Why Enterprise Security Questionnaires Exist
When an enterprise organisation considers a new SaaS vendor, their security and procurement teams need to verify that the vendor won't create compliance or security risk for their business. Most organisations do this through a standardised questionnaire: they send you a spreadsheet with 100-300 questions, and you have a week to answer it.
For a 3-person SaaS startup, this is terrifying. For an enterprise SaaS company without a Trust Centre or security programme documentation, it can kill deals or delay them by weeks.
The good news: the questions are predictable. With the right preparation, you can answer 70-80% of any questionnaire in under an hour by pointing to existing documentation.
The Most Common Questionnaire Formats
| Format | Used By | Length | Best Response |
|---|---|---|---|
| Google VSAQ | Tech companies, startups | ~50-150 questions | Trust Centre + InfoSec Policy |
| SIG Lite / SIG Core | Enterprise, financial services | 140-800 questions | SOC 2 report + evidence library |
| CAIQ (CSA) | Cloud-aware enterprises | ~295 questions | ISO 27001 or SOC 2 + Trust Centre |
| Custom spreadsheet | Any buyer | 50-500 questions | Reusable answer library |
| OneTrust RFP | Privacy-conscious enterprises | ~100-200 questions | Trust Centre + Privacy Policy + DPA |
The 8 Sections Every Questionnaire Covers
Regardless of the format, enterprise security questionnaires cover the same territory. Here's what each section is asking and what you need to have:
1. Data Classification & Handling
What they're asking: What types of data do you handle? How do you classify sensitivity? Do you process special category data, financial data, or healthcare data?
What you need: Data classification scheme (even a simple tiered scheme: public / internal / confidential / restricted), list of data categories you process, clear statement on what you do NOT process.
2. Access Control & Identity Management
What they're asking: Who can access production systems? Is MFA enforced? Do you support SSO? How do you manage privileged access?
What you need: Documented access control policy, MFA policy (including enforcement, not just availability), SSO support (SAML/OIDC), RBAC implementation, privileged access management approach, audit logs.
3. Encryption
What they're asking: Is data encrypted at rest and in transit? What algorithms? Who holds the keys? Can customers manage their own keys?
What you need: Specific answers: AES-256 at rest (AWS KMS / Google KMS / etc.), TLS 1.2+ in transit (TLS 1.3 preferred), HTTPS enforced, key rotation policy. Note if customer-managed encryption keys (CMEK) are available — this matters to large enterprises.
4. Vulnerability Management & Penetration Testing
What they're asking: How do you find and fix vulnerabilities? How often do you pen test? Can you share the report or letter of attestation?
What you need: Named third-party pen test provider, frequency (annual minimum), scope (external network, web application), critical/high/medium patch SLAs, CVE/dependency scanning tools (Dependabot, Snyk), vulnerability disclosure policy.
5. Incident Response & Breach Notification
What they're asking: Do you have an incident response plan? How quickly do you notify customers of breaches? Have you had any breaches in the past 12 months?
What you need: Documented IRP, explicit breach notification commitment (standard: 72 hours; GDPR mandates notification of the supervisory authority within 72h; most enterprise contracts require 24-72h customer notification), clean breach history or disclosure of past incidents.
6. Business Continuity & Disaster Recovery
What they're asking: What's your uptime SLA? Do you have a BCP/DRP? What are your RTO/RPO? Have you tested it?
What you need: Uptime SLA (99.9% is table stakes; 99.95%+ for enterprise), status page URL, BCP/DRP documentation with tested RTO/RPO, backup frequency and tested restore procedures, multi-region or multi-AZ architecture documentation.
7. Vendor & Supply Chain Security
What they're asking: Who are your sub-processors? How do you vet vendors? Do your vendors have security certifications?
What you need: Sub-processor list (published publicly — this answers the question directly), vendor assessment process (even a basic one: SOC 2 required for critical vendors), contractual security requirements from sub-processors.
8. Privacy & Data Protection
What they're asking: Are you GDPR compliant? Will you sign a DPA? Where is data stored? How do we exercise data subject rights? Do you sell data?
What you need: Privacy Policy URL, DPA template (or offer to sign theirs), sub-processor list URL, data residency confirmation, data deletion process, DPO or privacy contact email, explicit "we do not sell data" statement.
Building a Reusable Security Answer Library
The highest-ROI thing you can do for enterprise sales is build a security answer library: a Google Sheet or Notion database with standard answers to the 100 most common questions, indexed by topic. When a questionnaire arrives, you paste from the library rather than writing from scratch.
Structure it as: Question | Our Answer | Supporting Evidence | Evidence Location. The "Evidence Location" column links to your Trust Centre section, InfoSec Policy page, SOC 2 report, Privacy Policy, etc.
Update it quarterly or after any questionnaire where you had to research a new answer.
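The lookup the answer library is meant to support, as an added example that is not part of the original article: a small Python script that holds library rows in the Question | Our Answer | Supporting Evidence | Evidence Location layout described above, matches an incoming questionnaire's questions against them by keyword overlap, and reports which questions the library already covers and which need fresh research (and then a new row). The library rows, the incoming questions and the `trust.example.com` URLs are constructed sample data, and the keyword-overlap matching is an assumption about how such a lookup could work, not a description of any particular tool.

```python
"""Draft questionnaire responses from a reusable security answer library.

Added example, not from the original article. The library rows, the
incoming questions and the evidence URLs are constructed sample data; the
column names follow the article's Question | Our Answer | Supporting
Evidence | Evidence Location layout. Matching is simple keyword overlap,
an assumption about how a library lookup could work.
"""
import re

STOPWORDS = {"do", "you", "your", "is", "are", "a", "an", "the", "of", "to",
             "in", "and", "or", "how", "what", "we", "our", "for", "on", "any"}

# Constructed answer library: one row per standard question.
ANSWER_LIBRARY = [
    {"question": "Is multi-factor authentication enforced for all staff?",
     "topic": "access control",
     "answer": "Yes. MFA is enforced (not optional) for all staff accounts.",
     "evidence": "Access Control Policy, section 4",
     "evidence_location": "https://trust.example.com/policies/access-control"},
    {"question": "Is customer data encrypted at rest and in transit?",
     "topic": "encryption",
     "answer": "Yes. AES-256 at rest via cloud KMS; TLS 1.2+ in transit.",
     "evidence": "InfoSec Policy, encryption section",
     "evidence_location": "https://trust.example.com/policies/infosec#encryption"},
    {"question": "How quickly do you notify customers of a data breach?",
     "topic": "incident response",
     "answer": "Within 72 hours of confirming a breach affecting customer data.",
     "evidence": "Incident Response Plan",
     "evidence_location": "https://trust.example.com/policies/incident-response"},
    {"question": "Do you publish a list of sub-processors?",
     "topic": "vendor management",
     "answer": "Yes. The sub-processor list is public and updated on change.",
     "evidence": "Sub-Processor List",
     "evidence_location": "https://trust.example.com/subprocessors"},
]


def tokens(text):
    """Lower-case word tokens with stopwords removed."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def match_question(incoming, library=ANSWER_LIBRARY, min_overlap=2):
    """Return the best-matching library row, or None if nothing overlaps enough.

    Score = number of tokens shared between the incoming question and the
    row's question plus topic. A score below min_overlap means the question
    is new: research it, then add a row so the next questionnaire is covered.
    """
    wanted = tokens(incoming)
    best, best_score = None, 0
    for row in library:
        score = len(wanted & (tokens(row["question"]) | tokens(row["topic"])))
        if score > best_score:
            best, best_score = row, score
    return best if best_score >= min_overlap else None


def draft_responses(questionnaire, library=ANSWER_LIBRARY):
    """Pair each incoming question with a library answer and evidence link (or None)."""
    drafts = []
    for q in questionnaire:
        row = match_question(q, library)
        drafts.append({"question": q,
                       "answer": row["answer"] if row else None,
                       "evidence_location": row["evidence_location"] if row else None})
    return drafts


def coverage_report(drafts):
    """Summarise how much of the questionnaire the library already covers."""
    answered = [d for d in drafts if d["answer"]]
    unanswered = [d["question"] for d in drafts if not d["answer"]]
    return {"total": len(drafts), "answered": len(answered),
            "unanswered": unanswered,
            "coverage_pct": round(100 * len(answered) / len(drafts)) if drafts else 0}


# Constructed incoming questionnaire; the buyer's wording differs from ours.
SAMPLE_QUESTIONNAIRE = [
    "Do you enforce MFA for all employees with access to production?",
    "Is data encrypted in transit and at rest? Which algorithms?",
    "What is your breach notification timeline to customers?",
    "Do you maintain a published sub-processor list?",
    "Do you hold a PCI DSS attestation of compliance?",
]

if __name__ == "__main__":
    drafts = draft_responses(SAMPLE_QUESTIONNAIRE)
    for d in drafts:
        print(f"Q: {d['question']}\n   A: {d['answer'] or '[research needed]'}")
    print(coverage_report(drafts))
```

The unanswered list is the useful output: it is exactly the set of questions the article says should trigger a library update once you have researched them. A real library will want synonym handling (the sample deliberately misses "enforce" vs "enforced"), but the same coverage loop applies.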
The SOC 2 vs. No SOC 2 Reality
Enterprise security questionnaires become dramatically easier with a SOC 2 Type II report. For questions covering access control, change management, monitoring, incident response, vendor management, and availability — you can simply say "See our SOC 2 Type II report. We can share on NDA." That single sentence closes 40-60% of typical questionnaires.
Without SOC 2, you need to answer each question individually with direct evidence. It's still possible, but it's slower and less convincing. The calculus: if you're closing enterprise deals, the ROI on SOC 2 is usually under 12 months.
What to Do When You Can't Answer "Yes"
Honesty is almost always the right policy. Enterprise security reviewers are experienced — they can tell when answers are vague, evasive, or inconsistent. A few principles:
- "Not yet, but planned" is often acceptable for non-critical controls, especially for startups. Include a concrete timeline.
- Compensating controls can offset gaps. No formal pen test? Explain your automated scanning, bug bounty programme, and code review process.
- Never fabricate. If a buyer discovers you answered "yes" to something that wasn't true, you lose the deal permanently and potentially face legal liability.
- Flag to your sales team. Some gaps may be deal-breakers for specific buyers. Better to know early and decide whether to fix the gap or qualify out the deal.
Your Trust Centre as a Pre-emptive Answer
The most efficient approach is to answer security questionnaires before they arrive — by building a comprehensive Trust Centre. When a prospect's security team visits your website, they find answers to 70% of their questions already documented. The questionnaire, if sent at all, is dramatically shorter.
Use the ComplyKit Trust Centre Generator to build your page, and combine it with these additional documents:
- Information Security Policy — shared with enterprise prospects on request
- Incident Response Plan — proves your IRP is documented
- Sub-Processor List — answers vendor management questions directly
- GDPR Data Processing Agreement — enables DPA signing on request
- BCP/DRP Plan — proves business continuity planning
- SOC 2 Gap Assessment — start your path to SOC 2
⚠️ This guide is for informational purposes only and does not constitute legal or security advice. Enterprise security requirements vary significantly by industry, buyer size, and applicable regulation. Your specific questionnaire responses should be reviewed by your security team and/or legal counsel before submission.