Stop Crossing Your Fingers: What to Do When You Can't Verify a Vendor's Questionnaire Answers
A vendor questionnaire measures willingness to give the right answers, not truth. Here's which claims must be verified, what counts as verification, and how to document the ones you accepted on faith.
A vendor security questionnaire is a set of claims. “Yes, we encrypt data at rest.” “Yes, we enforce role-based access.” “Yes, we have an incident response plan, tested annually.” You read the answers, you score them, you file them — and if you're honest, for most vendors you have verified none of them. The vendor knows what the right answers are. The questionnaire measures their willingness to give them.
Every practitioner knows this. The phrase that comes up, in some form, is always the same: you're crossing your fingers that they're telling you the truth. Vendors decline to share underlying policies even under NDA; a right-to-audit clause exists for maybe a handful of your most critical contracts and gets exercised for fewer; and the security-ratings tools that promise independent signal produce letter grades whose methodology you can't inspect — a black box grading a black box.