Guide

Security questionnaires, explained

SIG Lite, CAIQ, custom Excel, portal tabs — same pain, different wrappers. Here’s what these forms are for, what “good” answers look like, and how to stop rewriting them from scratch every deal.

A security questionnaire is a structured set of questions a buyer uses to decide whether your company is safe enough to plug into their environment. It sits between “nice website” and “signed MSA” — often after you’ve shared a SOC 2 report, and sometimes instead of waiting for one.

If you sell B2B software, you will fill dozens of these. The goal isn’t literary excellence. It’s an honest, evidence-backed answer the buyer can defend to their auditor.

Why buyers send them

  • Map your controls onto their risk taxonomy (not yours).
  • Create a paper trail for procurement and info-sec.
  • Spot gaps early — MFA, encryption, subprocessors, IR SLAs — before legal burns cycles.
  • Compare vendors with a semi-standard scorecard (SIG / CAIQ) or a bespoke sheet.

A polished marketing trust page helps. It does not replace row-level answers when the portal demands them.

Common formats you’ll see

SIG / SIG Lite

Shared Assessments questionnaires used heavily in enterprise and financial services. Structured themes, lots of reuse if you keep a cited answer bank. Deep dive: build a SIG Lite / CAIQ answer bank that doesn’t drift.

CAIQ (Cloud Security Alliance)

Cloud-control focused. Same reuse story: theme → claim → evidence → owner → last verified. Portals change labels; your vault shouldn’t.

Custom Excel / CSV / portal forms

Every buyer invents a slightly different spreadsheet. Underneath it’s still access, data protection, SDLC, logging, vendors, and incident response. Treat custom sheets as a theme-mapping problem, not a brand-new product.

SOC 2 follow-up questionnaires

“Do you have SOC 2?” is the opener. The follow-up sheet asks how you operate now. See how to survive SOC 2 vendor questionnaires.

What a good answer looks like

Three traits, every time:

  • Accurate today — not “true in last year’s export.”
  • Cited — policy section, architecture note, report excerpt, or runbook ID.
  • Honest about gaps — blank or UNVERIFIED beats a made-up yes under deadline pressure.

Buyers follow up on evidence. Confident prose without a pointer just delays the awkward email.

A sane operating model

  1. Own an evidence vault. Versioned policies, diagrams, report excerpts, runbooks — not a Slack search. Evidence vault guide.
  2. Answer at the theme layer. One canonical claim per theme, many wordings on top.
  3. Draft fast, approve slow enough. Automation for retrieval and first draft; humans for what ships. Automation playbook.
  4. Refresh on change, not on panic. Architecture change → update source → re-export rows. Don’t wait for the next portal deadline.

Step-by-step when a new sheet lands

For a concrete fill sequence (intake → theme map → cite-or-flag → approve → export), use how to fill vendor security questionnaires. That’s the “open the spreadsheet and finish it” companion to this overview.

Where Trustfill fits

Trustfill is built for this exact loop: seed a vault, upload the questionnaire, get cited drafts, keep gaps UNVERIFIED, approve, export. No sales call required — start free or try the sample demo.

Honest comparison of manual reuse vs a cited vault: manual questionnaires vs Trustfill.

Ready to stop rewriting the same answers?

Trustfill drafts cited answers from your evidence vault. You approve. You export. Start free.

Or jump straight to signup.