How to Respond to a Vendor Security Questionnaire When You Don't Have Everything in Place

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
When a six-figure contract opportunity sends a 150-question security questionnaire, the temptation is to answer 'Yes' to everything and deal with the consequences later. The consequences are real: misrepresentation on a vendor questionnaire is a breach of the contract it supports, and in the event of an incident attributed to a gap you claimed did not exist, personal and organizational liability follows.
The alternative: refusing to answer or submitting a questionnaire full of 'No' answers: also loses the deal. The correct approach is a third option that almost no guidance covers: accurate answers with operational context.
The Three Legitimate Response Categories
Every question on a vendor security questionnaire has exactly three valid response types. Using any other approach creates risk.
'Yes': with an evidence path. 'Yes' means you have the control in place and can substantiate it if asked. Before answering 'Yes,' ask yourself: if the customer's security team asks to see evidence of this control, what would I show them? The answer should be a policy document, a configuration screenshot, a log export, or an audit report: not 'we do this.' 'Yes' without a substantiation path is misrepresentation.
'No': with a remediation plan. 'No' is an honest answer that most procurement teams accept when paired with context. The format: 'We do not currently have [control] in place. We have [compensating control or partial coverage] in the interim, and our plan to implement [control] is [specific milestone + date].'
Example: 'We do not currently have a SOC 2 Type II report. We completed our SOC 2 Type I certification in March 2026 and are in our 12-month observation period for Type II, expected by Q1 2027.'
A 'No' with a roadmap is not a disqualifying answer in most procurement processes. It demonstrates honesty and operational awareness: qualities procurement security teams value more than a blanket 'Yes' they cannot verify.
'N/A': with a justification. 'Not Applicable' is legitimate when a question describes a control that genuinely does not apply to your service model, architecture, or data handling practices. 'We do not store payment card data, therefore PCI DSS cardholder data environment controls are not applicable' is a valid N/A. 'This question doesn't apply to us' without justification looks evasive.
Question Categories and How to Handle Each
Vendor security questionnaires group questions into predictable categories. Here is the honest response approach for each.
Access Control: Questions about MFA, privileged access management, least privilege, and account lifecycle management.
If you have MFA on admin accounts but not all user accounts: 'Yes for privileged and administrative accounts. We enforce MFA for all [percentage] of our administrative users via [tool]. Standard user MFA rollout is [in progress / planned for Q3 2026].'
Incident Response: Questions about IR policies, tabletop exercises, and breach notification timelines.
If you have an IR policy but have never run a tabletop exercise: 'We maintain a documented incident response policy and have defined escalation procedures. We have not yet conducted a formal tabletop exercise; this is scheduled for [date].'
Vulnerability Management: Questions about patch cadence, scanning frequency, and penetration testing.
If you scan quarterly but claim monthly: just say quarterly. 'We conduct vulnerability scans on a quarterly cadence for external assets and semi-annually for internal assets.'
If you have never had a penetration test: 'We have not engaged a third-party penetration testing firm to date. We have scheduled a [scoped/full] penetration test for [date/quarter].'
Data Protection: Questions about encryption at rest, encryption in transit, data classification, and data retention.
These are often verifiable: TLS configuration is publicly observable, and a customer may test your HTTPS implementation. Ensure your 'Yes' answers here are accurate to observable technical controls.
Business Continuity and Disaster Recovery: Questions about RTO, RPO, and backup testing.
If you have backups but have never tested restoration: 'We maintain [daily/weekly] backups with [X days] retention. We have not completed a documented restoration test; this is scheduled for [quarter].'
Vendor / Subprocessor Management: Questions about how you assess your own vendors.
This question is often answered dishonestly by small organizations that have no third-party risk management program. The honest answer for most SMBs: 'We review SOC 2 reports, privacy policies, and contractual security commitments for vendors that process personal data or have access to our production environment. We do not conduct formal annual risk assessments at this stage; this is a planned capability for [year].'
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The Compensating Controls Framework
For questions where you cannot answer 'Yes' but you have partial coverage, describe your compensating controls. Compensating controls are specific security measures that partially or equivalently address a requirement even when the standard control is not in place.
Format for compensating control responses: 'We do not currently have [stated control]. We address this risk through [compensating controls], which [specific description of how they reduce the risk]. Our plan to implement [stated control] is [timeline].'
Examples of common compensating control combinations:
| Stated control | Compensating control |
|---|---|
| WAF on all web applications | Manual code review for user-controlled inputs + monthly vulnerability scanning |
| DLP (Data Loss Prevention) | Policy-based access controls on sensitive data + quarterly access reviews |
| Formal security awareness training program | Simulated phishing tests + informal monthly security briefings |
| 24/7 SOC coverage | Business-hours monitoring + automated alerting to on-call engineer for critical events |
| Annual third-party pen test | Automated DAST scanning quarterly + bug bounty program |
Compensating controls do not magically make a gap disappear: an informed procurement security reviewer will understand the difference. But they demonstrate that you are aware of the gap and have mitigated it to an acceptable level through alternative means. That demonstration often satisfies procurement requirements even when the primary control is absent.
What to Do About the Certifications You Do Not Have
Questions about SOC 2, ISO 27001, PCI DSS, HIPAA, and other certifications are common and often deal-critical.
