8 best practices for answering security questionnaires

Brianna Smith, Content Marketing Specialist, OneTrust | GRCP
April 20, 2022


According to a recent study by Deloitte, 70% of companies rate their dependency on vendors as moderate to high, and since 2016 half of the respondents have experienced a breach that resulted from an insecure vendor relationship. As third parties gain more access to sensitive client data, organizations need to gather security information across the whole vendor ecosystem, establish consistent security practices there, and follow security questionnaire best practices.

The best way for an organization to achieve a holistic understanding of its vendor ecosystem is to gather information from its vendors and organize it in one central location. As a vendor, this means you will receive (and likely already have received) dozens of security questionnaires.

Let’s take a look at some security questionnaire best practices:


Why are security questionnaires important?

Security questionnaires are lists of questions sent from clients to vendors to assess the security and privacy measures the vendor has in place. Questionnaires streamline data gathering and let customers confirm that the various parts of their vendor ecosystem comply with the regulatory frameworks relevant to their industry.

As an enterprise requesting information from your vendors, it is important that the information you gather is concise, clear, and accurate. Conversely, as a vendor, it is important that you can provide streamlined and accurate data when asked for it. Both are equally important steps toward a holistic view of the vendor ecosystem and an understanding of the security gaps in the supply chain.

Now, let’s look at some of the best practices for completing a vendor security questionnaire. 

8 Security questionnaire best practices

  1. Understand the “what,” “why,” and “when” of the questionnaire. What questionnaire are you filling out? What is it trying to learn about your company? When is it due? Why does compliance with the topic in question matter in this business relationship? Asking yourself these questions up front lets you give the requestor the most streamlined and accurate version of your data.
  2. Only answer what the questionnaire asks. Don’t overwhelm your customer with information they don’t need. If they need more technical detail, they will ask for it. Volunteering extra material reduces the clarity of the data you provide and the overall effectiveness of the data gathering.
  3. Keep an archive of past questionnaires and practice version control with them. How have you answered questionnaires in the past, and have any of the policies you described since changed? A dated answer library lets you reuse prior responses and spot answers that are now out of date. (Tip: a questionnaire response automation (QRA) tool can streamline this process.)
  4. Have your compliance documentation at the ready. Does your organization comply with a specific standard or framework such as SOC 2, NIST, ISO 27001, or CIS? Keep the supporting documentation at hand while you answer, and check that the report or certificate you cite is current and that its scope actually covers the product or service being assessed.
  5. Tailor your answers to the type of questionnaire you are answering. Provide data through the lens of that particular questionnaire: the more questionnaire-specific the answers are, the more clarity the information provides.
  6. Be proactive in the questionnaire process. Reach out to your customer and understand their security needs before you begin answering. Questionnaires are purpose-built to give requestors a more holistic view of their vendor ecosystem, but there may be more to the story. As a vendor, your goal in completing a questionnaire is to work with your client to provide a secure experience for everyone who interacts with them.
  7. Have a streamlined intake process. It is no secret that answering questionnaires is time-consuming. Having a process in place reduces the stress of completing long questionnaires or managing several at once. Does your organization have a defined method for ingesting a questionnaire?
  8. Have points of contact for each area of the questionnaire. To answer accurately, you need contact details for the subject matter experts who own each area. Ask them questions when necessary and have them review the relevant answers so that your customer receives the most accurate information.

OneTrust Vendorpedia offers an easy-to-use solution built to meet automation needs in the questionnaire response process. Request a demo today.
