8 Documents That Can Upset Your Deal

Security questionnaires are challenging to prepare for because they come in many forms and can be unexpectedly complex. When your organization isn’t anticipating a questionnaire, you may struggle to complete it promptly, provide the most accurate answers, or sometimes even have answers at all. This is how deals are lost and revenue becomes increasingly unpredictable.

Today’s enterprises face a myriad of security questionnaires from different organizations, each with its own unique format and requirements. Whether it’s the comprehensive SIG (Standardized Information Gathering) questionnaire, the annually updated VSA (Vendor Security Alliance) assessment, or the detailed CCM/CAIQ (Cloud Controls Matrix/Consensus Assessment Initiative Questionnaire) for cloud security, the landscape is vast and varied. Adding to the complexity, companies often create custom questionnaires tailored to their specific needs, making it nearly impossible to anticipate every potential document.

Failing to complete these questionnaires accurately and on time can lead to significant business repercussions, from losing out on lucrative deals to damaging your company’s reputation. Therefore, it’s crucial to know the types of documents you might encounter while trying to close an enterprise deal. Being prepared can mean the difference between sealing a deal and watching it disappear.

1. SIG Questionnaire

The Standardized Information Gathering (SIG) questionnaire is the most common questionnaire a vendor trying to seal an enterprise deal will receive. It’s one of the most recognized third-party risk questionnaires, developed by Shared Assessments, a collaborative group with over 350 members who work to standardize third-party risk management. There are two versions of the SIG questionnaire that address different levels of security: SIG Lite and SIG Core.

SIG Lite

The SIG Lite questionnaire’s name is indicative of its content. This questionnaire is typically used as a precursor to the SIG Core or for third-party vendors that won’t have access to sensitive data. Your prospect will introduce it just as you're first meeting — before you ever make a deal — as a way to gauge whether the relationship is worth pursuing.

SIG Lite only asks questions about general information security (infosec) compliance and structure within a potential vendor but doesn’t dig into details. This questionnaire is 150 or so questions about the organization’s basic frameworks and controls.

For some partnerships, that initial handshake is just the beginning. If an organization plans on a long-term engagement with a vendor where intimate information is exchanged, they’ll want to get to know them more first.

Updated: As of 2024, the SIG Lite now includes approximately 330 questions, offering a broader scope than previous versions. This expansion reflects the growing complexity of security frameworks and the need for more detailed initial assessments.

SIG Core

The SIG Core is like that second handshake that either seals a deal or makes it clear the organization is parting ways permanently.

If you thought 150 SIG Lite questions seemed excessive, buckle up for SIG Core. The SIG Core questionnaire is much more extensive than the SIG Lite, delving into areas of your business you may not even have defined yet. It consists of roughly 675 questions and covers 18 areas of risk control, including the following:

• Enterprise Risk Management
• Security Policy
• Organizational Security
• Asset and Information Management
• Human Resources Security
• Physical and Environmental Security
• IT Operations Management
• Access Control
• Application Security
• Cybersecurity Incident Management
• Operational Resilience
• Compliance and Operational Risk
• Endpoint Device Security
• Network Security
• Privacy
• Threat Management
• Server Security
• Cloud Hosting Services

Updated: The 2024 SIG Core questionnaire now includes over 600 questions and has expanded to cover 21 risk categories. Notable additions include "Supply Chain Risk Management" and "Artificial Intelligence" domains, reflecting emerging industry concerns. Additionally, "Application Security" has been updated to "Application Management," and "Cloud Hosting Services" has been updated to "Cloud Services" to better encompass the broader scope of these areas.

2. VSA Questionnaire

The Vendor Security Alliance (VSA) questionnaire was developed by another group of collaborative organizations seeking to standardize internet security, much like the SIG questionnaire. Their founding organizations make for an impressive roster: Adobe, Coinbase, and Dropbox, to name a few. The VSA is updated annually to stay current with new technologies and threats. If you’re beginning to build a relationship with one of the founding organizations, you can bet this is the questionnaire you will receive.

