STEP-BY-STEP
Answer any security questionnaire, step by step.
SIG, SIG Lite, CAIQ, SOC 2 evidence requests, ISO 27001 supplier questionnaires, HIPAA BAAs, cyber insurance applications, PIPEDA and Law 25 reviews — different spreadsheets, same six steps. Run the process once and the next questionnaire arrives mostly answered.
We've been there
Scenario one: the quarter-end security review.
Not a testimonial — a pattern. It repeats often enough that the service and the stack behind this page exist because of it.
The win
The largest deal in the company's history clears sales engineering at the end of the quarter. Every technical question answered, every configuration implemented and working. The champion calls it a success and says they're moving ahead.
The gate
Procurement routes the order through vendor security review — standard policy, no exceptions. The purchase order sits unreleased until the security team signs off. Their first request: the SOC 2 report.
The wall
There is no SOC 2 report, and the honest disclosure of that triggers plan B: a long security questionnaire arrives instead, asking for proof of controls — several of which don't exist yet. The deal everyone celebrated is now stalled in front of a reviewer who never saw the demo.
The way through
Not silence, and not a hopeful yes. Triage the questionnaire and answer truthfully — the six steps below. Close the provable gaps with deployable open-source controls that produce evidence the reviewer can check. And put certification on a real track with a compliance readiness sprint, so the next review starts from yes.
Here is the process that survives that review:
The process
Six steps. Any questionnaire.
The format changes; the work does not. This is the same process we run on every engagement — written down so you can run it yourself.
Triage and tag every question
Read the whole document before answering anything. Tag each question by domain — access control, encryption, incident response, BCP/DR — and by who in your company actually knows the answer. Ten minutes of triage saves three days of forwarding spreadsheets.
Map to your answer library
Most questionnaires are the same questions in a different spreadsheet, so check what you have already answered before writing anything new. No library yet? Start one with the free SIG Lite answer-library template — this questionnaire becomes its first entries.
Answer to what you actually run
Write answers grounded in the controls you operate today, not the ones on the roadmap. Optimistic answers get signed into contracts, and twelve months later someone has to make them true. Precise beats impressive.
Cite evidence on every yes
Every "yes" should point at something a reviewer can check: a policy name and revision date, an audit report section, a config export. An uncited yes reads like a hopeful yes, and reviewers pattern-match it accordingly.
Handle gaps honestly
When the truthful answer is no, say no — then add the compensating control you run today and where the gap sits on your roadmap. A defensible no survives the follow-up call. A vague yes does not.
Keep the library; verify dates next time
File every answer into the library before you send the document back. When the next questionnaire arrives, most of it is already answered — your only job is verifying that the dates, versions, and scope are still true.
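Steps one, two and six are mechanical enough to script. The following Python is an added example, not the page's playbook or the downloadable CSV template: it tags each incoming question by domain, matches it against a small constructed answer library by token overlap, and then decides whether the library entry can be reused, needs its evidence date re-verified, is an uncited yes, or is new. The column names, keyword map, 0.4 similarity threshold and 365-day freshness window are all assumptions; the library rows and the incoming questionnaire are constructed sample data.

```python
"""Triage an incoming questionnaire against an answer library (added example)."""
import csv
import io
import re
from datetime import date

# Constructed answer library. Column names are an assumption, not the template's.
LIBRARY_CSV = """id,domain,question,answer,evidence,evidence_date
A-001,access control,Is multi-factor authentication enforced for all users?,Yes,IAM Policy v3 (rev 2024-02-10); Keycloak realm export,2024-02-10
A-002,encryption,Is customer data encrypted at rest?,Yes,AWS KMS key policy export,2023-01-15
A-003,logging,Do you maintain and review audit logs?,Yes,,2024-05-01
A-004,incident response,Do you have a documented incident response plan?,No,Compensating: on-call runbook v1; IR plan on Q3 roadmap,2024-04-20
"""

# Constructed incoming questionnaire: same questions, different spreadsheet's wording.
INCOMING = [
    "Is MFA enforced for all user accounts?",
    "Is data encrypted at rest using industry-standard algorithms?",
    "Are audit logs retained and reviewed on a defined schedule?",
    "Do you maintain a business continuity and disaster recovery plan?",
]
TODAY = date(2024, 9, 1)  # fixed "today" so the example is reproducible

# Step 1 (triage): domain keyword map. Assumed; extend to your own taxonomy.
DOMAIN_KEYWORDS = {
    "access control": {"mfa", "multi", "factor", "authentication", "access", "privileged", "sso"},
    "encryption": {"encrypted", "encryption", "tls", "kms", "key"},
    "logging": {"audit", "logs", "log", "siem", "retention"},
    "incident response": {"incident", "forensics", "breach"},
    "bcp/dr": {"continuity", "disaster", "recovery", "backup", "backups"},
}
STOPWORDS = {"is", "are", "do", "you", "your", "for", "all", "a", "an", "the", "on", "and", "of", "using"}
SYNONYMS = {"mfa": ("multi", "factor", "authentication"), "2fa": ("multi", "factor", "authentication")}


def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def stem(word):
    """Crude stemmer: 'reviewed' -> 'review', 'logs' -> 'log'. Applied to both sides."""
    if len(word) > 4 and word.endswith("ed"):
        return word[:-2]
    if len(word) > 3 and word.endswith("s"):
        return word[:-1]
    return word


def normalize(text):
    """Token set for matching: drop stopwords, expand synonyms, stem."""
    out = set()
    for w in tokens(text):
        if w in STOPWORDS:
            continue
        for expanded in SYNONYMS.get(w, (w,)):
            out.add(stem(expanded))
    return out


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def tag_domain(question):
    words = set(tokens(question))
    best, best_hits = "untagged", 0
    for domain, keywords in DOMAIN_KEYWORDS.items():
        hits = len(words & keywords)
        if hits > best_hits:
            best, best_hits = domain, hits
    return best


def load_library(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def best_match(question, library):
    """Step 2 (map): the library entry whose wording overlaps most with the question."""
    q = normalize(question)
    best, best_score = None, 0.0
    for entry in library:
        score = jaccard(q, normalize(entry["question"]))
        if score > best_score:
            best, best_score = entry, score
    return best, best_score


def is_stale(entry, today, max_age_days):
    """Step 6 (verify dates): evidence older than the window, or undated, must be re-checked."""
    if not entry["evidence_date"]:
        return True
    return (today - date.fromisoformat(entry["evidence_date"])).days > max_age_days


def triage(questions, library, today, threshold=0.4, max_age_days=365):
    rows = []
    for q in questions:
        entry, score = best_match(q, library)
        row = {"question": q, "domain": tag_domain(q), "match": None, "score": round(score, 2)}
        if entry is None or score < threshold:
            row["status"] = "new"       # never answered before: route to the owner of that domain
        else:
            row["match"] = entry["id"]
            if entry["answer"].strip().lower() == "yes" and not entry["evidence"].strip():
                row["status"] = "cite"  # an uncited yes: find the artifact before reusing it
            elif is_stale(entry, today, max_age_days):
                row["status"] = "verify"  # evidence outside the window: confirm date, version, scope
            else:
                row["status"] = "reuse"
        rows.append(row)
    return rows


def run_example():
    return triage(INCOMING, load_library(LIBRARY_CSV), TODAY)


if __name__ == "__main__":
    for row in run_example():
        print(f'{row["status"]:6} {row["match"] or "-":6} {row["domain"]:17} {row["question"]}')
```

Run as written, the first question reuses A-001, the encryption question matches A-002 but is flagged for re-verification because its evidence dates from 2023, the logging question hits A-003 and is flagged as an uncited yes, and the BCP/DR question is new. Token overlap is a deliberately simple matcher; the point is the decision logic around it, which is the part a spreadsheet never enforces.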
Each step is expanded — with examples and the failure modes — in the full playbook.
Pick your questionnaire
Same six steps. One step changes weight.
Each guide covers the format's structure, who sends it, and the step that deserves most of your attention.
SIG
Sent by enterprise procurement and vendor-risk teams via Shared Assessments. The step that differs: triage matters most — SIG Core runs to hundreds of questions, so tag and route before anyone answers.
SIG Lite
The shorter SIG, common for mid-size deals. The step that differs: mapping — our free CSV template pre-structures the answer library, so most rows start half-answered.
CAIQ
Sent by cloud-savvy buyers via the Cloud Security Alliance. The step that differs: answering — CAIQ is yes/no with a shared-responsibility column, so be exact about what is yours vs. your cloud provider's.
SOC 2 evidence requests
Sent by buyers who want proof, not promises. The step that differs: citation — every answer should reference a section of the report or a named artifact, not restate the marketing page.
ISO 27001 supplier
Sent by certified organisations auditing their supply chain. The step that differs: gap handling — map your answers to Annex A controls and say plainly which ones you do not run.
HIPAA BAA
Sent by covered entities before they will sign a business associate agreement. The step that differs: answering to what you run — PHI handling claims become contractual the moment the BAA is signed.
Cyber insurance
Sent by your broker or carrier at application or renewal. The step that differs: honesty has teeth — a wrong answer here is grounds for a denied claim, not just an awkward follow-up call.
PIPEDA (Canada)
Sent by Canadian enterprise buyers; the ten fair-information principles are the question structure. The step that changes weight: cross-border disclosure.
Law 25 (Quebec)
The strictest privacy regime in North America. The step that changes weight: the outside-Quebec transfer assessment.
PHIPA (Ontario health)
Sent by health information custodians to their vendors. The step that changes weight: proving PHI access audit logging.
When the answer is no
Gaps aren't dead ends — they're a build list.
An honest no with a roadmap passes review; the same control, deployed, passes the next questionnaire outright. Every component below is open source — your auditor can inspect it, and the configs and logs are yours.
No SIEM or log retention?
"Do you maintain and review audit logs?" — Managed Wazuh centralises application, infrastructure, and identity logs with defined retention.
No vulnerability scanning cadence?
"Do you scan on a defined schedule and track remediation?" — Managed OpenVAS runs authenticated scans with a baseline in the first week.
No privileged-access audit trail?
"Are privileged sessions controlled and recorded?" — Managed Teleport gives just-in-time elevation with session recording.
No SSO or MFA story?
"Is multi-factor authentication enforced?" — Managed Keycloak puts SSO and MFA in front of your applications without per-user pricing.
No code-security testing?
"Is code reviewed and tested before release?" — Managed SonarQube adds static analysis and quality gates to every merge.
No IR or forensics capability?
"Can you investigate an incident on your endpoints?" — Managed Velociraptor provides the DFIR depth those questions assume.
Several gaps at once? The managed security stack deploys them as one engagement.
Start the answer library today.
A free SIG Lite answer-library template in CSV. No email gate, no watermark — open it, map this questionnaire's answers into it, and stop starting from zero.
No time for steps
Deadline this week?
The process above assumes you have a few days. If procurement is holding a deal on this document, we run the steps for you:
- Truthful answers, cited to the controls you actually run — nothing invented.
- A typical SIG turns around in about 3 days; shorter formats move faster.
- An answer library you keep, so the next questionnaire starts mostly answered.
FAQ
Common questions.
What order should I answer a security questionnaire in?
Triage first, answer second. Read the whole document, tag questions by domain and by who knows the answer, then batch-answer from your library before writing anything new. Answering top-to-bottom on first read is the slowest possible order.
How do I cite evidence in a questionnaire answer?
Name something checkable: a policy title with its revision date, a SOC 2 report section, a configuration export, a vendor attestation. The test is whether a reviewer could ask for the artifact and you could produce it the same day.
Are SIG, CAIQ, and SOC 2 questionnaires answered the same way?
The six steps are identical; one step changes weight per format. SIG rewards triage, CAIQ demands shared-responsibility precision, and SOC 2 evidence requests live or die on citation. The answer library underneath is the same.
What happens when our honest answer is 'no'?
Structure it: no — compensating control today — roadmap. Then close it. Because ThinSky's managed stack is built on open-source components (Wazuh, OpenVAS, Teleport, Keycloak, SonarQube, Velociraptor), the missing control can be designed, deployed, and producing evidence before the next questionnaire arrives — and your auditor can inspect every part of it.
Our deal is stuck in a vendor security review and we have no SOC 2 — is it dead?
No, but the next move decides it. Reviewers reject silence and hopeful yeses; they accept truthful answers with evidence and a credible plan. Answer the questionnaire honestly, close the gaps that can be closed with deployable open-source controls, and put certification readiness on a documented track. A defensible no with a build list beats a stalled maybe.
Should I reuse last year's questionnaire answers?
Yes — that is the whole point of keeping a library — but verify before you paste. Check that policy revision dates, tool versions, and scope statements are still true. A stale answer submitted as current is worse than a slow fresh one.
Or skip the steps entirely.
Email us the questionnaire, the deadline, and a sentence about the deal. We run the six steps, you keep the library.
Have us answer it →