SecurSentry
← All notes
Security questionnaires

Vendor Security Questionnaire: What It Asks & How to Prepare

A clear look at what a buyer's vendor security questionnaire actually covers, why they keep landing in your inbox, and how doing the security work once lets you answer most of them straight.

The short version

A vendor security questionnaire is the form a customer sends before they trust you with their data. It lands by email, usually as a spreadsheet, sometimes through a portal, and it asks — in a hundred different ways — one underlying question: if we hand you our information, will you look after it?

If you sell to anyone larger than yourself, you’ll meet one sooner or later. The first one is daunting. The fifth one is mostly familiar. This guide walks through what these questionnaires actually cover, why they keep arriving, and why doing the security work properly once does far more for you than any clever answering trick.

What a vendor security questionnaire actually asks

Strip away the formatting and almost every vendor security questionnaire covers the same handful of domains: the practical areas where your handling of a customer’s data could go wrong.

The wording shifts from buyer to buyer, but the topics are remarkably stable. Most questionnaires work through some version of these:

You’ll also see questions on staff security training, physical security, secure development if you build software, and your own compliance posture. The order changes. The substance rarely does.

The plain truth behind the jargon

A questionnaire that asks about "logical access controls", "cryptographic key management" and "business continuity arrangements" is asking three everyday questions: who can get in, is the data scrambled, and what happens when something breaks. The formal language is for the buyer's auditor, not a sign that the topic is beyond you.

Why you keep getting them

You keep getting supplier security questionnaires because your customers are required to check every supplier who touches their data, and you’re one of many on a long list.

A mid-size or enterprise buyer typically has a third-party risk process baked into procurement. Before a new supplier is approved, someone in their security or compliance team has to assess that supplier. Often this is a regulatory or contractual obligation, not a courtesy. The bigger and more regulated the customer, the more rigorous the check.

That means the questionnaire isn’t a one-off hoop. It’s a recurring feature of selling to serious buyers, and it tends to reappear at renewal too. The good news hides in plain sight — because so many buyers ask about the same domains, the effort genuinely compounds. The hard part is building the controls in the first place. After that, you’re mostly retelling the same true story to a new audience.

Standard formats exist for a reason

The overlap between questionnaires is so consistent that the industry built standard formats, and seeing them helps you recognise the pattern under any bespoke spreadsheet.

Two come up often. The SIG (Standardized Information Gathering) questionnaire, maintained by Shared Assessments, is a broad third-party risk set covering 21 risk domains grouped under four control areas, from access control and incident response through to business continuity and threat management. It comes in a fuller version and a shorter “Lite” one for lighter-touch checks.

The CAIQ (Consensus Assessments Initiative Questionnaire), from the Cloud Security Alliance, is aimed at cloud providers. It’s a yes/no questionnaire that maps directly to the CSA’s Cloud Controls Matrix, so each answer ties back to a specific cloud-security control.

The existence of standard formats is the whole point made visible: if everyone’s questions weren’t largely the same, no one could have standardised them.

Plenty of buyers won’t use either. They’ll send their own spreadsheet, or a portal with their own phrasing. But once you’ve recognised the underlying domains, a custom questionnaire stops looking like a fresh ordeal and starts looking like a rearrangement of questions you’ve already answered. If you want the full breakdown of these formats, we go through them in SIG, CAIQ and DDQ explained for small suppliers.

How to answer most of them honestly, once

The reliable way to handle these forms is to get the actual security controls in place, then answer from what you genuinely do, rather than wordsmith your way past gaps that aren’t filled.

Here’s the trap. It’s tempting to treat the questionnaire as a writing exercise: find the right phrasing, sound reassuring, get past the gate. That backfires. A buyer’s security team reads these for a living, vague answers invite follow-up questions, and an answer that overstates what you do is a problem you’ve signed your name to.

The honest route is also the easier one over time. Get the underlying work done (sort out access and MFA, turn on encryption, set up and test backups, write down what you’d do in an incident, list your sub-processors) and the answers become a matter of describing reality. You’re not inventing anything. You’re reporting it.

This is where the compounding really shows. The control behind “we enforce multi-factor authentication on all admin accounts” satisfies that question whether it’s phrased the SIG way, the CAIQ way, or a buyer’s own way. The same is true across the board:

It’s the same insight that sits underneath cyber security certifications. A scheme like Cyber Essentials or a standard like ISO 27001 asks you to put a defined set of controls in place, and those same controls are what the questionnaires are probing for. Doing the real work once means a single set of controls answers many different forms. You’re not building a separate answer for every buyer. You’re maintaining one honest picture of how you operate, and pointing each questionnaire at the relevant part of it.

If you're tempted to leave a box blank or fudge it

A blank or a hedge tells the buyer exactly where your gap is. Better to answer honestly, say what you do today, and note what you're improving. Buyers respect a supplier who knows their own posture far more than one who papers over it, and you avoid committing in writing to something you can't stand behind.

Where to go from here

Treat your first questionnaire as a map of the security work worth doing, not just a form to clear.

If a questionnaire has just landed and you need to get through it, our guide to answering a security questionnaire walks through it section by section. If a buyer is asking for a SOC 2 report you don’t have, answering a security questionnaire without SOC 2 covers how to respond honestly with the assurance you do hold.

The deeper point is worth holding onto. Every vendor security questionnaire is, underneath, a request to see your security controls. Build those controls properly once — getting access, encryption, backups, incident response and your supplier list genuinely in order — and you’ve done the work that answers the next form, and the one after that. SecurSentry is being built to help UK small businesses get exactly that groundwork in place, so the questionnaires become a description of what you already do rather than a scramble to catch up.

Frequently asked questions

What is a vendor security questionnaire?

It's a set of questions a prospective customer sends to check how you handle and protect their data before they buy from you. It usually covers access control, encryption, backups, incident response and the sub-processors you rely on. Bigger buyers send one as a standard part of their procurement and third-party risk process.

Why do I keep getting supplier security questionnaires?

Most mid-size and enterprise buyers are required, by their own policies or regulators, to assess every supplier that touches their data. So each new deal can trigger its own questionnaire. The questions overlap heavily between buyers, which is why the work you do for one largely carries over to the next.

What's the difference between the SIG and the CAIQ?

Both are standardised questionnaire formats. The SIG (Standardized Information Gathering) questionnaire, from Shared Assessments, is a broad third-party risk set covering 21 risk domains grouped under four control areas, and it comes in shorter and fuller versions. The CAIQ (Consensus Assessments Initiative Questionnaire), from the Cloud Security Alliance, is a yes/no questionnaire for cloud providers that maps to the Cloud Controls Matrix. A buyer may send either, a custom spreadsheet, or their own shortened version.

Do I need a certification to answer a security questionnaire?

No. Plenty of suppliers answer honestly without a formal certificate by describing the controls they actually have in place. A certification like Cyber Essentials or an ISO 27001 certificate can save you answering some questions and reassure the buyer, but it isn't a precondition for completing the form truthfully.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.