Educational guide

What Is a Security Questionnaire?

Everything you need to know about vendor security assessments — what they are, why you receive them, and how to answer them without losing days of engineering time.

What is a security questionnaire?

A security questionnaire (also called a vendor security assessment or VSA) is a formal document that a prospective or existing customer sends to you — the vendor — to evaluate your security controls before sharing sensitive data or granting system access.

Think of it as a structured audit from the outside. Instead of sending in auditors, the customer asks you to self-report on dozens — sometimes hundreds — of security topics, and you provide written answers backed by evidence.

Security questionnaires are not optional. If you sell software or services to enterprises, you will receive them. They are a standard gate in procurement processes.

Why do customers send them?

Enterprise organizations are legally and contractually obligated to perform third-party risk management (TPRM). Regulations like GDPR, HIPAA, NIS2, and SOC 2 require them to document the security posture of every vendor that touches their data.

Before signing a contract, procurement, legal, and security teams need to confirm:

  • Your data is encrypted at rest and in transit
  • You have an incident response plan and will notify them of breaches
  • You enforce access control (MFA, least privilege, offboarding)
  • You are certified or compliant with relevant standards (ISO 27001, SOC 2, etc.)
  • Your sub-processors (cloud providers, SaaS tools) meet the same bar

The questionnaire is their formal paper trail — evidence that they did their due diligence. It protects them legally if something goes wrong, and it protects their own customers by extension.

What topics do they cover?

Most questionnaires cover the same core domains, regardless of the framework or the customer sending them. Here is what to expect:

🔒

Information security policy

Do you have a written policy? How often is it reviewed? Who owns it?

🧑‍💻

Access control

MFA, least privilege, user lifecycle, privileged access management.

🔐

Data protection

Encryption at rest and in transit, key management, data classification.

🚨

Incident response

Do you have a documented IR plan? How do you notify customers of breaches?

🏗️

Infrastructure & availability

Cloud providers, uptime SLA, DR/BCP, penetration testing cadence.

Compliance & certifications

ISO 27001, SOC 2, GDPR, HIPAA — certificates and audit reports.

🤝

Sub-processors & vendors

Which third parties do you use? What are their security standards?

👥

HR & personnel security

Background checks, security training, termination procedures.

Larger questionnaires (like the CAIQ or SIG) can have 300+ questions across all these domains. Smaller, custom ones from individual customers may have 20–80 questions but focus on the areas most relevant to the data they will share with you.

Common questionnaire frameworks

Some customers use standardized frameworks; others write their own. The most common standardized ones you will encounter:

SIG / SIG Lite

Shared Assessments

The most widely used enterprise vendor risk questionnaire. The full SIG has ~850 questions. SIG Lite is a condensed version (~135 questions) for lower-risk vendors. Common in financial services, healthcare, and insurance.

CAIQ

Cloud Security Alliance

Consensus Assessments Initiative Questionnaire. Designed specifically for cloud service providers. Maps to the CSA Cloud Controls Matrix. Common when you are a SaaS or cloud-hosted product.

VSAQ

Vendor Security Alliance

A leaner, widely adopted framework used across tech, finance, and healthcare. Often the starting point for customers who do not want to send a massive SIG.

Custom Excel questionnaires

Ad hoc

Many enterprise security teams write their own questionnaires. These are typically 20–100 questions tailored to the specific data sharing involved. The most common format you will receive day-to-day.

Regardless of the framework, the underlying questions are largely the same. A strong answer library built from your own security documentation will cover 80–90% of questions across all of them.

The real cost of answering them manually

Security questionnaires are deceptively expensive. On the surface they look like a form to fill in. In practice, a single mid-size questionnaire typically requires:

  • 4–20 hours of engineering or security team time hunting through internal docs, policies, and runbooks
  • Cross-team coordination — security, engineering, legal, HR, and often management all need to contribute or approve answers
  • Context switching — questionnaires arrive with tight deadlines mid-sprint, pulling engineers out of product work
  • Re-work — 60–70% of questions in a new questionnaire were already answered in a previous one, but answers are buried in old email threads

For a growing SaaS company that closes enterprise deals, this adds up to weeks of engineering time per year spent on compliance paperwork rather than product. And every delayed answer is a delayed deal.

How to answer them efficiently

The key insight is that most answers already exist somewhere in your organization. Your security policies, ISO 27001 certificate, SOC 2 report, pentest summary, and architecture docs contain almost everything a questionnaire asks. The problem is retrieval, not knowledge.

The most effective approach:

  1. Centralize your security documentation. Gather all policies, certificates, audit reports, and runbooks in one place — whether that is Confluence, a shared drive, or a dedicated tool.
  2. Build a reusable answer library. The first time you answer a question, save the answer. The tenth time you receive it, copy and adjust. Most teams use a spreadsheet for this; the better approach is a tool that can search it automatically.
  3. Use AI to draft answers from your docs. Modern tools (like Secreply) can read your existing security documentation and automatically suggest answers to each question, with citations so you can verify before submitting. This turns a 10-hour task into a 30-minute review.
  4. Review, never submit blind. AI-suggested answers should always be reviewed by a human before sending. The goal is to eliminate the drafting work, not the accountability.

Want to see this in practice?

Download our sample pack — a realistic vendor security questionnaire plus the knowledge base documents needed to answer it. Upload them to Secreply and see the AI fill in answers in under 2 minutes.

Download Sample Pack (free)

Frequently asked questions

How long does it take to answer a security questionnaire?

Manually: anywhere from 4 hours (short custom questionnaires) to 3–4 weeks (a full SIG). With a knowledge library and AI assistance, most questionnaires can be processed in under 2 hours of total team time.

Who in the company should answer them?

Typically a security or GRC manager coordinates, with input from engineering (infrastructure questions), HR (personnel security), legal (contracts, DPA), and sometimes the CTO or CISO for sign-off. The coordination overhead is one of the biggest hidden costs.

Can we refuse to answer a security questionnaire?

Technically yes, but practically it will cost you the deal. Most enterprise procurement teams treat a refusal as a red flag. The better move is to have a streamlined process so answering is fast and low-cost.

What's the difference between a security questionnaire and a penetration test?

A questionnaire is self-reported — you answer questions about your controls. A penetration test is an external technical validation where a third party actively tries to find vulnerabilities. Enterprise customers often ask for both: the questionnaire to understand your posture, and a pentest report as evidence.

Do certifications (ISO 27001, SOC 2) replace security questionnaires?

They help a lot — certification reports answer many standard questions at once, and some customers will accept them in lieu of a full questionnaire. But most enterprises still send their own questionnaire even if you are certified, because they want answers specific to their use case and data scope.

What is a Trust Center and does it help?

A Trust Center is a public-facing page where you proactively share your certifications, security policies, and compliance documentation. It can reduce the number of questionnaires you receive by letting customers self-serve answers. It doesn't eliminate questionnaires entirely, but it helps with early-stage due diligence.

Stop spending weeks on security questionnaires

Upload your security docs once. Secreply answers the next questionnaire automatically — with source citations you can verify before submitting.

Start Free Trial