It has been a busy few weeks helping organisations who work with large corporates respond to procurement and security questionnaires.
The questionnaires go by all sorts of names: assurance, security, procurement, information security, data protection and so on. They are all effectively trying to achieve the same thing: assurance about the security surrounding the information you are working with.
They are being requested more frequently as part of working with larger organisations. In the last few weeks we have helped four companies complete the questionnaires, and for two of those companies we have also attended a meeting with their client to help them see how the information is secured.
The questionnaires are written from a one-size-fits-all perspective, but we know that isn’t the case, either from the business perspective or the services offered. We have been invited to meetings to explain and support our clients’ good practices. What we find is that the large corporates have a set process, and when a small business doesn’t fit into their patterns, they don’t know what to do. The security questionnaires frequently expect the organisations they are working with to fit specific criteria, so when a small business doesn’t, they frequently fail the questionnaire.
One of the businesses we supported recently was a small market research company (just the one person) working with a large corporate. They failed the questionnaire on a lot of security questions such as “is the server room secured?”. They had answered no, as they don’t have a server room. This red-flagged them. What they had was an encrypted laptop, which was perfectly adequate to secure the information being shared. We had a meeting with the client and explained the context and the service being commissioned, along with the security controls in place. They were very happy to proceed.
We had a similar experience with another client last week, who provides a service where they don’t have access to their clients’ personal information, but the client had told the procurement team that they did. Another meeting and another explanation, and the service and our client were approved.
It is essential when completing security questionnaires that you understand what they are trying to achieve. Always provide additional explanatory notes where possible to show you understand the requirements.
We’ve seen an increase in these questionnaires over the last few months, particularly where an organisation is working internationally.
How to handle these questionnaires?
Remember that the aim of the questionnaire is to obtain assurance that your organisation is managing personal and business information properly. They will look for relevant policies, procedures, training and confidentiality arrangements to be in place. Also understand that the person checking your response looks at policies and responses all day. They know what they need to see, and any blagging or poor policies will be immediately evident.
If you have any questions or need help filling in a questionnaire, we are here to support you.