How to Answer Security Questionnaires as a Small Company
A practical guide to handling customer security questionnaires without a security team. What to answer, how to prepare, and when to invest.
You're about to close a deal. The customer's security team sends over a 150-question security questionnaire. It asks about your encryption policies, incident response plan, access controls, vendor management, and data retention practices.
You don't have a security team. You barely have an IT setup. And this questionnaire is standing between you and revenue.
This happens to every growing company eventually. Here's how to handle it without panicking.
Why you're getting these
Enterprise customers, healthcare organizations, financial services companies, and increasingly mid-market businesses all require their vendors to demonstrate basic security controls before signing contracts.
This isn't going away. If anything, it's accelerating. The more B2B customers you pursue, the more questionnaires you'll see. Some will be simple (20 questions). Some will be exhaustive (300+ questions across multiple categories).
The good news: most questionnaires ask about the same core topics. Once you've done the work to answer one properly, you can reuse 80% of your answers.
The topics they always ask about
Regardless of the format, security questionnaires consistently cover these areas:
Access control
- How do you manage user access to systems?
- Do you use single sign-on?
- Is multi-factor authentication enforced?
- How do you handle employee offboarding?
- How often do you review access permissions?
Data protection
- Is data encrypted at rest and in transit?
- Where is customer data stored?
- Who has access to customer data?
- What are your data retention and deletion policies?
Device management
- Do you manage employee devices?
- Is disk encryption enforced?
- Can you remotely wipe lost or stolen devices?
- Are OS updates enforced?
Incident response
- Do you have a documented incident response plan?
- How do you notify customers of security incidents?
- When was your last security incident?
Business continuity
- Do you have data backups?
- What's your disaster recovery plan?
- What's your uptime commitment?
Vendor management
- Do you evaluate the security of your third-party vendors?
- Which subprocessors handle customer data?
Employee security
- Do employees receive security training?
- Do you perform background checks?
- Are employees bound by confidentiality agreements?
How to prepare (before the questionnaire arrives)
The worst time to implement security controls is when you're staring at a questionnaire with a deal on the line. Do the work proactively.
Implement the basics
Most of what questionnaires ask about comes down to a handful of controls:
- SSO and MFA on all accounts. This answers half the access control questions immediately.
- MDM on all devices. Encryption enforced, OS updates managed, remote wipe capability.
- Password manager. Shared credentials managed properly, not floating around in Slack.
- Documented offboarding process. Access revoked within 15 minutes of departure.
- Google Workspace or M365 properly configured. DKIM, SPF, DMARC, 2FA enforced, sharing restrictions set.
These five things let you answer "yes" to the majority of common questions with confidence.
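Before you answer "yes" to the DKIM/SPF/DMARC line item, it is worth checking that your DNS records actually say what you think they do: a DMARC record with `p=none` or an SPF record ending in `~all` is technically "configured" but will not satisfy a reviewer. The script below is an added example, not code from this article; it scores SPF, DKIM and DMARC TXT records against the baseline most reviewers expect. The DNS answers are constructed sample data for two hypothetical domains so it runs offline; `lookup_txt` stands in for a real TXT query, and the `google` DKIM selector is assumed because that is Google Workspace's default selector.

```python
"""Offline check of a domain's SPF, DKIM and DMARC posture.

Added example. The DNS answers below are constructed sample data for two
hypothetical domains, so the script runs with no network access. To check a
real domain, replace lookup_txt() with a DNS TXT query (dnspython's
dns.resolver.resolve(name, "TXT") works)."""
import re

# Constructed sample TXT records: record name -> list of TXT strings.
SAMPLE_ZONES = {
    "good.example": {
        "good.example": ["v=spf1 include:_spf.google.com -all"],
        "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
        "google._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    },
    "weak.example": {
        "weak.example": ["v=spf1 include:_spf.google.com ~all"],
        "_dmarc.weak.example": ["v=DMARC1; p=none"],
        # no DKIM selector published at all
    },
}


def lookup_txt(zone, name):
    """Stand-in for a DNS TXT query: returns the TXT strings for `name`."""
    return zone.get(name, [])


# SPF terms that cost a DNS lookup (top-level only; includes are not expanded here).
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include|a|mx|exists|ptr|redirect)(?:[:=/].*)?$")


def spf_findings(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["more than one SPF record (receivers treat this as a permanent error)"]
    terms = spf[0].split()[1:]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism, so unlisted senders are not failed")
    elif not all_term.startswith("-"):
        findings.append(f"SPF ends with '{all_term}' (softfail/neutral) rather than '-all'")
    lookups = sum(1 for t in terms if LOOKUP_TERMS.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; the RFC 7208 limit is 10")
    return findings


def parse_tag_value(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt_records):
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record at _dmarc.<domain>"]
    tags = parse_tag_value(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is p={policy or '(missing)'}; reviewers expect quarantine or reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC applies to only pct={tags['pct']} of mail")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    return findings


def dkim_findings(zone, domain, selectors):
    published = [sel for sel in selectors
                 for r in lookup_txt(zone, f"{sel}._domainkey.{domain}")
                 if parse_tag_value(r).get("p")]
    if not published:
        return [f"no DKIM public key found for selectors {list(selectors)}"]
    return []


def assess_domain(domain, zone, selectors=("google",)):
    """Return findings per mechanism plus an overall pass/fail for the questionnaire answer."""
    report = {
        "spf": spf_findings(lookup_txt(zone, domain)),
        "dmarc": dmarc_findings(lookup_txt(zone, f"_dmarc.{domain}")),
        "dkim": dkim_findings(zone, domain, selectors),
    }
    report["passes"] = not any(report[k] for k in ("spf", "dmarc", "dkim"))
    return report


if __name__ == "__main__":
    for domain, zone in SAMPLE_ZONES.items():
        report = assess_domain(domain, zone)
        print(f"{domain}: {'PASS' if report['passes'] else 'FAIL'}")
        for mechanism in ("spf", "dmarc", "dkim"):
            for finding in report[mechanism]:
                print(f"  [{mechanism}] {finding}")
```

Run it against your own domain and paste the output into the master security document next to the email security answer; if the weak-domain findings look familiar, fix the records before the questionnaire arrives rather than explaining them in the response.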
Create a master security document
Build a single document (Notion page, Google Doc, or dedicated wiki) that describes your security posture. Include:
- Your identity and access management approach
- Device management policies
- Data handling and storage practices
- Incident response plan (even a simple one)
- Employee security practices
- List of key vendors/subprocessors
Update this document quarterly. When a questionnaire arrives, you'll reference this document instead of scrambling to figure out what you actually do.
Write an incident response plan
This doesn't need to be a 50-page document. A one-page plan covering the basics is enough for most small companies:
- Detection. How incidents are identified (monitoring alerts, employee reports, customer reports).
- Containment. Immediate steps to limit damage (disable compromised accounts, isolate affected systems).
- Investigation. Who investigates, what they look at, how findings are documented.
- Notification. When and how customers are notified (within 72 hours is a common expectation).
- Recovery. Steps to restore normal operations.
- Post-incident review. What happened, why, and what changes prevent recurrence.
Having this plan written down, even if you've never had to use it, transforms your questionnaire answer from "we handle incidents on a case-by-case basis" to "we have a documented incident response plan."
How to answer effectively
Be honest
Don't claim controls you haven't implemented. Experienced security reviewers can tell when answers are aspirational rather than actual. If you get caught overstating your security posture after a contract is signed, the consequences are worse than losing the deal.
If something isn't in place yet, say so clearly: "We are currently implementing MDM across our device fleet, with full enrollment expected by [date]." This is far better than claiming full MDM coverage when you don't have it.
Provide context, not just yes/no
Many questions can be answered with a simple yes or no, but a brief explanation makes your response more credible.
Instead of: "Yes, we enforce MFA."
Try: "Yes. MFA is enforced for all employees through Google Workspace using authenticator apps. SMS-based verification is not permitted. Enforcement is configured at the organizational level and cannot be bypassed by individual users."
The second answer demonstrates that you actually understand what you're doing, not just checking a box.
Use "N/A" correctly
Some questions won't apply to your business. If you don't have physical offices, questions about physical security controls are not applicable. If you don't process payment card data, PCI DSS questions are not applicable.
Mark these as "N/A" with a brief explanation: "N/A. We are a fully remote company with no physical office spaces."
Address gaps with a plan
If you're missing a control, explain what you're doing about it:
"We do not currently perform formal penetration testing. We are evaluating third-party penetration testing providers and plan to conduct our first assessment in Q2 2026."
A gap with a remediation plan is dramatically better than a gap with no plan.
Building a reusable answer bank
After completing your first questionnaire, save your answers. Organize them by category (access control, data protection, etc.) and keep them in your master security document.
For subsequent questionnaires:
- Map each question to your existing answer bank
- Copy and customize the relevant answer
- Update any answers that have changed since last time
- Flag new questions that need fresh answers
Over time, this turns a multi-day scramble into a few hours of work.
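The mapping step is the one worth automating once the answer bank has a few dozen entries, because vendors phrase the same control in many ways ("two-factor", "MFA", "multi-factor authentication"). The script below is an added example, not something from this article; it triages an incoming questionnaire against a stored answer bank into reuse, refresh, or new. The answer bank, the incoming questions and the "today" date are constructed sample data, and the synonym table and the 180-day review window are assumptions you would tune to your own bank.

```python
"""Map incoming questionnaire questions to a reusable answer bank.

Added example. The answer bank and incoming questions are constructed sample
data. Matching is token overlap (Jaccard similarity) after folding common
synonyms onto one token, which is enough to triage a questionnaire into
answers to reuse, answers to refresh, and questions that need fresh work."""
import re
from datetime import date

# Vendors phrase the same control many ways; fold each onto one token.
SYNONYM_PATTERNS = [
    (r"\b(multi[- ]?factor|two[- ]?factor|2fa)\b", "mfa"),
    (r"\bsingle sign[- ]?on\b", "sso"),
    (r"\b(laptops?|workstations?|endpoints?|computers?|devices?)\b", "device"),
    (r"\b(staff|personnel|workers?|employees?)\b", "employee"),
    (r"\bencrypt(ed|ion)?\b", "encrypt"),
    (r"\b(terminat(ed|ion)|departure|leavers?|offboard(ed|ing)?)\b", "offboarding"),
]
STOPWORDS = {"a", "an", "and", "are", "at", "do", "does", "for", "have", "how", "in",
             "is", "of", "on", "or", "the", "to", "what", "when", "with", "you", "your",
             "all", "any"}

# Constructed answer bank; last_reviewed drives the "refresh" flag.
ANSWER_BANK = [
    {"category": "Access control",
     "question": "Is multi-factor authentication enforced for all employees?",
     "answer": "Yes. MFA is enforced for all employees through Google Workspace using authenticator apps.",
     "last_reviewed": date(2025, 9, 1)},
    {"category": "Access control",
     "question": "How do you handle employee offboarding?",
     "answer": "Access is revoked through SSO at departure; devices are remotely wiped via MDM.",
     "last_reviewed": date(2025, 3, 1)},
    {"category": "Data protection",
     "question": "Is customer data encrypted at rest and in transit?",
     "answer": "Yes. TLS 1.2+ in transit; provider-managed encryption at rest.",
     "last_reviewed": date(2025, 10, 1)},
    {"category": "Device management",
     "question": "Is full-disk encryption enforced on employee devices?",
     "answer": "Yes. FileVault/BitLocker is enforced by MDM on every enrolled device.",
     "last_reviewed": date(2025, 10, 1)},
]

# Constructed questions as a customer's questionnaire might phrase them.
INCOMING_QUESTIONS = [
    "Do you require two-factor authentication for staff accounts?",
    "What is your process when an employee is terminated?",
    "Do you maintain a SOC 2 Type II report?",
    "Are laptops encrypted?",
]


def tokenize(text):
    """Lower-case, normalise synonyms, then keep the meaningful word tokens."""
    text = text.lower()
    for pattern, replacement in SYNONYM_PATTERNS:
        text = re.sub(pattern, replacement, text)
    return {t for t in re.findall(r"[a-z0-9]+", text) if t not in STOPWORDS}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def match_questions(questions, bank, threshold=0.3, today=None, stale_after_days=180):
    """Return one triage record per question: MATCH (reuse), STALE (refresh) or NEW."""
    today = today or date.today()
    bank_tokens = [(entry, tokenize(entry["question"])) for entry in bank]
    results = []
    for question in questions:
        q_tokens = tokenize(question)
        best, best_score = None, 0.0
        for entry, tokens in bank_tokens:
            score = jaccard(q_tokens, tokens)
            if score > best_score:
                best, best_score = entry, score
        if best is None or best_score < threshold:
            results.append({"question": question, "status": "NEW", "score": round(best_score, 2)})
            continue
        stale = (today - best["last_reviewed"]).days > stale_after_days
        results.append({"question": question, "status": "STALE" if stale else "MATCH",
                        "score": round(best_score, 2), "category": best["category"],
                        "answer": best["answer"]})
    return results


def review_sample():
    """Triage the constructed questionnaire as of a fixed (constructed) date."""
    return match_questions(INCOMING_QUESTIONS, ANSWER_BANK, today=date(2026, 1, 15))


if __name__ == "__main__":
    for row in review_sample():
        print(f"{row['status']:5} {row['score']:.2f}  {row['question']}")
        if "answer" in row:
            print(f"      -> [{row['category']}] {row['answer']}")
```

The threshold is deliberately low: a false match costs a few seconds to reject when you read the proposed answer, whereas a missed match sends you back to writing from scratch. Anything flagged NEW is the list of answers to add to the bank after this questionnaire, so the next one maps more completely.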
When to get help
If security questionnaires are becoming a regular part of your sales process, it's worth investing in proper preparation rather than scrambling each time.
A fractional IT contractor can implement the underlying controls, build your master security document, and handle questionnaire responses as they come in. The controls that make questionnaires easy to answer are the same controls that make your company genuinely more secure.
If you're tired of guessing your way through security questionnaires, book a call. I'll help you implement the controls and build the documentation so you can answer with confidence.