Since the introduction of the GDPR requirement that data controllers must assess the security of their data processors, organisations have been requiring their key suppliers to complete a security questionnaire. With the increase in the number of ransomware attacks, including some high-profile incidents, many business insurance providers require companies to carry out assessments of their suppliers in order to obtain assurance. This has escalated the demand to complete security questionnaires to include all suppliers, not only data processors.
Businesses, Government and Local Authorities now require the completion of their security questionnaires as part of their procurement process, and in some cases these questionnaires can run to hundreds of questions. Their “one-size-fits-all” approach also means that a small supplier of business services has to complete the same questionnaire as an outsourced HR or IT provider. For small businesses these questionnaires can be daunting, time-consuming and even a barrier to winning new business.
We have helped numerous SME businesses respond to security questionnaires as part of the tendering process and be accepted as suppliers. We have completed the security questionnaires, explaining why particular questions are not relevant or appropriate, what security controls are in place and how those controls manage the risk. Where required, we have produced appropriate supporting collateral such as a security policy, risk assessment or other documentation.
Where companies regularly receive a lot of security questionnaires, we have provided a framework of model answers so that the company can respond to the questionnaires themselves.