Security Questionnaire
A security questionnaire is a structured set of questions one organization sends another — usually a customer to a vendor — to assess how it protects data and systems. Common formats include the SIG, CAIQ, RFP security sections, and custom spreadsheets, and answers must be consistent, evidence-backed, and reviewed before they are returned.
Synonyms: vendor security questionnaire, third-party security questionnaire, security assessment questionnaire, due diligence questionnaire
A security questionnaire is how a prospective or existing customer verifies that a vendor handles data and systems responsibly before or during a contract. Questions span access control, encryption, data residency, incident response, business continuity, subprocessors, and compliance posture. They arrive as standardized frameworks (SIG, CAIQ), as the security section of an RFP, or as bespoke spreadsheets.
Because the same questions recur across every customer, the work is less about writing new answers and more about retrieving the right approved answer, citing the evidence behind it, and getting sensitive responses reviewed before they leave the building. Treating each questionnaire as a tracked record — with cited evidence, an owner, an approval step, and an audit trail — keeps answers consistent and defensible when a control changes or an audit revisits them later.