A security questionnaire is a structured set of questions a buyer uses to decide whether your company is safe enough to plug into their environment. It sits between “nice website” and “signed MSA” — often after you’ve shared a SOC 2 report, and sometimes instead of waiting for one.
If you sell B2B software, you will fill dozens of these. The goal isn’t literary excellence. It’s an honest, evidence-backed answer the buyer can defend to their auditor.
Why buyers send them
- Map your controls onto their risk taxonomy (not yours).
- Create a paper trail for procurement and info-sec.
- Spot gaps early — MFA, encryption, subprocessors, IR SLAs — before legal burns cycles.
- Compare vendors with a semi-standard scorecard (SIG / CAIQ) or a bespoke sheet.
A polished marketing trust page helps. It does not replace row-level answers when the portal demands them.
Common formats you’ll see
SIG / SIG Lite
Shared Assessments questionnaires used heavily in enterprise and financial services. Structured themes, lots of reuse if you keep a cited answer bank. Deep dive: build a SIG Lite / CAIQ answer bank that doesn’t drift.
CAIQ (Cloud Security Alliance)
Cloud-control focused. Same reuse story: theme → claim → evidence → owner → last verified. Portals change labels; your vault shouldn’t.
Custom Excel / CSV / portal forms
Every buyer invents a slightly different spreadsheet. Underneath it’s still access, data protection, SDLC, logging, vendors, and incident response. Treat custom sheets as a theme-mapping problem, not a brand-new product.
SOC 2 follow-up questionnaires
“Do you have SOC 2?” is the opener. The follow-up sheet asks how you operate now. See how to survive SOC 2 vendor questionnaires.
What a good answer looks like
Three traits, every time:
- Accurate today — not “true in last year’s export.”
- Cited — policy section, architecture note, report excerpt, or runbook ID.
- Honest about gaps — blank or UNVERIFIED beats a made-up yes under deadline pressure.
Buyers follow up on evidence. Confident prose without a pointer just delays the awkward email.
A sane operating model
- Own an evidence vault. Versioned policies, diagrams, report excerpts, runbooks — not a Slack search. Evidence vault guide.
- Answer at the theme layer. One canonical claim per theme, many wordings on top.
- Draft fast, approve slow enough. Automation for retrieval and first draft; humans for what ships. Automation playbook.
- Refresh on change, not on panic. Architecture change → update source → re-export rows. Don’t wait for the next portal deadline.
Step-by-step when a new sheet lands
For a concrete fill sequence (intake → theme map → cite-or-flag → approve → export), use how to fill vendor security questionnaires. That’s the “open the spreadsheet and finish it” companion to this overview.
Where Trustfill fits
Trustfill is built for this exact loop: seed a vault, upload the questionnaire, get cited drafts, keep gaps UNVERIFIED, approve, export. No sales call required — start free or try the sample demo.
Honest comparison of manual reuse vs a cited vault: manual questionnaires vs Trustfill.