MODELED ON SIG LITE · 32 QUESTIONS · FREE TEMPLATE

SaaS Vendor Security Questionnaire: the 32 questions enterprise buyers actually ask

When an enterprise buyer asks for your security questionnaire, this is what they're really sending: 32 questions across 7 domains, modeled on the Shared Assessments SIG Lite categories that 80% of procurement teams use as a baseline.

Total questions: 32
Categories: 7
Typical timeline: 5–10 business days for a first pass; 1–3 days if you have a pre-built answer pack
Effort: 8–20 engineer/security hours per request
Who requests it
  • Enterprise procurement & vendor risk teams (Fortune 1000)
  • CISO offices doing third-party risk reviews
  • Insurance and financial-services buyers under regulator pressure
Who fills it out
  • Your security or GRC team (with engineering input on infra questions)
  • Typically the CISO or Head of Security signs off

The questionnaire — every question, inline

1. Governance, Risk & Compliance

5 questions
Program-level questions about your security organisation and certifications.
  1.1 [Critical] Do you have a formal information security program with executive ownership? Provide the policy effective date and review cadence.
  1.2 [Critical] List all current security certifications and attestations (SOC 2 Type II, ISO 27001, HIPAA, PCI DSS, FedRAMP, etc.) with audit firm and most recent report date.
  1.3 [High] Do you carry cyber liability insurance? Provide limits and a redacted COI on request.
  1.4 [High] How often is your security policy set reviewed and updated? Who approves changes?
  1.5 [Medium] Do you perform an annual enterprise risk assessment? Describe the methodology (e.g. NIST RMF, ISO 31000).

2. Access Control & Identity

5 questions
How identities, credentials, and privileged access are managed.
  2.1 [Critical] Is SSO via SAML 2.0 or OIDC available on the customer-facing tier the buyer would purchase? Any upcharge?
  2.2 [Critical] Is MFA enforced for all employees with access to production systems and customer data? List the factor types accepted.
  2.3 [Critical] How is privileged access granted, reviewed, and revoked? Provide the access-review cadence.
  2.4 [High] Describe your offboarding process. What is the maximum time between termination and full access revocation?
  2.5 [Medium] Are service accounts inventoried and rotated? What is the rotation cadence?

3. Data Protection

5 questions
Encryption, data classification, retention, and deletion.
  3.1 [Critical] How is customer data encrypted at rest? Specify algorithm, key length, and key management provider (AWS KMS, GCP KMS, HSM, etc.).
  3.2 [Critical] How is data encrypted in transit? What minimum TLS version and which cipher suites are enforced?
  3.3 [High] Do you support customer-managed encryption keys (CMEK / BYOK)? On what plan tier?
  3.4 [High] Describe your data classification scheme and how it maps to handling controls.
  3.5 [Critical] Upon contract termination, what is the deletion SLA for customer data (production + backups)?
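
Question 3.2 is answered by whatever your TLS endpoints and clients actually enforce, so the honest answer comes from the configuration, not from the policy document. As an added example (not code from the original page or from ComplianceIQ), the Python below builds a client context that pins TLS 1.2 or newer plus forward-secret AEAD suites only, and audits any context's enabled suite list against that policy; the policy itself and the OpenSSL cipher string are assumptions, and the same rules apply to a server-side `ssl_protocols` / `ssl_ciphers` configuration.

```python
"""TLS-version and cipher-suite enforcement check for questionnaire item 3.2.

Added example, not code from the original page. Policy (an assumption):
TLS 1.2 or newer, forward-secret AEAD suites only.
"""
import ssl

# OpenSSL cipher string for the TLS 1.2 suites we allow. TLS 1.3 suites are
# configured separately by OpenSSL and are all forward-secret AEAD already.
STRONG_TLS12_SUITES = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_client_context():
    """Client context that refuses TLS < 1.2 and non-forward-secret or non-AEAD suites."""
    ctx = ssl.create_default_context()            # verifies peer cert + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # explicit; Python < 3.10 defaulted lower
    ctx.set_ciphers(STRONG_TLS12_SUITES)
    return ctx


def is_strong_suite(name):
    """True for TLS 1.3 suites and TLS 1.2 (EC)DHE suites with an AEAD cipher."""
    if name.startswith("TLS_"):                   # OpenSSL names TLS 1.3 suites TLS_*
        return True
    forward_secret = name.startswith(("ECDHE-", "DHE-"))
    aead = "GCM" in name or "CHACHA20" in name    # rules out CBC / SHA-1 MAC suites
    return forward_secret and aead


def weak_suites(names):
    """Filter a list of OpenSSL suite names down to the ones that violate policy."""
    return [n for n in names if not is_strong_suite(n)]


def audit_context(ctx):
    """Return (minimum_version_ok, list_of_weak_enabled_suites) for a context."""
    version_ok = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    enabled = [c["name"] for c in ctx.get_ciphers()]
    return version_ok, weak_suites(enabled)


if __name__ == "__main__":
    ok, weak = audit_context(hardened_client_context())
    print("minimum version TLS 1.2+:", ok)
    print("weak suites enabled:", weak or "none")
```

`weak_suites` is deliberately name-based so it can be pointed at a suite list pasted from a load balancer or a scanner report, not only at a live Python context; static-RSA suites such as `AES128-SHA` fail the forward-secrecy test, and `ECDHE-RSA-AES256-SHA384` fails the AEAD test even though it is ECDHE.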

4. Infrastructure & Cloud Security

5 questions
Hosting, network controls, vulnerability management.
  4.1 [Critical] What cloud provider(s) and region(s) host customer data? Can data residency be pinned to a region?
  4.2 [High] Describe your network segmentation between customer environments. Single-tenant or multi-tenant?
  4.3 [Critical] What is your patch cadence for critical OS and library CVEs? What is the maximum window from disclosure of a CVSS 9+ vulnerability to deployment of the fix?
  4.4 [High] How often is external pen testing conducted, by whom, and is an executive summary available under NDA?
  4.5 [Medium] Do you use a WAF, DDoS protection, and IDS/IPS? Name the provider(s).

5. Secure Development Lifecycle

4 questions
How software is designed, reviewed, and shipped securely.
  5.1 [High] Is peer code review mandatory before merge to main? How is the policy enforced (branch protection, required approvals)?
  5.2 [High] What SAST, DAST, and SCA tools are in your CI pipeline? Are critical findings blocking?
  5.3 [Critical] Do developers have access to production data? If yes, how is that controlled and audited?
  5.4 [Medium] Do you maintain a software bill of materials (SBOM) per release?

6. Incident Response & Business Continuity

4 questions
Detection, response, breach notification, recovery.
  6.1 [Critical] Provide your customer breach-notification SLA in writing (maximum hours from confirmed incident to first customer notice).
  6.2 [High] Is your incident response plan tested at least annually? Describe the last tabletop exercise scenario and outcomes.
  6.3 [Critical] What are your RTO and RPO for the production service? When were they last validated by a DR test?
  6.4 [High] Where are backups stored and are they encrypted? Are they tested for restorability?

7. Third-Party & Subprocessors

4 questions
How you manage your own supply chain.
  7.1 [Critical] Do you maintain and publish a current list of subprocessors (name, function, country, data accessed)? Provide the URL.
  7.2 [High] Do you perform security due diligence on subprocessors before onboarding? Describe the gating criteria.
  7.3 [High] What advance notice do customers receive before a new subprocessor is added or replaced?
  7.4 [Critical] Are DPAs or equivalent contractual data-protection terms in place with every subprocessor handling personal data?

Want this pre-filled with YOUR controls?

Run a free SOC 2 / SIG Lite audit. ComplianceIQ uses your audit responses and generated policies to populate an answer pack you can paste into any SIG, CAIQ, or custom enterprise questionnaire — in minutes, not days.


FAQ

How is this different from the actual SIG Lite?
Shared Assessments owns SIG. We can't reproduce the proprietary question text, but the categories and the type of evidence requested are public and well-documented. These 32 questions are ComplianceIQ's own version, written to map cleanly to SIG Lite and to most ad-hoc questionnaires enterprise buyers send.
Do I have to answer every question?
No. Mark non-applicable items 'N/A' with a one-line justification. Buyers respect honest scoping more than vague yeses.
What evidence should I attach?
Latest SOC 2 / ISO 27001 report (under NDA), pen-test executive summary, public subprocessor list URL, security policy index, and your DPA/MSA. Have a single 'trust package' link ready.
How do I turn this into a reusable answer pack?
Answer once in a Notion / Confluence / Google Doc, organise by category, and version it. ComplianceIQ Pro generates a pre-filled DOCX from your audit responses and policies so the next questionnaire takes 90 minutes, not 9 days.

Related free policy templates

  • SOC 2 Access Control Policy
  • Vendor / Third-Party Risk Management Policy

What happens when these answers are wrong

Equifax (2017): settlement of up to $700M, the largest consumer-data settlement in US history at the time. Attackers had access for 76 days through an Apache Struts vulnerability (CVE-2017-5638) whose patch had been available since March 2017.
Uber (2016 breach, disclosed 2017): $148M settlement with US states. Uber paid the attackers $100K to conceal a 57M-record breach for over a year.

More questionnaires

  • Cloud Provider
  • HIPAA BA Assessment
  • SOC 2 Subservice
  • GDPR Art. 28
  • PCI DSS SP