Security Questionnaires Explained: How to Respond to the Most Common Questions

Satya Moutairou

27 Jan 2023

What is a Security Questionnaire?

Security questionnaires are a set of questions used to assess the security posture of an organization, usually to determine if one company can trust another and work together. These questions are designed to identify and evaluate potential vulnerabilities, as well as to ensure compliance with industry standards and regulations. 

Using TrustShare, our AI-powered security questionnaire automation tool, we were able to comb through our database to find the questions most commonly asked by Fortune 500 companies, like Google, Amazon, 3M, Visa, and Verizon.

Read on for guidance from our compliance experts, who weighed in on how to answer.

Category: Policy Management

Question: Are your information security policies and procedures made available to all impacted personnel and business partners, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)?

What they’re asking: 

  • How often are policies reviewed/updated?
  • How are policies shared?

Guidance on how to answer: Best practice is a formal review of every policy at least annually, with the owner, version, and approval date recorded so you can show an assessor that the review happened. Policies also change between reviews as the business and its operations change, so they should describe what the company actually does today. If a process changes, update the policy (and re-communicate it) at that point rather than waiting for the next annual cycle.

Additionally, for policies to be relevant they have to reach the people they apply to. Publish them where every employee and affected partner can find them, cover them in onboarding and recurring training, and collect acknowledgements at onboarding and after each material revision; the acknowledgement records are the evidence assessors usually ask for.

Here are some more helpful materials for Policy Reviews and Policy Communications.

Category: Security Incident Management Plan

Question: Is a security incident response plan that includes relevant internal departments, impacted CSCs, and other business-critical relationships (such as supply-chain) established, documented, approved, communicated, applied, evaluated, and maintained?

What they’re asking:

  • How do you define an incident?
  • How did you implement an incident response plan?
  • How did you communicate the plan?
  • How have you tested the plan?

Guidance on how to answer: Incident Management is a critical part of building security posture. It is first important to define what an “incident” is. Most companies tend to say that they don’t have incidents, and that’s usually only because their definition of “incident” is limited.

Taking the thoughtful approach is key – specifically defining what an incident is, and going over all the various ways in which it can manifest itself, is pivotal for a strong plan. 

The plan itself should define who is responsible for detecting, triaging, analyzing, containing and remediating an incident, how those people are reached outside business hours, and who is informed along the way, including the internal departments, affected customers and suppliers the question names.

Timeframes need to be concrete as well: how quickly an incident must be acknowledged, how soon affected parties are notified, and what the targets are for containment and remediation. If something happens, the company should already know when each of those steps is expected to occur rather than deciding in the moment.

Lastly, the plan should be tested on a schedule (a tabletop exercise is the usual minimum), whether or not a real incident has occurred, and updated with what each test and each real incident taught you.

Here are some more helpful materials for Incident Response Plans, and Incident Response Testing.

Category: Pen Testing

Question: Are processes, procedures, and technical measures defined, implemented, and evaluated for periodic, independent, third-party penetration testing?

What they’re asking: 

  • What is the difference between pen testing and internal vulnerability scanning?
  • How often should pen testing be done and who should do it?
  • What type of pen testing should we do?

Guidance on how to answer: Vulnerability scanning and penetration testing answer different questions. A vulnerability scan is an automated check, usually run by your own team on a recurring schedule, that compares software versions and configurations against a database of known weaknesses. A penetration test is a time-boxed, human-driven attempt to actually exploit your systems, chain weaknesses together, and reach the data or privileges an attacker would want. Because its value is the outside view, assessors expect it to be performed by an independent third party, which is what this question is checking for.

No single frequency or test type is mandated across frameworks (black-box, grey-box and white-box engagements are all acceptable; the difference is how much the tester is told in advance), but the common baseline is at least once a year and again after significant changes to the application or infrastructure. Whatever the cadence, be ready to show the report, a tracked list of findings with severities, and evidence that each one was remediated or formally risk-accepted within a defined timeframe; tracking and timely remediation is what most compliance frameworks actually require.

Here are some more helpful materials for Pen Testing: Best Practices and Pen Testing Types.

Category: Disaster Recovery Plan

Question: Are criteria for developing business continuity and operational resiliency strategies and capabilities established based on business disruption and risk impacts?

What they’re asking:

  • How to build a disaster recovery plan and what should it include?
  • How often do you test it?

Guidance on how to answer: Disaster Recovery should ultimately address the question, “Are we prepared to bounce back from an unexpected event?”

Whether the event is a data breach or a tsunami, building a plan starts with an inventory of your systems and their dependencies, identifying the ones the business cannot operate without, and setting for each a recovery time objective (how long it may be down) and a recovery point objective (how much data you can afford to lose). Those targets drive the backup, failover and restoration procedures the plan documents.

The plan should be tested at least once a year, if not more.

Here are some more helpful materials for Disaster Recovery Plan Best Practices.


Category: Key Management

Question: Are processes, procedures, and technical measures to monitor, review and approve key transitions (e.g., from any state to/from suspension) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?

What they’re asking:

  • What’s the key management process in place?

Guidance on how to answer: Encryption is only as strong as the handling of its keys. The answer should walk through the key lifecycle: how keys are generated, where they are stored (ideally an HSM or cloud key management service so key material is never exposed to application code), who can use them, how and when they are rotated, and how they are suspended, revoked and destroyed. The question specifically asks how state changes such as suspending or reactivating a key are monitored and approved, so describe who may request a change, who must approve it, and where the audit trail lives. Using a cloud provider does not remove this from your plate: the provider protects the key material and the hardware, but access policies, rotation schedules, approval of disable/destroy operations and review of the key-usage logs remain the customer's responsibility under the shared responsibility model.
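The approval and audit requirement in the question is easier to explain when you can show the control rather than describe it. The following is an added example, not code from the original post or from TrustShare: a small key registry that models key states on the NIST SP 800-57 lifecycle (pre-activation, active, suspended, deactivated, compromised, destroyed), rejects transitions that are not on the allowed list, requires a second person to approve every transition except declaring a compromise (which should never wait for a second signature), and writes each change to an audit log. The key IDs, user names and policy choices are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Key states modelled on the NIST SP 800-57 key lifecycle. Assumption for this
# example: the organization adopts this state set; the questionnaire itself
# only names "suspension".
PRE_ACTIVATION, ACTIVE, SUSPENDED, DEACTIVATED, COMPROMISED, DESTROYED = (
    "pre-activation", "active", "suspended", "deactivated", "compromised", "destroyed")

# Legal transitions. Anything not listed is rejected: a destroyed key never
# comes back, and a compromised key is never returned to service.
ALLOWED: Dict[str, FrozenSet[str]] = {
    PRE_ACTIVATION: frozenset({ACTIVE, DESTROYED}),
    ACTIVE: frozenset({SUSPENDED, DEACTIVATED, COMPROMISED}),
    SUSPENDED: frozenset({ACTIVE, DEACTIVATED, COMPROMISED}),
    DEACTIVATED: frozenset({COMPROMISED, DESTROYED}),
    COMPROMISED: frozenset({DESTROYED}),
    DESTROYED: frozenset(),
}


class KeyTransitionError(Exception):
    """Raised when a transition is illegal or lacks a valid approval."""


@dataclass
class AuditEntry:
    key_id: str
    from_state: str
    to_state: str
    requested_by: str
    approved_by: str
    reason: str
    at: str  # ISO-8601 UTC timestamp


@dataclass
class ManagedKey:
    key_id: str
    state: str = PRE_ACTIVATION
    history: List[AuditEntry] = field(default_factory=list)


class KeyRegistry:
    """Tracks key states and enforces the transition and approval rules."""

    def __init__(self) -> None:
        self.keys: Dict[str, ManagedKey] = {}
        self.audit_log: List[AuditEntry] = []

    def register(self, key_id: str) -> ManagedKey:
        if key_id in self.keys:
            raise KeyTransitionError(f"{key_id}: already registered")
        self.keys[key_id] = ManagedKey(key_id)
        return self.keys[key_id]

    def transition(self, key_id: str, to_state: str, requested_by: str,
                   approved_by: str, reason: str) -> AuditEntry:
        key = self.keys[key_id]
        if to_state not in ALLOWED[key.state]:
            raise KeyTransitionError(
                f"{key_id}: {key.state} -> {to_state} is not a legal transition")
        # Example policy: two-person rule for every change except declaring a
        # compromise, which one person may do immediately because delay is
        # the dangerous outcome there.
        if to_state != COMPROMISED and (not approved_by or approved_by == requested_by):
            raise KeyTransitionError(
                f"{key_id}: {key.state} -> {to_state} needs approval by a second person")
        entry = AuditEntry(key_id, key.state, to_state, requested_by, approved_by,
                           reason, datetime.now(timezone.utc).isoformat())
        key.state = to_state
        key.history.append(entry)
        self.audit_log.append(entry)
        return entry

    def keys_in_state(self, state: str) -> List[str]:
        return sorted(k.key_id for k in self.keys.values() if k.state == state)


def demo() -> KeyRegistry:
    """Walk one constructed key through activation, suspension and compromise."""
    reg = KeyRegistry()
    reg.register("kms-prod-orders-2023")  # constructed key ID
    reg.transition("kms-prod-orders-2023", ACTIVE, "alice", "bob",
                   "generated for the orders service")
    reg.transition("kms-prod-orders-2023", SUSPENDED, "alice", "bob",
                   "anomalous decrypt volume from a CI runner")
    reg.transition("kms-prod-orders-2023", COMPROMISED, "alice", "",
                   "CI runner credentials found in a public repository")
    return reg


if __name__ == "__main__":
    for e in demo().audit_log:
        print(f"{e.at} {e.key_id}: {e.from_state} -> {e.to_state} "
              f"(requested {e.requested_by}, approved {e.approved_by or 'n/a'}) {e.reason}")
```

In a questionnaire answer, the equivalent of this registry is usually your KMS's key policies plus its audit log; the point to make is that the allowed transitions, the approval requirement, and the log exist and are reviewed, not that you wrote the state machine yourself.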

Here are some more helpful materials for Key Management Best Practices.

Category: Data in Transit Encryption

Question: Measures for the protection of data during transmission.

What they’re asking: 

  • What’s the encryption process in place?

Guidance on how to answer: Encryption is critical in safeguarding data, and data in transit is exposed to anyone on the network path, so the answer should state plainly that all connections carrying customer data, external and internal, use TLS (1.2 or later), that clients verify the server certificate and hostname, that weak cipher suites and plaintext fallbacks are disabled, and how certificates and their expiry are managed. Assessors are looking for a consistent, enforced configuration, not just "we use HTTPS".
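The most common gap behind "we encrypt data in transit" is a client that negotiates TLS but never checks who it is talking to. The following is an added example, not code from the original post or from TrustShare, using only Python's standard ssl module: a hardened client context next to the disabled-verification anti-pattern, and an audit function that reports the settings a questionnaire reviewer would object to. The names of the functions and the weak-cipher marker list are assumptions for the example.

```python
import ssl
from typing import List, Optional

# Cipher-suite name fragments that should not appear in a transit-encryption
# baseline: broken ciphers/hashes, unauthenticated (anonymous) key exchange,
# export-grade suites. Assumption: this list is the example's own policy.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH")


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context you can point to in an answer: TLS 1.2 or newer,
    certificate and hostname verification on, TLS compression off."""
    # cafile=None falls back to the system trust store.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # removes the CRIME-style side channel
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern (equivalent to requests' verify=False): the bytes are
    encrypted, but to whoever answers, so an on-path attacker can terminate
    the connection and read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of findings a reviewer would raise; empty means clean."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("insecure", insecure_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

Running the same audit against the contexts (or the equivalent server-side settings) your services actually use gives you a concrete artifact to attach to the answer instead of a sentence.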

Here are some more helpful materials for Data Encryption Examples, Transit Examples, and Data in Transit Encryption – Cloud.

For more information on how TrustShare tackles security questionnaires, take a look at our webpage.

Or, if you’d prefer to speak directly to us, we’d be more than happy to get that set up. Schedule a quick demo today!