The steps to complete a vendor security questionnaire start long before you receive that first assessment. Vendors without a step-by-step process in place or without individuals responsible for completing the questionnaires struggle to complete them in a timely manner and often lose out on sales as a result.
Assemble and prep your response team now by following these steps so your company is prepared to handle any and all security questionnaires.
Determine Who Participates
Depending on the size of your organization, those involved in completing vendor security questionnaires could come from a variety of departments including IT, legal, HR, product development, finance, compliance and more. Your information security team should own the process, but others will need to participate in order to obtain accurate responses from all across the organization.
Legal review is an important step in the process. If you don’t have an in-house lawyer, hire one to review your responses before you submit that first questionnaire. A lawyer can check for liability and can also help protect your organization if a breach of your systems occurs. Keep in mind that if a breach does occur, your responses could be evaluated to determine fault.
Set Up the Response Team
Appoint a leader of your response team and gather the team for an initial meeting. During this meeting, define roles and responsibilities for when a vendor security questionnaire is received. Security questionnaires typically initiate with a salesperson, so define your point person to kick off the response process, complete the questionnaire and follow it through to completion.
The response team can also define a typical timeline for completing a questionnaire, giving your salesperson a target date to report back to the customer. Without a clear timeline, customers often become frustrated with the delays caused by completing questionnaires, so set expectations up front.
If you haven’t received a vendor security questionnaire yet, find a typical one online and divide the standard questions between your department representatives to answer. Nearly 80% of all vendor security questionnaires are identical, so some answers will only need to be defined once unless a process changes. Once all questions are answered, ask a lawyer to review the document.
Storing Your Answers
When companies first began sending out vendor security questionnaires, vendors scrambled to answer them, often logging their answers in lengthy Excel spreadsheets. Each time a new questionnaire was received, the vendor’s security team had to hunt through hundreds of answers to find the right one for a particular question. Thankfully, those days are over!
Today, automation has taken over that tedious process. Platforms, such as ProcessBolt, store your security questionnaire answers in an encrypted Knowledge Base. To complete a questionnaire, you simply use the ProcessBolt plugin inside Excel, Word or Chrome. By clicking on each question, ProcessBolt’s AI engine scans the question and suggests matching answers from those stored in your Knowledge Base. To make the process even more efficient, you can use ProcessBolt’s AutoBolt feature that allows you to auto-populate the entire questionnaire and then proof the document. If a unique question arises that you don’t have an answer for, you can email a member of your response team through ProcessBolt’s platform and the new answer is automatically added to your Knowledge Base.
Cleaning up the Chaos
Usually, responding to a security questionnaire doesn’t happen in a linear fashion, where the salesperson receives the questionnaire and the information security team completes it. Often, there are numerous emails back and forth, documents that need to be sent along with the questionnaire, follow-up questions that get asked after the questionnaire is sent back to the customer, and sometimes requests for remediation.
Automated platforms, such as ProcessBolt, help you clean up this chaos by housing all information, all documents, and all emails in one central location. No more hunting through emails or trying to find the latest artifacts and documents to send. Those on your response team with access to your Knowledge Base can easily find all emails, documents and information related to a particular customer.