Phase 2 of The 5 Phases of Responding to a Security Questionnaire & How to Get Proactive

June 14, 2019

Phase 2: Interdepartmental Communication

Now that any initial panic, stress, or even annoyance has subsided from your receipt of a request to complete a security questionnaire, it’s time to get the right stakeholders at your company in the same room and on the same page.

Given that the reason you are completing this security review has to do with the fact that your business plans to access the data of another business in some fashion, you will want to involve the proper internal departments in order to provide accurate responses and supporting documentation. Security questionnaires group questions by section, so a quick review of each of these sections will give you a pretty good idea of whom you will want to involve.

A few general section examples include:

  • Company Profile (Scope of Service, etc)
  • Policies/Standards
  • Asset Management
  • Human Resources Security Policies & Enforcement
  • Supply Chain Management & Processes
  • Application Security (API Management, Data Retention, etc)
  • Compliance (Internal & External Audit Procedures)
  • Security (Proactive & Reactive, Monitoring, Response, etc)
  • Communications Procedures
  • Access Controls (User, Network, etc)

Information Technology and Information Security Teams typically lead-out when completing a third party vendor security questionnaire. Small business can lump IT/InfoSec into Engineering/Programming/Development or even under the purview of a COO. Regardless of title and/or department, you’ll want to involve the individuals most familiar with each of the aforementioned sections.

Chronologically your Sales Organization was likely involved as security requests are typically part of the latter stages of the sales process. In more optimal situations, Sales Engineers have access to a company repository or contract management system (a central place where records are kept, which we’ll dive into further in Phase 3) in order to populate as much of your company profile as possible before delving into the more involved security sections. Sales is also crucial in identifying/denoting interactions with other partners that would be pertinent within your response. Marketing and Public Relations can also get involved at this point in order to fully consider corporate communications, security of contact, client, prospect lists etc. where relevant. In many cases Human Resources has a seat at the table as employee onboarding, transitions out of your company, and everything in between dealing with how employee cybersecurity is delineated and enforced comes into play.

Legal also has a stake in this process, even if only initial oversight at this phase, as service levels, security posture and incident response are typically incorporated into contracts.

Last but not least is C-Level/Executive involvement. Even if this is to keep company execs apprised of the process, it’s never a bad idea given the bearing security questionnaire responses can have on burgeoning corporate relationships. Additionally, if responding to security questionnaires is something your business does or will do at scale, having a decision-maker involved early can potentially lead to accelerated process-improvement as well as the reduction of any internal “red tape” for you and your company.

Stay tuned for Phase 3. For those looking to review all five phases involved in a security questionnaire response Download the Ebook here

Schedule A Whistic Platform Demo To See How You Can Setup Your Own Security Profile

Risk Management information security cybersecurity gdpr cloud computing

About the author


The latest insights and updates on information security and third party risk management.