsheet looks, with a bit of planning and by finding the right people in your organization, you will be able to answer that questionnaire accurately and efficiently.
Five tips for answering that security questionnaire:
1. You do not have to have the answer today. Some of the questions will take time to answer, and may involve some back and forth with the customer. Recognize that this process may take several hours, or even weeks if you have to implement new security controls in your organization.
2. Do not over-share. Offer answers to the questions you are asked, and nothing more. Adding extra justification or sharing more documents than necessary can lead to more questions and more work. If you can answer “Yes” and supply any requested supporting documentation, you are done with that question.
3. Be cognizant of any exposed gaps in your security posture, and have an open dialogue with your customer about the necessary remediation steps.
4. Get answers from the right people. By engaging your subject-matter experts, you can ensure that you are answering the questions truthfully and accurately.
5. Understand what is important to the customer. They are simply concerned with the security of the product or service that they are purchasing.
Hopefully this TL;DR version can get you started. However, if you’d like a little more information, I have put together a detailed security questionnaire guide that walks you through how to approach this task step by step. Download it today, and feel free to get in touch if you need any further advice.