10 Best Practices for Answering Security Questionnaires

Aaron Lumnah

12 Nov 2021

You’ve been sent a security questionnaire to complete as part of a sales process. We bet you’re jumping with joy! No? Don’t fret — nobody enjoys answering them. We mean nobody. Including ourselves.

We’d love to help. Here are 10 things to keep in mind when completing security questionnaires. Our goal is to see you breeze through them without endless back-and-forth with your customers slowing down your sales process.

    1. Be Truthful: Use content directly from your security and compliance program
      The best way to answer a question is to share information directly from your security and compliance program (if you have one, and you should). Point to the control and/or policy document that describes how you do something. Avoid writing custom, one-off answers: it is hard to keep track of the nuances of each bespoke answer, and a customer may ask you about it down the line.

      If you don’t have a control or policy in place but it is on your roadmap, say so, along with an approximate timeline for when you will adopt it. Always expect the customer to ask for proof, so never give an answer you cannot back up with evidence.

    2. Be Concise: Answer the specific question
      Answer every question honestly and directly, and answer the specific question that was asked. There is no need to provide more information than was requested. Be direct, and use the active voice.
    3. Pay Attention to the Instructions: Provide all materials requested
      Some questions require brief, direct answers; some are multiple-choice; others require detailed explanations of the controls and procedures you have in place. Whatever the format, it is your responsibility to provide everything that is asked for.

      Assume that compliance and risk teams will review every response with a fine-tooth comb, and aim for as complete a response as possible. The more complete the response, the fewer follow-ups you will get; the sooner the risk assessment is complete, the sooner the deal can close. But stay concise (see best practice #2)!

    4. Pay Attention to ‘gotcha’ Questions: Don’t get tripped up
      Sometimes the same question is asked in different ways, multiple times, and deliberately: the reviewer wants to see consistency across your answers. Be aware that you are being tested, and take time to understand the intent behind each question before you start drafting answers. Two answers that contradict each other are exactly what the reviewer is looking for, and they invite further scrutiny.
    5. Build out accurate artifacts to support your answers
      In addition to the controls and policies in your compliance program, security questionnaires often ask for additional artifacts. Having them ready and sharing them with your answers adds credibility. Some examples include:
      • Annual SOC 2 Type 1 or Type 2 reports, ISO 27001 audit reports, third-party HIPAA compliance assessments, etc., which state an auditor’s opinion of your security and compliance program
      • An application and network penetration testing report, produced at least yearly (quarterly is ideal)
      • A data and network architecture diagram
      • A list of your products and services and their capabilities
      • A list of your subprocessors, with the purpose and location of each (along with the controls governing them)
      • An FAQ on your organization’s internal security practices, summarizing your commitment to security and the actions you take to implement controls at your organization
      • A policy packet, including (but not limited to) the encryption policy, acceptable use policy, privacy policy, breach notification policy, incident response plan, disaster recovery plan, information security policy, risk management policy, access control policy, physical security policy and vulnerability management policy
      • A list of your organization’s security and compliance leadership team
      • A list of the security tools you use to protect your product and business
    6. Assign Answers to Subject Matter Experts (SMEs) in your organization: Don’t Guess
      If you’re not sure how to answer a particular question, find the SME on the team and ask them to draft the answer for you to review. As an added bonus, the more people you involve in the process, the faster you will finish the questionnaire.
    7. Reuse past answers: But ensure they are still truthful
      If you’ve had the pleasure of answering multiple security questionnaires, you’ve probably built up a bank of answers you can select from. If you’re using a tool to track and answer security questionnaires (*clears throat* Respond), that tool is likely keeping track of all of your answers. Either way, as long as the answers are still truthful, you can reuse them, save yourself the effort of drafting from scratch, and get through the questionnaire quickly. Re-check each reused answer against your current controls before you send it: a control that was in place when you last answered may have changed since.

      Are you starting to notice a trend here?

    8. Share your completed questionnaire in a secure manner
      A completed security questionnaire usually contains highly sensitive information about how you run your business and product operations. Sending your responses over email is not secure, and if your answers claim a strong security posture, emailing them undermines that claim. The best way to send the completed questionnaire (along with all attachments) is to invite the customer into a secure portal or shared drive restricted to the named reviewers, ask them to download it (which also lets you track who downloaded it and when), and then shut off access to the documents.
    9. Track the Commitments You’ve Made to Customers: Don’t Get in trouble when customers audit you
      Unless you’ve got a photographic memory, you will need a tool to track the commitments you have made to customers in your questionnaire responses. If a customer later audits you on the controls and policies you shared with them, or on the security and compliance items you said were on your roadmap, you will need to show that you are honoring those commitments.
    10. Do it quickly – don’t slow down your sales process
      The drudgery of answering security questionnaires makes you want to put them off. You always have other things to do in your day job, and you will often prioritize those over completing the questionnaire. Use a tool or process that distributes the questionnaire across your team, or that otherwise lets you make quick progress toward completing it accurately and efficiently. The last thing you want is to let your sales team down and add risk to an opportunity.

Answering security questionnaires doesn’t have to be a painful experience. We disliked the process so much that we built a product that auto-generates answers to security questionnaires in seconds. We call it – TrustShare.


How did we do it?
Oh, we just used a little bit of machine learning (ML) and some natural language processing (NLP). No biggie.

Here’s what our customers have had to say…
“Answering vendor security and risk assessment questionnaires is a required step in most enterprise sales processes. It can take weeks for our team to complete questionnaires correctly, especially because we’ve made a commitment to be transparent with customers and show them that we take security and compliance seriously,” said Mick England, Data Protection Officer at Robin, a workplace platform to manage hybrid work. “TrustCloud’s TrustShare application helps us accurately answer security questionnaires within 1-2 days. We love how easy it is, and the fact that my team doesn’t have to manually set up or maintain a knowledge library of answers anymore is a huge plus.”

Interested in exploring how Respond can help you? Schedule a meeting here.