You are close to signing your biggest customer yet. The contract is basically agreed. Then their procurement team emails you a spreadsheet with 120 rows, or a PDF titled “Third-Party Information Security Assessment,” and says the deal cannot move forward until you fill it out. You open it, and it asks whether you have a documented incident response plan, how you encrypt data at rest, and what your policy is for revoking access when an employee leaves. You are a six-person company. You do not have a security team. You are not even sure you have answers.
This is one of the most common panics I hear from small business owners, and it is a natural follow-on to something I wrote about earlier: why enterprise clients send 40-page questionnaires in the first place. That post explained the why. This one is the how: how a small business actually answers one of these things, honestly and credibly, without hiring anyone.
You are not being singled out
First, the reassuring part. The questionnaire is not a sign that the enterprise distrusts you specifically. It is a sign that they distrust every vendor, by policy, as a matter of routine. A big company that connects to hundreds or thousands of outside vendors has learned, usually the hard way, that their weakest supplier is their weakest link. Some of the largest breaches in the last decade started at a small vendor (an HVAC contractor, a chat widget, a billing service), not at the enterprise itself.
So their answer is a process: before any new vendor touches data or systems, that vendor fills out a security questionnaire. The person who sent it to you is not judging you: they are checking a box they are required to check. Your job is not to be perfect. It is to give them enough credible, documented answers that they can approve you and move on. That is a much lower bar than “have an enterprise security program,” and it is one a small business can clear.
What these questionnaires actually are
They mostly come in one of three flavors. Knowing which one you have in front of you tells you what you are dealing with.
The SIG
The SIG (Standardized Information Gathering) questionnaire is published by a group called Shared Assessments. It is the heavyweight. The full version (SIG Core) runs to hundreds of questions across roughly 20 risk domains; a shorter version (SIG Lite) trims it to the highest-priority items. If a mid-sized or large enterprise sends you a giant, professionally formatted Excel workbook with tabs, it is very likely a SIG. The good news: because it is standardized, the same answers can be reused the next time another customer sends you a SIG.
The CAIQ
The CAIQ (Consensus Assessments Initiative Questionnaire) comes from the Cloud Security Alliance and is aimed at cloud and SaaS providers. It is mostly yes/no/not-applicable questions mapped to the CSA’s Cloud Controls Matrix. If you run a software product hosted in AWS, Azure, or Google Cloud, expect to see a CAIQ. It tends to be more checkbox-oriented than the SIG, which makes it faster to complete once your documentation is in order.
The custom spreadsheet
The most common one for small vendors is neither of the above: it is a homegrown spreadsheet or web form the enterprise’s security team built themselves. It borrows heavily from the SIG and from frameworks like NIST and ISO 27001, but it is worded in-house. There is no answer key online for it. This is the one that feels most intimidating, because it looks unique, but underneath, it asks the same handful of questions everyone asks. Learn the categories once and you can answer any of the three.
Why the enterprise is asking
It helps to answer these things well if you understand what the person on the other end is trying to protect. They are not curious about your firewall for its own sake. They are trying to answer one question for their own boss and their own auditors: “If we give this vendor access to our data, are we taking on a risk we cannot defend?”
Everything on the questionnaire is a proxy for that. When they ask whether you have a written incident response plan, the real question is “if you get breached with our data inside your systems, will you tell us, and do you have any idea what to do?” When they ask about access control, the real question is “can a random ex-employee of yours still get into the system that holds our data?” Once you see the questions this way, the answers stop being a compliance riddle and become a plain description of how you run your business. And the single most convincing thing you can point to, over and over, is a written policy showing you thought about this before they asked.
The question categories, and what they really want
Strip away the formatting and almost every questionnaire clusters into the same seven categories. Here is what each one is really asking, and what a small business can credibly say.
- Access control. Who can log into what, how you handle passwords and multi-factor authentication, and (the one they care about most) how fast you cut off access when someone leaves. The credible answer is a written access control policy plus the fact that you use MFA and remove accounts on the day someone departs. Be ready to show it: a dated offboarding checklist or ticket for your last leaver is the evidence a reviewer will ask for.
- Data handling and classification. What data you collect, where it lives, how long you keep it, and how you dispose of it. They want to know you have thought about their data specifically. A data classification and retention policy covers this.
- Encryption. Whether data is encrypted in transit (in practice: do you use HTTPS/TLS everywhere, including between your own services) and at rest (is the disk or database encrypted). For most small SaaS businesses on a major cloud provider, the honest answer is “yes”, but confirm it per service before you write it down: some managed databases and disks only encrypt if the option was turned on when they were created, and the reviewer may also ask who manages the keys. Once you have checked, say so and know why it is true.
- Incident response. Do you have a documented plan for what happens when something goes wrong, including how and how quickly you would notify them. This is the category where “we have a written policy” carries the most weight, because most small vendors have nothing.
- BYOD and endpoint security. If your team uses personal laptops and phones for work, what rules govern that: screen locks, disk encryption, the ability to wipe a lost device. A short BYOD / acceptable use policy answers the whole section.
- Vendor and subprocessor management. Which third parties you rely on (your cloud host, your email provider, your payment processor) and how you vet them. Enterprises care because your vendors become their vendors by extension. A one-page vendor management policy plus a list of your key subprocessors does the job.
- Business continuity and backups. Whether you back up data, whether you have tested restoring it, and how you would keep operating after an outage. A backup and recovery policy, plus the honest truth about your last restore test, covers it.
That is the whole exam. A 200-question SIG is mostly these seven ideas asked seven different ways each.
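The access control item above promises that accounts are removed on the day someone departs. The check behind that promise is a reconciliation of your HR roster against the account lists of every system that holds customer data, which is also the evidence a reviewer will ask to see. The script below is an added example, not part of the original post or of any policy set: the roster, the account exports, the field names and the `reconcile` and `sla_breaches` helpers are all constructed for illustration, standing in for whatever your HR tool and admin consoles actually export.

```python
"""Offboarding reconciliation: find accounts that should already be gone.

Compares a constructed HR roster against constructed account exports from the
systems that hold customer data. Any enabled account whose owner has left is a
finding, and the number of days it has outlived its owner's departure is the
number a questionnaire reviewer will ask about. All data here is made up.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: current staff, and the departure date of leavers.
ROSTER = {
    "ana@example.com": {"status": "active",   "left": None},
    "bo@example.com":  {"status": "active",   "left": None},
    "cy@example.com":  {"status": "departed", "left": date(2026, 5, 2)},
    "dee@example.com": {"status": "departed", "left": date(2026, 5, 20)},
}

# Constructed account exports, one row per account per system, as you would
# pull them from each admin console or API. Field names are this example's.
ACCOUNT_EXPORTS = [
    {"system": "cloud-console", "user": "ana@example.com", "enabled": True},
    {"system": "cloud-console", "user": "cy@example.com",  "enabled": True},   # leaver, still enabled
    {"system": "cloud-console", "user": "dee@example.com", "enabled": False},  # leaver, disabled: fine
    {"system": "db-admin",      "user": "bo@example.com",  "enabled": True},
    {"system": "db-admin",      "user": "dee@example.com", "enabled": True},   # leaver, still enabled
    {"system": "db-admin",      "user": "ops-shared",      "enabled": True},   # no owner in HR
    {"system": "git",           "user": "ana@example.com", "enabled": True},
    {"system": "git",           "user": "cy@example.com",  "enabled": True},   # leaver, still enabled
]

# "Removed on the day someone departs" means zero days of grace.
POLICY_SLA_DAYS = 0


@dataclass
class Finding:
    system: str
    user: str
    kind: str        # "departed-still-enabled" or "no-owner"
    days_open: int   # days the account has outlived its owner's departure (0 if no owner)


def reconcile(roster, exports, today):
    """Return findings for every enabled account the roster does not justify."""
    findings = []
    for acct in exports:
        if not acct["enabled"]:
            continue  # a disabled account is the desired end state
        person = roster.get(acct["user"])
        if person is None:
            # Shared or service accounts have no HR owner. They need a named
            # owner and their own review, so surface them instead of skipping them.
            findings.append(Finding(acct["system"], acct["user"], "no-owner", 0))
        elif person["status"] == "departed":
            days = (today - person["left"]).days
            findings.append(Finding(acct["system"], acct["user"], "departed-still-enabled", days))
    return findings


def sla_breaches(findings, sla_days=POLICY_SLA_DAYS):
    """Findings that violate the written policy's removal deadline."""
    return [f for f in findings if f.kind == "departed-still-enabled" and f.days_open > sla_days]


def run_example():
    """Run the reconciliation on the constructed data as of a fixed date."""
    return reconcile(ROSTER, ACCOUNT_EXPORTS, today=date(2026, 5, 21))


if __name__ == "__main__":
    found = run_example()
    for f in found:
        print(f"{f.system:14} {f.user:18} {f.kind:24} {f.days_open}d")
    print(f"{len(sla_breaches(found))} account(s) outside the policy SLA")
```

Run it on a schedule and keep the output: an empty breach list dated each week is exactly the kind of evidence that turns “we remove accounts the day someone leaves” from a claim into proof, and the `no-owner` rows are the shared and service accounts a reviewer will ask about next.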
The magic phrase: “we have a written policy for that”
Here is the thing that changes everything, and it is the whole reason I keep telling small business owners to write policies before they need them. A questionnaire reviewer is not standing over your shoulder watching you configure a server. They are reading answers on a page. The strongest possible answer to most questions is not a paragraph explaining your setup. It is a short, direct statement backed by a document: “Yes. This is governed by our Access Control Policy, last reviewed May 2026, available on request.”
That single sentence does three things at once. It answers yes. It proves the answer is a standing rule your business already operates under, not something you invented on the spot to close a deal. And it hands the reviewer a document they can file as evidence, which is exactly what their auditor will eventually ask them for. A written policy converts “trust me” into “here is proof,” and proof is the currency these reviews run on.
This is why a small business without a security team can still pass. You do not need a Security Operations Center or a full-time analyst. You need a set of written policies that map to the categories above, plus the discipline to actually follow them. Ten to twelve solid documents will answer the overwhelming majority of any questionnaire you are handed. The policies do the work the headcount otherwise would.
Answer honestly, do not over-claim
The temptation, when a deal is on the line, is to answer every question the way you think they want to hear. Do not. Over-claiming on a security questionnaire is the one move that can genuinely blow up the deal, and worse, it can come back on you legally.
These questionnaires frequently get attached to the contract. When you write “yes, all data is encrypted at rest,” you are making a representation the customer is relying on. If you get breached later and it turns out that was not true, you did not just lose a customer: you made a false statement in a contract. Reviewers also read these for a living. A vendor that answers “fully implemented” to all 200 questions looks less credible, not more, because nobody is perfect and they know it.
The honest approach is stronger and easier. If you do something, say yes and point to the policy. If you do not do something yet, the right answer is not a lie and not a flat no. It is: “Not currently, but it is covered by our written policy and planned for [timeframe].” Reviewers respect “in progress with a plan” far more than they distrust it. If a question genuinely does not apply (a physical data center control when you are entirely cloud-hosted), mark it not applicable and say why in one line. Honest, specific, and backed by documentation beats confident and vague every single time.
The shortcut: a policy set built for this
By now the pattern is obvious: nearly every credible answer traces back to a written policy you either have or you do not. So the real question for a small business staring at its first questionnaire is not “how do I answer 200 questions?” It is “how do I get the ten or twelve policies that answer those questions?”
You can write them yourself. It is genuinely doable, and a worthwhile education in how your business handles risk. It also takes most owners a long weekend or two, and the questionnaire is usually due Friday. That is the gap our Cyber Essentials policy set was built to close. It is a bundle of the core written policies these questionnaires ask for (access control, data handling, incident response, acceptable use and BYOD, vendor management, encryption standards, backup and recovery, and more) written in plain language, mapped to recognized standards, and ready to put your business name on. It is the exact set of documents that lets you answer “yes, we have a written policy for that” and mean it.
Either way, the point stands: the questionnaire is not testing whether you have a security team. It is testing whether you have thought about this and written it down. A small business absolutely can. And once the policies are in place, the next questionnaire (and there will be a next one) takes an afternoon instead of a panic.
If you are staring at one right now and are not sure where to start, email support@breachsecurity.io with the questionnaire attached and a line about what your business does. I will tell you honestly whether you can answer it with what you have, what policies you are missing, and whether the deal in front of you is worth the effort.