The Deal-Blocking Problem
A mid-market SaaS company closes a proof of concept with a Fortune 500 enterprise. The deal looks done. Then procurement sends a 90-question vendor security questionnaire. The founders don't have prepared answers. Half the questions are about controls they haven't formally documented. The deal stalls for weeks. Sometimes it falls through entirely.
This is one of the most common — and most avoidable — sales cycle killers in B2B SaaS. Vendor security questionnaires are not an edge case any more. They're a routine step in enterprise procurement at companies of 1,000+ employees, financial institutions, healthcare organisations, and any company operating under SOC 2, ISO 27001, HIPAA, or NIS2 requirements.
This guide covers what's in these questionnaires, why companies fail them, and how to prepare a response that unblocks deals.
What Is a Vendor Security Questionnaire?
A Vendor Security Questionnaire (VSQ), also called a Vendor Due Diligence Questionnaire (DDQ) or Information Security Questionnaire (ISQ), is a structured document that enterprise security and procurement teams send to potential software vendors before signing a contract.
The purpose is to assess whether the vendor's security posture meets the customer's vendor risk management requirements. Both the SOC 2 Trust Services Criteria (CC9.2, risks from vendors and business partners) and ISO 27001:2022 Annex A controls 5.19 to 5.22 (supplier relationships) expect an organisation to assess the security of its suppliers. Your questionnaire response is how they assess you.
Who sends them:
- Any company with a SOC 2 report (they need to assess their own vendors)
- Any company with ISO 27001 certification (same reason)
- Financial services companies (DORA, internal risk policies)
- Healthcare organisations (HIPAA BAA required before sending PHI)
- Government agencies and contractors (FedRAMP, CMMC)
- Enterprise companies with 1,000+ employees (internal security team requirements)
What they cover: Typically 40–150 questions across access controls, encryption, incident response, availability, data protection, personnel security, compliance certifications, and sub-processor management.
The 12 Categories Enterprise Teams Ask About
| Category | Key Questions | What They're Really Checking |
|---|---|---|
| Security certifications | Do you have SOC 2? ISO 27001? When was the last audit? | Third-party validation of your security controls; reduces their due diligence burden |
| Data protection & encryption | How is data encrypted at rest? In transit? Where is it stored? | Data breach risk; data residency compliance (GDPR, CCPA) |
| Access control | Is MFA enforced? Do you use SSO? How is privileged access managed? | Insider threat and compromised credential risk |
| Network security | What cloud provider? WAF deployed? Network segmentation? | Infrastructure exposure risk; whether prod is protected from dev |
| Vulnerability management | Penetration testing frequency? Is a report available? | Whether known vulnerabilities exist and how fast you patch |
| Incident response | Do you have an IRP? How quickly do you notify customers of breaches? | What happens when something goes wrong; regulatory notification compliance |
| Availability & BCP | What's your uptime SLA? RTO/RPO? Is there a status page? | Business continuity risk; does a service outage break their operations? |
| People security | Background checks? Security training? What happens when someone leaves? | Insider risk; whether security is embedded in HR processes |
| Sub-processors | Who processes your customers' data? Where is the sub-processor list? | GDPR Art. 28 controller-processor chain; supply chain risk |
| Audit logging | What's logged? How long are logs retained? Customer-level audit logs? | Forensic capability; their own audit requirements |
| Data retention & deletion | How long do you retain data? What happens to data on contract termination? | GDPR compliance; data minimisation; contract termination risk |
| Compliance frameworks | Which compliance frameworks do you support for customers? | Whether using your product introduces compliance risk for them |
Why SaaS Companies Fail Vendor Security Questionnaires
The most common failure modes, and what they signal to enterprise security teams:
| Failure Mode | What It Signals to the Buyer | How to Fix |
|---|---|---|
| No SOC 2 report | Security not independently verified; higher vendor risk rating; more due diligence required | Start SOC 2 Type I process; or be explicit about timeline and provide evidence of controls in place |
| "In progress" on everything | Nothing is actually done; security is aspirational not operational | Be honest: list what IS in place now, even if not formally certified |
| MFA not enforced for all staff | Immediate access control finding; often a deal-breaker for financial services | Enforce MFA universally before the deal — it's a fast win |
| No documented IRP | No defined breach notification process; customer would not know how to coordinate in an incident | Create an IRP (1–2 days with a template) and state your customer notification commitment explicitly. Under GDPR Art. 33 a processor must notify the controller without undue delay, and the customer, as controller, has 72 hours from becoming aware to notify the regulator, so commit to a fixed window well inside 72 hours that leaves them time to meet their own deadline |
| No pen test or report unavailable | Unknown attack surface; risk rated higher | Schedule annual pen test; provide executive summary or attestation letter under NDA |
| Sub-processor list not available | GDPR Art. 28 compliance gap; chain of custody for data unclear | Publish a sub-processor list on your website or make it available on request |
| Data deletion policy vague or absent | Data hoarding risk; GDPR Art. 28(3)(g) (return or deletion of data at end of service) and Art. 17 (erasure requests) concern; what happens to data after contract? | Define a clear deletion SLA (30 days after termination is common), state how data subject erasure requests are honoured, and document both |
| No answers to technical questions | Team doesn't know their own infrastructure; raises serious concerns | Prepare a standard response document that the sales team can use immediately |
The SOC 2 Report: Your Best Answer to Most Questions
A SOC 2 Type II report is the single most effective answer to vendor security questionnaires. It pre-answers dozens of questions with third-party verified evidence. Enterprise security teams at sophisticated companies will often accept a SOC 2 report in lieu of a detailed questionnaire response, or use it to verify your answers.
