Security Questionnaire
A security questionnaire is a set of questions a buyer sends a supplier to assess how it protects data and manages information-security risk. The supplier completes it during vendor due diligence, usually before a contract is signed and often on a recurring basis afterwards.
What Is a Security Questionnaire?
A security questionnaire, called a vendor security questionnaire in the US and a supplier security questionnaire in the UK, is how a buyer checks that a current or prospective supplier meets its security and data-protection standards before trusting it with systems, data, or infrastructure. It can run from a short checklist of fifteen or twenty items to a detailed document of several hundred questions across a dozen control domains. For the supplier, completing it accurately and on time is often a formal condition of winning a new contract or keeping an existing one, and for many enterprise and regulated buyers an incomplete or unconvincing response is enough to pause or end a procurement process.
Why Do Companies Send Security Questionnaires?
Organisations that handle data are legally and operationally responsible for protecting it, including the portions of that data processed by third-party suppliers. The security questionnaire is how a buyer carries out third-party risk management: it creates a documented record that the buyer evaluated a supplier's security posture before granting access.
This practice is most prevalent in software and technology, financial services, healthcare, and other regulated sectors where data-breach consequences are severe and regulators explicitly require evidence of third-party oversight. Regulations such as DORA (the EU Digital Operational Resilience Act, effective January 2025) and NIS2 mandate that regulated entities manage and document supplier risk, which has driven a significant increase in questionnaire volume across European supply chains. Security questionnaires are typically triggered during initial supplier evaluation, immediately before onboarding, and then at periodic intervals (commonly annually) throughout the relationship.
What Does a Security Questionnaire Cover?
The scope of a security questionnaire reflects the domains where a supplier's weaknesses could expose the buyer to harm. Common coverage areas include:
- Access control and authentication, covering how the supplier manages user accounts, passwords, multi-factor authentication, and privileged access.
- Data protection and encryption, covering how data is classified, encrypted in transit and at rest, and retained or deleted.
- Network and application security, covering perimeter controls, vulnerability management, patch management, and penetration testing.
- Business continuity and incident response, covering disaster recovery plans, recovery-time objectives, and the process for notifying customers after an incident.
- Compliance and certifications, covering whether the supplier holds recognised third-party certifications such as ISO/IEC 27001 or has completed a SOC 2 audit, and how it maps its controls to relevant regulations.
- Subprocessor and supply-chain risk, covering which fourth-party providers the supplier relies on and how it vets them.
Many buyers request supporting evidence alongside the answers. A SOC 2 Type II report, an ISO 27001 certificate, or a penetration-test executive summary can pre-answer large portions of a standard questionnaire and reduce the back-and-forth between buyer and supplier.
What Are the Common Security Questionnaire Frameworks?
Rather than writing bespoke questions from scratch, many buyers rely on shared frameworks that cover standard control domains. This reduces duplication for both sides: a supplier that has answered a SIG questionnaire for one customer can reuse much of that work for another.
| Framework | Full name | Maintained by |
|---|---|---|
| SIG | Standardized Information Gathering | Shared Assessments |
| CAIQ | Consensus Assessments Initiative Questionnaire | Cloud Security Alliance |
| VSA | Vendor Security Alliance questionnaire | Vendor Security Alliance (industry coalition) |
SIG (Standardized Information Gathering)
The SIG questionnaire is maintained by Shared Assessments, a member organisation focused on third-party risk management best practice. It is available in two versions: a lighter SIG Lite (covering the highest-priority control areas) and the comprehensive SIG Full (covering 18 or more domain areas with hundreds of questions). The SIG is structured to map to a wide range of regulatory and industry frameworks, which makes it particularly popular with financial services institutions and large enterprise procurement teams that operate under multiple compliance obligations simultaneously.
CAIQ (Consensus Assessments Initiative Questionnaire)
The CAIQ is published by the Cloud Security Alliance and is designed specifically for cloud service providers. It is built on top of the Cloud Controls Matrix (CCM), a framework of security controls mapped to cloud-relevant regulations and standards. Completed CAIQ responses can be submitted to the CSA STAR registry, a publicly accessible repository where prospective buyers can review a provider's self-assessed security posture before initiating their own evaluation. This makes the CAIQ a common first-stop for buyers assessing SaaS and infrastructure vendors.
VSA (Vendor Security Alliance questionnaire)
The Vendor Security Alliance is a coalition of technology companies that developed a shared questionnaire to reduce the burden of answering hundreds of overlapping assessments. The VSA questionnaire is available in a full version and a shorter core version. Its membership-driven origins mean it reflects the practical priorities of technology buyers and is widely used within the enterprise software sector.
Even with these frameworks in use, many buyers still send their own bespoke spreadsheets or portal-based questionnaires, meaning suppliers regularly answer the same underlying questions reworded differently across multiple simultaneous requests. Holding a recognised certification such as ISO/IEC 27001 or a current SOC 2 report materially reduces this burden, because audited evidence pre-answers a large share of standard control-domain questions.
How Is a Security Questionnaire Different from a DDQ?
A due diligence questionnaire (DDQ) is the broader supplier assessment covering financial stability, legal standing, data protection, governance, and information security. A security questionnaire is the information-security component of that broader evaluation, and is frequently sent either as a standalone document or embedded within a DDQ.
The terms are used loosely and overlap in practice. Some buyers send a combined document and call it a DDQ; others separate the security section and send it independently, often routed to a different internal team (security or IT rather than procurement). In investment and private-equity contexts, "DDQ" typically refers to a fund-manager due diligence questionnaire used by institutional investors, which is a distinct document with different scope. The supplier-security meaning described throughout this entry is the more common usage in B2B procurement.
How Do Suppliers Respond to a Security Questionnaire?
Suppliers answer from a maintained library of approved answers and supporting evidence, mapping each incoming question to an existing response and keeping a qualified reviewer in control before submission. The harder part is operational: the volume of incoming questionnaires, the variety of formats, and the same question reworded across dozens of buyer templates, each with its own deadline. We cover that response process end-to-end in the questionnaire response process guide and on our Security Questionnaire Response page.
Where SEQUESTO Fits
Security questionnaires have two sides: the buyer sends them to assess a supplier, and the supplier completes them to win or keep the business. The SEQUESTO aOS is built for the supplier side of that process.
If your team responds to security questionnaires, the SEQUESTO aOS helps you answer faster from a trusted, reusable knowledge base, keeps every answer accurate, cited, and auditable, and leaves a person in control of the final word before anything is submitted. It ingests an incoming questionnaire in any format, uses Reference Mapping to match each question against your approved answers and evidence, and drafts cited responses for a reviewer to approve rather than author from scratch.
Learn more about Security Questionnaire Response and Security Questionnaire Automation.