The Questions that 96% of Enterprise Security Questionnaires Ask
March 18, 2021
We've talked frequently about what to expect on enterprise security questionnaires. When founders know what to anticipate on those types of questionnaires, they get a head start on preparing proactively. That preparation can make all the difference when it comes to persuading a large enterprise that a startup is mature enough to be relied upon for business critical operations.
But, a sticking point in those conversations between founders and enterprise compliance teams can be... well... compliance. Some compliance obligations are not ones that can be satisfied overnight; some take weeks or months (and occasionally years) to get right.
So, founders are especially wise to try to anticipate what compliance questions they might face in enterprise security questionnaires. With that information in hand, founders are equipped to go on the dual track that we most frequently recommend: preparing compensating controls until compliance can be fully achieved, while also beginning to pursue formal compliance (even if that takes a while). We see this very frequently with SOC 2: we often find that our clients are able to satisfy an IT compliance team by demonstrating sophistication on the types of controls that are often relevant to SOC 2, even if they don't yet officially have a clean SOC 2 report supplied by an auditor. When they do finally obtain the report, it further cements their credibility with the enterprise they are doing business with.
That's the backdrop. So, what are enterprise security questionnaires asking, when it comes to compliance? Here's what we know from our analysis of the enterprise security questionnaires in our internal archive:
96% of Enterprise Security Questionnaires ask...
In our analysis, 96% of enterprise security questionnaires ask at least one regulatory or compliance question. The topics they ask about are wide-ranging (and candidly, not always well-structured). Here are some of the popular topics that come up:
- Discovery Questions: these questions appear to be designed to induce disclosure from the vendor/startup about what regulatory obligations they have. Paraphrasing, they typically ask something like "Are your products/services subject to any regulatory requirements?"
- Specific Regulatory Obligations: it's no surprise when a question about GDPR or HIPAA comes up, for example, especially if the enterprise is subject to these regulatory obligations and therefore wants to make sure their vendors aren't doing anything to create new/undesired regulatory exposure.
- Specific Compliance Requests: even if an enterprise has no particular legal obligation to do so, they may very well ask about SOC, ISO 27001, or other types of compliance.
Here's our experience in each of those areas, and some perspective on how negotiable (or not) these parts of enterprise security questionnaires are.
In our experience, the discovery questions in enterprise security questionnaires require a straightforward response. Founders need to exercise caution because their response may be incorporated by reference into a Master Services Agreement as a representation.
Specific Regulatory Obligations
In our experience, specific regulatory obligations require founders to either (honestly, correctly) state that they are compliant, or to make a case that their particular work with the enterprise is not subject to the specified regulation. For example, a startup serving an enterprise in a project that is very specifically designed to only serve employees / users / customers in the U.S. may be able to make the case that they have no GDPR obligation.
Specific Compliance Requests
Lastly, in our experience, specific compliance requests are the most hotly debated area. For example, an enterprise that routinely asks all prospective vendors if they have a SOC 2 report is almost certainly willing to bring on some vendors that haven't yet achieved that type of compliance. We don't view enterprise security questionnaires as requirements lists that must be 100% fulfilled; we view them as an opening salvo in what an enterprise would ideally want a vendor to look like.
However, it's often a nuanced dance between the vendor and the enterprise, wherein the vendor works through dozens or hundreds of security questions to demonstrate that they have a sophisticated security program... even if they don't quite have a SOC 2 report yet.
Enterprise Security Questionnaires: Keeping the Big Picture in Mind
96% of enterprise security questionnaires ask about regulatory/compliance matters, and 82% ask about at least one specific regulatory or compliance framework such as HIPAA, GDPR, ISO 27001, SOC 2, FedRAMP, or FIPS.
Realistically, most enterprises that do business with any early-stage vendors will have some vendors that they agree to do business with even if the vendor doesn't have every regulatory or compliance checkbox "checked". However, it might take some tactful debate and discussion to get there. We wish you well in that endeavor, and we're standing by to help if you prepare.