Getting-Started Guide: Responding to Security Questionnaires
Security questionnaires are the most popular method for evaluating an organization’s security program. However, answering hundreds of questions is time-consuming and cumbersome, as anyone responsible for responding to them knows all too well.
So, what can we do to make it easier to respond to security questionnaires?
Step 1: Establish an Intake Process
To improve a process, you often need to look at the first step. When you receive a request for information, or a request to complete a questionnaire, how do you receive it? This initial intake is critical to set questionnaire respondents up for success.
Organizations use intake points to gather critical information up front, providing context for questionnaire requests. These intake points are often made available through:
- Integrations with CRM, enabling sales teams to make requests as a part of the sales cycle
- Webforms on a trust page, enabling businesses to make requests directly from a website
- Email triggers, enabling individuals to send an email to a specific address to kick off a request
By centralizing intake, your organization can better view all requests, simplifying project management and improving response times. Remember, collecting even basic context as part of the intake process is critical. This information can be as simple as:
- Client name
- Requesting individual
- Status of NDA
- Status of trust package (see step 3)
- Any additional context
Step 2: Build a Security Questionnaire Answer Library
To save time when responding to a security questionnaire, you need a library of “go-to” answers that you can reuse. This answer library is critical and can be built either organically as you answer incoming questionnaires or more methodically by basing your library on an industry-standard questionnaire, such as the Shared Assessments SIG Lite or SIG Core. Whichever route you take, every stored answer needs an owner and a review date: controls change, and a reused answer that no longer reflects reality is a misstatement to the customer.
When building an answer library, consider:
- The tool you use, because spreadsheets and word docs can grow cumbersome
- The search quality, because finding an answer should be simple
- The ability to attach evidence, because most questionnaires ask for documentation
- The sorting capabilities, because some answers may pertain to only certain questionnaires
Use our free Questionnaire Response Automation tool to build an answer library and autocomplete any incoming questionnaire.
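As an added example (not code from this guide or from any vendor tool), the following Python sketch shows the core of an answer library: a small constructed set of approved answers with attached evidence and a last-reviewed date, a keyword-overlap matcher for incoming questions, and the two checks a practitioner wants before anything is auto-filled. The matcher abstains when the best match is weak, and it flags answers that have not been reviewed recently. The entry IDs, questions, threshold and review window are all illustrative assumptions.

```python
"""Toy answer-library matcher for security questionnaires.

Added example, not from the original guide or any vendor tool. The library
entries and incoming questions below are constructed sample data; scoring is
plain token overlap (Jaccard), deliberately simple so the failure modes show.
"""
import re
from datetime import date

# Constructed sample library. Each entry holds a canonical question, the
# approved answer, the evidence attached to it, and when it was last reviewed.
ANSWER_LIBRARY = [
    {
        "id": "ENC-01",
        "question": "Is customer data encrypted at rest?",
        "answer": "Yes. All customer data is encrypted at rest using AES-256.",
        "evidence": ["SOC 2 Type II report", "Encryption standard"],
        "last_reviewed": date(2024, 1, 15),
    },
    {
        "id": "ENC-02",
        "question": "Is data encrypted in transit?",
        "answer": "Yes. TLS 1.2 or higher is required for all external connections.",
        "evidence": ["Security whitepaper"],
        "last_reviewed": date(2024, 1, 15),
    },
    {
        "id": "ACC-01",
        "question": "Is multi-factor authentication enforced for employee access to production?",
        "answer": "Yes. MFA is enforced for all production and administrative access.",
        "evidence": ["Access control policy"],
        "last_reviewed": date(2022, 6, 1),  # deliberately old: exercises the stale check
    },
]

# Constructed incoming questionnaire (hypothetical customer wording).
INCOMING_QUESTIONS = [
    "Do you encrypt customer data at rest?",
    "Is data encrypted in transit between your systems and ours?",
    "Do you require MFA for production access?",
    "Is multi-factor authentication enforced for access to production systems?",
]

STOPWORDS = {"is", "are", "the", "a", "an", "of", "to", "for", "do", "does",
             "you", "your", "in", "at", "all", "and"}


def stem(word):
    """Very crude suffix stripping so 'encrypted' and 'encrypt' compare equal."""
    for suffix in ("ing", "ed", "s"):
        if word.endswith(suffix) and len(word) > 4:
            return word[: -len(suffix)]
    return word


def tokens(text):
    """Lowercase, split on non-alphanumerics, drop stopwords, stem; return a set."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {stem(w) for w in words if w not in STOPWORDS}


def similarity(a, b):
    """Jaccard similarity of two token sets, in the range 0.0 to 1.0."""
    ta, tb = tokens(a), tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def autofill(questions, library, threshold=0.4, today=None, max_age_days=365):
    """Map each incoming question to its best library answer.

    Returns one dict per question with the matched entry id (or None), the
    score, and review flags. A weak match is not filled at all; a confident
    match whose answer is older than max_age_days is filled but flagged, so a
    human re-verifies it with the control owner before it goes to the customer.
    """
    today = today or date.today()
    results = []
    for q in questions:
        best, best_score = None, 0.0
        for entry in library:
            score = similarity(q, entry["question"])
            if score > best_score:
                best, best_score = entry, score
        flags = []
        if best is None or best_score < threshold:
            flags.append("no confident match; answer manually")
            best = None
        elif (today - best["last_reviewed"]).days > max_age_days:
            flags.append("answer stale; re-verify with control owner")
        results.append({
            "question": q,
            "match": best["id"] if best else None,
            "answer": best["answer"] if best else None,
            "evidence": best["evidence"] if best else [],
            "score": round(best_score, 2),
            "needs_review": bool(flags),
            "reasons": flags,
        })
    return results


if __name__ == "__main__":
    for r in autofill(INCOMING_QUESTIONS, ANSWER_LIBRARY, today=date(2024, 3, 1)):
        print(f"{r['match'] or '----'}  {r['score']:.2f}  review={r['needs_review']}  {r['question']}")
        for reason in r["reasons"]:
            print(f"      -> {reason}")
```

Run as-is, the third question ("Do you require MFA ...") is left blank because keyword overlap cannot see that "MFA" and "multi-factor authentication" are the same control, which is exactly the case where a tool should abstain rather than guess; the fourth is filled but flagged because the stored answer has not been reviewed in over a year.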
Step 3: Create a Trust Package
Organizations will often use a “trust package” to reduce the likelihood that a questionnaire needs to be completed at all. By proactively demonstrating a strong security, privacy, and compliance program, you can put your customers’ concerns at ease.
A typical trust package may include the following:
- SOC 2
- Security, Privacy, and Compliance Certifications
- Privacy Notice
- Security Whitepaper
- Reliability Metrics
- Disaster Recovery Procedures
Many organizations publish a public-facing version of this package as a trust page on their website.
Step 4: Track Critical Metrics
Do you know whether your security questionnaire response process is working well or in need of an overhaul? To understand how well a team is performing, you need a standard to hold it to.
Some metrics to consider in making that determination may include:
- Total number of questionnaires completed
- Number of questionnaires completed per person
- Hours spent per questionnaire
- Dollar amount associated with each questionnaire
Step 5: Ensure Accountability with an Audit Trail
When refining your questionnaire response process, it’s important that those involved are accountable for their part of it. Team leads can set internal service-level agreements (SLAs) to define response-time expectations. Running the process over email opens the door to mistakes and missed deadlines; a dedicated tool provides an activity trail that records who answered what and when, which also feeds the metrics mentioned above. Simple automation can improve accountability too, such as automated:
- Calendar invites
- Email reminders
- Weekly reports
Respond to More Questionnaires, In Less Time
Questionnaires are here to stay. They remain the primary method to evaluate an organization’s security, privacy, and compliance program. The steps listed above are only a small piece of the solution. Those tasked with responding to questionnaires are looking toward technology, such as Vendorpedia’s Questionnaire Response Automation tool, to automatically answer any custom questionnaire.