ISO 27001 supplier questionnaires: how to answer with or without the certificate
ISO 27001 supplier questionnaires come in two flavors: the buyer who wants to verify your certificate actually covers what they're buying, and the buyer using the standard's control set as a question bank whether you're certified or not. Both arrive as a spreadsheet with rows that look like A.5.15, and both reward the same approach — answer in the standard's own language, with clause references, and be exact about what the certificate does and doesn't say.
The certificate doesn't exempt you
A common and expensive assumption: "we're ISO 27001 certified, so we'll just send the certificate." The certificate is one page. It names your organization, the certification body, and a scope statement — and that scope statement is what the buyer's reviewer reads first. If your certificate covers "the ISMS supporting the engineering function at the London office" and the buyer is purchasing a SaaS product run from AWS by a team in three countries, the certificate answers very little.
The questionnaire exists to fill that gap: which controls apply to this service, how they're implemented, and what falls outside the certified boundary. Certified vendors still answer questionnaires — they just answer them faster, because the evidence is already organized.
Answer in Annex A's language
The 2022 revision restructured Annex A into 93 controls across 4 themes (organizational, people, physical and technological), down from 114 controls in 14 domains in the 2013 edition. Controls were merged, split and renumbered in the process, so the correspondence between editions is not one-to-one; use the mapping tables published with ISO/IEC 27002:2022 rather than guessing from titles. Check which numbering the questionnaire uses before answering: a three-level reference like A.9.2.3 is 2013; a two-level reference in the A.5 to A.8 range, like A.8.2, is 2022. Mixing the two in your answers signals that nobody checked.
Whatever the buyer's questions look like, anchor your answers to clause references. "Yes — access is reviewed quarterly per our Access Control Policy, implementing A.5.18 (access rights)" does three jobs at once: it answers the question, names the evidence, and tells the reviewer you know your way around the standard. Reviewers fluent in ISO 27001 read clause-referenced answers in seconds; they slow down and start probing when answers are framework-free prose.
The Statement of Applicability excerpt strategy
Your Statement of Applicability is the most questionnaire-shaped document you own: every Annex A control, whether it applies, and why. It is tempting to attach the whole thing and call the questionnaire done. Don't — the full SoA discloses your exclusions and the reasoning behind them, which is more than any single buyer needs and occasionally more than you want a prospect's security team reading line by line.
The better pattern is the excerpt: pull the SoA rows that correspond to the buyer's actual questions, attach those under NDA, and reference them from your answers. You get the credibility of audited documentation without handing over the full internal map. Keep a sanitized excerpt version ready — building it once turns every future ISO-flavored questionnaire into a lookup exercise.
Not certified? Say so — precisely
A large share of vendors receiving these questionnaires hold no certificate, and the honest answer pattern works better than most of them expect: aligned, not certified. Concretely: "We are not ISO 27001 certified. Our security program is aligned to ISO 27001:2022; we operate the following Annex A controls: [list with references]. Certification is [on our roadmap for a stated period / not currently planned]."
Three rules keep this answer safe. State the certification status in the first sentence, not buried after the controls list. Only claim a certification timeline you have genuinely committed budget to — "pursuing certification" with no audit booked is the kind of soft claim that surfaces at renewal. And never let "aligned" drift toward "compliant" or "certified" in follow-up calls; reviewers notice the upgrade, and a discovered overstatement costs more trust than the gap itself ever would.
How to answer the ISO 27001 supplier questionnaire, step by step
- Identify the Annex A edition the questionnaire was written against. Look at the control references: three-level numbering across 14 domains (A.5 to A.18, for example A.9.2.3) means 2013; two-level numbering across 4 themes (A.5 to A.8, for example A.5.18) means 2022. Answer in the edition you were sent, mapping from your own documentation where it uses the other one.
- Set up an answer library keyed to clause references. Start from our free answer-library template and add an Annex A reference column. ISO-flavored questionnaires repeat across buyers more reliably than any other format, because they all draw from the same 93 controls.
- Write your certification-status sentence first. Certified (with scope), aligned-not-certified, or partially aligned — one precise sentence, used verbatim everywhere the question appears. This is the answer that gets quoted in the buyer's risk memo, so write it once, carefully.
- Answer control questions with clause references and named evidence. Each answer names the policy or tool and the Annex A control it implements. Where the honest answer is "no," say which controls you do operate in that theme instead of leaving the cell bare.
- Prepare your SoA excerpt and certificate-plus-scope attachment. Certified vendors: attach the certificate with the scope statement and the relevant SoA rows. Uncertified vendors: a one-page controls summary organized by the four 2022 themes does the same job.
- Review for scope honesty before sending. Reread every answer asking one question: does this hold for the specific service this buyer is purchasing, or only for the certified part of the business? Scope drift between the certificate and the answers is the first thing an ISO-literate reviewer checks.
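A mechanical version of the edition check in step 1, reused as a last pass before sending, as an added example that is not part of this page or any ThinSky tool: it pulls every Annex A reference out of a questionnaire or a draft answer sheet, classifies each by shape (three-level A.x.y.z in the A.5 to A.18 range is 2013, two-level A.x.y within the A.5 to A.8 theme ranges is 2022) and reports whether the document is consistent or mixes editions. The questionnaire excerpt and draft answers below are constructed for the example. One assumption to know about: any two-level reference is treated as a 2022 control, so a 2013 control-objective number (2013 objectives were two-level, such as A.9.2) is reported as unknown rather than mapped; questionnaires cite controls, not objectives, so that is usually the behaviour you want.

```python
import re
from collections import Counter

# Matches "A.5.18", "A.9.2.3", "A 12.6.1". Second level is required, third is optional.
REF_RE = re.compile(r"\bA\.?\s?(\d{1,2})\.(\d{1,2})(?:\.(\d{1,2}))?\b")

# ISO/IEC 27001:2022 Annex A: theme number -> (name, number of controls in that theme)
THEMES_2022 = {
    5: ("organizational", 37),
    6: ("people", 8),
    7: ("physical", 14),
    8: ("technological", 34),
}
# ISO/IEC 27001:2013 Annex A: 14 domains numbered A.5 through A.18
DOMAINS_2013 = range(5, 19)


def extract(text):
    """Return every Annex A reference in text as a (first, second, third_or_None) tuple."""
    refs = []
    for m in REF_RE.finditer(text):
        third = int(m.group(3)) if m.group(3) else None
        refs.append((int(m.group(1)), int(m.group(2)), third))
    return refs


def classify(ref):
    """Label one parsed reference as '2013', '2022' or 'unknown' by its shape and range."""
    first, second, third = ref
    if third is not None:
        # Three-level numbering only exists in the 2013 edition (controls under objectives).
        return "2013" if first in DOMAINS_2013 else "unknown"
    # Two-level numbering: assumed to be a 2022 control; check it sits inside the theme.
    theme = THEMES_2022.get(first)
    if theme and 1 <= second <= theme[1]:
        return "2022"
    return "unknown"


def fmt(ref):
    return "A." + ".".join(str(part) for part in ref if part is not None)


def edition_report(text):
    """Summarise which Annex A edition a document uses and flag mixed or unrecognised references."""
    counts = Counter()
    unknown = []
    for ref in extract(text):
        label = classify(ref)
        counts[label] += 1
        if label == "unknown":
            unknown.append(fmt(ref))
    editions = [e for e in ("2013", "2022") if counts[e]]
    if len(editions) == 1:
        edition = editions[0]
    elif editions:
        edition = "mixed"
    else:
        edition = "none"
    return {"edition": edition, "counts": dict(counts), "unknown": unknown}


# Constructed sample: a questionnaire written against the 2013 numbering.
QUESTIONNAIRE_2013 = """Q7 (A.9.2.3): How are privileged access rights managed?
Q9 (A.12.6.1): Describe your technical vulnerability management.
Q14 (A.14.2.1): Do you have a secure development policy?"""

# Constructed sample: a draft answer sheet that slipped into mixing editions.
DRAFT_ANSWERS = """Access rights are reviewed quarterly per the Access Control Policy (A.5.18).
Privileged sessions are recorded, implementing A.9.2.3.
Vulnerability scans run weekly with tracked closure (A.8.8)."""


if __name__ == "__main__":
    for name, doc in (("questionnaire", QUESTIONNAIRE_2013), ("draft answers", DRAFT_ANSWERS)):
        report = edition_report(doc)
        print(f"{name}: edition={report['edition']} counts={report['counts']} unknown={report['unknown']}")
```

Run it over the buyer's spreadsheet export to learn which edition to answer in, then over your own draft before sending; a result of "mixed" on the draft is exactly the signal step 1 warns about. References the script cannot place (an out-of-range number, or a 2013 objective heading cited as if it were a control) are listed under unknown so a human resolves them rather than the script guessing.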
When the answer is no: closing ISO 27001-specific gaps
Annex A gaps are control gaps, and controls can be stood up. For the areas suppliers fail most often, vulnerability management, access control and secure development, we deploy auditable open-source components whose configs and logs are yours to show the next reviewer:
- Vulnerability management (A.8.8, management of technical vulnerabilities; A.12.6.1 in the 2013 numbering): Managed OpenVAS, scheduled scans with tracked closure.
- Access control (A.5.15, A.5.18 and A.8.2 privileged access rights; the A.9 domain in the 2013 numbering): Managed Teleport, privileged access with recorded sessions, mapped to the clauses you cite.
- Secure development (A.8.25 to A.8.31; A.14.2 in the 2013 numbering): Managed SonarQube, static analysis evidence for the secure coding and security testing rows.
The general method — triage the questionnaire before answering, answer to what you do, keep the library — is covered in our security questionnaire guide; this page is the ISO-specific layer on top. If the questionnaire landed with a deadline and your SoA hasn't been touched since the last audit, ThinSky's Questionnaire Rescue drafts clause-referenced answers from your real posture in about 3 days.
Common questions
Does an ISO 27001 certificate replace supplier questionnaires?
No. The certificate proves that an accredited certification body audited your ISMS against the standard, but buyers still send questionnaires because the certificate doesn't tell them which controls are in scope for their data, how you implement them, or anything about controls they care about that sit outside your certified scope. The certificate shortens the questionnaire conversation; it doesn't end it.
How many controls are in ISO 27001:2022?
The 2022 revision of Annex A contains 93 controls organized into 4 themes: organizational (37), people (8), physical (14), and technological (34). The 2013 edition had 114 controls in 14 domains, so if a questionnaire cites references like A.9.2.3, it was written against the old numbering and you should map accordingly.
Should we share our Statement of Applicability with customers?
Usually as an excerpt, not the full document. The SoA lists every Annex A control with its applicability and justification, which makes it the perfect evidence for questionnaire answers — but the full document reveals your exclusions and internal reasoning. Share the rows relevant to the buyer's questions, or a summarized version, typically under NDA.
How do we answer an ISO 27001 questionnaire without being certified?
State plainly that you are not certified, then describe what is actually true: which Annex A controls you operate, whether your ISMS is aligned to the standard, and any certification timeline you have genuinely committed to. 'Aligned but not certified' is a respectable, common answer. Implying certification you don't hold is the one move that can kill the deal retroactively.