If you have no certifications: 'We do not currently hold [SOC 2 / ISO 27001]. We are in the process of [implementing the required controls / selecting an auditor / completing our observation period]. Our target completion is [quarter/year]. We are happy to provide our security policies and controls documentation for your review in the interim.'
The 'interim documentation' offer: When you do not have a certification to share, offer to share: your security policy, your incident response plan, your access control policy, and a summary of your technical controls. Most procurement teams accept this for initial contract execution with a certification commitment tied to renewal.
HECVAT, CAIQ, and SIG: These standardized questionnaire formats include fields for maturity levels rather than binary yes/no answers. If you receive one of these formats, use the maturity scale: 'Partially implemented' or 'In development' are legitimate answers that many procurement teams find more useful than forced binary responses.
After completing the questionnaire: Keep a copy of your responses. When the same customer's security team follows up (they often do), consistency matters. Build a master answer library that captures your accurate responses so you are not answering the same questions differently across customer questionnaires: inconsistency is a red flag for experienced procurement teams.
The bottom line
The correct vendor security questionnaire response strategy is: answer accurately, pair every 'No' with a remediation plan and timeline, use compensating controls language where partial coverage exists, and offer documentation in lieu of certifications you do not yet have. Dishonest 'Yes' answers create contractual misrepresentation liability: the downside of a misrepresented security gap in a breach scenario far exceeds the downside of losing a deal for honest disclosure. Most enterprise procurement teams accept honest, mature responses significantly better than reflexive 'Yes' answers that cannot be substantiated.
Frequently asked questions
What should I do when I cannot answer yes to a vendor security questionnaire?
Answer 'No' with context: describe the compensating controls you have in place and provide a specific remediation timeline. 'We do not currently have [control]. We address this through [compensating controls]. Our implementation plan targets [quarter/year].' Honest answers with remediation plans are accepted by most procurement teams. Dishonest 'Yes' answers create misrepresentation liability.
Can I answer a security questionnaire honestly if I don't have all the controls?
Yes, and you should. Most enterprise procurement processes are designed to assess risk, not to disqualify vendors who are honest about gaps. A 'No' with a documented remediation plan is more credible than an unverifiable 'Yes.' Misrepresenting controls creates contractual liability: if a breach occurs through a gap you claimed did not exist, the contractual and legal exposure is significant.
What is a SIG questionnaire and how is it different from a custom security questionnaire?
The Standardized Information Gathering (SIG) questionnaire is a library of 800-plus standardized questions developed by the Shared Assessments Program covering 18 risk domains. The SIG Lite is a shorter subset designed for lower-risk vendor assessments. Unlike custom questionnaires, SIG allows vendors to complete the questionnaire once and share it with multiple customers, reducing repetitive assessment work. Many large organizations now accept a completed SIG in lieu of their custom questionnaire, making it worth completing if you receive significant enterprise procurement scrutiny.
How should I store and manage security questionnaire responses?
Build a master answer library in a shared document with your current accurate answer for every question category you commonly receive. Include the evidence path for each 'Yes' answer, the compensating control description for each partial answer, and the remediation timeline for each 'No.' Review and update the library quarterly or whenever a control implementation changes. Consistent, documented responses prevent contradicting yourself across different customer questionnaires and make onboarding new staff who handle questionnaire responses straightforward.
How do enterprise buyers evaluate security questionnaire responses?
Procurement security teams review questionnaires along three dimensions: coverage (does the vendor address all the risk domains relevant to the data they handle?), credibility (does the 'Yes' answer include evidence references or is it a bare assertion?), and maturity (are controls documented, tested, and improving over time?). A 'No' with a clear remediation timeline is often scored more favorably than an unsubstantiated 'Yes' because it demonstrates honest self-assessment. For Tier 1 vendors handling sensitive data, procurement teams commonly follow up with a call to verify 3 to 5 answers -- the responses most likely selected for verification are the most sensitive control areas like encryption, access control, and incident response.
How should a growing company manage the increasing volume of security questionnaires from multiple customers?
As a company grows its enterprise customer base, security questionnaire volume compounds: each new customer arrives with their own format, their own question library, and their own review cadence. Managing this at scale requires shifting from per-questionnaire manual effort to a program-level approach. The first step is building a master answer library that captures your current accurate answer for every question category you commonly receive, organized by topic rather than by customer. This library becomes the single source of truth that questionnaire responders draw from, ensuring consistency across customers and preventing different responders from giving contradictory answers. The second step is evaluating a trust portal or security questionnaire automation tool. Platforms like Vanta, Drata, OneTrust, or Whistic allow you to publish a completed, evidence-linked questionnaire that customers can access on demand, reducing the manual effort of responding to repetitive questionnaires. Many enterprise procurement teams will accept a trust portal link in lieu of a custom questionnaire completion for lower-risk vendor relationships. The third step is identifying which questionnaire formats you receive most frequently. If 60% of your questionnaires are SIG Lite format, completing a well-documented SIG Lite once and maintaining it quarterly is more efficient than starting fresh each time. For organizations receiving more than ten questionnaires per quarter, appointing a dedicated security questionnaire owner who maintains the master library and coordinates responses across departments reduces the per-response effort significantly and ensures that customer-facing answers remain consistent with actual security program state.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
