How to Survive Vendor Security Questionnaires


Clients demanding compliance? Try these tried and true principles…

It’s happened. You’ve built your offering, won a bunch of early customers, rung the bell. Then, your sales leader tells you that the team has landed the massive deal that its been working on with ACME Corp. But, to close and start reaping the rewards, there is one last hurdle you need to overcome. Compliance. The dreaded “supplier cyber security checklist.”

Third-party risk, or supply chain risk, has been a huge concern for large companies lately. As they’ve gotten their internal houses in order, they’ve recognized that their data no longer lives solely inside the boundaries of their organizations. It’s outside too, in a hodgepodge of SaaS and cloud-service providers. With the added flexibility comes added risk.

So how are they managing the newly introduced, third-party risk?

  • One off: develop cyber security checklists based on internal policies or principals that suppliers must comply with.

  • Standards based: rely on proven external standards including ISO27001, SOC 2 Type 2 or NIST and request that suppliers demonstrate alignment, certification or ongoing compliance.

  • Regulatory driven: mandate that suppliers must comply with the same industry standards that drive the organization’s own compliance initiatives (i.e. GDPR, HIPAA, PCI, FedRamp, NIST DFARS)

Tackling compliance

Have you found yourself in a similar compliance scenario? Ideally, you’ve been a security superstar from the start. But the reality is, you’ll probably have some work to do to comply with clients’ specific requirements.

Pick a core standard

Think about your sales targets and your geography, and pick a core standard that can act as an anchor for your organization. If you handle credit card data, it could be PCI. If you’re a service provider, SOC 2 Type 2 is often a good choice. Sell a lot to US companies? NIST. If you’re active in the EU/globally, ISO27001/27002 is a good foundation. All standards have some overlap, so if you tackle one of the big standards, you’ll likely hit most of the requirements of other standards if they arise as requirements.

Designate a lead

Every critical project needs to be managed properly. It’s important to choose someone senior enough so he/she can manage the work and budget and champion the initiative. Project management is also a priority. You may choose to designate an existing employee or hire one. Alternately, you can rely on third-party expertise. Outside professionals experienced with the standard can accelerate the process and lower your costs.

Consider tools

If you expect to live in a large, complex compliance framework for a long period of time, tracking with spreadsheets and word documents will prove inefficient and cumbersome. Using GRC tools to help organize, manage and collect various compliance artifacts will save a ton of time and effort.

Perform a gap assessment

It’s important to know where you are and what’s required to get you to your desired state. Those insights can help to shape the scope of work.

Recognize that it’s a process

In the early days, it may be enough to “align” with a standard and have a goal for achieving compliance/certification or an attestation. Eventually, you’ll want to fix a date – driven by an audit, third-party agreement or some other external requirement – that your team aligns to and rallies behind. Once you’ve completed the audit and achieved your status (although there may be remediation steps along the way), you’ll need to periodically re-assess and update your workflows and process to deal with changes to the standards and your environment.