Questionnaires are a company’s opportunity to perform due diligence on prospective third parties, vendors, partners, and suppliers. The information that can be gathered from questionnaires is critical in the evaluation of business and security practices, and is crucial for compliance with various security standards like National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), Payment Card Industry Data Security Standard (PCI DSS), Federal Risk and Authorization Management Program (FedRamp), and more.
So, what should you expect when you tackle your next questionnaire, and more importantly, how can you improve your responses?
As your team gears up to answer its next questionnaire, there are five key things that you can expect to see: custom questions, framework-based questions, questions across numerous domains, the need for evidence-based answers, and the expectation for further validation when needed.
Step 1: Build Your Primary Answer Library
As your team receives different questionnaires to complete, your team should prioritize moving from ad hoc responses to a centralized process. The best way to do this is by building out an answer library complete with documentation. Leverage a common industry standard framework to do this and add to the library with custom answers as necessary – doing this will create a single source of truth for your team and will help streamline your answering process.
Step 2: Add Answer Libraries as Necessary
Overtime as your programs mature and you answer more questions there will be opportunities to add more answer libraries and break existing ones down by topic. Examples of library types include security, privacy, for RFPs and by product.
Step 3: Keep Answers Straightforward
Within your questionnaire responses, it’s critical to keep your answers straightforward. Questionnaires are formulated to get the necessary information while avoiding marketing, sales and product language. A good rule of thumb is to give the minimum amount of information necessary to answer the question and assume an organization will ask you for more information when needed. As you complete more questionnaires and discover the additional information that organizations are asking for, you can add it to your answer library as it grows and scales.
Step 4: Engage Key Stakeholders
It’s difficult for one person in any company to know everything about the organization. Ensuring that you engage with the right internal and external stakeholders will help support you throughout the answering process. Your organization should have key stakeholders across: IT, security, privacy, legal and compliance.
Step 5: Build an Evidence Library
Build out an evidence library of both shareable documents and reference documents for when you build out your answer libraries. Examples of shareable evidence include SOC reports, ISO certifications and certifications of insurance. You can also reference employee handbooks, policies & procedures and technical measures.
Step 6: Streamline the Intake of Requests
In this phase, your team manages the intake process of requests and looks for ways to streamline how they’re being given to your team. You can do this through an external source like a website or through an internal source, like your intranet or SharePoint. Additionally, your team can look for ways to integrate this process across the business through CRM to enable your sales team.
Step 7: Centralize Security Questionnaire Operations
Moving all of your questionnaire operations onto a singular platform that’s accessible to all participating stakeholders and respondents is your next step to streamlining your processes. Centralization of materials leads to a universal source of truth and helps encourage better organization, collaboration and consistency across the enterprise.
Step 8: Maintain Your Answer & Evidence Libraries
It’s critical that once you’ve streamlined your answering process your team enables a way to continually maintain and update your library. To do this you can set up quarterly meetings with subject matter experts to understand changes in your tech stack, updates to processes and new certifications to ensure that your library is evergreen. Additionally, make sure that you review and subscribe to your release notes to understand what’s in your library and what is changing.
Step 9: Measure Performance & Set Goals
Measuring performance and setting goals is what will allow your company to truly make the shift from ad Hoc questionnaire answering processes to streamlined and centralized answer libraries. To do this your team should track the total number of questionnaires you’re completing in a month, the number of questionnaires team members are taking on at a given time, the amount of time each questionnaire takes to complete, the percentage win rate of responding to assessments and the deal size per each questionnaire.
Step 10: Leverage Automation to Avoid Burnout
Responding to questionnaires is time-consuming and tiresome. How can we better automate the process to take some of the manual processes away from our team? Your team should automate:
In addition to improving your processes, there are other critical factors to consider and your team centralizes and streamlines its questionnaire answering process:
Tip: Creating a trust profile is a great way to avoid answering custom questionnaires is an easy way to take a proactive approach by offering an alternative up front.
Questionnaires are here to stay. They remain the primary method to evaluate an organization’s security, privacy, and compliance program. The steps listed above are only a small piece of the solution. Those tasked with responding to questionnaires are looking toward technology, such as OneTrust’s Questionnaire Response Automation tool, to automatically answer any custom questionnaire.