The Problem
You’re closing a six-figure enterprise deal. The prospect’s procurement team sends a 240-question security questionnaire on a Wednesday afternoon, due Friday morning. The format is a spreadsheet. The questions range from “do you have a written information security policy?” to “describe your container orchestration platform’s key rotation cadence.”
A team that hasn’t seen one of these before responds by panicking, scheduling a war room for Thursday, and shipping a half-baked response. The deal closes on Monday after a clarification call where the prospect’s CISO walks the responder through the questions they answered wrong.
A team that’s been through this twice responds differently. They allocate four hours, work through the questionnaire methodically, and ship a response that closes the deal without needing the clarification call.
The difference is reading the questionnaire correctly.
The Approach
Enterprise security questionnaires test one thing primarily: whether you’ve thought about each control well enough to give an honest answer. Despite appearances, they’re not testing whether you’ve implemented every control perfectly.
That changes how you answer. The CISO reading your response doesn’t expect a Series A company to have the same control posture as a Fortune 500. They expect you to know your posture, describe it accurately, and explain what’s compensating where coverage is incomplete.
Every question has one of four honest answers:
Pattern 1: Yes (we do this)
You have the control fully implemented and can show evidence. The right answer is brief, factual, and points to evidence:
Q: Do you encrypt customer data at rest? A: Yes. All customer data is encrypted at rest using AES-256 via AWS KMS. Customer-managed keys are available on request. Evidence: SOC 2 Type II report, section 4.2.
Don’t oversell. Don’t pad. The CISO is reading 240 of these. They will reward brevity. A long answer to a simple question reads as defensiveness.
Pattern 2: Yes with caveats
You do the thing, but not the way the question implies. State the affirmative; clarify the scope:
Q: Do you maintain a 24/7 SOC? A: We maintain 24/7 on-call coverage with a 30-minute response SLO for security incidents. We do not currently run a dedicated SOC team; security monitoring is integrated into the platform engineering on-call rotation, with automated detection routed to the same paging system as availability incidents. Evidence: on-call rotation policy, sample incident timeline.
Don’t say “no” when the answer is “yes, but smaller in scope.” Don’t say “yes” when the implementation is materially different. The middle ground (affirmative, with honest scope) is what enterprise CISOs are looking for.
Pattern 3: Compensating control
You don’t do the thing the question asks, but you do something else that addresses the underlying risk. Name what you do, and explain why it’s equivalent:
Q: Do you maintain a hot disaster recovery site? A: We use a multi-region active-passive architecture with continuous data replication and a tested RTO of 4 hours and RPO of 15 minutes. We do not maintain a separate “DR site” in the traditional sense; the recovery target is a cold-but-rehearsable deployment to our secondary AWS region. Evidence: DR runbook, last DR drill report (March 2026).
The compensating-control answer is where SMB responses earn trust. CISOs know smaller companies make architectural choices different from enterprises. What they want to know is that you made the choice deliberately and understand its risk profile.
Pattern 4: Not applicable
The question is about a capability you don’t have because your architecture doesn’t have the surface area. State that, and briefly explain why:
Q: Describe your data-in-transit encryption for SCADA/OT systems. A: Not applicable. Our platform does not operate or integrate with industrial control systems or operational technology environments.
Don’t try to answer NA questions. Don’t write “see other answer.” A clear “not applicable, here’s why” gets the auditor moving on. A vague “we follow industry best practices” gets you flagged for a follow-up call.
Common Frameworks You’ll See
Most questionnaires draw from one of a few standard frameworks. Recognizing them saves time:
- SIG (Shared Assessments Standard Information Gathering) — the most common enterprise questionnaire. SIG-Lite is ~100 questions; full SIG is ~1,000. Most prospects send SIG-Lite or a subset.
- CAIQ (Consensus Assessments Initiative Questionnaire) — cloud-specific, ~300 questions, maintained by the Cloud Security Alliance.
- VSAQ (Vendor Security Alliance Questionnaire) — newer, more concise, less common.
- Custom enterprise questionnaire — many large enterprises maintain their own, usually borrowing 50-70% from SIG.
Recognizing the framework lets you leverage prior responses. If you’ve answered SIG-Lite before, your previous answers cover most of the next SIG-Lite. The first questionnaire is the expensive one; every subsequent one is incremental.
Implementation Notes
Build a response repository. Every answer you write goes into a versioned document keyed by question. The next time the same question appears (and it will), you copy-paste with light editing. Most teams maintain this in Notion, Confluence, or a dedicated GRC tool. The exact tool doesn’t matter; the discipline does.
Track answer-aging. Answers go stale. The MFA coverage you reported six months ago might be different today. Tag every answer with a “last verified” date. Anything older than six months gets re-verified before reuse.
Single owner per response. Group-edited security questionnaires produce inconsistent answers. One person owns the document, with subject-matter reviewers for specific sections. The owner makes the consistency calls.
