How To Answer Vendor Security Questionnaires

HOW TO ANSWER VENDOR QUESTIONNAIRES FROM PROSPECTS AND CLIENTS

Companies that are subject to regulation and that have mature information security, privacy, and risk management programs send questionnaires to their vendors, asking them, as trusted partners that process sensitive company data, to attest to the strength of their own security programs. These questionnaires are part of third-party risk (or ‘vendor management’ or ‘vendor risk management’) programs that support regulations and standards like SOX, COBIT, GDPR, and ISO. The questionnaires can be long or short, technical or operational, tailored to each vendor or one-size-fits-all.

Keep in mind that you, as the answerer of the questions, and the client’s risk manager who receives your answers in the context of risk, have several goals in common, so help them!
  • You both want to efficiently complete the questionnaire task in a timely manner
  • You both want your product/solution/service to meet the needs of the customer
  • You both want to minimize or eliminate next steps as a result of the answers you give

HOW TO HELP THE RISK MANAGER TO HELP YOU
Often the choices for each question are “Yes”, “No”, and “Not Applicable”, with a text field devoted to ‘Explanation’. When explanations are optional, here are the answers a company’s risk assessment professional prefers, in order of preference:

  • Compliant (often ‘Yes’) without an explanation – an attestation of complete compliance is best!
  • Compliant (often ‘Yes’) with an explanation – it may be a surprise that an explanation is not always best, but sometimes an explanation attached to a ‘yes’ answer results in requests for further clarification.
  • Not Applicable with an explanation – explain concisely why this is Not Applicable to the product/solution/service that will be provided to the client to help the risk manager to exclude it.
  • Not Applicable without an explanation – often results in a subsequent request for an explanation to justify the answer.
  • Not compliant (often ‘No’) with a mitigating explanation – an explanation that helps the risk manager to accept the ‘not compliant’ answer by pointing out other strengths that compensate or why it is not important.
  • Not compliant (often ‘No’) – least desirable with highest chance for further activity.