What is a security questionnaire for?

Many more organizations are requiring potential vendors to complete a security questionnaire as part of a third-party risk assessment. These can sometimes include up to 400 questions – and often appear daunting at first. But don’t worry – this is actually good news. Your potential customer is verifying that you are adhering to industry best practices and regulatory requirements, in order to do business with you.

How to answer security questionnaires

The first step should be to create a process to answer this and future questionnaires in a timely fashion. This will save you time in future by reducing sales friction. Don’t worry if you cannot answer all the questions yourself. It’s very common to assemble a group of subject matter experts to help.

Typically, questionnaires have three choices for an answer – Yes, No or n/a, but you may also need to add a supporting explanation in certain circumstances. However, a common mistake here is over-sharing too much information that is not required. This is where it’s vital you understand what is important to the customer and in scope.

Some of the questions will take time to answer, and may involve some back and forth with the customer. This process may take several hours or weeks if you have to implement new security controls in your organization.

Common concerns:

  • It is OK to answer no to a question?
  • How much additional explanation should I include?
  • Do I need an NDA?
  • What is an answer library?
  • What are some tips for answering security questionnaires?
  • How can I get help if I’m not sure how to answer a question?

Product Security Group has put together a detailed guide to answer these concerns and help you get started answering your security questionnaire today.

Download for free now: Security Questionnaire Guide: Tips for Answering Third-Party Risk Assessments

 

“Security questionnaires are an increasingly common hurdle you need to overcome to win new business.  They require a thoughtful response to ensure you don’t make the process more difficult than it should be.”

Brian White - Product Security Group