What is a security questionnaire?
A security questionnaire (also called a vendor security assessment or VSA) is a formal document that a prospective or existing customer sends to you — the vendor — to evaluate your security controls before sharing sensitive data or granting system access.
Think of it as a structured audit from the outside. Instead of sending in auditors, the customer asks you to self-report on dozens — sometimes hundreds — of security topics, and you provide written answers backed by evidence.
Security questionnaires are not optional. If you sell software or services to enterprises, you will receive them. They are a standard gate in procurement processes.
Why do customers send them?
Enterprise organizations are legally and contractually obligated to perform third-party risk management (TPRM). Regulations like GDPR, HIPAA, NIS2, and SOC 2 require them to document the security posture of every vendor that touches their data.
Before signing a contract, procurement, legal, and security teams need to confirm:
- Your data is encrypted at rest and in transit
- You have an incident response plan and will notify them of breaches
- You enforce access control (MFA, least privilege, offboarding)
- You are certified or compliant with relevant standards (ISO 27001, SOC 2, etc.)
- Your sub-processors (cloud providers, SaaS tools) meet the same bar
The questionnaire is their formal paper trail — evidence that they did their due diligence. It protects them legally if something goes wrong, and it protects their own customers by extension.
What topics do they cover?
Most questionnaires cover the same core domains, regardless of the framework or the customer sending them. Here is what to expect:
Information security policy
Do you have a written policy? How often is it reviewed? Who owns it?
Access control
MFA, least privilege, user lifecycle, privileged access management.
Data protection
Encryption at rest and in transit, key management, data classification.
Incident response
Do you have a documented IR plan? How do you notify customers of breaches?
Infrastructure & availability
Cloud providers, uptime SLA, DR/BCP, penetration testing cadence.
Compliance & certifications
ISO 27001, SOC 2, GDPR, HIPAA — certificates and audit reports.
Sub-processors & vendors
Which third parties do you use? What are their security standards?
HR & personnel security
Background checks, security training, termination procedures.
Larger questionnaires (like the CAIQ or SIG) can have 300+ questions across all these domains. Smaller, custom ones from individual customers may have 20–80 questions but focus on the areas most relevant to the data they will share with you.
Common questionnaire frameworks
Some customers use standardized frameworks; others write their own. The most common standardized ones you will encounter:
SIG / SIG Lite
Shared AssessmentsThe most widely used enterprise vendor risk questionnaire. The full SIG has ~850 questions. SIG Lite is a condensed version (~135 questions) for lower-risk vendors. Common in financial services, healthcare, and insurance.
CAIQ
Cloud Security AllianceConsensus Assessments Initiative Questionnaire. Designed specifically for cloud service providers. Maps to the CSA Cloud Controls Matrix. Common when you are a SaaS or cloud-hosted product.
VSAQ
Vendor Security AllianceA leaner, widely adopted framework used across tech, finance, and healthcare. Often the starting point for customers who do not want to send a massive SIG.
Custom Excel questionnaires
Ad hocMany enterprise security teams write their own questionnaires. These are typically 20–100 questions tailored to the specific data sharing involved. The most common format you will receive day-to-day.
Regardless of the framework, the underlying questions are largely the same. A strong answer library built from your own security documentation will cover 80–90% of questions across all of them.
The real cost of answering them manually
Security questionnaires are deceptively expensive. On the surface they look like a form to fill in. In practice, a single mid-size questionnaire typically requires:
- 4–20 hours of engineering or security team time hunting through internal docs, policies, and runbooks
- Cross-team coordination — security, engineering, legal, HR, and often management all need to contribute or approve answers
- Context switching — questionnaires arrive with tight deadlines mid-sprint, pulling engineers out of product work
- Re-work — 60–70% of questions in a new questionnaire were already answered in a previous one, but answers are buried in old email threads
For a growing SaaS company that closes enterprise deals, this adds up to weeks of engineering time per year spent on compliance paperwork rather than product. And every delayed answer is a delayed deal.
How to answer them efficiently
The key insight is that most answers already exist somewhere in your organization. Your security policies, ISO 27001 certificate, SOC 2 report, pentest summary, and architecture docs contain almost everything a questionnaire asks. The problem is retrieval, not knowledge.
The most effective approach:
- Centralize your security documentation. Gather all policies, certificates, audit reports, and runbooks in one place — whether that is Confluence, a shared drive, or a dedicated tool.
- Build a reusable answer library. The first time you answer a question, save the answer. The tenth time you receive it, copy and adjust. Most teams use a spreadsheet for this; the better approach is a tool that can search it automatically.
- Use AI to draft answers from your docs. Modern tools (like Secreply) can read your existing security documentation and automatically suggest answers to each question, with citations so you can verify before submitting. This turns a 10-hour task into a 30-minute review.
- Review, never submit blind. AI-suggested answers should always be reviewed by a human before sending. The goal is to eliminate the drafting work, not the accountability.
Want to see this in practice?
Download our sample pack — a realistic vendor security questionnaire plus the knowledge base documents needed to answer it. Upload them to Secreply and see the AI fill in answers in under 2 minutes.
Download Sample Pack (free)Frequently asked questions
How long does it take to answer a security questionnaire?
Manually: anywhere from 4 hours (short custom questionnaires) to 3–4 weeks (a full SIG). With a knowledge library and AI assistance, most questionnaires can be processed in under 2 hours of total team time.
Who in the company should answer them?
Typically a security or GRC manager coordinates, with input from engineering (infrastructure questions), HR (personnel security), legal (contracts, DPA), and sometimes the CTO or CISO for sign-off. The coordination overhead is one of the biggest hidden costs.
Can we refuse to answer a security questionnaire?
Technically yes, but practically it will cost you the deal. Most enterprise procurement teams treat a refusal as a red flag. The better move is to have a streamlined process so answering is fast and low-cost.
What's the difference between a security questionnaire and a penetration test?
A questionnaire is self-reported — you answer questions about your controls. A penetration test is an external technical validation where a third party actively tries to find vulnerabilities. Enterprise customers often ask for both: the questionnaire to understand your posture, and a pentest report as evidence.
Do certifications (ISO 27001, SOC 2) replace security questionnaires?
They help a lot — certification reports answer many standard questions at once, and some customers will accept them in lieu of a full questionnaire. But most enterprises still send their own questionnaire even if you are certified, because they want answers specific to their use case and data scope.
What is a Trust Center and does it help?
A Trust Center is a public-facing page where you proactively share your certifications, security policies, and compliance documentation. It can reduce the number of questionnaires you receive by letting customers self-serve answers. It doesn't eliminate questionnaires entirely, but it helps with early-stage due diligence.