You just got the email. Your biggest prospect—the deal that would make your quarter—sent over a security questionnaire.
It’s 200 questions. Half of them you don’t understand. The other half make you wonder if you should even be in business.
Welcome to enterprise sales in 2025.
First: Don’t Panic
Your customer isn’t trying to torture you. They’re doing their job. They have to verify that you’re not going to be the headline in their next breach disclosure.
Every enterprise buyer now requires security due diligence. It’s not optional. It’s not going away.
Security questionnaires come in three flavors:
- SIG (Standardized Information Gathering) - The Shared Assessments industry standard. The full SIG Core runs well past 1,000 questions; buyers usually send a scoped subset of 200-300, or the shorter SIG Lite
- CAIQ (Consensus Assessments Initiative Questionnaire) - The Cloud Security Alliance’s version, mapped to its Cloud Controls Matrix (CCM)
- Custom questionnaires - Homegrown by your customer’s security team (often the worst)
They all want the same thing: proof you take security seriously.
Step 1: Read It First (Don’t Answer Yet)
I know you want to start answering questions immediately. Don’t.
Take 30 minutes and read the entire thing. You’re looking for patterns:
- Questions you can answer with docs you already have
- Questions about controls you have but never documented
- Questions about controls you don’t have (yet)
- Questions that don’t apply to your business
Why this matters: I’ve watched companies spend weeks answering questions in order, only to realize question 180 made their answer to question 12 wrong. You need to see the full picture first.
Step 2: Triage Everything
Sort every question into one of four buckets. Be honest with yourself here.
Green: Easy Wins
You have the control. You can prove it. Answer and move on.
Examples:
- “Do you use multi-factor authentication?” (Yes, Okta for everyone)
- “Is production data encrypted at rest?” (Yes, AWS KMS-backed encryption enabled on every data store, and you can show the setting)
- “Are employee background checks performed?” (Yes, here’s our HR policy)
Yellow: You Have It, But It’s Not Written Down
This is where most startups live. You’re doing the right things, but you never documented them.
Examples:
- Incident response process (you know what you’d do, it’s just in your head)
- Access reviews (you review quarterly, but there’s no policy that says so)
- Backup testing (you take backups, but have never run a restore and recorded the result; do one restore test, and the record becomes your documentation)
The fix: Document it this week. Then answer the question.
Orange: You Don’t Have It, But Can Build It Fast
These are gaps you can close in 30-90 days without breaking the bank.
Examples:
- Vulnerability scanning (implement Qualys or similar)
- Security training (roll out KnowBe4 or similar)
- Vendor risk assessment process (document your approach)
The fix: Commit to a timeline. Show you’re taking it seriously.
Red: You Don’t Have It and It’s Expensive
These are the deal-killers if you’re not careful.
Examples:
- SOC 2 Type II report (6-12 months and $20K+; a Type II covers an observation period of several months, so it cannot be bought in a hurry)
- Annual penetration testing ($15K+)
- 24/7 security operations center ($$$$)
- Dedicated disaster recovery site
The fix: Get strategic. More on this below.
Step 3: How to Actually Answer
Here’s the framework that works:
For Green Items
Be direct. Show evidence.
Bad: “Yes, we use MFA.”
Good: “Yes. We enforce MFA using Okta for all employee access to production systems. See the attached screenshot of the Okta sign-on policy, which shows it applies to every user with no exempted groups.”
The difference? Specificity and proof.
For Yellow Items
Commit to documentation with a timeline.
Bad: “Yes, we do that.”
Good: “Yes. We perform quarterly access reviews. Documentation of our process will be provided by January 20.”
Then actually provide it by January 20.
For Orange Items
Show you understand the requirement and have a plan.
Bad: “Not currently implemented.”
Good: “Not currently implemented. We are implementing quarterly vulnerability scanning using Qualys with target completion of March 15. We can provide scan results beginning April 1.”
Notice the pattern? You’re not making excuses. You’re showing you get it and you’re fixing it.
For Red Items
This is where you need strategy.
You have three plays:
Play 1: Explain Compensating Controls
“We do not currently have a SOC 2 report. As compensating controls, we provide:
- Our information security policy and procedures
- AWS SOC 2 Type II report (infrastructure provider)
- Most recent penetration test results (October 2024)
- Quarterly vulnerability scan reports”
This works when you have legitimate alternatives. Be clear that your provider’s report covers its side of the shared responsibility model (data centers, hypervisors, managed services), not your application, your code, or your access management; reviewers know the difference and will ask.
Play 2: Set Realistic Expectations
“We are pursuing a SOC 2 Type II attestation with target completion of Q3 2025. In the interim, we’re available for a technical security review with your team.”
This works when you’re actively working toward compliance and the customer values transparency.
Play 3: Be Honest About Your Stage
“As an early-stage company serving SMB customers, we have not implemented 24/7 SOC monitoring. Our current security operations include business hours monitoring (8am-6pm ET) with on-call escalation for critical alerts.”
This works when your security posture matches your business stage and target market.
What doesn’t work: Vague promises. “We plan to implement this soon.” Soon isn’t a date.
Step 4: Master the N/A
Many questions won’t apply to your business. But “N/A” alone looks like you didn’t read the question.
Wrong: “N/A”
Right: “N/A - We are a cloud-based SaaS solution with no physical infrastructure. All infrastructure is provided by AWS, whose own SOC 2 Type II report covers the physical and environmental controls.”
Always explain why it doesn’t apply. Show you understood the question and thought about it.
Step 5: What to Actually Attach
Your narrative answers need backup. Prepare these documents:
Must-haves:
- Information Security Policy
- Privacy Policy / Data Processing Agreement
- List of subprocessors (with their security certifications)
- Your cloud provider’s compliance docs (AWS, GCP, Azure)
Should-haves:
- Incident response plan
- Business continuity plan
- Security training records
- Recent vulnerability scan or pen test results (if you have them)
Nice-to-haves:
- SOC 2 report (if you have it)
- ISO 27001 certificate (if you have it)
- Cyber insurance certificate
Pro tip: Create a “Security Documentation Package” with all of this. Update it quarterly. Next time someone asks, you just send the folder.
Emergency Mode: When You Have 48 Hours
Sometimes you don’t have time for the strategic approach. The customer wants answers by Friday or the deal dies.
Here’s the triage:
- Answer all the green questions first (30% of them, probably)
- For yellow questions, commit to documentation dates (don’t try to write policies this week)
- For orange questions, acknowledge the gap and give a timeline (“Implementing by March 31”)
- For red questions, be honest and offer alternatives (“We don’t have SOC 2. Here’s what we do have.”)
Critical: Meet the deadline even if answers aren’t perfect. You can always provide additional documentation later. Missing the deadline kills the deal.
When to Get Help
Call in a professional when:
You have more than 20 red/orange items. This isn’t a questionnaire problem. You have security gaps that need fixing.
The deal is worth more than $100K ARR. Pay someone $5K to help you not lose a $100K deal. The math is obvious.
They want a live security assessment. If they’re asking to interview your security team and you don’t have one, you need representation.
You’re seeing this from every prospect. If every deal stalls on security, fix the root cause. Don’t keep patching answers together. This is when virtual CISO services or security consulting pays for itself.
The Real Issue
If you’re scrambling to answer these questions, you don’t have a questionnaire problem.
You have a security posture problem.
Five years ago, you could get away with a signed attestation letter. Not anymore. Buyers expect real answers backed by evidence.
The solution isn’t to get better at answering questionnaires. It’s to build security that makes questionnaires easy.
What You Actually Need Before the Next One
Stop treating every security questionnaire like a surprise fire drill. Build three things:
1. Security Controls Checklist Know what controls you have, what you’re building, and what you’ve consciously decided not to implement (with reasoning). Update it quarterly.
2. Master Response Document Pre-written answers to the 50 most common questions, customized for your business. About 70% of questions are standard across all questionnaires. Write them once.
3. Emergency Playbook Step-by-step process for when a questionnaire is blocking a deal. Who gets involved? What docs do you produce? What’s the escalation path?
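As an added example that is not part of the original post, here is a small Python triage helper that does the Step 2 bucketing and the Step 3 answer drafting from a controls inventory (the “Security Controls Checklist” and “Master Response Document” above, in code form), then lints every drafted answer for the failure modes the post warns about: a Yellow or Orange commitment with no date, “soon”, a bare N/A, and a Green “yes” with no evidence. The control ids, keywords, evidence file names, dates and sample questions are all constructed for this example; none of it is a real company’s data or a real SIG/CAIQ question.

```python
import re
from datetime import date
from typing import Optional

# Constructed controls inventory. Every control id, status, keyword, evidence
# name and date below is hypothetical, invented for this example.
# status: implemented | undocumented | planned | gap | not_applicable
CONTROLS = {
    "mfa": {"status": "implemented", "keywords": ["multi-factor", "mfa", "two-factor"],
            "evidence": "Okta sign-on policy export (okta-mfa-policy.pdf)"},
    "encryption_at_rest": {"status": "implemented",
                           "keywords": ["encrypted at rest", "encryption at rest"],
                           "evidence": "AWS KMS key policy and RDS/EBS encryption settings"},
    "access_review": {"status": "undocumented",
                      "keywords": ["access review", "access recertification"],
                      "doc_due": date(2025, 1, 20)},
    "vuln_scanning": {"status": "planned", "keywords": ["vulnerability scan"],
                      "plan": "quarterly authenticated vulnerability scanning",
                      "target": date(2025, 3, 15)},
    "soc2": {"status": "gap", "keywords": ["soc 2", "soc2"],
             "compensating": ["AWS SOC 2 Type II report",
                              "penetration test results (October 2024)"]},
    "physical": {"status": "not_applicable",
                 "keywords": ["data center", "physical access", "badge"],
                 "reason": "cloud-based SaaS with no physical infrastructure; "
                           "hosting is provided by AWS"},
}

# Status in the inventory -> the post's colour bucket.
BUCKET_FOR_STATUS = {"implemented": "green", "undocumented": "yellow",
                     "planned": "orange", "gap": "red", "not_applicable": "n/a"}


def match_control(question: str) -> Optional[str]:
    """Return the first inventory control whose keyword appears in the question."""
    q = question.lower()
    for cid, ctl in CONTROLS.items():
        if any(kw in q for kw in ctl["keywords"]):
            return cid
    return None


def draft_answer(question: str) -> dict:
    """Bucket one question and draft an answer in the shape the post recommends."""
    cid = match_control(question)
    if cid is None:
        return {"control": None, "bucket": "unmatched", "answer": ""}
    ctl = CONTROLS[cid]
    bucket = BUCKET_FOR_STATUS[ctl["status"]]
    if bucket == "green":
        answer = f"Yes. Evidence attached: {ctl['evidence']}."
    elif bucket == "yellow":
        answer = f"Yes. Our written procedure will be provided by {ctl['doc_due'].isoformat()}."
    elif bucket == "orange":
        answer = (f"Not currently implemented. We are implementing {ctl['plan']} "
                  f"with target completion {ctl['target'].isoformat()}.")
    elif bucket == "red":
        answer = "Not currently in place. Compensating controls: " + "; ".join(ctl["compensating"]) + "."
    else:
        answer = f"N/A - {ctl['reason']}."
    return {"control": cid, "bucket": bucket, "answer": answer}


# A concrete date: ISO (2025-03-15), "March 15", or a quarter ("Q3 2025").
DATE_RE = re.compile(
    r"\b\d{4}-\d{2}-\d{2}\b"
    r"|\b(?:January|February|March|April|May|June|July|August|September|October|November|December) \d{1,2}\b"
    r"|\bQ[1-4] \d{4}\b",
    re.IGNORECASE,
)
VAGUE_WORDS = ("soon", "shortly", "in the near future", "eventually")


def lint_answer(bucket: str, answer: str) -> list[str]:
    """Return the problems a reviewer would flag before this answer is sent."""
    issues = []
    text = answer.lower()
    if bucket in ("yellow", "orange") and not DATE_RE.search(answer):
        issues.append("commitment without a date")
    if any(word in text for word in VAGUE_WORDS):
        issues.append("vague timing word")
    if bucket == "green" and "evidence" not in text and "attached" not in text:
        issues.append("yes without evidence")
    if bucket == "red" and "compensating" not in text and not DATE_RE.search(answer):
        issues.append("gap with neither compensating controls nor a target date")
    if bucket == "n/a" and re.fullmatch(r"n/?a\.?", text.strip()):
        issues.append("N/A without an explanation of why it does not apply")
    return issues


def triage(questions: list[str]) -> dict:
    """Draft and lint a whole questionnaire; return bucket counts and the answers needing a human."""
    counts: dict[str, int] = {}
    flagged = []
    for q in questions:
        d = draft_answer(q)
        counts[d["bucket"]] = counts.get(d["bucket"], 0) + 1
        problems = lint_answer(d["bucket"], d["answer"])
        if d["bucket"] == "unmatched" or problems:
            flagged.append((q, d["bucket"], problems))
    return {"counts": counts, "flagged": flagged}


# Constructed sample questionnaire (not taken from a real SIG or CAIQ).
SAMPLE_QUESTIONS = [
    "Do you use multi-factor authentication?",
    "Is production data encrypted at rest?",
    "Do you perform periodic access reviews?",
    "Do you run regular vulnerability scans?",
    "Do you have a SOC 2 Type II report?",
    "Describe physical access controls at your data center.",
    "Do you maintain a software bill of materials?",
]

if __name__ == "__main__":
    result = triage(SAMPLE_QUESTIONS)
    print(result["counts"])
    for q, bucket, problems in result["flagged"]:
        print(f"[{bucket}] {q} -> {problems or 'no inventory entry'}")
```

The keyword matching is deliberately crude; in practice you would key the inventory on SIG or CCM control ids where the questionnaire supplies them and fall back to keywords only for custom questions. The lint is the part worth keeping: run it over the finished spreadsheet before it goes out, because the answers that cost deals are exactly the ones it flags.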
Our Startup Security Kit can help you prepare for those questionnaires with a security checklist and an incident response plan template that every questionnaire asks for.
Build the foundation now. Make the next questionnaire a speed bump instead of a crisis.
If you’re staring at a questionnaire right now with too many red flags and a tight deadline, we can help you triage fast.
FAQs
How long should it take to respond?
Well-prepared company: 1-2 weeks. First time doing this: 4-6 weeks. If you’re taking longer than 6 weeks, you’re probably losing the deal.
Can I reuse responses across questionnaires?
Yes. About 70% of questions are identical across SIG, CAIQ, and custom questionnaires. Build a master doc and customize per customer.
What if I can’t answer 30% of the questions?
Be honest about gaps and show a plan to close them. Most buyers accept “we’re working on it with a timeline” over silence or vague answers.
But if you have gaps in critical areas (data encryption, access controls, backups), fix those before pursuing enterprise customers.
Do I need SOC 2 to pass a security review?
No. SOC 2 is an attestation report, not a certification, and it helps because it lets you answer roughly 80% of questions with “See attached SOC 2 report.” But you can pass reviews without it using compensating controls, good documentation, and your infrastructure provider’s own reports.
Read our post on SOC 2 for startups to understand when you actually need it.
Should I hire someone to fill this out?
Not to fill out the questionnaire. You need to answer it because you’re signing off on the answers.
But if you have significant gaps (more than 20% unanswered or “No” responses), hire someone to help you fix the underlying security posture. That investment pays for itself in closed deals.