Phase 1 of The 5 phases of Responding to a Security Questionnaire & How to Get Proactive

June 01, 2019

Phase 1: Initial Panic

Over the coming weeks, we’ll dive into the key phases of responding to a security questionnaire.

Given the current state of cybersecurity and information security, odds are that you have been involved in responding to a security review, or more specifically in completing a security questionnaire at the request of one of your business partners. With the volume of vendor assessments Whistic sees across our SaaS platform, it is no exaggeration to say that we field many questions from vendors asking why they are being asked to complete a security questionnaire, followed by how to “do it right”, and so forth.

It’s evident that companies realize that, in order to access another entity’s data, they must follow established protocols for properly vetting third parties and mitigating risk. Electronic Data Interchange (EDI) is proliferating, as is our dependence on the cloud. As a primer, examples of industry-standard questionnaires and frameworks include (in alphabetical order):

CAIQ:
Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance (CSA).

CIS First 5 & CIS Top 20:
The Center for Internet Security’s prioritized set of security controls (the CIS Controls), frequently used as an audit checklist; the “First 5” are the first five of the twenty controls.

GDPR & GDPR Processor Questionnaire:
The EU General Data Protection Regulation, and questionnaires that assess a vendor’s obligations as a data processor under it.

HECVAT:
Higher Education Cloud Vendor Assessment Tool from EDUCAUSE, used by colleges and universities to assess cloud vendors.

ISO 27001:
The International Organization for Standardization’s standard for information security management systems (ISMS), against which an organization can be certified.

NIST CSF:
The National Institute of Standards and Technology Cybersecurity Framework.

Privacy Shield:
Frameworks designed by the U.S. Department of Commerce together with the European Commission and the Swiss Administration to govern transatlantic transfers of personal data.

SIG, SIG Core, & SIG Lite:
Standardized Information Gathering questionnaires from the Shared Assessments Program, in full (Core) and abbreviated (Lite) versions.

VSAQ:
Vendor Security Alliance Questionnaire from the VSA, a coalition of technology companies committed to improving internet security.

Whether you’re working through your first questionnaire or it’s been a while since you completed one, it’s important to approach the process with optimism and a level head. Nobody wants to explain to their manager that a potential deal or partnership was lost because the company could not respond to a security review appropriately, yet that is a painful reality some must endure.

It’s quite possible your business doesn’t have a robust information security team. That is fine: multiple departments should be involved in completing a security questionnaire, and there are resources available to step you through the process. Below are a few quick-reference articles that provide further insight and context for the uninitiated, or for those who need a refresher:

The Most Commonly Requested Documents You Need In Order to Respond to Security Questionnaires

Empower Your Sales Team to Respond to Security Questionnaires

Solve the NDA Pain During Your Next Security Review: Whistic Security Profile Update

It’s important to give the questionnaire the appropriate priority and turnaround time when completing and returning it to the requestor. A prompt, complete response expedites the flow of data necessary to conduct business, and, equally important, presents your security posture as one that fosters trust moving forward.

Since panic and stress typically don’t help get things done, Whistic recommends staying calm upon receipt of a security compliance request, so you can start getting organized in an efficient manner.

If you’re the type of person that eats their dessert first, or doesn’t like waiting (absolutely nothing wrong with either in our opinion by the way), feel free to download the Ebook here.
