
How to Answer a Vendor Security Questionnaire (With Template Answers)

Why enterprise buyers send questionnaires, common question categories, how to answer questions when you don't have SOC 2 yet, template answers for common questions, and how to approach SIG vs CAIQ vs custom formats.

September 10, 2025 · 9 min read · ShipSafer Team

You've just closed a verbal agreement with a Fortune 500 company. Then their procurement team sends a 200-question spreadsheet. The subject line: "Vendor Security Assessment — Required for Onboarding."

This is a vendor security questionnaire (VSQ), and it's now the biggest obstacle between you and a signed contract. How you respond determines whether the deal closes in two weeks or three months — or whether their security team kills it entirely.

This guide explains the formats you'll encounter, the common question categories, how to answer honestly when you're pre-SOC 2, and template language you can adapt directly.


Why Enterprise Buyers Send Questionnaires

Enterprise security teams are responsible for their company's data wherever it flows — including into your SaaS product. When a breach happens at a vendor, the buyer often bears regulatory and reputational consequences. That's why every vendor with access to sensitive data gets scrutinized.

The questionnaire serves several purposes:

  1. Due diligence documentation — evidence that IT security reviewed the vendor
  2. Compliance evidence — for the buyer's own SOC 2, ISO 27001, or regulatory requirements
  3. Risk scoring — some companies assign numeric risk scores to vendors and make procurement decisions based on them
  4. Negotiating leverage — gaps in your answers may lead to contractual security requirements

Common Questionnaire Formats

SIG (Standardized Information Gathering)

Published by Shared Assessments, the SIG is one of the most widely used formats. The full SIG has 850+ questions. Most buyers send the SIG Lite, which covers 18 risk domains with roughly 60-100 questions per domain. Common senders: financial services companies, healthcare organizations, and large tech firms.

CAIQ (Consensus Assessments Initiative Questionnaire)

Published by the Cloud Security Alliance (CSA). Heavy on cloud infrastructure questions. Common senders: cloud-forward companies, government contractors, and organizations following CSA's Cloud Controls Matrix (CCM).

Custom Spreadsheets

Most common in practice. The buyer's security team made a template, and they've been sending it to every vendor for three years. These vary wildly in depth. Some have 20 questions; some have 300.

How to handle each format:

Format   | Your Approach
SIG Lite | Answer in the provided spreadsheet; provide cross-references to your SOC 2 where applicable
CAIQ     | The CSA has guidance documents for each control; align your answers to CCM domains
Custom   | Read every question carefully; ask for clarification on vague questions before answering

The 8 Most Common Question Categories

1. Governance & Risk Management

Questions in this category ask whether you have an information security program at all.

Common questions:

  • Do you have a written information security policy?
  • Is there a designated person responsible for information security?
  • How often is your security program reviewed and updated?

Template answers:

"We maintain a formal Information Security Policy that is reviewed annually and approved by executive leadership. Our [CTO / Head of Engineering / CISO] owns the security program with defined responsibilities for policy maintenance, risk management, and incident response."

If you don't have a formal policy document yet, write one. It can be two pages. A simple policy covering acceptable use, data classification, access control, and incident reporting is sufficient for early-stage startups.


2. Access Control

Questions here probe whether the right people have the right access and nothing more.

Common questions:

  • Do you enforce multi-factor authentication for employee access?
  • How is privileged access managed?
  • How quickly is access revoked upon employee termination?
  • Do you conduct access reviews?

Template answers:

"Multi-factor authentication is required for all employee access to production systems, cloud infrastructure, and internal tools. Access is provisioned on a least-privilege basis via our Identity Provider [Okta / Google Workspace]. Upon employee termination, all access is revoked within [4 hours / same business day] through our off-boarding checklist, which includes SSO deprovisioning and revocation of any service-specific credentials. Access reviews are conducted [quarterly / semi-annually]."


3. Encryption

Common questions:

  • How is data encrypted at rest?
  • How is data encrypted in transit?
  • How are encryption keys managed?

Template answers:

"All customer data is encrypted at rest using AES-256 encryption, managed through [AWS KMS / GCP Cloud KMS]. All data in transit is encrypted using TLS 1.2 or higher. Encryption keys are managed by our cloud provider's key management service with automatic rotation enabled. Application-level secrets are stored in [AWS Secrets Manager / HashiCorp Vault] and are never stored in source code or version control."


4. Incident Response

Common questions:

  • Do you have a documented incident response plan?
  • What is your breach notification timeline?
  • Have you had any security incidents in the past 12-24 months?

Template answers (no prior incidents):

"We maintain a documented Incident Response Plan covering identification, containment, eradication, recovery, and post-incident review. In the event of a confirmed data breach affecting customer data, we commit to notifying affected customers within 72 hours of discovery, consistent with GDPR Article 33 requirements. We conduct annual tabletop exercises to test the plan. We have not experienced any security incidents resulting in unauthorized access to customer data."

Template answers (prior incident):

Be honest. Describe what happened, what data was affected, how you responded, and what controls you implemented afterward. Covering up a prior incident and having the buyer discover it later destroys the deal and the relationship.


5. Vulnerability Management

Common questions:

  • How often do you conduct penetration testing?
  • Do you perform vulnerability scanning?
  • How do you manage third-party library vulnerabilities?

Template answers:

"We conduct annual web application penetration tests performed by a third-party security firm. Most recent test: [date]. All critical and high findings from our most recent assessment have been remediated; we can share the executive summary under NDA. Automated dependency scanning runs on every code commit via [Dependabot / Snyk], with critical vulnerabilities addressed within 24 hours and high severity within 7 days. Infrastructure vulnerability scanning runs weekly."


6. Data Handling & Privacy

Common questions:

  • Where is customer data stored?
  • Can you sign a GDPR Data Processing Agreement?
  • How do you handle data subject access requests?
  • What is your data retention and deletion policy?

Template answers:

"Customer data is stored in [AWS us-east-1 / eu-west-1, specify region]. We are happy to sign a Data Processing Agreement (DPA) — our standard DPA is available at [link] or we can review the buyer's DPA. Data Subject Access Requests are fulfilled within 30 days. Our data retention policy retains customer data for [90 days / 1 year] after contract termination, after which it is securely deleted. Customers may request earlier deletion."


7. Business Continuity & Availability

Common questions:

  • What is your uptime SLA?
  • What are your RTO and RPO?
  • How is data backed up?

Template answers:

"Our service targets 99.9% uptime, which represents no more than 8.7 hours of downtime per year. Database backups are performed daily with 30-day retention, and we support point-in-time recovery within the retention window. Our Recovery Time Objective (RTO) is 4 hours and Recovery Point Objective (RPO) is 1 hour for a full-environment failure scenario. Status page: [status.yourdomain.com]."


8. Third-Party & Subprocessor Risk

Common questions:

  • Who are your subprocessors?
  • How do you vet vendors before onboarding?
  • Will you notify us of subprocessor changes?

Template answers:

"Our current subprocessors are listed at [yourdomain.com/subprocessors] and include [AWS, Stripe, SendGrid, etc.]. Before onboarding any subprocessor with access to customer data, we review their SOC 2 Type II report or conduct a security questionnaire. We notify customers of material subprocessor changes with [30 days] advance notice. All subprocessors have signed Data Processing Agreements."


Answering When You Don't Have SOC 2 Yet

Pre-SOC 2 is not an automatic deal-killer, but it requires the right positioning.

What not to say:

  • "We don't have SOC 2" (full stop)
  • "We're working on it" (no timeline)
  • Anything that sounds evasive or uncertain

What to say instead:

"We are currently completing our SOC 2 Type II audit with [auditor name], targeting report issuance in [Q3 2025]. In the interim, we are happy to complete your security questionnaire in full detail, share documentation of our implemented controls, and provide references from comparable enterprise customers. Our current control environment includes [list 5-7 key controls: MFA, encryption at rest/transit, annual pentest, SOC 2-aligned policies, etc.]."

Offering to complete the questionnaire thoroughly is often enough to unblock a deal while SOC 2 is in progress, particularly if you can provide evidence artifacts.


How to Speed Up Questionnaire Response

Build a security knowledge base. Maintain a document or spreadsheet with your standard answers to all common questions. The first questionnaire takes days to answer. The tenth should take an hour.

Prepare a security one-pager. A two-page PDF covering your key controls, certifications, pentest history, and contact information. Attach it with every questionnaire.

Create a security portal. A dedicated /security page on your website with your policies, subprocessors list, SOC 2 summary, and a form to request the full report under NDA. Buyers often check here before sending a formal questionnaire.

Use automation tools. Platforms designed for security questionnaire automation (including ShipSafer's questionnaire autofill feature) can map questions to your existing documentation and pre-populate answers based on your known control environment, dramatically cutting response time.


Red Flags That Slow Down Deals

Your Answer                                          | How Buyers Interpret It
"We use industry-standard security" (no specifics)   | You don't know what you have
"Security is important to us" (no controls listed)   | Marketing language, not evidence
Inconsistent answers across sections                 | You don't have documented policies
No breach notification timeline given                | You haven't thought through incident response
"Our vendor handles that"                            | Unacceptable — you own it even if a vendor operates it

The fastest path through a security questionnaire is specificity. Every vague answer generates a follow-up question. Every specific answer with documentation closes the loop.
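As an added example (not ShipSafer's autofill feature or any code from this article), the Python sketch below combines the two ideas from the knowledge-base section and the red-flags table: a small keyword-indexed answer bank, condensed from the template answers above, that maps an incoming question to a category, and a lint pass that flags unfilled [bracketed] placeholders, the vague phrases buyers reject, and an incident-response answer that states no notification timeline. The knowledge base, keyword lists and vague-phrase list are constructed assumptions.

```python
import re

# Constructed knowledge base (assumption, condensed from the article's template answers):
# category -> (keywords that identify the question, template answer). Bracketed values are
# deliberate placeholders that must be filled in before the answer is submitted.
KNOWLEDGE_BASE = {
    "access control": (
        ("mfa", "multi-factor", "privileged", "revoked", "termination", "access review"),
        "Multi-factor authentication is required for all employee access to production systems. "
        "Access is provisioned on a least-privilege basis via [Okta / Google Workspace]. "
        "Upon termination, all access is revoked within [4 hours / same business day].",
    ),
    "encryption": (
        ("encrypt", "at rest", "in transit", "key management", "tls"),
        "Customer data is encrypted at rest using AES-256 via [AWS KMS / GCP Cloud KMS]; "
        "data in transit uses TLS 1.2 or higher.",
    ),
    "incident response": (
        ("incident", "breach", "notification"),
        "We maintain a documented Incident Response Plan. Confirmed breaches affecting "
        "customer data are notified to affected customers within 72 hours of discovery.",
    ),
}

PLACEHOLDER = re.compile(r"\[[^\]]*\]")             # anything still left in [brackets]
TIMELINE = re.compile(r"\b\d+\s*(hours?|days?)\b")  # e.g. "72 hours", "30 days"
VAGUE_PHRASES = ("industry-standard", "security is important", "our vendor handles")

def match_question(question):
    """Map a questionnaire question to (category, template) by keyword hits; (None, None) if no hit."""
    q = question.lower()
    best, best_hits = None, 0
    for category, (keywords, template) in KNOWLEDGE_BASE.items():
        hits = sum(1 for k in keywords if k in q)
        if hits > best_hits:
            best, best_hits = category, hits
    return (best, KNOWLEDGE_BASE[best][1]) if best else (None, None)

def lint_answer(answer, category=None):
    """Return findings a buyer's reviewer would bounce back on; an empty list means the answer is clean."""
    findings = [f"unfilled placeholder: {ph}" for ph in PLACEHOLDER.findall(answer)]
    findings += [f"vague language: '{p}'" for p in VAGUE_PHRASES if p in answer.lower()]
    if category == "incident response" and not TIMELINE.search(answer):
        findings.append("no breach notification timeline stated")
    return findings

if __name__ == "__main__":
    for q in ("Do you enforce multi-factor authentication?", "What is your breach notification timeline?"):
        category, draft = match_question(q)
        print(q, "->", category, lint_answer(draft, category))
```

Run the lint over every answer in a finished spreadsheet before it goes back to procurement; any non-empty finding list is an answer that will generate a follow-up question.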
