A vendor security questionnaire arrived with a two-day deadline. Your deal depends on it. You do not have a security team. Here is what to do.
Understand What They Are Actually Asking
Most vendor security questionnaires are long. Yours might have 80, 150, or 300 questions. But underneath the volume, almost every enterprise questionnaire checks three things:
- External posture. What does your domain expose? TLS version, security headers, exposed admin panels, email authentication, certificate validity.
- Attestations. Do you hold SOC 2, ISO 27001, or NIS2-aligned controls? If not, what is your plan?
- Data handling. Where is data stored, who can access it, how is it encrypted in transit and at rest?
That is the map. The questionnaire uses different phrasing across every vendor’s template, but the answers you need fall into those three buckets. Knowing this lets you prioritize.
What You Can Answer in the First Hour
Start with attestations and data handling, because you already have those answers.
If you hold SOC 2 or ISO 27001, attach the report and write one sentence per relevant question: “We hold SOC 2 Type II as of [date], issued by [auditor]. Report available on request.” Done.
If you are pre-certification, write what you have: “We follow OWASP Top 10 and NIS2 Article 21 controls. We encrypt all customer data in transit via TLS 1.2+ and at rest via AES-256. Subprocessors: [list them].” Concrete, short, honest. Reviewers accept this for mid-market deals more often than vendors expect.
For data handling questions, copy your privacy policy’s data-flow description and adapt it per question. If you do not have one written, write three sentences: where data lives (country, cloud provider), who at your company can access it (role-based, with approval), how long you keep it (retention policy). That covers 80% of what reviewers need.
The Section That Slows Deals: External Posture
The external-posture section is where most responses stall. Questions like “Describe your SSL/TLS configuration,” “Do you enforce HSTS?”, or “How do you handle exposed administrative interfaces?” require you to know the live state of your domain, not just your policy.
You have two choices.
Option 1: Answer from memory. You write that you believe TLS 1.2 is enforced and that HSTS is enabled. The reviewer asks for evidence. You go find it, which takes two days.
Option 2: Scan your domain first. A 60-second external scan tells you exactly what is live: TLS version, headers present, certificate chain, DNS configuration, exposed paths, JavaScript CVEs. You answer every external-posture question with a specific result, not a belief. And you attach the scan report as evidence on the first response.
For a complete list of what auditors look for in this section, our guide to what NIS2 auditors ask for technically maps each check to its Article 21 control.
The second option takes 60 seconds.
The 48-Hour Playbook
Here is the order that works:
Hour 1. Run the free external scan at saasfort.com/scan. Read the results. Note the grade and any failing checks.
Hours 1-2. Answer the attestation questions and the data-handling questions using the approach above. These do not need the scan.
Hours 2-3. Work through the external-posture section using your scan results. Answer each question with the specific finding: “TLS 1.3 enforced, 1.0 and 1.1 blocked, verified [date]. HSTS header present with max-age=31536000.”
Hours 3-4. Fix anything that failed and that you can fix in an afternoon: add missing security headers, disable deprecated TLS versions, remove exposed files. Re-scan to confirm. Your grade can move from C to A in an hour for header-related gaps.
Hour 4. Attach the final scan report as evidence. A dated audit pack gives the reviewer an A-F grade, a control-mapped PDF, and 60 specific findings mapped to NIS2 Article 21 and ISO 27001 Annex A. That is the document that procurement files, not a paragraph you wrote.
Send the questionnaire with the PDF attached. Most reviewers do not ask follow-up questions when the evidence is already there.
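As an added example (not the page's or saasfort's own code), here is a Python script that applies header checks of the kind the external-posture section and the playbook describe to a captured HTTP response: an HSTS max-age of at least one year, the common security headers, and a version-revealing Server header, producing pass/fail lines you can paste as evidence. The sample headers, the header list and the grading thresholds are constructed assumptions for illustration, not the audit pack's own 60-check scoring.

```python
import re

# Constructed sample response headers (not captured from any real domain).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Server": "nginx/1.18.0",
}

# Headers this example requires, with a remediation hint for each (assumed list).
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "Add HSTS with max-age of at least one year (31536000).",
    "Content-Security-Policy": "Add a CSP; start with default-src 'self' and tighten.",
    "X-Content-Type-Options": "Add X-Content-Type-Options: nosniff.",
    "X-Frame-Options": "Add X-Frame-Options: DENY or a CSP frame-ancestors directive.",
    "Referrer-Policy": "Add Referrer-Policy: strict-origin-when-cross-origin.",
}

def hsts_max_age(value):
    """Return the max-age from an HSTS header value, or 0 if absent or malformed."""
    m = re.search(r"max-age=(\d+)", value or "", re.I)
    return int(m.group(1)) if m else 0

def evaluate_headers(headers):
    """Return {check: (passed, evidence_or_remediation)} for each check."""
    norm = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    results = {}
    for name, fix in REQUIRED_HEADERS.items():
        value = norm.get(name.lower())
        if value is None:
            results[name] = (False, fix)
        elif name == "Strict-Transport-Security" and hsts_max_age(value) < 31536000:
            results[name] = (False, f"max-age={hsts_max_age(value)} is below one year. {fix}")
        else:
            results[name] = (True, f"{name}: {value}")
    server = norm.get("server", "")
    leaks = bool(re.search(r"\d", server))  # a version number in Server is an info-disclosure finding
    results["Server header"] = (not leaks, "Remove the version from the Server header." if leaks else f"Server: {server or 'not sent'}")
    return results

def grade(results):
    """Illustrative A-F grade from the pass ratio (assumed thresholds, not the audit pack's)."""
    ratio = sum(1 for ok, _ in results.values() if ok) / len(results)
    return "A" if ratio == 1 else "B" if ratio >= 0.8 else "C" if ratio >= 0.6 else "D" if ratio >= 0.4 else "F"

def questionnaire_lines(results):
    """Evidence sentences in the form the playbook suggests for each answer."""
    return [f"{'PASS' if ok else 'FAIL'} {name}: {text}" for name, (ok, text) in results.items()]

if __name__ == "__main__":
    r = evaluate_headers(SAMPLE_HEADERS)
    print("\n".join(questionnaire_lines(r)))
    print("Grade:", grade(r))
```

Feed it the headers from your own capture (for example the output of a HEAD request against your domain) and re-run after each fix to confirm the grade moves.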
What the Audit Pack Contains
The €39 one-time audit pack is a branded PDF with:
- Your domain’s A-F grade, calculated from 60 external checks across 25 categories
- Every finding mapped to its NIS2 Article 21 control and ISO 27001 Annex A reference
- Pass/fail status per check, with remediation guidance for anything that failed
- A dated certification line a reviewer can cite in their vendor file
You can get the free scan first to see your grade before purchasing. For the wider picture of what enterprise security teams check at each stage, see what enterprise buyers check before signing a SaaS vendor.
FAQ
The questionnaire has 200 questions. Do I have to answer all of them? Skim for the three clusters: attestations, external posture, data handling. Those are the questions that block deals. Boilerplate questions about data center physical security often have a standard answer: “Hosted on AWS/GCP/Azure. See their compliance page.” Mark those first, then focus on the specific technical questions.
The reviewer asked for a penetration test report. I do not have one. Say so directly: “We have not completed a penetration test. We use continuous external scanning mapped to NIS2 Article 21 and OWASP Top 10, report attached. We plan to engage a penetration tester in [quarter].” Reviewers accept this more often than vendors expect, especially if your external posture is clean.
We have 48 hours and our TLS is broken. Can we fix it in time? Usually yes. TLS configuration on most hosting platforms (AWS, Cloudflare, Nginx) takes minutes to update. Security headers take 30 minutes to add via your CDN or server config. Removing an exposed admin panel takes an afternoon. A broken grade is fixable before the deadline in most cases.
Is the audit pack the same every time? No. It reflects your domain’s live state at the time of the scan. If you fix findings and re-scan, the next report shows the improvement. Some vendors buy a second pack after remediation to show the before-and-after in their questionnaire response.
From Theory to Practice
Scan your domain for free. First results in under 10 seconds, no registration required.