
We analyzed 1,000 DDQ questions — Here are the 50 that always appear

The 50 most common DDQ questions across SIG, CAIQ, and custom questionnaires. Pre-write your answers once, reuse everywhere.


We analyzed over 1,000 questions across 87 real security questionnaires — SIGs, CAIQs, custom DDQs, and vendor assessment forms. The result: 50 questions that appear in some form in nearly every questionnaire.

Pre-write answers to these 50 questions, and you'll have 70–80% of any future DDQ covered before you even open it.

Category 1: Encryption & data protection (8 questions)

1. Do you encrypt data at rest?
   Appears in: 94% of questionnaires
   Expected answer: Algorithm (AES-256), where (database, file storage, backups), key management approach

2. Do you encrypt data in transit?
   Appears in: 93% of questionnaires
   Expected answer: TLS version (1.2+), HTTPS enforcement, HSTS, certificate management

3. How do you manage encryption keys?
   Appears in: 72% of questionnaires
   Expected answer: KMS provider (AWS KMS, Google KMS), rotation schedule, separation of duties

4. How do you classify data?
   Appears in: 68% of questionnaires
   Expected answer: Classification levels (Public, Internal, Confidential, Restricted), how classification is applied

5. What is your data retention policy?
   Appears in: 85% of questionnaires
   Expected answer: Retention periods by data type, deletion procedures, legal holds

6. How do you handle data deletion/disposal?
   Appears in: 71% of questionnaires
   Expected answer: Secure deletion methods, media sanitization, verification process

7. Where is customer data stored (geographic location)?
   Appears in: 78% of questionnaires
   Expected answer: Cloud regions, data residency controls, cross-border transfer mechanisms

8. Do you have a Data Processing Agreement (DPA)?
   Appears in: 65% of questionnaires
   Expected answer: Yes + availability, GDPR compliance, sub-processor list

Category 2: Access control & authentication (7 questions)

9. Do you enforce multi-factor authentication (MFA)?
   Appears in: 91% of questionnaires
   Expected answer: Where (all users, remote access, admin), MFA method, IdP

10. How do you manage user access / least privilege?
    Appears in: 87% of questionnaires
    Expected answer: RBAC, access reviews, provisioning/deprovisioning process

11. How do you handle employee offboarding?
    Appears in: 79% of questionnaires
    Expected answer: Timeline (same day/24h), access revocation process, checklist

12. Do you perform access reviews?
    Appears in: 74% of questionnaires
    Expected answer: Frequency (quarterly), scope, remediation process

13. How do you manage privileged/admin access?
    Appears in: 76% of questionnaires
    Expected answer: Separate admin accounts, MFA required, audit logging, time-limited access

14. Do you use single sign-on (SSO)?
    Appears in: 68% of questionnaires
    Expected answer: SSO provider, SAML/OIDC support, which systems

15. What is your password policy?
    Appears in: 72% of questionnaires
    Expected answer: Complexity requirements, rotation (or why you don't), password manager

Category 3: Incident response (6 questions)

16. Do you have a formal incident response plan?
    Appears in: 89% of questionnaires
    Expected answer: Yes, reviewed annually, tested how often

17. How do you detect security incidents?
    Appears in: 78% of questionnaires
    Expected answer: SIEM/logging tools, monitoring, alerting, 24/7 or business hours

18. What is your incident notification timeline?
    Appears in: 82% of questionnaires
    Expected answer: Customer notification within X hours (typically 72h), communication channels

19. Do you conduct post-incident reviews?
    Appears in: 71% of questionnaires
    Expected answer: Post-mortem process, timeline, tracking of remediation items

20. Have you experienced a data breach in the past 12/24 months?
    Appears in: 74% of questionnaires
    Expected answer: Yes/No, if yes: scope, remediation, notification

21. How do you classify incident severity?
    Appears in: 65% of questionnaires
    Expected answer: Severity levels (P1–P4), criteria for each, escalation paths

Category 4: Network & infrastructure security (6 questions)

22. Describe your network security architecture.
    Appears in: 76% of questionnaires
    Expected answer: VPC/network segmentation, firewalls/WAF, IDS/IPS

23. Do you perform penetration testing?
    Appears in: 88% of questionnaires
    Expected answer: Frequency (annual/semi-annual), internal vs. external, vendor name, last test date

24. How do you handle vulnerability management?
    Appears in: 84% of questionnaires
    Expected answer: Scanning frequency, SLA for remediation by severity, tools used

25. Do you use a Web Application Firewall (WAF)?
    Appears in: 67% of questionnaires
    Expected answer: Yes/No, provider (Cloudflare, AWS WAF), what it protects

26. Describe your logging and monitoring.
    Appears in: 79% of questionnaires
    Expected answer: What's logged, retention period, SIEM tool, alerting