Don’t lie. Don’t oversell. Both poison the relationship and both come back to haunt you. The CISO will find out: follow-up clarification, contract renewal, or (worst case) a breach investigation. The questionnaire is the start of a trust relationship, not a hurdle to clear.
The Template
Below is the response template for thirty of the most common questionnaire questions, with answer patterns. Adapt the specifics; use the structure.
| # | Question | Answer pattern |
|---|---|---|
| 1 | Do you have a written information security policy? | Yes. Reviewed annually. Last review: [date]. |
| 2 | Do you have a designated CISO or security lead? | [Yes — name + title] OR [Compensating: head of platform engineering, security responsibilities documented in role description] |
| 3 | Describe your background check process for employees. | [Yes — vendor + scope] OR [Compensating: smaller team, manager-led reference checks, documented] |
| 4 | Do you provide security awareness training? | Yes. Annual training via [vendor], plus quarterly phishing simulations. |
| 5 | Do you encrypt data in transit? | Yes. TLS 1.2 minimum on all external endpoints; TLS 1.3 preferred. Internal traffic via [mesh / VPC isolation]. |
| 6 | Do you encrypt data at rest? | Yes. AES-256 via [KMS provider]. Customer-managed keys available on request. |
| 7 | Do you maintain an asset inventory? | Yes. [Tool] reconciled [frequency]. |
| 8 | Do you have a vulnerability management program? | Yes. [Scanner] running [frequency]; SLO of [X days] for critical, [Y] for high. |
| 9 | Do you perform penetration testing? | Yes. Annual third-party pen test via [vendor]. Last test: [date]. Findings remediated. |
| 10 | Do you have a SOC2 / ISO 27001 / HITRUST attestation? | [Yes — current state] OR [In progress — target date] OR [Not currently certified — compensating: SOC 2 readiness assessment, evidence available on request] |
| 11 | How do you manage privileged access? | SSO-integrated, MFA-required, [JIT / standing], audit-logged. Privileged access reviewed quarterly. |
| 12 | Do you have logging and monitoring? | Yes. [Stack]. [Retention period]. Alerts route to 24/7 on-call. |
| 13 | Describe your incident response process. | Documented IR playbook. Severity 1 = page within 5 min, comms within 30 min. Last tabletop: [date]. |
| 14 | Do you maintain backups? | Yes. [Frequency, retention, cross-region status]. Restore drill annual; last: [date]. |
| 15 | Describe your DR posture. | RTO: [X hours]. RPO: [Y minutes]. Tested [frequency]. |
| 16 | Do you have a BCP? | Yes. Reviewed [frequency]. |
| 17 | How do you handle subcontractors/sub-processors? | Maintained list. Annual security review. DPAs in place. |
| 18 | Do you support SSO via SAML/OIDC? | Yes. SAML 2.0 + OIDC. SCIM provisioning available on [tier]. |
| 19 | Do you support customer-managed encryption keys? | [Yes — how] OR [Compensating: AWS KMS-managed with customer-specific key per tenant] |
| 20 | What’s your data residency? | [Region(s)]. Data does not leave [region] without [process]. |
| 21 | How do you handle data deletion / right-to-be-forgotten? | Documented process; X-day SLO. Soft-delete + hard-delete distinction. |
| 22 | Are you HIPAA-compliant? | [BAA available; HIPAA-aware architecture; supporting controls documented] |
| 23 | Are you GDPR-compliant? | [DPA available; sub-processor list maintained; DPO designated] |
| 24 | Are you PCI compliant? | [Yes — level] OR [Not applicable — we don’t process card data, payments go via [provider]] |
| 25 | How long is your data retention? | [Policy + tier-specific retention] |
| 26 | Do you maintain change management? | Yes. Every production change tied to a PR; security-relevant changes require additional review. Audit log retained [period]. |
| 27 | Do you have an exception process? | Yes. Documented. Approvals tracked. Reviewed quarterly. |
| 28 | How do you handle EOL/EOS dependencies? | Automated CVE scanning. SLO of [X] for critical CVEs. Quarterly stack review. |
| 29 | Do you have a security champions program? | [Yes — structure] OR [Compensating: security review on every PR; designated security reviewer in engineering] |
| 30 | Where can I find your trust portal / security page? | Link your security page (ours lives at /security). |
The thirty questions above cover ~70% of any typical questionnaire. The other 30% are environment-specific (your specific tech stack, your specific data flows). With the thirty in place as a baseline, the environment-specific questions become the focused work.
Operating Notes
Treat the questionnaire as a strategic asset, not a tactical inconvenience. The answers tell prospects what you stand for operationally. Brief, honest, specific answers signal that you take security seriously. Hedge-filled, marketing-flavored answers signal that you don’t.
For the first three or four questionnaires your team handles, the founder or CTO should be in the response loop. After that, the response repository is mature enough that a security or platform engineer can run the process end-to-end with senior review only on the trickier questions.
The first questionnaire takes a week. The fifth takes a day. The fiftieth is a copy-paste plus a delta review.