Our top 7 tips to answering security questionnaires

September 15, 2020
One of your major customers wants to know how you protect their information. This is a challenge many security and risk professionals face every day. Here are our Top 7 Tips to approaching this the right way, every time!

To help with this challenge we have set out the most common sticky areas and our suggestion for handling each one, so your business can get on with growing and not get stuck in the details.

1. What is the level of detail you are willing to share with your customers?

Agree with your management team whether there is any information about your security controls you are not willing to share and, if so, what other statements you can make to give your customers the confidence that you are doing the right thing.

2. Do you understand the questions?

Review the questions and make sure you ask the customer for further information if a question is not clear. We have seen many cases where customers write questions that do not make sense and should not be answered until they are clarified.

3. Do you have the answers?

Decide where you will store the answers you write. Decide whether you will sanitise the answers so you can provide them again in the future to the same client, to other clients, or to potential auditors of your organisation.

4. Who do you engage with to get the answers?

Ensure you have a register of the organisations in your supply chain and the business units within your organisation that form part of your broader information security governance team. List the key contacts in these businesses who are the experts at answering the questions you may need to ask.

5. Do you know how best to write the answer?

Engage a security consultant like Cyber Security Consulting Pty Ltd to help you write professional answers that everyone can understand, free of jargon and acronyms that can't be understood when reviewed a year later.

6. What do you do when you find your security controls aren’t going to cut it?

Ensure you document any control gaps you find along the way. No-one has perfect security controls, and you will inevitably find areas which you or your customer may be concerned about. By documenting the gaps you can report them to management and start to plan what, if any, remediation you will take to reduce the control gaps.

7. How do you explain gaps to your important customers and your business stakeholders?

Be honest and don't try to hide the gaps you may have. Your clients deserve the truth; if the truth is that you don't have great password controls then let them know, but make sure you do something about it and share your plan to improve your controls over time.

In summary here are our top 7 tips to answering security questionnaires:

  1. Agree with your management team what your company is willing to share with the market.
  2. Review the questions and make sure you ask the customers for further information if a question is not clear.
  3. Decide where you will store the answers you write.
  4. Have a register of the organisations in your supply chain and the business units within your organisation that form part of your broader information security governance team and can help answer specific questions when needed.
  5. Ensure you document any control gaps you find along the way and report back to management.
  6. Be honest and don't try to hide the gaps you may have (but do secure this information when you share it back with your customer).