How To Fill Out Cyber Security Questionnaires

One of the hats we often wear for our customers and partners is that of a virtual chief information security officer (vCISO). The role of the vCISO is to help align the strategic business needs of the organization with cyber security processes, technology, and staff. vCISOs are a cost-effective way for organizations to get ongoing, expert cyber security strategy support as they grow.

In a typical year, we’ll get a few handfuls of requests from our clients to help them respond to cyber security questionnaires. There are plenty of other names for these questionnaires (information security questionnaire, comprehensive business risk questionnaire, etc.) but the gist is that some vendor, customer, or partner has sent our customer what is typically a rather long (dozens to low-hundreds of pages) document with tons and tons of cyber security and information technology questions.

Our team can knock these questionnaires out for our clients quickly due to our methodology of using the NIST Cybersecurity Framework (CSF) to underpin all of our security support. But for organizations without cyber security support that may not be familiar with these types of questionnaires, they can be quite a challenge to fill out successfully.

We wanted to provide some best practices to help organizations fill out these questionnaires with the least amount of hassle possible, so read on to learn more.

Do I Really Need To Fill Out This Questionnaire? I Mean, Really?

The majority of these questionnaires are designed to help vendors, customers, or partners understand the cyber security risk of doing business with the questionnaire’s recipient. They want to be sure that the organizations that they are working with are adhering to basic cyber security best practices, have solid cyber security hygiene, and are going to be good stewards of access and data on behalf of the organization sending the questionnaire.

Organizations typically send out these questionnaires when new contracts are about to be (or already have been) signed via an automated workflow. The best, first thing that you can do when you receive one of these questionnaires is to review the questionnaire and contract. Next, think critically about the relationship you’ve got with the organization. If, for example, you’re a nonprofit that is receiving donations from the organization sending the questionnaire but not otherwise exchanging data or providing access to IT systems, there’s a good chance that you can make a case for an exception. Sometimes organizations get a bit too mired in policies and procedures and overwhelm even arm's-length partners with arduous documentation requirements.

If you think you can qualify for an exemption to filling out this questionnaire based on the type of work and relationship with the organization providing the questionnaire, get in touch with the team responsible for reviewing the questionnaire and raise your concerns. Ask for a meeting to discuss the questionnaire and your relationship with the part of their organization that is responsible for the questionnaire and see if you can get an exception to filling it out. If that works, then great. If not, proceed to the next section.

Filling Out The Questionnaire

Let’s say you’ve got to fill out the questionnaire - now what? Don't fret, we’ve got you covered.

Read through the questionnaire and see which of the questions you may be able to answer with “not applicable”. There may be quite a lot that don’t apply to you, based on the type of service you’re providing, the relationship you have with the organization, and your own IT environment.

For the remainder of the questions, get in touch with your IT department or managed service provider (MSP) to have them help you fill out the questionnaire. If you don’t have an IT department or MSP, find the person on your team that’s responsible for the IT environment and work with them to fill out the questionnaire as best as you can.

Send over your completed questionnaire and ask for feedback. Sometimes the cyber security team responsible for reviewing the questionnaire will be happy with your responses, sometimes they will not. If not, ask for detailed feedback to help guide you in updating the questionnaire. Sometimes, they need just a bit more detail in order to approve the questionnaire and move forward.

If they remain unsatisfied with your answers, consider building a roadmap to address the deficiencies that the organization has identified. We have a fair number of customers that have come to us after going through these questionnaires and realizing that their cyber security is lacking. They see a competitive advantage in upping their cyber security game to help them win more business with organizations that send these types of questionnaires and also to make their organization more resilient against cyber attacks.

In these situations, we review the questionnaires and feedback for our clients, hold workshops to identify specific security tasks, and establish a roadmap to knock out the tasks. In almost 100% of the cases where we do this, providing feedback in the questionnaire that a formerly deficient item is going to be addressed in the third quarter of such-and-such fiscal year is enough to allow our customers to pass through the questionnaire gauntlet.
