Why customers ask security questions
Customers increasingly ask suppliers to prove that cyber security is being managed properly. This is common where you handle customer data, provide managed services, connect to customer systems or support an important business process.
A supplier security questionnaire is usually an attempt to understand risk. The customer wants to know whether your organisation has appropriate controls, policies and evidence in place.
Start by understanding the request
Before answering, check what the customer is really asking for.
You should understand:
- whether the questionnaire is mandatory;
- whether it relates to a contract, tender or renewal;
- what systems or services are in scope;
- whether evidence is required;
- whether there is a deadline;
- whether the customer expects certification, such as Cyber Essentials or ISO 27001.
Confirming these points first avoids rushed or inconsistent answers.
Avoid optimistic answers
It can be tempting to answer based on what you intend to do or what is written in an old policy. That can create problems later.
Answer based on how your organisation currently operates. If there is a gap, it is usually better to explain the current position and planned improvement than to overstate control maturity.
Customers tend to value clear, honest and well-managed responses.
Gather evidence
Common evidence includes:
- Cyber Essentials or Cyber Essentials Plus certificates;
- security policies;
- access control records;
- MFA configuration evidence;
- vulnerability assessment results;
- incident response plans;
- business continuity or backup information;
- data protection documents;
- supplier management records;
- security awareness training evidence.
Not every questionnaire needs all of this, but having a structured evidence folder can save time.
Keep responses consistent
If different people answer security questionnaires each time, responses can become inconsistent. This can undermine confidence and create additional questions.
It helps to maintain a standard set of approved responses and evidence. These should be reviewed periodically so they stay accurate.
Use the process to identify improvement areas
A questionnaire can feel like an administrative burden, but it can also show where your security position needs to improve.
Repeated questions about MFA, vulnerability management, incident response, supplier assurance or business continuity may highlight areas where customers expect stronger evidence.
Those themes can feed into a security roadmap or vCISO programme.
How Be Secure Cyber can help
Be Secure Cyber can help you interpret customer security questionnaires, prepare evidence, identify gaps and create a realistic improvement plan. We can also support Cyber Essentials, Cyber Essentials Plus, IASME Cyber Assurance and vCISO work where a questionnaire points to wider requirements.
View cyber security consultancy, view vCISO services or speak to us.