12 Things to Fix Before a Customer Sends a Security Questionnaire
A security questionnaire feels stressful when the business has to build the answer and find the evidence at the same time.
The best preparation is to organise the obvious foundations before the questionnaire lands. That way, you can answer with confidence instead of guessing under deadline pressure.
Before a customer sends a security questionnaire, fix the basics that make answers easier to evidence: system ownership, access controls, MFA, vendor records, security policies, risk tracking, incident response and a simple evidence folder.
Fix These First
- Create a central evidence folder.
- Document who has admin access to key systems.
- List vendors that process customer or business data.
- Make sure MFA is enabled on important accounts.
- Separate what is already implemented from what is planned.
How to Use This List
Identify
Name the issue clearly so it does not stay vague or hidden.
Evidence
Gather proof of what exists today before answering customers.
Prioritise
Decide which gap creates the most commercial or operational risk.
Improve
Assign an owner, set the next action and review progress.
12 Things to Fix Before a Customer Sends a Security Questionnaire
Use each item as a practical diagnostic point. If it applies to your startup, capture the issue, assign an owner and decide whether it needs a quick fix, a roadmap item or a deeper security review.
1. Your system list
Create a simple list of the tools, platforms, SaaS apps and infrastructure your startup uses. Include who owns each system and whether customer data is stored or processed there.
2. Your access list
Record who has access to key systems, especially admin access. This makes it easier to answer questions about least privilege, privileged access and how access is approved or removed.
3. MFA coverage
Check whether multi-factor authentication is enabled on email, cloud platforms, customer data tools, code repositories and admin consoles. If MFA is not consistent, fix the highest-risk systems first.
4. Leaver process
Write down how access is removed when someone leaves. Include employees, contractors, agencies and freelancers. Customers often want to know that access does not continue indefinitely.
5. Supplier list
List your key vendors and note what they do, whether they process customer data, and whether you have reviewed their security or privacy information.
6. Policy pack
Collect the policies you actually use. Start with access control, acceptable use, incident response, data handling, supplier security and backup expectations. Keep policies practical and aligned to reality.
7. Incident response route
Define who should be contacted if something goes wrong, how the issue is escalated, how customers are notified if needed and where decisions are recorded.
8. Risk register
Capture key security risks in one place. A simple register should include the risk, owner, current controls, rating, next action and review date.
9. Evidence folder
Create folders for screenshots, exports, review notes, policy approvals, access checks, vendor checks, training records and incident test notes. Evidence should be easy to find under pressure.
10. Security roadmap
If you cannot fix everything immediately, write down what is planned. Customers may accept a clear improvement plan more readily than vague promises.
11. Ownership map
Assign owners for access, vendors, evidence, policies, incidents and risks. Security is easier to explain when accountability is visible.
12. Answer boundaries
Decide what you can honestly say. Do not overstate maturity. Separate current controls, planned improvements and areas where the business needs further review.
Quick Comparison: Issue, Risk and First Action
| Issue | Why It Matters | First Action |
|---|---|---|
| Your system list | Create a simple list of the tools, platforms, SaaS apps and infrastructure your startup uses. | Assign an owner, document the current state and decide the next step. |
| Your access list | Record who has access to key systems, especially admin access. | Review access, remove what is not needed and keep evidence. |
| MFA coverage | Check whether multi-factor authentication is enabled on email, cloud platforms, customer data tools, code repositories and admin consoles. | Review access, remove what is not needed and keep evidence. |
| Leaver process | Write down how access is removed when someone leaves. | Assign an owner, document the current state and decide the next step. |
| Supplier list | List your key vendors and note what they do, whether they process customer data, and whether you have reviewed their security or privacy information. | Create a supplier record and identify who owns the review. |
| Policy pack | Collect the policies you actually use. | Make the policy practical, current and aligned to actual work. |
Next step
Turn questionnaire panic into prepared answers.
Use the Startup Security Toolkit to organise the policies, checklists and records customers ask about first.
Get the Startup Security ToolkitSecurity gaps
Not sure what to fix first?
Take the security quiz to identify the gaps most likely to make questionnaire answers harder.
Take the security quiz to identify gapsRelated Startup Security Resources
Startup Security Quiz
Find the gaps that are most visible before customer or audit pressure builds.
Explore →Implementation Kit
Turn templates into an operating system with ownership and review cadence.
Explore →References
NCSC: Small organisations guide to cyber security
NCSC: Cyber Essentials overview
Frequently Asked Questions
What should a startup prepare before a security questionnaire?
Prepare a system list, access list, supplier list, policy pack, evidence folder, risk register and incident response process.
Should founders answer security questionnaires themselves?
Founders can answer early questionnaires, but they should avoid guessing and should involve someone who understands the controls, evidence and risk implications.
What if a control is not yet implemented?
Be clear. State what exists today, what is planned, who owns it and when it will be reviewed or implemented.