You've won the business on merit. The contract's as good as signed. Then procurement sends over a spreadsheet with 150 security questions and a due date, and suddenly the whole deal is waiting on you to explain your "incident response process" and whether you enforce "cryptographic controls at rest and in transit".
If that's landed in your inbox recently, you're not alone. Vendor security questionnaires have quietly become the gate every supplier has to walk through to sell to an enterprise or government buyer in Australia. The good news: they're very answerable. The bad news: a vague or defensive answer can stall a deal for weeks — or lose it to a competitor who answered cleanly.
Here's how to handle one properly.
What a vendor security questionnaire actually is
It's a due-diligence check. When a larger organisation brings you on as a supplier, you become part of their supply chain — and, from their auditor's point of view, part of their attack surface. If you get breached and you're holding their data, that's their problem too. The questionnaire is how they satisfy themselves (and their own auditors, and increasingly their own regulators) that working with you doesn't quietly import risk.
You'll see them under a few names — vendor risk assessment, third-party risk questionnaire, supplier security assessment, or a named standard like a SIG (Standardised Information Gathering) questionnaire or a CAIQ (Consensus Assessments Initiative Questionnaire). The format varies from a five-question email to a 300-row spreadsheet, but they're all asking the same thing: how do you protect information, and can you prove it?
What the buyer is really asking
Behind the jargon, almost every question maps to one of a handful of concerns:
- Access — who can get to data, and how is that controlled? (MFA, least privilege, offboarding.)
- Data protection — is data encrypted in transit and at rest? Where is it stored? Who's your cloud provider?
- Detection and response — would you know if something went wrong, and what would you do about it?
- Governance — do you have written policies, and does someone actually own security?
- Certification — can an independent party vouch for any of this? (This is where ISO 27001 and Essential 8 come in.)
Once you can see the concern behind the question, the answer writes itself. "Do you enforce cryptographic controls?" is just "is the data encrypted, yes or no, and how".
The five rules of answering well
1. Answer the question that was asked
Procurement teams read a lot of these. They can tell instantly when you've dodged. If the answer is "yes", say yes and describe the control in one sentence. If it's "no", don't bury it — see rule 4.
2. Be specific, not aspirational
"We take security very seriously" is a non-answer and it reads like one. "All users authenticate to Microsoft 365 with multi-factor authentication enforced by Conditional Access policy" is an answer. Name the control, name the tool, done.
3. Map your answers to a framework
If your controls line up with a recognised framework — ISO 27001, the ACSC Essential 8, NIST — say so explicitly. It lets the buyer tick their box faster and signals that your security is structured, not improvised. A single line like "this control aligns with ISO 27001 Annex A.8 and Essential 8 (multi-factor authentication)" does a lot of work.
4. Handle gaps honestly — with a plan
You will not answer "yes" to everything. Nobody does. A gap answered with a remediation date beats a gap you tried to fudge. "MFA is enforced for all administrative accounts today; rollout to all standard users completes by [date]" is a perfectly good answer that shows control, not weakness. Auditors trust a supplier who knows their own gaps far more than one who claims perfection.
5. Keep an answer library
The second questionnaire asks 80% of the same questions as the first. Keep every answer you've written in one document, mapped to the framework, and reuse it. What takes a fortnight the first time takes an afternoon the third time. This is the single biggest time-saver, and almost nobody does it until they've suffered through three of these.
What to do if you're not there yet
Sometimes the questionnaire arrives and the honest answer to a lot of it is "not yet". That's a normal place to be — it usually just means you've grown into deals that expect more than you've formally documented.
Two moves, in order:
- Do a gap assessment. Map every question to what you actually have in place. You'll almost always find you're doing more than you can currently prove — the controls exist, they're just not written down or centralised. That's a documentation job, not a rebuild.
- Prioritise by what unlocks the deal. You don't need to be perfect to pass; you need credible answers and dated commitments for the gaps. Fix the ones the contract actually depends on first.
If the same buyers keep asking, that's the signal it's time for a formal credential. Essential 8 gives you a concrete, government-recognised maturity level to point at. ISO 27001 gives you an independently audited certificate that answers most of the questionnaire before it's even asked — a lot of enterprise buyers will accept an ISO 27001 certificate in place of their own questionnaire entirely. Either one turns "let me get back to you" into "here's our certificate".
Where we come in
Answering vendor security questionnaires on our clients' behalf is one of the things we do most — it's why we describe ourselves as a compliance-first MSP rather than just a helpdesk. We'll take the spreadsheet off your desk, map it to your real controls, write the answers in language procurement accepts, and flag the gaps worth closing before they cost you a deal. And if the pattern says it's time for Essential 8 or ISO 27001, we implement that too, with ISO 27001 Lead Auditors on staff.
If there's a questionnaire sitting in your inbox right now, book a free compliance gap analysis and we'll walk through it with you. Not sure where you stand? Start with the free Essential 8 self-assessment — 24 questions, five minutes, an instant maturity score.
Frequently asked questions
What is a vendor security questionnaire? A due-diligence assessment sent by a larger organisation before they take you on as a supplier. It asks how you protect information — access controls, encryption, incident response, governance, and certifications — so they can confirm that working with you doesn't add risk to their supply chain. Common formats include the SIG and CAIQ questionnaires.
How long does it take to complete one? The first one is the slowest — often one to two weeks if you're gathering evidence from scratch. Once you keep a reusable answer library mapped to a framework, later questionnaires can take an afternoon.
Do I need ISO 27001 to answer a vendor security questionnaire? No, but it helps enormously. Many enterprise buyers will accept an ISO 27001 certificate in place of their own questionnaire, because an independent auditor has already verified your controls. Without it you can still answer well by mapping your existing controls to a recognised framework like the ACSC Essential 8.
What if I have to answer "no" to some questions? That's normal and it won't necessarily lose you the deal. Answer honestly and attach a remediation date — "in place for admin accounts now, all users by [date]". Auditors trust a supplier who knows their gaps over one who claims perfection.
Can someone else answer it for me? Yes. Your IT Managers answers vendor security questionnaires on behalf of Australian businesses — mapping questions to your real controls, writing procurement-ready answers, and flagging the gaps worth closing.