When sharing your SOC 2 report:
- Always under NDA — the report contains your control environment, which is sensitive
- Share the full report, not just the executive summary — enterprise teams want the auditor opinion letter, the management assertion, the system description, and the testing results
- Note the report period — a Type II from 18 months ago is weaker than a recent one; enterprise teams will note the gap
- For Type I: Acceptable as a starting point, but enterprise teams will ask when you're doing Type II
- For bridge letters: If you're between annual audits, a bridge (gap) letter signed by your own management, stating that the controls tested in the last report have continued to operate without material change, extends assurance to the present date. It is a management statement, not an auditor opinion, and buyers weigh it accordingly
If you don't have a SOC 2 report yet, the next best option is to provide a completed security questionnaire with evidence attachments (policy documents, architecture diagrams, pen test executive summaries).
Standard Questionnaire Formats: SIG, CAIQ, and Custom
Enterprise customers use several standardised questionnaire formats. Knowing which one is coming helps you prepare:
| Format | Who Uses It | Length | How to Handle |
|---|---|---|---|
| SIG (Standardised Information Gathering, from Shared Assessments) | Financial services, enterprises with mature procurement | Several hundred questions (SIG Lite) up to well over a thousand (SIG Core / full SIG); exact counts change with each annual release | Complete the SIG once and reuse; map your SOC 2 controls to its questions |
| CAIQ (Consensus Assessments Initiative Questionnaire, from the Cloud Security Alliance) | CSA STAR programme, cloud security focus | ~260 questions in CAIQ v4, mapped to the 17 domains of the Cloud Controls Matrix | Complete CSA STAR Level 1 (a free self-assessment published in the STAR registry) to pre-answer |
| Custom questionnaire | Most enterprise customers | 40–150 questions | Prepare a standard security Q&A document; copy relevant answers |
| Security review call | Very large deals, high-risk assessments | 30–60 minute call | Prepare your CISO or security lead with standard answers; have documentation ready |
Building a Reusable Vendor Security Response
The most time-efficient approach is to create a master security response document — essentially a pre-completed questionnaire covering all standard topics. This document:
- Reduces deal cycle time significantly (days, not weeks)
- Gives sales reps a document they can send immediately without waiting for an engineer
- Is updated once centrally (not re-answered per deal)
- Can be extended with customer-specific answers when needed
What to include in your master security response:
- Company overview and product description
- Security certifications (SOC 2, ISO 27001, Cyber Essentials, etc.) with dates and availability
- Data protection: encryption methods, data hosting locations, DPA availability
- Access control: MFA enforcement, RBAC, PAM, access reviews
- Network security: cloud infrastructure, WAF, DDoS, segmentation
- Vulnerability management: pen test schedule, report availability, bug bounty
- Incident response: IRP summary, breach notification timeline, monitoring
- Availability: SLA, RTO/RPO, status page, BCP
- People security: background checks, security training, offboarding
- Sub-processors: list availability, change notification process
- Data retention and deletion: policy, timelines, customer data export
- Audit logging: scope, retention, customer access
- Compliance frameworks supported
- Security contact information
The Fastest Wins Before Your Next Enterprise Deal
If you don't have time to get SOC 2 certified before your next deal, these are the fastest wins that address the most common questionnaire failures:
| Win | Time to Implement | Questions It Answers |
|---|---|---|
| Enforce MFA for all staff on all systems | 1 day where your SSO/IdP already fronts the system; longer for standalone accounts (cloud consoles, CI, registrars) that must be enrolled individually | MFA enforcement, access control, authentication |
| Create a documented IRP | 1–2 days | Incident response, breach notification, monitoring |
| Publish a sub-processor list | 2 hours | Sub-processor transparency, GDPR Art. 28, supply chain |
| Draft a DPA | 1 day | GDPR compliance, data processing, controller-processor relationship |
| Define data deletion policy | 2 hours | Data retention, post-termination deletion, GDPR Art. 17 |
| Schedule a penetration test | Book it today | Pen testing, vulnerability management — shows intent even if not done yet |
| Create a security response document | 4–8 hours with this generator | All 12 categories — gives sales team a ready answer to any questionnaire |
Generate Your Vendor Security Questionnaire Response
Use the SOC 2 Vendor Security Questionnaire Generator to create a complete, pre-filled vendor DDQ response document based on your actual security posture — covering all 12 standard categories that enterprise procurement teams ask about.
Related generators: SOC 2 Gap Assessment, SOC 2 Evidence Pack, SOC 2 System Description, TPRM Policy, Information Security Policy.
Related reading: SOC 2 System Description Guide, SOC 2 Management Assertion Letter Guide, SOC 2 Gap Analysis Guide.
⚠️ This guide is for informational purposes only and does not constitute legal or compliance advice. Vendor security questionnaire responses should be reviewed for accuracy by your security team before distribution to enterprise customers.