How to answer security questionnaires — step-by-step guide with examples
A practical guide to answering security questionnaires: how to structure responses, what buyers actually want, common mistakes, and real answer examples for the 10 most common question categories.

You just received a 200-question Excel file from your biggest prospect. The deal is worth $200K ARR. The buyer's security team needs it back by Friday. You have no template, no process, and the last person who answered one of these left the company six months ago.
This guide covers how to answer security questionnaires well — not just fast, but in a way that builds trust and closes deals.
What buyers actually want
Before diving into tactics, understand what the buyer's security team is evaluating:
- Accuracy — Are your answers factually correct and consistent with your documentation?
- Completeness — Did you answer every question, or skip the hard ones?
- Evidence — Can you back up your claims with documentation (SOC 2, policies, certifications)?
- Transparency — Did you acknowledge gaps honestly, or give vague non-answers?
A perfect score isn't the goal. Honest, well-documented answers that acknowledge limitations beat polished answers that can't be verified.
Step 1: Triage the questionnaire
Before answering anything, scan the entire questionnaire and categorize:
- Standard security questions (60–70%) — Encryption, access control, incident response, certifications. These appear in every DDQ. If you've answered one questionnaire, you have these answers.
- Compliance-specific questions (15–20%) — SOC 2 trust criteria, ISO 27001 controls, GDPR articles. These reference specific frameworks.
- Product/company-specific questions (10–15%) — Your architecture, data flow, sub-processors, insurance. These require custom answers.
- Irrelevant questions (5–10%) — Physical security for a SaaS company, mainframe questions, on-prem deployment details. Mark as N/A with a brief explanation.
This triage tells you how much work you're actually facing. The 60–70% standard questions should take minutes if you have a knowledge base. The 10–15% custom questions are where you'll spend real time.
Step 2: Gather your source documents
Good answers come from good sources. Before you start answering, collect:
- SOC 2 Type II report — Covers 60–70% of standard security questions
- Security policies — Information security, access control, incident response, data classification, acceptable use
- Architecture documentation — Data flow diagrams, infrastructure overview, encryption details
- Compliance certifications — ISO 27001, SOC 2, HIPAA, GDPR records of processing
- Prior questionnaire responses — Your single best resource. Past answers, already reviewed and approved, in the questionnaire's own format.
- Sub-processor/vendor list — Almost always asked. Have a current list with DPA status.
If you're missing any of these, that's your first action item — not answering the questionnaire.
Step 3: Answer with the right structure
Every answer should follow this structure:
[Direct answer] + [Supporting detail] + [Evidence reference]
Example: "Describe your encryption at rest"
❌ Bad answer: "Yes, we use encryption."
⚠️ Mediocre answer: "We encrypt all data at rest using AES-256."
✅ Good answer: "All data at rest is encrypted using AES-256 via AWS KMS. Encryption keys are managed through AWS Key Management Service with automatic annual rotation. Customer data in PostgreSQL (RDS) and S3 is encrypted by default — no unencrypted storage is permitted. Ref: SOC 2 Report §CC6.1, Information Security Policy §4.2."
The difference: the good answer tells the reviewer exactly what standard, what service, and where to verify it.
Step 4: Handle the 10 most common question categories
1. Encryption (at rest and in transit)
What they're asking: How is data protected from unauthorized access at the storage and network level?
Example answer: "Data at rest: AES-256 encryption via AWS KMS for all databases (RDS PostgreSQL) and object storage (S3). Encryption keys are AWS-managed with annual automatic rotation. Data in transit: TLS 1.3 enforced for all external communications. Internal service-to-service communication uses mutual TLS. Ref: SOC 2 §CC6.1, Encryption Policy §3.1."
2. Access control and authentication
What they're asking: Who can access what, and how do you verify identity?
Example answer: "Authentication: SSO via SAML 2.0 (Okta) for all employees. MFA enforced — no exceptions. Customer authentication: email/password with optional SSO (SAML 2.0 / OIDC). Access control: Role-based access control (RBAC) with principle of least privilege. Quarterly access reviews conducted by engineering management. Privileged access requires approval and is time-limited (JIT via Okta PIM). Ref: Access Control Policy §2.1, SOC 2 §CC6.3."
3. Incident response
What they're asking: What happens when something goes wrong? How fast do you respond?
Example answer: "Documented incident response plan with defined severity levels: P1 (critical): 1-hour response SLA, P2 (high): 4-hour SLA, P3 (medium): 24-hour SLA. Incident response team includes on-call engineering, security lead, and executive sponsor. Tabletop exercises conducted quarterly. Post-incident reviews (PIRs) completed within 5 business days. Customer notification within 72 hours for incidents affecting customer data (per DPA). Last incident drill: Q1 2026. Ref: Incident Response Plan §3, SOC 2 §CC7.3."
4. Business continuity and disaster recovery
What they're asking: Will you survive an outage? How fast can you recover?
Example answer: "Multi-region deployment on AWS (us-east-1 primary, us-west-2 DR). RTO: 4 hours. RPO: 1 hour. Daily automated backups with 30-day retention. Annual BCP tabletop exercise and DR failover test — last completed March 2026, failover achieved in 2.5 hours. Ref: Business Continuity Plan §4, SOC 2 §A1.2."
5. Compliance certifications
What they're asking: What third-party validation do you have?
Example answer: "SOC 2 Type II: Active, last audit period Jan–Dec 2025 (auditor: [firm name]). Report available under NDA. ISO 27001: Not currently certified (roadmap: H2 2026). GDPR: Compliant — DPA available on request, EU data processing via AWS eu-west-1. HIPAA: Not applicable (we do not process PHI). Ref: SOC 2 Report cover page, GDPR Records of Processing."
Key tip: Be honest about what you don't have. "Not currently certified, roadmap H2 2026" is far better than silence or a vague "we follow ISO 27001 principles."
6. Data handling and classification
What they're asking: How do you categorize data and manage its lifecycle?
Example answer: "Data classification levels: Public, Internal, Confidential, Restricted. Customer data classified as Confidential by default. Data retention: 90 days post-contract termination, then automated deletion. Customer data deletion on request within 30 days. No customer data used for model training. Data processing locations: AWS us-east-1, us-west-2, eu-west-1 (EU customers). Ref: Data Classification Policy §2, Data Retention Policy §3."
7. Vulnerability management
What they're asking: How do you find and fix security vulnerabilities?
Example answer: "Automated dependency scanning via Dependabot (continuous). SAST scanning in CI/CD pipeline on every pull request. Annual third-party penetration test via HackerOne — last completed February 2026, no critical findings. Critical vulnerabilities: patched within 24 hours. High: 7 days. Medium: 30 days. Ref: Vulnerability Management Policy §4, SOC 2 §CC7.1."
8. Sub-processors and third parties
What they're asking: Who else touches the data?
Example answer: "Key sub-processors: AWS (infrastructure, us-east-1/us-west-2/eu-west-1), OpenAI (AI processing, data not used for training per DPA), Stripe (payment processing), PostHog (product analytics, EU hosting). Full sub-processor list with DPA status available on request. Sub-processor changes: 30-day advance notice. All sub-processors have executed DPAs. Ref: Sub-processor Register, DPA §8."
9. Employee security
What they're asking: Are your people a risk?
Example answer: "Background checks: Conducted for all employees pre-hire. Security awareness training: Annual, with phishing simulation exercises quarterly. Last completion rate: 98%. Acceptable use policy: Signed by all employees at onboarding, acknowledged annually. Offboarding: Access revocation within 4 hours of termination. Automated deprovisioning via Okta lifecycle management. Ref: HR Security Policy §3, SOC 2 §CC1.4."
10. Logging and monitoring
What they're asking: Can you detect and investigate security events?
Example answer: "Centralized logging via Datadog. All application, infrastructure, and access logs retained for 12 months. Real-time alerting for anomalous activity (failed logins, privilege escalation, data export). 24/7 monitoring with PagerDuty on-call rotation. SIEM correlation for security event investigation. Audit logs immutable and tamper-evident. Ref: Logging & Monitoring Policy §2, SOC 2 §CC7.2."
Step 5: Handle questions you can't answer
Three acceptable approaches:
- N/A with explanation: "Not applicable — FillBase is a cloud-only SaaS product and does not maintain physical data centers. Physical security is managed by AWS per their SOC 2 report."
- Honest gap with plan: "We do not currently have ISO 27001 certification. We follow ISO 27001 controls as documented in our ISMS policy, and certification is on our roadmap for H2 2026."
- Partial answer with flag: "Our current penetration testing is conducted annually. We are evaluating moving to semi-annual testing in 2026. Most recent report available under NDA."
Never leave a question blank. Never answer "yes" to a compliance question you can't evidence.
Step 6: Review before submitting
Before hitting send:
- Every question has an answer (even if N/A)
- Answers are consistent (don't say "annual" in one place and "quarterly" in another)
- Source references are included for key claims
- Dates are current (last audit, last pentest, last BCP test)
- Sub-processor list is up to date
- Someone other than the author has reviewed the responses
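The Step 3 answer structure and most of the Step 6 checklist can be enforced mechanically before a human reviewer reads the responses. The script below is an added example, not FillBase's code and not part of the original article: it runs the checks over a few constructed sample answers and flags blank answers, answers with no "Ref:" evidence citation, dates older than a year, and topics whose stated cadence disagrees across answers (the "annual" vs "quarterly" case). The sample rows, topic keywords and fixed review date are assumptions chosen for the demonstration.

```python
import re
from datetime import date

# Constructed sample rows (question, answer) for illustration only.
SAMPLE_ANSWERS = [
    ("Describe encryption at rest",
     "All data at rest is encrypted using AES-256 via AWS KMS. Ref: SOC 2 Report §CC6.1."),
    ("How often are access reviews performed?",
     "Quarterly access reviews by engineering management. Ref: Access Control Policy §2.1."),
    ("Describe your access review process",
     "Annual access reviews are performed for all systems."),
    ("When was your last penetration test?",
     "Annual penetration test, last completed February 2024. Ref: Pentest Report 2024."),
    ("Do you operate physical data centers?", ""),
]

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
MONTH_YEAR = re.compile(r"\b(" + "|".join(MONTHS) + r")\s+(\d{4})\b")
REF_MARKER = re.compile(r"\bRef:\s*\S")  # the [Evidence reference] part of Step 3
FREQUENCY = re.compile(r"\b(annual|quarterly|monthly|weekly|daily)", re.IGNORECASE)
TOPICS = ["access review", "penetration test", "awareness training", "backup"]  # cadence must agree

def review_answers(rows, today=None, max_age_days=365):
    """Return (row_number, finding) pairs for the pre-submission checks."""
    today = today or date.today()
    findings, cadence = [], {}  # cadence: topic -> {frequency: [row numbers]}
    for n, (question, answer) in enumerate(rows, start=1):
        if not answer.strip():
            findings.append((n, "blank: answer it or mark N/A with an explanation"))
            continue
        if not REF_MARKER.search(answer):
            findings.append((n, "no evidence reference (Ref: ...)"))
        for m in MONTH_YEAR.finditer(answer):
            when = date(int(m.group(2)), MONTHS.index(m.group(1)) + 1, 1)
            if (today - when).days > max_age_days:
                findings.append((n, f"stale date: {m.group(0)}"))
        freq = FREQUENCY.search(answer)
        for topic in TOPICS:
            if freq and topic in f"{question} {answer}".lower():
                cadence.setdefault(topic, {}).setdefault(freq.group(1).lower(), []).append(n)
    for topic, by_freq in cadence.items():
        if len(by_freq) > 1:  # e.g. "quarterly" in one answer, "annual" in another
            for n in sorted(r for rs in by_freq.values() for r in rs):
                findings.append((n, f"inconsistent cadence for '{topic}': {sorted(by_freq)}"))
    return findings

def run_sample():
    """Run the checks over the constructed sample with a fixed 'today' (2026-04-01, assumed)."""
    return review_answers(SAMPLE_ANSWERS, today=date(2026, 4, 1))
```

Each finding points at a row number so the author can fix it before the second-person review in the last checklist item.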
Automating this process
If you're completing more than one security questionnaire per month, doing this manually doesn't scale. The steps above — triaging, gathering sources, matching questions to answers, formatting responses — are exactly what DDQ automation tools do.
FillBase automates this by learning from your SOC 2, policies, and past questionnaire responses. It auto-fills ~90% of questions with source citations, flags the ones it can't answer, and returns the completed questionnaire in the buyer's original format. The first DDQ takes 30 minutes instead of 8 hours. By the fifth, it's 15 minutes.
FillBase handles all major formats: DDQs, SIG questionnaires, CAIQ, HECVAT, vendor risk assessments, ISO 27001, SOC 2, and general information security questionnaires. See all supported questionnaire types.
Want to see how it compares to other tools? Check out our comparison with Conveyor, Loopio, Vanta, and other alternatives.
Start with a free DDQ at fillbase.app — upload a questionnaire and your company URL to see how it works.