Thursday, May 21, 2026

What Is a Security Questionnaire? A Complete Guide for Vendors in 2026

Eva Sušin

A buyer's procurement team forwards a spreadsheet with 627 yes/no questions. Deadline: Friday. The tabs span access control, encryption, sub-processors, incident response, business continuity, and a new section on AI governance you've never seen before. Half the answers live in last quarter's RFP. The other half need input from your CISO, who is preparing for a board meeting.

That is a security questionnaire. And if you sell to enterprise buyers, you will fill out a lot of them.

This guide is for vendors on the receiving end — the people who have to answer. It covers what a security questionnaire actually is, why customers send them, who answers what internally, the standards behind the biggest ones, how long the process really takes, and what separates a fast, accepted response from one that bounces back with follow-ups.

TL;DR

A security questionnaire is a structured set of questions a prospective customer sends to evaluate a vendor's security, privacy, and compliance posture before signing a contract. The questions usually map to recognized standards — most commonly CAIQ, SIG, and HECVAT — though many buyers use custom variants. Answering one typically takes 2–4 hours on the short end and several weeks on the long end, depending on length, completeness of the answer library, and SME availability. The single biggest factor in response speed is whether the vendor has a clean source of truth — not whether the buyer's questions are easy.

What a security questionnaire is

A security questionnaire — also called a vendor security questionnaire, third-party risk questionnaire, or vendor assessment — is a document a buyer uses to evaluate whether they can safely store data with you, run their workflows through you, or grant you access to their environment. It is part of a broader third-party risk management (TPRM) process.

Buyers send security questionnaires because their own compliance obligations extend to their vendors. A buyer with a SOC 2 report has to show its auditor that it assesses and monitors the vendors it relies on (the vendor-management criteria in the Trust Services Criteria, CC9.2), so evidence of vendor due diligence is something the auditor will ask for. If a buyer is regulated under DORA, GDPR, HIPAA, or PCI DSS, it has to demonstrate due diligence over the providers that touch in-scope data. The questionnaire is the artifact that proves they did the work.

Practically, the questionnaire sits in the late-stage sales cycle — usually after the technical evaluation is complete and the contract is in legal review. Procurement won't release the paperwork until the security review clears. That's why "stuck in security review" is such a common reason for late-stage B2B deals to slip a quarter.

Who sends them

Security questionnaires don't all come from the same desk. Four functions inside the buyer drive the request:

  • Procurement — formal vendor onboarding, often via a portal. Procurement is enforcing a checklist, not making a judgment call.
  • Security / InfoSec — deeper technical review, often the team that wrote the questionnaire and reviews answers.
  • GRC (Governance, Risk, and Compliance) — mapping vendor answers to internal control frameworks and audit evidence.
  • Third-party risk teams — at larger buyers, a dedicated team running TPRM end-to-end.

For mid-market buyers you'll often see one person wearing all four hats. For enterprise buyers, the questionnaire passes through each function in turn, which is why response cycles balloon.

What gets asked

Questionnaires vary in length, but the categories are remarkably consistent across buyers. Expect questions in most of these areas:

  • Access control & identity — SSO, MFA, role-based access, joiners/movers/leavers process
  • Encryption — at rest, in transit, key management, customer-managed keys
  • Data handling — classification, retention, deletion, residency, sub-processors
  • Network security — segmentation, WAF, DDoS protection, firewall rules
  • Application security — secure SDLC, code review, dependency scanning, pen testing
  • Vulnerability management — patching cadence, scanning frequency, severity SLAs
  • Incident response — runbooks, notification timelines, tabletop exercises
  • Business continuity & disaster recovery — RPO/RTO targets, last DR test, backup strategy
  • Human resources — background checks, security training, offboarding
  • Vendor management — your own sub-processor list, how you assess them
  • Compliance — SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, FedRAMP, DORA
  • Privacy — DPAs, data subject rights, cross-border transfers
  • AI governance (newer) — model use, training data, customer data in prompts, opt-outs

Buyers in regulated sectors push deeper on specific domains: healthcare buyers want detail on PHI handling; financial-services buyers care about operational resilience; education buyers ask about FERPA and accessibility. The base structure stays the same.

The standards behind the biggest questionnaires

A few standardized questionnaires account for most of the volume vendors see. Knowing them by sight saves time — many "custom" questionnaires from buyers are CAIQ or SIG with the buyer's logo on top.

CAIQ — Consensus Assessments Initiative Questionnaire

CAIQ comes from the Cloud Security Alliance (CSA). It's a downloadable spreadsheet of yes/no questions that map to the controls in CSA's Cloud Controls Matrix (CCM). The current version, CAIQ v4, contains 261 questions covering 197 control objectives across 17 cloud security domains, with multiple questions sometimes needed to fully verify a single control.

CAIQ is the most common questionnaire format vendors see from cloud-first buyers. It's free to download, machine-readable, and pre-mapped to other frameworks (ISO 27001, NIST CSF), which makes it cheap for buyers to issue and fast for sophisticated vendors to respond to. If you sell a cloud-hosted service, whether it runs on AWS, GCP, or Azure, expect a CAIQ. See our CAIQ automation page for the full workflow.

SIG — Standard Information Gathering

SIG comes from Shared Assessments and is the dominant format in financial services and large enterprise. There are two main flavors:

  • SIG Lite — around 128 questions, used for a quick first pass or for lower-risk vendors
  • SIG Core — 627 questions across 21 risk domains, used for vendors that touch sensitive data or critical systems

The 2026 SIG Workbook regrouped controls into organizational, people, physical, and technological categories — a structure familiar to anyone working with ISO 27002. Unlike CAIQ, SIG is licensed (you need a paid Shared Assessments membership to access the latest workbook), but vendors receive the questions in the buyer's spreadsheet so licensing isn't a vendor-side blocker. Our SIG questionnaire page covers SIG Lite vs SIG Core in more detail.

HECVAT — Higher Education Community Vendor Assessment Toolkit

HECVAT comes from EDUCAUSE, Internet2, and REN-ISAC, and it's the de facto standard for selling into colleges and universities. The current version, HECVAT 4.1.5 (released February 2025), consolidates the old Full, Lite, and On-Premise versions into a single workbook of 321 questions across 7 sections, with a dedicated AI/ML domain of 32 questions that distinguishes between machine learning and large language model implementations. If you sell to the higher-ed market, HECVAT will be your primary questionnaire. See our HECVAT automation page for what changed in 4.x.

Custom and hybrid questionnaires

Plenty of buyers — especially large enterprises and regulated industries — issue their own questionnaires that borrow questions from CAIQ and SIG but add internal control language, industry-specific items (e.g. FedRAMP for federal buyers, DORA ICT items for EU financial entities), and bespoke commercial terms. Custom questionnaires are why your answer library cannot just be "the CAIQ filled in once." Reviewers re-phrase, re-order, and re-scope questions you've already answered.

Standards at a glance

A quick mental map of what each looks like in practice:

  • CAIQ v4: 261 yes/no questions across 17 cloud-security domains, delivered as an XLSX; shows up most often from cloud-first SaaS buyers.
  • SIG Lite (2026): roughly 128 questions; used by mid-market buyers for first-pass screening.
  • SIG Core (2026): 627 questions across 21 risk domains; the heavy version, dominant in financial services and large enterprise.
  • HECVAT 4.1.5: 321 questions across 7 sections (including the AI/ML domain); the de facto standard for higher education.
  • Custom: anywhere from 50 to 800+ questions, arriving as XLSX, DOCX, PDF, or a web portal.

Who answers them on the vendor side

This is where new responders are usually surprised: a security questionnaire is rarely a one-person job. Even a SIG Lite of roughly 128 questions will pull from:

  • InfoSec / GRC — the owner of the response, source of truth on policies and controls
  • Engineering — encryption, key management, sub-processors, architecture diagrams
  • IT / SecOps — endpoint controls, MDM, patching, logging
  • Legal — DPAs, sub-processor terms, data residency clauses
  • HR — background checks, training, joiners/movers/leavers
  • Sales engineering — translating technical answers into customer context
  • Sales / account team — owning the customer relationship and deadline

Whistic's research found that 75% of organizations involve multiple teams in vendor assessments, and the average company dedicates 4–6 people to assessments alone. That coordination — not the difficulty of any individual question — is what eats the calendar.

How long they take and why

There is no single honest number, only a range. Industry data points:

  • A typical questionnaire takes 2–4 hours for a short, familiar one, and several days to several weeks for a long custom one (DSALTA, 2025).
  • 88% of organizations take more than two weeks per assessment when done manually (SafeBase).
  • 50% of companies spend more than 20 hours per week on vendor assessments, and 54% receive 11+ questionnaires per month (Whistic).
  • 37% of SaaS sales teams report a deal pushing because of slow security responses, and 35% lost a deal outright (Whistic).

Three things drive the difference between four hours and four weeks:

  1. How well-organized your answer library is. If "encryption at rest" lives in three different documents with three slightly different phrasings, every reviewer pass introduces drift.
  2. How available your SMEs are. Most delay is waiting, not writing. Settle's analysis of the human cost of RFPs and questionnaires found that the bulk of cycle time is coordination, not drafting.
  3. How much format work the export needs. Buyer portals, locked XLSX columns, conditional logic, and character limits all eat time after the answers are written.

What good answers look like

Reviewers don't read every word. They scan for specificity and contradictions. A good security questionnaire answer does three things:

  • Answers the question directly. Yes/no first, then context.
  • Cites the underlying control or policy. Not just "Yes, we encrypt data at rest" but "Yes — AES-256 at rest, managed via AWS KMS. See our SOC 2 Type II report, control CC6.1."
  • Stays consistent with everything else you've submitted. A reviewer who finds two different answers to the same question across two questionnaires will write it down — and ask in the next round.
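The drift problem (the same control phrased three ways in three documents) and the consistency problem (two different answers to the same question across two submissions) are cheap to catch mechanically if the answer library is keyed to your own control IDs rather than to each buyer's question text. The linter below is an added example, not code from this article or from any product it mentions; the library format (one row per submitted answer with buyer, control ID, as-of date, answer text and evidence reference), the control IDs, and the sample rows are constructed for illustration. It flags a control answered "yes" to one buyer and "no" to another, answers that name no evidence a reviewer could request, and answers older than a year.

```python
"""Lint a questionnaire answer library for drift, missing evidence and stale
answers. Added example; the library format and sample rows are constructed."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample library: one row per answer as submitted to a buyer,
# keyed to the vendor's own control ID so the same control can be compared
# across submissions regardless of how each buyer phrased the question.
ANSWER_LIBRARY = [
    {"buyer": "Buyer A", "control": "ENC-01", "as_of": date(2026, 1, 15),
     "question": "Do you encrypt customer data at rest?",
     "answer": "Yes. AES-256 at rest, keys in AWS KMS, rotated annually.",
     "evidence": "SOC 2 Type II, CC6.1"},
    {"buyer": "Buyer B", "control": "ENC-01", "as_of": date(2024, 9, 3),
     "question": "Is data at rest encrypted?",
     "answer": "No. Encryption at rest is on the roadmap.",
     "evidence": ""},
    {"buyer": "Buyer A", "control": "IR-02", "as_of": date(2026, 2, 10),
     "question": "Describe your incident response process.",
     "answer": "Yes. Documented IR plan, tabletop-tested annually (last: 2026-02).",
     "evidence": "IR plan, available under NDA"},
    {"buyer": "Buyer C", "control": "IR-02", "as_of": date(2026, 3, 1),
     "question": "Do you have an incident response plan?",
     "answer": "Yes, we have an incident response plan.",
     "evidence": ""},
]


def stance(answer):
    """Reduce an answer to yes/no/unknown from its leading word. The
    direct-answer-first convention is what makes this reliable."""
    head = answer.strip().lower()
    if re.match(r"(yes|y)\b", head):
        return "yes"
    if re.match(r"(no|n|not yet|partially)\b", head):
        return "no"
    return "unknown"


def lint(library, today, max_age_days=365):
    """Return sorted (kind, control, detail) findings:
    drift        - the same control has both yes and no answers on file
    no-evidence  - the answer names nothing a reviewer could request
    stale        - the answer is older than max_age_days"""
    findings = []
    by_control = defaultdict(list)
    for row in library:
        by_control[row["control"]].append(row)
        if not row["evidence"].strip():
            findings.append(("no-evidence", row["control"], row["buyer"]))
        if (today - row["as_of"]).days > max_age_days:
            findings.append(("stale", row["control"], row["buyer"]))
    for control, rows in by_control.items():
        stances = {stance(r["answer"]) for r in rows} - {"unknown"}
        if len(stances) > 1:
            buyers = ", ".join(sorted(r["buyer"] for r in rows))
            findings.append(("drift", control, buyers))
    return sorted(findings)


def lint_sample():
    """Run the linter over the constructed library as of this article's date."""
    return lint(ANSWER_LIBRARY, date(2026, 5, 21))


if __name__ == "__main__":
    for kind, control, detail in lint_sample():
        print(f"{kind:12} {control:8} {detail}")
```

Run it before every submission, not after: a drift finding means one of the two answers on file is wrong, and the reviewer on the other side will find it if you don't. The stance check deliberately reads only the leading word, which is one more reason to put the direct yes/no first.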

Two short examples.

Question: Do you encrypt customer data at rest?

  • Weak: "Yes."
  • Strong: "Yes. All customer data is encrypted at rest using AES-256. Keys are managed via AWS KMS with annual rotation. Evidence: SOC 2 Type II, control CC6.1; pen-test report dated 2025-11."

Question: Describe your incident response process.

  • Weak: "We have an incident response plan."
  • Strong: "Yes. We maintain a documented incident response plan reviewed annually and tested via tabletop exercises (last test: 2026-02). Severity classification follows NIST SP 800-61. Customer notification: without undue delay, and in any case within 72 hours of confirming a data incident, so customers acting as controllers can meet their own 72-hour deadline under GDPR Article 33. Plan available under NDA."

Notice the pattern: a direct answer, a control reference, an artifact the reviewer can request. Post 8 in this series covers 12 of these question patterns in depth.

Common pitfalls

Three mistakes show up in nearly every first-time response:

  1. Treating it as a sales document. Questionnaire reviewers are not your buying committee. They're not impressed by marketing language; they're checking whether you can do the thing.
  2. Copy-pasting from the last questionnaire without re-reading. Buyer A's question about "data residency" is not the same as Buyer B's question about "data localization." Wrong copy, wrong answer, follow-up.
  3. Letting the deal team write security answers. Account executives writing security responses is the single biggest source of contractual risk — committed controls that the security team didn't sign off on. Lock the answer library down and route every question through a reviewer.

How tools change the response cycle

A decade ago the answer library was a spreadsheet. Five years ago it was a library tool — Loopio, Responsive (formerly RFPIO), Ombud, Qvidian — that stored Q&A pairs and let you search them. Useful, but maintenance-heavy: teams can end up spending more time curating the library than responding from it.

The shift in 2025–2026 is AI grounding. Instead of searching a library for an exact match, modern tools generate the answer from your source documents — your SOC 2 report, your policies, your architecture docs — and cite the passage they used. TrustCloud's comparison of RFP software vs security questionnaire automation draws the same distinction: library tools were built for marketing-style responses, security tools need to pull from your actual security program.

SafeBase reports that AI-assisted questionnaire response can cut completion time by 80% or more — but the gains only land if every generated answer is grounded in a source you can point to. Ungrounded AI on a security questionnaire is a liability, not a productivity tool.
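"Grounded" only means something if it is checked. One way to check it, as an added example that is neither this article's code nor RequestFX's implementation: hold each generated answer to two tests, that every quote it cites appears verbatim in the named source document, and that every concrete specific in the answer text (anything carrying a digit, such as AES-256, 72 or 800-61) occurs in a quote that passed the first test. The source store, the answer records and the citation format are constructed assumptions.

```python
"""Verify that a generated questionnaire answer is grounded: every cited
quote exists verbatim in the named source, and every concrete specific in the
answer is backed by a cited quote. Added example; the source store, answer
records and citation format are constructed."""
import re

# Constructed source store standing in for the policy documents a grounded
# tool would cite from.
SOURCES = {
    "encryption-policy.md": (
        "4.2 Data at rest. Customer data at rest is encrypted with AES-256. "
        "Keys are held in AWS KMS and rotated annually."
    ),
    "ir-plan.md": (
        "The incident response plan is reviewed annually and exercised with "
        "a tabletop test at least once per year."
    ),
}


def _norm(text):
    """Collapse whitespace and case so a quote still matches after line wraps."""
    return re.sub(r"\s+", " ", text).strip().lower()


def specifics(text):
    """Tokens that carry a concrete claim: anything containing a digit, such
    as AES-256, 72, 800-61 or 2026-02. These are the claims a reviewer tests."""
    return [t.strip(".,;:") for t in re.findall(r"[\w.-]+", text)
            if any(c.isdigit() for c in t)]


def verify(answer, sources=SOURCES):
    """answer = {"text": str, "citations": [{"source": str, "quote": str}, ...]}
    Returns (grounded, problems); an answer with no problems is grounded."""
    problems = []
    supported_text = []
    if not answer["citations"]:
        problems.append("no citation attached")
    for cit in answer["citations"]:
        doc = sources.get(cit["source"])
        if doc is None:
            problems.append(f"{cit['source']}: not in source store")
            continue
        if _norm(cit["quote"]) not in _norm(doc):
            problems.append(f"{cit['source']}: quote not found verbatim")
            continue
        supported_text.append(_norm(cit["quote"]))
    support = " ".join(supported_text)
    # A specific is only backed if it appears in a quote that actually exists.
    for tok in specifics(answer["text"]):
        if tok.lower() not in support:
            problems.append(f"specific '{tok}' not backed by any cited quote")
    return (not problems), problems


# Constructed answers: one properly grounded, one with a fabricated rotation
# period and a citation to a document that is not in the store.
GROUNDED_ANSWER = {
    "text": "Yes. Customer data at rest is encrypted with AES-256; keys are "
            "held in AWS KMS and rotated annually.",
    "citations": [{"source": "encryption-policy.md",
                   "quote": "Customer data at rest is encrypted with AES-256. "
                            "Keys are held in AWS KMS and rotated annually."}],
}
UNGROUNDED_ANSWER = {
    "text": "Yes. Data at rest uses AES-256 and keys rotate every 90 days.",
    "citations": [{"source": "encryption-policy.md",
                   "quote": "keys rotate every 90 days"},
                  {"source": "key-policy.pdf",
                   "quote": "rotated every 90 days"}],
}

if __name__ == "__main__":
    for name, ans in (("grounded", GROUNDED_ANSWER),
                      ("ungrounded", UNGROUNDED_ANSWER)):
        ok, problems = verify(ans)
        print(name, "OK" if ok else "REJECT", problems)
```

Note that the ungrounded answer's "AES-256" is flagged too, even though the policy does say AES-256: its only citation failed the verbatim test, so nothing on file backs it. That is the right failure mode; a true claim with a fabricated citation is still an answer you cannot defend in the follow-up round.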

This is the design choice behind RequestFX. We're a responder-side tool built around four ideas: every AI answer cites the exact quote and source document it came from; every answer carries a quality indicator (Complete, Partial, or Not answered) so reviewers know where to focus; the system parses the questionnaire on the way in and writes answers back into the original XLSX file or web portal on the way out (via our Chrome extension); and the knowledge base can pull live from Google Drive so your source of truth stays in one place. A built-in AI agent and per-questionnaire chat sit on top for the cross-functional coordination work.

A note on honest limits: RequestFX does not currently hold SOC 2 or ISO 27001 certification, so we are a poor fit for buyers who mandate those certifications from their vendors as a procurement prerequisite. If that's where you sit, evaluate accordingly.

Where to go from here

If you're staring at your first security questionnaire, the next step is structuring an answer library you can reuse — and pointing the right tool at it.

See how RequestFX automates security questionnaires → /solutions/security-questionnaire-automation