There are three major differentiating factors of the VSA compared to SIG. The first is that it’s a non-profit organization, so the questionnaires are free to download and use by both sending organizations and receiving vendors. The SIG, on the other hand, is a members-only paid service. It’s worth noting that VSA does offer an optional paid membership, which gives member organizations access to a network of auditors and a portal for vendors to complete questionnaires. Secondly, the VSA addresses global (rather than just national) security compliance, including regulations in the EU. Thirdly, VSA assessments are product-based versus vendor-based, which means they approach security from the perspective of how the individual product or service was developed rather than the organization as a whole.

Similar to the SIG, VSA offers two versions of the questionnaire — a comprehensive version and a more abbreviated version — the VSA-Full and VSA-Core, respectively (Hey, no one ever said cybersecurity professionals were creative with naming things).

VSA-Full

The VSA-Full is the comprehensive, in-depth security assessment offered by VSA and focuses on eight areas of security and compliance:

• Service Overview
• Data Protection & Access Control
• Policies & Standards
• Proactive Security
• Reactive Security
• Software Supply Chain
• Customer Facing Application Security
• Compliance

The VSA-Full is most often employed by companies that are primarily concerned with security over compliance.

Updated: As of 2024, the VSA-Full has been expanded to include additional questions on emerging areas such as artificial intelligence and supply chain risk management. This update ensures that the questionnaire remains relevant in addressing the latest security threats and regulatory requirements​

VSA-Core

The VSA-CORE only covers the most-critical security controls from the eight areas listed above and includes an additional section covering privacy compliance that the VSA-Full does not. Companies that are most concerned with compliance will typically employ this assessment versus the VSA-Full.

Updated: The 2024 update to the VSA-Core includes new privacy compliance questions that align with recent global privacy regulations, including updates related to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)​

3. CCM/CAIQ Questionnaire

The Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative Questionnaire (CAIQ) used to be two separate security frameworks published by the Cloud Security Alliance (CSA). However, in 2021 the CSA combined the two frameworks into one comprehensive assessment for cloud security. If you’re a cloud service provider, this will likely be one of the first things you see when an enterprise is seriously considering a partnership with you.

The combined assessment includes 197 control objectives and 17 domains, covering governance, risk, and compliance (GRC) across IaaS, PaaS, and SaaS services. The goal is to provide transparency into the security posture of an organization to form the basis for service level agreements.

One unique advantage of this framework is organizations can complete a self-assessment and submit it to the CSA Security, Trust, Assurance, and Risk (STAR) Registry to get certified proactively. It’s like having your dating profile available before you even begin a relationship — it lets other companies get a quick assessment of your security measures and compatibility.

It’s worth noting that the CSA recently developed an abbreviated version of the CCM/CAIQ called the CCM Lite, as well as one tailored to SaaS companies called the CCM SaaS (Again, with the creativity). These questionnaires were just published in Q1 of 2022, so time will tell if they become established security questionnaires.

Updated: As of 2024, the CCM and CAIQ have been further refined and integrated. The latest version, CAIQ v4, includes streamlined questions and expanded sections that address new security concerns such as artificial intelligence and supply chain risk management. Additionally, the framework now includes specific metrics to support internal GRC activities and improve service-level agreement transparency.

4. RFI

A Request For Information (RFI) is typically the first step in defining a potential relationship between two organizations. An RFI is like the initial meet-and-greet and a speed dating event. The prospect is feeling out their options and seeing if the vendor is compatible on a fundamental level.

The RFI helps organizations easily compare vendors by asking a series of questions about the services, methodology, and price point a vendor offers that could meet the prospect’s needs. This prevents both parties from wasting time exploring a partnership that’s fundamentally incompatible.

‍Updated: As of 2024, RFIs have become more structured and standardized to improve efficiency and consistency in the information gathered. This standardization helps organizations compare potential vendors more effectively and streamline the procurement process. Additionally, digital tools and automation have been increasingly adopted to manage and respond to RFIs, reducing the manual workload and speeding up the process​

5. RFP

If the response to an RFI is satisfactory, the organization will then send a more specific Request For Proposal (RFP) that digs a little deeper into how the vendor would specifically address the needs and wants of the requesting organization. It asks the vendor to describe things like project timeline, budget, and scope, as well as more general things like company structure, values, and sustainability.

