According to a recent study by Deloitte, 70% of companies rate their dependency on vendors as moderate to high; and since 2016, half of the respondents experienced a breach as a result of a lack of security in vendor relationships. As third parties gain more access to sensitive client data, organizations need to prioritize holistic information gathering and the instillment of security practices across the vendor ecosystem. The best way for an organization to achieve a holistic understanding of its vendor ecosystem is to gather information from its vendors and organize it in one central location. As a vendor, this means you will receive (and likely already have) dozens of security questionnaires.
What is a security questionnaire?
Security questionnaires are lists of questions sent from clients to vendors to assess the security and privacy measures they have in place. Questionnaires streamline the process of data gathering and allow customers to make sure that the various parts of their vendor ecosystem comply with industry-relevant regulatory frameworks.
As an enterprise requesting information from your vendors, it’s important that the information you gather is concise, clear, and accurate. Conversely, as a vendor, it’s important that you’re able to provide streamlined and accurate data when requested to do so. Both are equally important steps to help an organization achieve a holistic view of its vendor ecosystem and understand its security gaps in the supply chain.
What should a security questionnaire answering process look like?
Implementing a consistent questionnaire answering process will enable your organization to accurately answer all questionnaires faster, share relevant documentation, and better manage all incoming requests. Here are 5 steps that we recommend:
Step 1: Establish an intake process
To improve a process, you often need to look at the first step. When you receive a request for information, or a request to complete a questionnaire, how do you receive it? This initial intake is critical to set questionnaire respondents up for success.
Organizations use intake points to gather critical information upfront, providing context for questionnaire requests. These intake points are often made available through:
- Integrations with CRM, enabling sales teams to make requests as a part of the sales cycle
- Webforms on a trust profile page, enabling businesses to make requests directly from a website
- Email triggers, enabling individuals to send an email to a specific address to kick off a request
By centralizing intake, your organization can better view all requests, simplifying project management and improving response times.
Step 2: Build a security questionnaire answer library
To save time when responding to a security questionnaire, you need a library of “go-to” answers that you can reuse. This answer library is critical and can either be built up organically as you answer incoming questionnaires or more methodically by building your library with an industry-standard questionnaire, such as the Shared Assessments SIG Lite or SIG Core. When building an answer library, consider:
- The tool you use, because spreadsheets and word docs can grow cumbersome
- The search quality, because finding an answer should be simple
- The ability to attach evidence, because most questionnaires ask for documentation
- The sorting capabilities, because some answers may pertain to only certain questionnaires
Use our free Questionnaire Response Automation tool to build an answer library and autocomplete any incoming questionnaire.
Step 3: Create a trust profile
Organizations will often use a “trust profile” to reduce the likelihood that a questionnaire needs to be completed. By proactively demonstrating a strong security, privacy, and compliance program, you can put your customer’s concerns at ease. A typical trust package may include the following:
- SOC2
- Security, Privacy, and Compliance Certifications
- Privacy Notice
- Security Whitepaper
- Reliability Metrics
- Disaster Recovery Procedures
Create and share your own trust profile with our free tool!
Step 4: Track critical metrics
Do you know if your security questionnaire response process is working well or in need of an overhaul? To understand how well a team is performing, you need a standard to hold them against. Some metrics to consider in making that determination may include:
- Total number of questionnaires completed
- Number of questionnaires completed per person
- Hours spent per questionnaire
- Dollar amount associated with each questionnaire
Step 5: Ensure accountability with an audit trail
When refining your questionnaire response process, it’s important that those involved have accountability. To do so, team leads can set internal service-level agreements (SLAs) to define response-time expectations. While operating over email opens the door to mistakes and missed deadlines, leveraging a dedicated tool can provide activity trails to help report on the metrics mentioned above. Simple automation can help improve accountability too, such as automated:
- Calendar invites
- Email reminders
- Weekly reports
Other tips for answering security questionnaires include:
- Establish secure practices to send (and easily revoke access to) security, privacy, and compliance documentation.
- Get organized with a centralized dashboard to manage all incoming requests for information
- Engage key stakeholders in the process, such as IT, Security, Legal, Compliance, and Privacy teams. Provide them with context, and work with them during the answering process.
- Identify key workflow stages and leverage automation there (e.g. intake, delegation, etc.).
Automate security questionnaire responses
Are you constantly responding to security, privacy, and due diligence questionnaires? Questionnaire Response Automation is key in establishing a secure workflow that saves your company time and money.
We’ve designed our Questionnaire Response Automation tool to help you automate the completion of incoming questionnaires (start with the free version today). The tool offers a simple dashboard to collaborate on incoming questionnaires, store all your questionnaire answers and security documentation, as well as automatically answer any assessment. Our answer-matching technology matches your stored answers with incoming questionnaires using Natural Language Processing (NLP), Machine Learning (ML), and OneTrust Athena™ AI.
- Complete Your Next Questionnaire Automatically: Use the Questionnaire Response Automation tool to automatically answer any incoming questionnaire. Answer-matching technology uses NLP, AI, and ML to improve accuracy over time. Review answers and adjust them before sending them back to the requesting organization.
- Maintain a Library of Your Answers from Previously Completed Questionnaires: With Questionnaire Response Automation, eliminate repetitive work by saving answers from your previously completed questionnaires. Attach evidence to each answer in your library to reduce the time spent searching for the right documentation. Use those answers to automatically complete your next incoming questionnaire.
- Create, Manage, and Collaborate on Projects to Streamline Questionnaire Response: Leverage the Questionnaire Response Automation tool as your central hub for handling all incoming questionnaires and requests for information. With the tool, get organized by managing each incoming questionnaire as individual projects. Collaborate internally, and with the requesting organization, to answer questionnaires and provide necessary evidence during security, privacy, and compliance evaluations.
- Securely Share Documents, Certifications, and Audit Reports: Store security, privacy, and compliance documentation for easy access, and when needed, securely send evidence directly through the portal. Take advantage of expiring links to provide and revoke access to sensitive information after a designated time period.
Learn more about Questionnaire Response Automation: Watch the demo video.
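As an added example (not OneTrust's code or the tool's implementation) of the expiring, revocable document links described above, and of the earlier tip to send documentation in a way that lets you easily revoke access: a hypothetical helper that signs each share link with an HMAC over the document id, expiry and a per-link id, so a link is rejected when tampered with, expired, or revoked early. The class name, secret key and document ids are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


class EvidenceShareLinks:
    """Issue expiring, individually revocable links to stored evidence documents.

    Hypothetical helper written for this example; the secret key and document
    ids are constructed sample values, not a real product's API.
    """

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key
        self._revoked: set = set()  # link ids revoked before they expire

    def issue(self, doc_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
        """Return a token 'doc_id|expiry|link_id|hmac' valid for ttl_seconds."""
        if "|" in doc_id:
            raise ValueError("document id must not contain the field separator")
        issued_at = int(time.time() if now is None else now)
        expiry = issued_at + ttl_seconds
        link_id = secrets.token_hex(8)  # lets one link be revoked without affecting others
        payload = f"{doc_id}|{expiry}|{link_id}"
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{sig}"

    def revoke(self, token: str) -> None:
        """Revoke a single link early, e.g. once the customer's evaluation is done."""
        parts = token.split("|")
        if len(parts) == 4:
            self._revoked.add(parts[2])

    def verify(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the document id the link grants access to, or None if rejected."""
        parts = token.split("|")
        if len(parts) != 4:
            return None
        doc_id, expiry, link_id, sig = parts
        payload = f"{doc_id}|{expiry}|{link_id}"
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        # Check the signature first, in constant time, so tampered fields are rejected.
        if not hmac.compare_digest(sig, expected):
            return None
        current = int(time.time() if now is None else now)
        if current >= int(expiry):
            return None  # expired
        if link_id in self._revoked:
            return None  # revoked before expiry
        return doc_id
```

In practice the revoked-id set would live in persistent storage shared by every server that validates links, and the key would come from a secrets manager rather than the code.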
Best practices for answering a security questionnaire
Answering questionnaires is no small feat. Here are the 8 best practices we recommend when tackling the process:
- Understand the “what,” “why,” and “when” of the questionnaire. What questionnaire are you filling out? What is it trying to understand about your company? When is the questionnaire due? Why does compliance with the topic in question matter in this business relationship? All of these questions are important to ask yourself to provide the most streamlined and accurate version of your data to the requestor.
- Only answer what the questionnaire asks. Don’t overwhelm your customer with information they don’t need to know. If they need more technical information, they’ll ask for it. Overwhelming them can compromise the clarity of the data you’re providing and the overall effectiveness of the data gathering.
- Keep an archive of past questionnaires and practice version control with them. How have you answered questionnaires in the past, and do you have any updates to previously outlined policies?
Tip: streamlining your answer process can be made easier by using a questionnaire response automation (QRA) tool.
- Have your compliance documentation at the ready. Does your organization comply with a specific regulation or procedure like SOC2, NIST, ISO 27001, or CIS? Have the appropriate documentation to show at your disposal when you’re answering questions.
- Develop unique answer varieties based on the type of questionnaire you’re answering. Make sure that you’re answering questions and providing data in the lens of the questionnaire that you’re answering. The more questionnaire-specific the answers are, the more clarity the information can provide.
- Be proactive in the questionnaire process. Reach out to your customer and understand their security needs before you begin answering the questionnaire. We know that questionnaires are purpose-built to help requestors gain a more holistic view of their vendor ecosystem, but there might be more to the story. As a vendor, the goal of filling out a questionnaire is to work with your client to provide a secure experience for everyone that interacts with them.
- Have a streamlined intake process. It’s no secret that answering questionnaires can be time-consuming. Having a process in place will reduce the stress of completing long questionnaires or managing multiple questionnaires at one time. Does your organization have a method in place for ingesting a questionnaire?
- Have points of contact for each area of the questionnaire. To accurately provide information on a questionnaire, it’s crucial to have contact information for subject matter experts. When necessary, ask them questions and look over your work to ensure that your customer receives the most accurate information.
OneTrust Vendorpedia offers an easy-to-use solution built to meet automation needs in the questionnaire response process. Start for free today!
Why do organizations send security questionnaires to vendors?
There are many reasons why organizations send security questionnaires to vendors. Most notably, questionnaires are purposed to:
- Help organizations build trust with their vendors: Establishing a relationship of trust means showcasing a dedication to security across the supply chain, ensuring the safety of important customer data. Questionnaires are a great launching point for information gathering and insight into the above categories.
- Assist in entering business relationships: Building business relationships is key in having a successful organization. To do so, it’s common that organizations need security questionnaires answered to provide insight into the maturity of their security program.
- Demonstrate competency in compliance and security controls: Questionnaires are often used to provide tangible evidence that an organization has the necessary security and controls in place and is compliant with relevant regulations in the space.
In addition to increased vendor dependency, the sudden surge in reliance on remote work technology drove a rapid increase in digital transformation, pushing security teams to expand protective measures with a quick turnaround and exposing vulnerabilities for bad actors to exploit in the process. Since then, the number of successful, large-scale cyberattacks has astronomically increased (62% in the last year, to be exact). Perfect examples of this are the recent attacks on the oil and gas, food, and IT industries.
To avoid falling victim to a large-scale cyberattack, organizations must ensure the suppliers they work with have suitable measures in place to identify risk, prevent risk, and respond quickly if they are affected by an attack. This is done by implementing a third-party risk management program operationalized to provide visibility into potential risks, enabling teams to prepare for a potential attack. For example, a third party who cannot provide evidence of a strong security program with appropriate policies and controls may be more susceptible to a ransomware attack.
Organizations should consider the level of risk of a supplier going offline for an extended period as a result of the recent increase in attacks. Can your organization survive if a key supplier or partner is taken offline? Or, do you need additional redundancy or secondary processes to get the organization through such an event? To begin answering these questions, you need to have an awareness of how to evaluate vendors. This and all of the reasons above are why companies send security questionnaires to their vendors.
Explore the importance of vendor risk management.
Understanding how you will be evaluated
It’s important to understand the different means by which an organization can evaluate you as they manage their vendor ecosystem. Here are some of the most common forms of vendor analysis:
- Assessments: Assessments are by far the most common form of evaluation; in a CeFPro survey of 129 enterprises, 90% of customers reported using them to evaluate their vendors.
- Security and privacy certifications: CeFPro also reports that security and privacy certifications are used by 61% of customers to analyze their vendors. To do this, they look at the qualifications that an organization has as evidence in the form of certificates, courses passed, and published security materials like white papers.
- On-site audits: On-site audits are done by 45% of customers (CeFPro). Here, organizations go to the physical location of their vendor and evaluate the security measures that they have in place. On-site audits are typically reserved for the most high-risk vendors.
- Risk exchanges: Third-Party Risk Exchanges are used by 30% of customers to provide visibility into their vendor ecosystem (CeFPro).
Although there are many ways that enterprises can gain visibility into their vendor ecosystem, the most popular means of doing so is through assessments. This means that having a streamlined answering process and a complete understanding of the scope of questionnaires is crucial to any mature security assurance or customer trust program.
What security questionnaire trends are popular?
When answering security questionnaires, it’s important to understand current trends and how they will affect the answering process. There are five trends that security questionnaires commonly follow:
- Customization: Questionnaires will often have unique and customized questions. This is based on specific industry and topic needs, frameworks, or overall company goals. Not all questionnaires are the same, so read them carefully and understand what information is needed and why. When in doubt, ask clarifying questions.
- Framework-based: Questionnaires are often based on popular frameworks (e.g. SOC2, NIST, ISO 27001, CIS, etc.). Familiarizing yourself with them and understanding which frameworks are relevant to your industry is a great place to start when creating or answering questionnaires.
- Risk domain tailoring: Questionnaires will often address numerous risk domains. Some of the most common risk domains include security, privacy, ethics, ESG, and more.
- Resiliency-based: Most questionnaires now focus heavily on business resilience due to the pandemic. Gathering data and having a holistic understanding of what this means for your enterprise will help you through the answering process.
- Evidence Requirements: Many questionnaires will also require you to provide evidence that supports your responses. Make sure that you have preemptively gathered the necessary data and proof to back up your answers prior to answering the questionnaires.
Start autocompleting security questionnaires today with our free tool!
Common security questionnaire obstacles
As companies around the globe transition from spreadsheets to digital processes, many obstacles have made themselves known. In particular, the process of answering security questionnaires has become a pain point for most enterprises. Before going into the process, it’s important to know what you’re going to face. Here are the top 4 obstacles you’ll run into throughout the process:
- Lengthy Questionnaires: Questionnaires are meant to gather all of the necessary information for assessing your company’s security posture across the supply chain. With such a tall order, it’s unavoidable that questionnaires will be detailed and time-consuming. Prepare for the length of questionnaires by instilling a consistent and systematic data gathering process across your enterprise.
- Information gathering: Before gathering the information to prepare for potential questionnaires, ask yourself the following: Who do I work with to find the information that I need? Who should be involved in the data gathering process? What SMEs are the best to consult for each necessary area?
- Process Establishment: As mentioned above, it’s best to establish a universal process before you begin answering the questionnaire and gathering the data needed to do so. What is the best process for filling out these questions, and how can you implement it consistently across your organization?
- Reporting: In tandem with establishing clear processes across the enterprise, it’s increasingly important to move away from ad hoc reporting. The more uniform and consistent your processes are, the less room for error.