Questionnaires are a company’s opportunity to perform due diligence on prospective third parties, vendors, partners, and suppliers. The information gathered from questionnaires is critical in the evaluation of business and security practices, and is crucial for compliance with security standards such as those from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), the Payment Card Industry Data Security Standard (PCI DSS), the Federal Risk and Authorization Management Program (FedRAMP), and more.
So, what should you expect when you tackle your next questionnaire, and more importantly, how can you improve your responses?
What to expect in your next security questionnaire
As your team gears up to answer its next questionnaire, there are five key things that you can expect to see: custom questions, framework-based questions, questions across numerous domains, the need for evidence-based answers, and the expectation for further validation when needed.
- Custom questionnaires: Expect custom questionnaires with unique questions. 84% of the questionnaires being sent out are in-house custom questionnaires. Customers are no longer sending a standard questionnaire to be filled out; they want specific information that is tailored to their goals.
- Framework-based questionnaires: Despite being custom, the questionnaire will likely be based on an industry framework. SIG (including SIG Lite) and NIST are the two frameworks organizations most often use to inform their questionnaires. Additionally, custom questions are based on the following:
  - Industry expectations, regulations and jurisdictions
  - Security frameworks
  - TPRM frameworks
  - Privacy laws
  - Regulatory influences and bodies
- Numerous domains covered: As digital transformation persists, organizations are responsible for tracking and mitigating risk across numerous domains. Some domains include:
  - Risk management
  - Security policy
  - Environmental, social & governance
  - Disaster recovery & incident management
  - Cloud hosting
  - Compliance
- Evidence-based answers: It is becoming critical that all answers are evidence-based. What kind of reports and data do you have to inform the answers that you’re giving on the questionnaire? Do you have third-party validation to support every answer that you’re giving?
- Further validation: In many cases further validation will be required to approve questionnaire answers. This can look like an onsite or remote audit to ensure the items reported in the questionnaire are accurate. Typically, this is required when a business or vendor is considered high-risk.
10 steps to improving your responses
Step 1: Build Your Primary Answer Library
As your team receives different questionnaires to complete, it should prioritize moving from ad hoc responses to a centralized process. The best way to do this is by building out an answer library complete with documentation. Leverage a common industry standard framework as the basis for the library and add custom answers as necessary. This creates a single source of truth for your team and streamlines your answering process.
Step 2: Add Answer Libraries as Necessary
Over time, as your programs mature and you answer more questions, there will be opportunities to add more answer libraries and break existing ones down by topic. Examples of library types include security, privacy, RFP and per-product libraries.
Step 3: Keep Answers Straightforward
Within your questionnaire responses, it’s critical to keep your answers straightforward. Questionnaires are formulated to get the necessary information while avoiding marketing, sales and product language. A good rule of thumb is to give the minimum amount of information necessary to answer the question and assume an organization will ask you for more information when needed. As you complete more questionnaires and discover the additional information that organizations are asking for, you can add it to your answer library as it grows and scales.
Step 4: Engage Key Stakeholders
It’s difficult for one person in any company to know everything about the organization. Engaging the right internal and external stakeholders will support you throughout the answering process. Your organization should have key stakeholders across IT, security, privacy, legal and compliance.
Step 5: Build an Evidence Library
Build out an evidence library of both shareable documents and reference documents to draw on when you build out your answer libraries. Examples of shareable evidence include SOC reports, ISO certifications and certificates of insurance. You can also reference employee handbooks, policies & procedures and technical measures.
Step 6: Streamline the Intake of Requests
In this phase, your team manages the intake of requests and looks for ways to streamline how they reach your team. You can do this through an external source like a website or through an internal source like your intranet or SharePoint. Additionally, your team can look for ways to integrate this process across the business through your CRM to enable your sales team.
Step 7: Centralize Security Questionnaire Operations
Moving all of your questionnaire operations onto a singular platform that’s accessible to all participating stakeholders and respondents is your next step to streamlining your processes. Centralization of materials leads to a universal source of truth and helps encourage better organization, collaboration and consistency across the enterprise.
Step 8: Maintain Your Answer & Evidence Libraries
It’s critical that once you’ve streamlined your answering process your team enables a way to continually maintain and update your library. To do this you can set up quarterly meetings with subject matter experts to understand changes in your tech stack, updates to processes and new certifications to ensure that your library is evergreen. Additionally, make sure that you review and subscribe to your release notes to understand what’s in your library and what is changing.
Step 9: Measure Performance & Set Goals
Measuring performance and setting goals is what will allow your company to truly make the shift from ad hoc questionnaire answering processes to streamlined and centralized answer libraries. To do this, your team should track the total number of questionnaires you’re completing in a month, the number of questionnaires team members are taking on at a given time, the amount of time each questionnaire takes to complete, the percentage win rate of responding to assessments and the deal size associated with each questionnaire.
Step 10: Leverage Automation to Avoid Burnout
Responding to questionnaires is time-consuming and tiresome. How can you automate the process to take some of the manual work away from your team? Your team should automate:
- Intake
- Delegation
- Reminders
- Answers (this includes your library and introducing AI to answer questionnaires)
- Review of suggested responses
Critical considerations
In addition to improving your processes, there are other critical factors to consider as your team centralizes and streamlines its questionnaire answering process:
- Offer an alternative up front: Is there any way that your team can offer an alternative to custom questionnaires? Be proactive in your information sharing by creating a package of your certifications, white papers and policies to share with organizations before being asked to complete a custom questionnaire.
  Tip: Creating a trust profile is an easy way to take a proactive approach, offering an alternative up front and avoiding the need to answer custom questionnaires.
- Build a list of key stakeholders: Building a list of key stakeholders ensures that you’re able to understand the impact your process has across the organization and enables you to have subject matter experts to reach out to as you centralize your processes.
- Take a comprehensive approach: Good people and good technology result in success for a team. Take a comprehensive approach by hiring top talent and setting them up for success by integrating technology into their workload. This will help avoid burnout and increase efficiency over time.
How can OneTrust help with security questionnaire response?
Questionnaires are here to stay. They remain the primary method to evaluate an organization’s security, privacy, and compliance program. The steps listed above are only a small piece of the solution. Those tasked with responding to questionnaires are looking toward technology, such as OneTrust’s Questionnaire Response Automation tool, to automatically answer any custom questionnaire.