
Complete an ISO 27001 questionnaire online — AI-powered security assessment in minutes

Need to complete an ISO 27001 security questionnaire online? Upload your buyer's assessment, add your certification docs, and get source-cited answers covering all 93 Annex A controls.

Your buyer's security team sent a questionnaire based on ISO 27001, the international standard for information security management. The 2022 edition of the standard lists 93 Annex A controls across four themes (organizational, people, physical, and technological); the 2013 edition had 114 controls in 14 domains. Every answer needs to map to a specific control, with evidence.

Even if you're ISO 27001 certified, manually mapping each question to your Statement of Applicability and policies takes hours. Here's how to complete it in minutes.

What is an ISO 27001 questionnaire?

ISO/IEC 27001 is the international standard for information security management systems (ISMS). Buyers use ISO 27001-based questionnaires to evaluate whether your security controls meet the standard's requirements.

Key facts:

  • Based on 93 Annex A controls (ISO 27001:2022) or 114 controls (2013 version)
  • Controls organized into 4 themes: Organizational, People, Physical, Technological
  • Response format varies — some buyers use their own spreadsheets, others use standard templates
  • Expects references to your SoA (Statement of Applicability), policies, and certification
  • Commonly seen alongside SOC 2-based questionnaires in enterprise procurement

If you have a SOC 2 Type II report, there's ~65% overlap with ISO 27001 control areas — especially around access control, cryptography, incident management, and operations security.

The 4 ISO 27001:2022 control themes

Theme                  | Controls    | Key areas
Organizational (A.5)   | 37 controls | Policies, roles, threat intelligence, asset management, access control, supplier relationships
People (A.6)           | 8 controls  | Screening, employment terms, awareness, disciplinary process, offboarding
Physical (A.7)         | 14 controls | Security perimeters, equipment, clear desk, storage media
Technological (A.8)    | 34 controls | User endpoints, privileged access, authentication, cryptography, secure development, monitoring

For SaaS companies, Organizational and Technological controls are the most heavily questioned. If you're fully cloud-hosted, the data-center side of the Physical controls is inherited from your provider: cite the provider's ISO 27001 certificate and say so in the answer. Don't mark the whole theme N/A, though, because the controls covering your own offices, laptops, and removable media still apply and still appear in your SoA.

Common ISO 27001 questionnaire questions

Here's what you'll typically see, organized by control theme:

Organizational controls:

  • "Do you have a documented information security policy? When was it last reviewed?"
  • "How do you manage information security risks? Describe your risk assessment process."
  • "How are security roles and responsibilities defined?"
  • "Describe your supplier/vendor security assessment process."

People controls:

  • "Are background checks conducted for employees with access to sensitive data?"
  • "Describe your security awareness training program."
  • "What is your offboarding process for security access revocation?"

Technological controls:

  • "Describe your encryption standards (at rest and in transit)."
  • "How is privileged access managed and reviewed?"
  • "Describe your secure development lifecycle."
  • "How do you monitor for security events and anomalies?"

How FillBase completes ISO 27001 questionnaires

  1. Upload — Drop the buyer's questionnaire in any format (Excel, Word, PDF). FillBase detects ISO 27001 control references automatically, whether they use the 2022 numbering (A.5.x through A.8.x) or the 2013 numbering (A.5 through A.18).

  2. Knowledge base matching — FillBase matches each question to your uploaded documents: ISO 27001 certificate, Statement of Applicability, policies, SOC 2 report, and prior questionnaire responses.

  3. Auto-fill with citations — Each answer includes a source reference, for example: "A.8.24 Use of cryptography: AES-256 at rest via AWS KMS... Ref: Information Security Policy §4.2, SoA Control A.8.24."

  4. Review and submit — You review the ~15% of questions FillBase flagged for manual input, approve the rest, and export in the buyer's original format. Spot-check the citations as well: an answer is only as strong as the policy section it points to, and the buyer's security team may ask to see that section as evidence.

Upload these documents for best results

Document                                              | Impact on accuracy | Why
ISO 27001 certificate                                 | Medium             | Confirms certification scope and validity
Statement of Applicability (SoA)                      | Very high          | Maps every control to your implementation
Information security policy                           | High               | Covers organizational and people controls
Technical policies (encryption, access, development)  | High               | Covers technological controls in detail
SOC 2 Type II report                                  | High               | ~65% overlap with ISO 27001 controls
Prior ISO 27001 questionnaire responses               | Very high          | Exact question-answer pairs in context

The SoA is your single most valuable document. It already maps all 93 controls to your implementation status, control description, and justification. FillBase uses this mapping directly.

ISO 27001:2022 vs 2013 — which will the buyer ask about?

The 2022 revision restructured controls from 14 domains / 114 controls to 4 themes / 93 controls. Many buyers still use the 2013 structure. Some mix both.

FillBase recognizes both structures:

  • 2022 references (two-level IDs, A.5.1 through A.8.34) — maps to the 4-theme structure
  • 2013 references (14 domains A.5 through A.18, three-level control IDs such as A.9.4.1, 114 controls) — maps to the 14-domain structure

Your answers are the same — FillBase handles the mapping regardless of which version the buyer references.

When to use FillBase vs. your certification body

Scenario                                                     | Use FillBase | Use your certification body / GRC tool
Buyer sends a custom questionnaire                           | Yes          |
Completing the SoA itself                                    |              | Yes
Internal audit preparation                                   |              | Yes
Responding to buyer's security team during procurement       | Yes          |
Renewal or surveillance audit documentation                  |              | Yes

FillBase is for buyer-facing questionnaire completion — not internal compliance management. Use your certification body and GRC tool for the standard itself.

Try it free

Upload an ISO 27001 questionnaire and your company URL at fillbase.app. FillBase fills up to 50 questions free — with source citations on every answer. No account required.

For the full questionnaire: register for the free tier (200 requirements/month) or start a Starter plan ($149/month) for higher volume.

Use the ISO 27001 questionnaire tool to get started, or browse all questionnaire types including SOC 2, vendor risk assessments, and DDQ.
