We can help you fill in the security questionnaires you receive from your clients. Here is a short video that summarizes and augments this article:
Filling in the security questionnaire properly will help you win your client’s business, or meet the requirements they set for continuing to work with you.
Following this article will require a lot of work, but the results will be worth it.
Sometimes the document may be named “Supplier onboarding checklist,” but its purpose remains the same – to assess your readiness to handle cybersecurity risks.
If you need to know how to fill in such a questionnaire, which can sometimes contain up to 290 questions, you have come to the right place.
Before you begin, there are a few things you should know:
- Your answers usually become part of the contract, so an inaccurate “yes” can make you liable for non-compliance in the event of a breach
- Many questions will sound alien, and your team may have no idea what they are about. Do your research before answering
- Answering some questions with a “yes” will commit you to complex and sometimes expensive projects. Discuss these questions with your client first; perhaps they are not critical in your specific case.
- Cybersecurity may be a completely new field for your entire team. Answering “compliant” may require people to change the way they do their job. Expect resistance. We can help you deal with the opposition in a smooth, productive way.
For smaller vendors, filling in such a questionnaire on their own is close to impossible. The answers may sound logical to them, but they completely discredit the vendor in the eyes of the client, whose well-trained and experienced security team can quickly spot answers pulled out of thin air.
We have helped our larger (8,000+ employees) clients create similar questionnaires and vendor assessment processes to evaluate their partners and vendors. If you read this article carefully and follow it, you will have no problem filling in the security risk assessment checklist you have just received.
Smaller vendors often fail to see the potential of diligently filling the questionnaire. They see such questionnaires as a bore, a bureaucratic obstacle that slows down their business and is annoying to their IT department.
What if you transformed your company and its IT operations to be secure? What if you ensured you stored and processed client data safely?
And we are not talking about “secure according to ISO 27001” or other auditing standards – we are using the word “secure” in the sense of practical, actual security. That means going beyond the simple checkbox answer “We have 2-factor authentication” to “The 2-factor authentication we use is user-friendly and difficult to bypass, which is why we consider it a sound and secure approach”.
Here is a video that discusses 2FA bypasses in detail:
If you watch the video, you will understand where the limitation of security checklists lies. They ask you the basics: “Do you have 2FA?”. Our recommendation, when researching how to fill in a security questionnaire, is to dig deeper and answer with greater detail.
By digging deeper, as in the 2FA example above, you will impress the client. Imagine their satisfaction if you fill in the questionnaire with “We use phishing-resistant 2FA (FIDO2/WebAuthn security keys rather than SMS codes) for all staff accounts” instead of just “Yes.”
Impressing your potential client usually means winning their business.
Once you have filled in the first one correctly, you will be able to fill in similar questionnaires and checklists the way your clients expect, and you will instantly rise above your competition.
You will win business that 99% of your competitors will not, simply because they see such checklists as bureaucracy and a waste of time.
Be the exception, become secure, build your information security program, and you will always have the perfect answer to any client’s cybersecurity questions.
How to review the checklist or questionnaire before you start working on it
When you open the Excel spreadsheet or the online questionnaire, you will be presented with an overview and instructions on how to provide your answers.
Usually, the instructions look like one of the two examples shown here:
In Excel files, the instructions are usually in the first or second sheet. In online systems, you can usually find instructions for each section or particular question.
Sometimes, they may even include a diagram like the one below:
Spend enough time to understand the instructions, and do not start filling in the file until you are sure you know how to do it. If you have questions, now is a good time to refer them to the person or company who sent you the file.
Some questions are more important than others. For example:
In this case, you see that Identity and Access Management is placed first, and the file asks you a generic question about your authentication and access management. This topic is the cornerstone of every security program; if you do not know how to answer it, you most likely have very few controls in place and represent a significant risk as a vendor to your client.
Instead of trying to fix the answer and come up with something believable, we suggest that you try and implement an actual Identity and Access Management program in your company. It will serve you first and, as a result, provide value to your clients.
You can use the questions in such a questionnaire as a free security audit! Take advantage of it: research what each control means, implement the risk mitigation controls that apply to you, and you will impress your clients every time they send you such questionnaires and checklists.
Here is one more example of a vendor security questionnaire that we helped some of our clients become compliant with and then fill appropriately:
Many of these questions have a deeper meaning – usually, your client wants to see not just your answer but the processes and procedures behind it. “Yes, we encrypt our data” is much less valuable than “Yes, we encrypt our disks with BitLocker using AES-256, and we protect data in transit with TLS 1.2 or later, which is the minimum version permitted by our policies and procedures”.
How to answer NIST 800-53 security questionnaires
How to answer ISO 27001 security questionnaires
How to answer 3rd party vendor security risk assessment questionnaires
Should you answer that question with “No”?
Answering “No” is more straightforward but can lead to misunderstanding on your client’s side.
Imagine being in their shoes, reading the filled security questionnaire, and seeing “no” everywhere.
Now compare that with the situation where you ask for clarifications about the criticality of missing the control or even ask their advice on prioritizing specific security control implementation to answer critical questions positively.
“Do you have Data Leakage Prevention (DLP)?” might be the question. You may answer “No” to that.
But you may also ask: “Considering the ease with which DLP systems can be bypassed, and the fact that we have the following compensating controls in place, can we mark this question as ‘Not Applicable’ in our situation?” – and then name the compensating controls concretely.
Hopefully, you see the difference between the two approaches.
Remember, you are not the last link in the chain. You received this questionnaire because your client must comply with security rules and regulations and keep records of their vendors’ security assessments.
They cannot demand ultimate and perfect security from their vendors because even your client is not 100% secure. They know that.
Instead of simply answering “no,” use any or a combination of the strategies above.
Mark the questions you believe would be relevant for such an approach as “needs clarification,” ask your client which questions you should focus on, and ask which security controls are deal-breakers if missing.
Then implement those security controls, so that you can answer positively in the questionnaire. Just like that, all sides have what they need, and everyone is happy!
Sometimes you might have budget constraints – and your clients will understand that, especially if you show them the compensating controls you have implemented.