Like any DTR statement, often until the expectations are in writing, teams don’t even realize how far apart they are from reaching an agreement. For example, an organization may expect the vendor to accommodate unplanned requests or some form of a non-compete agreement that infringes on prior contracts.

Some prospects may be willing to negotiate on certain points of the RFP. As a vendor, it’s important to only compromise to the extent that you can realistically accommodate or feel comfortable with. Starting a relationship feeling at odds is never good; protect your interests and be clear from the beginning about what you’re comfortable with.

Updated: In 2024, RFPs have become more detailed and tailored to specific project requirements, incorporating advanced technologies and methodologies. This includes more comprehensive sections on cybersecurity measures, sustainability practices, and regulatory compliance. Organizations are also leveraging AI-powered tools to analyze and score RFP responses, making the evaluation process faster and more objective.

6. RFQ

An RFQ is much more technical than an RFI but is similar in that it asks questions that seek to understand if the vendor can meet the requirements of the relationship. Instead of asking questions like “how do you approach this aspect of the requested service,” it might ask what your competency is in approaching the project within a specific framework.

If an RFI is to understand a vendor’s existing approach to the service, a Request For Quotation (RFQ) is to understand if the vendor can complete the service request in the way the sending organization wants it done. Essentially, the former is more of a collaborative request, and the latter is more of a unilateral request for a bid.

Updated: The latest updates for 2024 include a stronger focus on digitalization and automation in RFQ processes. RFQs are now frequently managed through procurement software that ensures consistency and accuracy in quotations. Additionally, there is a growing emphasis on sustainability and ethical sourcing, with many RFQs requiring vendors to disclose their environmental and social governance (ESG) practices​

SecurityPal delivery service specialists are here to take the stress and out of trying to anticipate every document that could upset your deal. All you have to do is email that document to SecurityPal. Our specialists will complete it for you, and it will be back in your inbox within 24 hours.

7. DDQ

Due Diligence Questionnaires are most often used in the investment world by hedge fund managers. Fund managers use DDQs to assess organizations they are interested in investing in and service providers they may use in managing the fund.

While most security questionnaires focus on cybersecurity, DDQs are more comprehensive. DDQs cover cybersecurity risk as well as general risk and compliance, business strategy, structure, environmental governance, and more.

Essentially, if there are any business aspects that could impact the sustainability or efficacy of an investment partnership, that’s what a DDQ attempts to uncover.

Updated: As of 2024, DDQs now feature enhanced Environmental, Social, and Governance (ESG) criteria, reflecting the importance of sustainability and social responsibility in investment decisions. Updates also include new questions on sanctions screening and anti-money laundering (AML) measures to navigate complex regulatory landscapes. Standardization efforts by organizations like AFME promote efficiency and consistency, while digital tools automate the DDQ process, reducing administrative burden. Industry-specific updates, such as those from AIMA for hedge fund managers, incorporate new regulatory requirements and streamline due diligence​

8. Custom Questionnaires

You’re probably wondering at this point what could possibly NOT be covered in one of these documents — like how many documents do you need to prepare to get a deal signed? Well, there’s not a simple number since many organizations will create their own version of a questionnaire, completely custom to their needs. And, if you thought maybe you could just skip over these high-maintenance prospects, you’ll likely be skipping out on deals with some of the largest, most coveted logos. At the end of the day, you can do your best to plan ahead, but you won’t be able to anticipate every kind of document or questionnaire type.

Feeling overwhelmed?

This list isn’t to make you feel overwhelmed and then dump you with no hope. Have no fear, the yeti is here! SecurityPal delivery service specialists are here to take the stress and out of trying to anticipate every document that could upset your deal. All you have to do is email that document to SecurityPal. Our specialists will complete it for you, and it will be back in your inbox within 24 hours.

No longer will deals be delayed over a single document. No longer will you have to postpone yet another internal initiative to work on someone else’s priorities. With SecurityPal, it doesn’t matter what document gets sent your way, it’s handled. It’s not just automation, it’s real people just getting sh*t done. We’ve answered over 80% of Fortune 500 questionnaires (so, like, a lot). There’s not much we haven’t seen and certainly no questionnaire we can’t handle. Get in touch to learn what SecurityPal can do for you.