
QUESTIONNAIRE RESCUE

The vendor security questionnaire on your desk is not a one-week project.

SIG, CAIQ, SOC 2 evidence requests, cyber insurance applications — the questions are dense, the answers stall deals, and the person filling them out is rarely the person who built the controls. Most teams burn days of focused work on a typical SIG, and then re-do it for the next prospect. We answer them with you, truthfully, and hand back a library you keep.

The questionnaire

Why this lands on your desk and stays there.

You don't know what your encryption-at-rest actually is.

Half the questions read like compliance trivia — key rotation cadence, SDLC controls, BCP/DR testing frequency, privileged access reviews. You can guess, or you can stall the deal asking three colleagues who also don't know.

Sales is sitting on a deal until you send this back.

Procurement has the questionnaire as a gate. Days turn into weeks. The deal slips a quarter. The CRO starts forwarding it to you twice a day.

Wrong answers get signed into the contract.

Optimistic or vague answers become contractual commitments. Twelve months later your incident response programme has to actually exist — the way you described it.

You'll re-write the same answers next quarter for a different customer.

Every prospect's questionnaire is 80% the same questions in a different spreadsheet. Nobody keeps the answers. Everyone starts from scratch.

What we do

Three steps. Honest answers. A library you keep.

Typical turnaround on a SIG-shaped document: 3 days. Cyber insurance applications and shorter CAIQ Lite documents move faster.

01

Review

We read the incoming questionnaire and your actual security posture in parallel. Where you have controls, we cite them. Where you don't, we say so — clearly, before you commit anything to writing.

Deliverables:

  • Question-by-question gap map across the full document
  • Honest scoring of what is defensible today vs. what is aspirational
  • Clarifying questions for the requester before you commit to a deadline

02

Draft

We write the answers in your voice, grounded in what you actually do. The language is precise but not evasive — a CISO reading it should respect it, not pattern-match it as marketing.

Deliverables:

  • Completed questionnaire in the requester's format (Excel, PDF form, online portal)
  • Citations to your existing policies, audits, runbooks, or vendor attestations
  • Flagged answers where 'in progress' or 'not yet' is the truthful response

03

Library

The answers get packaged into a reusable answer library you keep. The next questionnaire — whether it lands next month or next quarter — reuses 70–90% of it.

Deliverables:

  • Markdown + DOCX answer library, version-controlled and yours to keep
  • Prioritised gap list with what each missing control would cost to build
  • Optional follow-up to close the top gaps before the next questionnaire arrives

Formats we handle

If it has questions in cells, we've answered it.

  • SIG / SIG Lite (Shared Assessments)
  • CAIQ (Cloud Security Alliance)
  • SOC 2 evidence requests
  • ISO 27001 supplier questionnaires
  • HIPAA business associate addenda
  • Cyber insurance applications
  • Government RFP security sections
  • Bespoke vendor risk spreadsheets

Sent in a format we haven't named? Send it anyway. The questions repeat across templates; the spreadsheet is the part that changes.

What you get

Five deliverables. One questionnaire off your desk.

  • A completed questionnaire that a CISO on the receiving side would respect.
  • A reusable answer library you keep forever — the same questions don't cost you twice.
  • A prioritised gap list of the controls you do not yet have, with cost-to-build estimates.
  • An honest assessment of which deals this questionnaire was a fit for and which it was not.
  • Optional follow-up to close the top gaps before the next request arrives.

Honest scope

What we will not do.

We will not invent controls you do not have. We will not sign as your compliance officer. We will not guarantee a specific deal outcome — the questionnaire is one signal in a procurement process we do not control.

If a question has no truthful "yes" answer, the right response is "no — here is our roadmap, here is the compensating control we run today, here is what we would need to add it." That is the answer we will write. A CISO on the receiving side would rather read a defensible "no" than a hopeful "yes" that falls apart in the follow-up call.

FAQ

Common questions.

How fast can you answer a SIG questionnaire?

A typical SIG turns around in about 3 days. CAIQ Lite, SOC 2 evidence requests, and cyber-insurance forms usually move faster.

Can I outsource a vendor security questionnaire?

Yes — that is exactly what this service is. Email us the document, the deadline, and a sentence about the deal; we answer it with you, truthfully, and hand back a reusable answer library you keep.

Do you invent controls to pass the review?

No. We answer to what you actually do, cite your controls, and flag real gaps before you commit anything to writing. A defensible “no” beats a hopeful “yes.”

What does it cost?

An introductory fixed price of $750 to start. Because you keep the answer library, the next questionnaire reuses 70–90% of the work.

Send us the questionnaire.

Email the document, the deadline, and a sentence about the deal. We come back with scope, turnaround, and an introductory fixed price of $750.