27. Do you segment your network?
    Appears in: 72% of questionnaires
    Expected answer: VPC design, production vs. staging separation, database isolation

Category 5: Business continuity & disaster recovery (5 questions)

28. Do you have a Business Continuity Plan (BCP)?
    Appears in: 81% of questionnaires
    Expected answer: Yes, scope, review frequency, last test date

29. Do you have a Disaster Recovery Plan (DRP)?
    Appears in: 83% of questionnaires
    Expected answer: RTO target, RPO target, recovery procedures, last test

30. What are your RTO and RPO?
    Appears in: 76% of questionnaires
    Expected answer: Specific targets by tier (e.g., RTO 4h, RPO 1h for critical systems)

31. How do you handle backups?
    Appears in: 85% of questionnaires
    Expected answer: Frequency, encryption, retention, testing/restoration verification

32. Have you tested your DR plan in the past 12 months?
    Appears in: 69% of questionnaires
    Expected answer: Yes/No, test type (tabletop, failover), results, findings

Category 6: Compliance & governance (6 questions)

33. Do you have SOC 2 Type II certification?
    Appears in: 91% of questionnaires
    Expected answer: Yes/No, audit period, trust service criteria covered, auditor name

34. What compliance frameworks do you follow?
    Appears in: 78% of questionnaires
    Expected answer: SOC 2, ISO 27001, GDPR, HIPAA (if applicable), PCI DSS (if applicable)

35. Do you have a formal information security policy?
    Appears in: 86% of questionnaires
    Expected answer: Yes, review frequency, approval authority, scope

36. How do you manage third-party/vendor risk?
    Appears in: 73% of questionnaires
    Expected answer: Vendor assessment process, review frequency, risk tiering

37. Do you carry cyber insurance?
    Appears in: 64% of questionnaires
    Expected answer: Yes, coverage amount, carrier, policy type

38. Who is responsible for information security?
    Appears in: 70% of questionnaires
    Expected answer: CISO/CTO/VP Eng, reporting structure, security team size

Category 7: Application security (5 questions)

39. Describe your SDLC and security practices.
    Appears in: 80% of questionnaires
    Expected answer: SDLC methodology, code review, security testing in CI/CD, deployment process

40. Do you perform code reviews?
    Appears in: 74% of questionnaires
    Expected answer: Yes, all PRs reviewed, who reviews, tooling

41. Do you perform static/dynamic application security testing?
    Appears in: 77% of questionnaires
    Expected answer: SAST tool, DAST approach, frequency, integration point

42. How do you manage dependencies/third-party libraries?
    Appears in: 68% of questionnaires
    Expected answer: SCA tool (Snyk, Dependabot), update frequency, vulnerability SLA

43. Do you have a responsible disclosure/bug bounty program?
    Appears in: 55% of questionnaires
    Expected answer: security@ email, responsible disclosure policy, or bug bounty platform

Category 8: HR & physical security (4 questions)

44. Do you perform background checks on employees?
    Appears in: 76% of questionnaires
    Expected answer: Yes, scope (criminal, education, employment), when (pre-hire), provider

45. Do you provide security awareness training?
    Appears in: 82% of questionnaires
    Expected answer: Frequency (annual + onboarding), topics covered, training platform, completion rate

46. Do employees sign confidentiality/NDA agreements?
    Appears in: 71% of questionnaires
    Expected answer: Yes, as part of employment agreement, covers during and after employment

47. Describe physical security at your facilities.
    Appears in: 62% of questionnaires
    Expected answer: For remote/cloud companies: "Primarily remote workforce. Production infrastructure hosted on [AWS/GCP/Azure]. Physical security managed by cloud provider per SOC 2/ISO 27001."

Category 9: Privacy & data subject rights (3 questions)

48. How do you handle data subject access requests (DSARs)?
    Appears in: 67% of questionnaires
    Expected answer: Process, timeline (30 days), verification, tools

49. Do you use sub-processors? Can you provide a list?
    Appears in: 72% of questionnaires
    Expected answer: Yes, list available (link), notification process for changes

50. How do you handle cross-border data transfers?
    Appears in: 58% of questionnaires
    Expected answer: Standard Contractual Clauses, DPA, data residency options

How to use this list

  1. Pre-write answers to all 50. Spend a day (or a few hours with a tool like FillBase) and create approved, source-cited answers for each one.

  2. Store them in your knowledge base. Whether that's a Google Sheet, Notion page, or an automated tool — have them centralized and searchable.

  3. Update quarterly. When policies change, pen tests complete, or SOC 2 audits finish, review and update the affected answers.

  4. Use as onboarding for new team members. When you hire a GRC analyst or security lead, this list is their day-one playbook.

With these 50 answers ready, the next DDQ that lands in your inbox goes from a 6-hour nightmare to a 30-minute review.
