Responding to security questionnaires
Over the past decade or so, 'supplier questionnaires' have become A Big Thing in the business world.
Organizations have long appreciated that there are risks associated with doing business (well, fancy that!) and most quite reasonably wish to mitigate those risks, particularly in business-to-business relationships. Increasingly that involves checking out prospective suppliers' information security and privacy arrangements* as part of the supplier evaluation, selection and contracting process. A common approach is to ask prospective and current suppliers to complete security/privacy questionnaires. Because the responses are self-assertions by organizations with an obvious interest in securing the business, the assurance value of questionnaires is limited, although it may be reinforced by suitable legal wording in the contracts and agreements arising: essentially, the suppliers formally confirm that their questionnaire responses are accurate, complete and valid, and/or formally accept their security and privacy obligations going forward.
That's all very well from the customer perspective, but what about the prospective suppliers? Aside from the administrative overhead of answering numerous and often lengthy questionnaires, there's the issue of being pressured into disclosing sensitive and valuable information. Remember, this step often comes before contracting or building mutual trust through productive working relationships.
* By the same token, if an organization intends to disclose or share sensitive or valuable information with its partners, customers or the authorities, it ought to be every bit as concerned about the recipients' information security and privacy arrangements before proceeding.