SaaS Security Questionnaire Prep — A Vendor's Playbook for SIG, CAIQ, and VSA
Published May 19, 2026 · By AxVeil Trust · 14 min read
Every SaaS vendor crossing the enterprise threshold hits the same wall: a 1,500-question SIG arrives from procurement on a Friday afternoon with a Wednesday deadline. The deal team panics, engineering cancels release planning, the CISO writes prose for forty hours, and the questionnaire still misses half the buyer's real concerns. This playbook is the workflow we hand customer security teams inside our SaaS practice. It turns the first questionnaire into a content investment so the next twenty take half a day each.
Know the questionnaires you will see
Four formats cover nearly all enterprise vendor reviews. Build your library against all four and you will handle almost anything a buyer hands you.
SIG Lite and SIG Core
- Owned by Shared Assessments. Updated annually.
- SIG Lite: a single-tab Excel, around 330 questions. The default first-pass screening tool for most enterprise procurement teams.
- SIG Core: the full questionnaire, ~1,500 questions across 21 risk domains.
- SIG Custom: a buyer-trimmed subset based on their own risk register.
- Answer format: Y/N/NA with a comment column. Most buyers expect a reference to evidence (policy ID, SOC 2 TSC, ISO 27001 control).
CAIQ v4
- Owned by the Cloud Security Alliance. Built directly on the CSA Cloud Controls Matrix (CCM) v4, so every question is traceable to a named control.
- ~260 questions across the 17 CCM domains, each tied to one CCM v4 control (some controls have several questions, so it is not a strict 1:1 mapping).
- Y/N/NA with explanation. Submitting your CAIQ to the CSA STAR Registry is a strong signal of maturity and often shortcuts the buyer's ask.
VSA (Vendor Security Alliance)
- Community-led, smaller (~100 questions), designed for fast peer assessment between technology companies.
- You will see this from mid-market SaaS buyers and many early-stage (YC/Series-A) companies.
Buyer-custom questionnaires
- Banks, defence contractors, and large healthcare buyers maintain their own. Volume is similar to SIG Core and topics overlap heavily with it, so a SIG-complete library covers most of the work.
- Expect bespoke clauses for data localisation (RBI for Indian banking customers), HIPAA BAA-related controls for healthcare, and NIST SP 800-53 control references from FedRAMP-adjacent buyers.
Build the content library — the only investment that compounds
A content library is a database (or, at minimum, a versioned Notion / Confluence space) of canonical answers to atomic questions, each linked to evidence. When a new questionnaire arrives, you map its questions to library entries instead of writing prose.
Schema for a library entry
{
  "id": "ENCR-002",
  "topic": "Encryption at rest",
  "canonical_question": "Is customer data encrypted at rest?",
  "short_answer": "Yes",
  "long_answer": "All customer data is encrypted at rest using AES-256-GCM via AWS KMS customer-managed keys. Keys rotate annually. See policy SEC-CRY-01 section 4.",
  "evidence_links": [
    "https://internal.wiki/policies/SEC-CRY-01",
    "https://internal.wiki/soc2/2026/cc6-1-evidence",
    "https://trust.example.com/encryption-overview"
  ],
  "control_mappings": {
    "soc2_tsc": ["CC6.1"],
    "iso27001": ["A.8.24"],
    "nist_csf": ["PR.DS-01"],
    "ccm": ["CEK-03", "CEK-04"]
  },
  "owner": "infrastructure-eng",
  "last_reviewed": "2026-04-12",
  "review_cadence_days": 90
}

(SOC 2 CC6.1 is the criterion that covers encryption of data at rest; CC6.7 covers data in transit, movement and removal, so keep the two mappings separate in your library.)

With this schema you can wire AI retrieval (vector search over canonical_question + long_answer) to draft questionnaire responses in minutes. The human reviewer accepts or edits the suggested answer; if revised, the answer is committed back to the library. The library stays the source of truth, and the last_reviewed / review_cadence_days fields tell the retriever when an entry is too old to reuse without the owner re-confirming it.
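The suggest-and-approve loop described above, as an added example that is not code from the original page or from any vendor tool: a small Python retriever over a constructed three-entry library using the schema above. Bag-of-words cosine similarity stands in for vector search (enough to show the mechanics; swap in embeddings for production). It refuses to silently reuse an entry whose review_cadence_days has lapsed, reports the auto-mappable percentage used later under "Measuring success", and writes a reviewer's edit back to the library. The library entries, the incoming questions, the dates, the 0.3 match threshold and the illustrative control mappings on the two extra entries are all constructed assumptions.

```python
import math
import re
from collections import Counter
from datetime import date, timedelta

# Added example: lexical stand-in for vector search over canonical_question +
# long_answer. Entries, questions, dates and thresholds are constructed.

STOPWORDS = {
    "a", "an", "and", "any", "are", "at", "be", "by", "do", "does", "for",
    "how", "in", "is", "it", "of", "on", "or", "that", "the", "this", "to",
    "what", "with", "you", "your",
}

TODAY = date(2026, 5, 19)  # assumed "as of" date for the staleness check

# Constructed sample library in the schema above (control IDs on the two
# extra entries are illustrative mappings, not a real audit's).
LIBRARY = [
    {
        "id": "ENCR-002", "topic": "Encryption at rest",
        "canonical_question": "Is customer data encrypted at rest?",
        "short_answer": "Yes",
        "long_answer": "All customer data is encrypted at rest using AES-256-GCM "
                       "via AWS KMS customer-managed keys. Keys rotate annually. "
                       "See policy SEC-CRY-01 section 4.",
        "control_mappings": {"soc2_tsc": ["CC6.1"], "ccm": ["CEK-03", "CEK-04"]},
        "owner": "infrastructure-eng", "last_reviewed": "2026-04-12",
        "review_cadence_days": 90,
    },
    {
        "id": "ENCR-001", "topic": "Encryption in transit",
        "canonical_question": "Is data encrypted in transit between the customer and the service?",
        "short_answer": "Yes",
        "long_answer": "All external endpoints enforce TLS 1.2 or higher with modern "
                       "cipher suites; internal service-to-service traffic uses mTLS. "
                       "See policy SEC-CRY-01 section 5.",
        "control_mappings": {"soc2_tsc": ["CC6.7"], "ccm": ["CEK-03"]},
        "owner": "infrastructure-eng", "last_reviewed": "2026-03-15",
        "review_cadence_days": 90,
    },
    {
        "id": "PEN-001", "topic": "Penetration testing",
        "canonical_question": "Do you perform independent penetration tests, and how often?",
        "short_answer": "Yes",
        "long_answer": "An independent CREST-accredited firm performs an annual "
                       "penetration test of all internet-facing applications and APIs; "
                       "critical findings are remediated within 30 days. A redacted "
                       "executive summary is available under NDA.",
        "control_mappings": {"soc2_tsc": ["CC7.1"]},
        "owner": "security-eng", "last_reviewed": "2026-02-01",  # 90-day cadence lapsed
        "review_cadence_days": 90,
    },
]

# Constructed incoming SIG-style questions: two map cleanly, one has no entry yet.
SAMPLE_QUESTIONS = [
    "Is customer data encrypted while at rest, and what algorithm and key management are used?",
    "How often is penetration testing performed against internet-facing applications?",
    "Do you require multi-factor authentication for administrative access to production systems?",
]


def tokenize(text):
    """Lowercase bag of words with stopwords removed."""
    return Counter(t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS)


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def entry_vector(entry):
    return tokenize(" ".join([entry["topic"], entry["canonical_question"], entry["long_answer"]]))


def best_match(question, library):
    """Return (score, entry) for the closest library entry, or (0.0, None)."""
    scored = [(cosine(tokenize(question), entry_vector(e)), e) for e in library]
    return max(scored, key=lambda s: s[0]) if scored else (0.0, None)


def review_due(entry, today):
    last = date.fromisoformat(entry["last_reviewed"])
    return last + timedelta(days=entry["review_cadence_days"]) < today


def draft_responses(questions, library, today, threshold=0.3):
    """Suggest-and-approve drafts: every row carries a status for a human reviewer;
    nothing here is submitted automatically."""
    rows = []
    for q in questions:
        score, entry = best_match(q, library)
        if entry is None or score < threshold:
            rows.append({"question": q, "status": "unmapped", "entry_id": None,
                         "score": round(score, 2), "answer": "", "comment": ""})
            continue
        status = "mapped-stale" if review_due(entry, today) else "mapped"
        refs = ", ".join(f"{k}: {'/'.join(v)}" for k, v in entry["control_mappings"].items())
        rows.append({"question": q, "status": status, "entry_id": entry["id"],
                     "score": round(score, 2), "answer": entry["short_answer"],
                     "comment": f"{entry['long_answer']} Controls: {refs}."})
    return rows


def coverage(rows):
    """Library coverage metric: share of questions that mapped to an entry."""
    return sum(r["status"].startswith("mapped") for r in rows) / len(rows) if rows else 0.0


def commit_revision(library, entry_id, long_answer, today):
    """Write the reviewer's edited answer back so the library stays the source of truth."""
    for entry in library:
        if entry["id"] == entry_id:
            entry["long_answer"] = long_answer
            entry["last_reviewed"] = today.isoformat()
            return entry
    raise KeyError(entry_id)


if __name__ == "__main__":
    rows = draft_responses(SAMPLE_QUESTIONS, LIBRARY, TODAY)
    for r in rows:
        print(f"{r['status']:<13} {r['entry_id'] or '-':<9} {r['score']:.2f}  {r['question']}")
    print(f"coverage: {coverage(rows):.0%}")
```

Two design points carry over to a real deployment: the threshold is deliberately conservative, so an unmapped question becomes a new-entry candidate rather than a confident wrong draft, and a stale entry is still surfaced but marked so the owner re-confirms it before it goes on the record.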
Coverage targets for the first library
- 21 SIG risk domains covered with at least one canonical answer each.
- 17 CCM domains covered.
- 100% of the SOC 2 Trust Services Criteria in your in-scope categories (Security at minimum; Availability, Confidentiality, Processing Integrity and Privacy if your report includes them).
- 100% of ISO 27001 Annex A controls if you hold a current certification.
- Sub-processor list with each entry's SOC 2 / ISO 27001 status and data-flow description.
- Data flow diagram per major service (ingress, processing, storage, egress).
Artefacts to publish on a Trust page
A public Trust page (e.g. trust.example.com) lets enterprise buyers self-serve the first 80% of the questionnaire before a sales rep is even involved. Items to publish:
- Latest SOC 2 Type 2 report (gated behind email or NDA acceptance, served from a Trust portal like SafeBase, Vanta, or Drata).
- ISO 27001 certificate.
- CAIQ v4 (latest version).
- Pentest executive summary letter (current calendar year).
- Sub-processor list with country, service, data categories.
- Data flow diagram.
- Security whitepaper (10-15 pages).
- Incident response and breach notification policy summary.
- Encryption posture summary (at rest, in transit, key management).
- Service-level objectives and uptime status (history, not just current).
Answering the questions that always trip vendors up
Pentest cadence and scope
Buyers want annual at minimum; mature buyers want continuous or quarterly testing for in-scope assets. Answer with: cadence, last completion date, vendor name (or "independent CREST-accredited firm"), scope summary, and remediation status. Reference your VAPT cadence and offer a redacted executive summary on request. Do not share full technical reports.
Data residency and sub-processors
Maintain an up-to-date sub-processor list with country, service, and data categories. When a buyer asks "Where is my data stored?", the answer should be a region name, an availability zone list, and a link to your DPA. If you offer regional pinning, say so explicitly with the SKU details. DPDP Act 2023 and EU GDPR both require sub-processor transparency; treat the list as a contractual artefact.
Background checks and personnel security
India-headquartered vendors selling to US/UK buyers consistently lose points on this. Run background checks (criminal record, education verification, employment verification) through a recognised provider for any employee with access to customer data. Document the provider, the scope of the check, and the re-screening cadence. A single sentence such as "Yes, all employees with customer data access undergo background verification (BGV) by AuthBridge covering criminal records, education, and employment for the prior 7 years; they are re-screened on role change" saves a back-and-forth.
Incident notification SLA
Be specific. "We will notify affected customers without undue delay" reads like a dodge. Better: "We will notify affected customers within 48 hours of confirming a personal-data breach affecting their tenant, via the contractually designated security contact, with subsequent updates every 24 hours until closure." Map the language to your DPA, your DPDP Act obligations, and your internal runbook so the answer is reproducible.
AI / LLM disclosures
Newer questionnaires include 10-30 questions on LLM usage. Have ready-made answers for: which models you use, whether customer data is sent to third-party model providers, data retention by those providers, opt-out posture, training-data inclusion, prompt logging, and your model-risk policy. Reference our OWASP LLM Top 10 guide for the framework most buyers map to.
The response workflow
- Intake. Questionnaire received. Log it, assign a single owner, capture the deadline and the buyer's named security contact.
- Mapping. Map every question to a library entry. Anything unmapped becomes a new library entry candidate.
- Drafting. Auto-fill from the library. Reviewer accepts or edits.
- Subject-matter review. Route unanswerable questions to the right owner (engineering, HR, legal, IT).
- Quality pass. CISO or delegate reviews every Y/N and every comment for accuracy and tone.
- Submission. Send as the buyer requested (Excel, OneTrust, ProcessUnity, Vendorpedia, SafeBase).
- Library update. Anything you learned or edited gets committed to the library before close.
Tools and platforms
- SafeBase, Whistic, TrustCloud, Conveyor — Trust portals plus questionnaire response automation.
- Vanta, Drata, Secureframe, Sprinto — Compliance automation; most include questionnaire AI now.
- OneTrust, ProcessUnity, Archer, ServiceNow GRC — Enterprise GRC platforms; if your buyer uses one, they may want you to respond in-platform.
- RiskRecon, BitSight, SecurityScorecard — External risk ratings; not questionnaires but often referenced. Worth knowing your score before procurement runs it.
Measuring success
Three metrics tell you whether your questionnaire programme is healthy:
- Time-to-response. From intake to first draft. Target: SIG Lite < 24h, SIG Core < 5 business days, CAIQ < 2 business days.
- Library coverage. Percentage of questions auto-mappable. Target: 80% in the first quarter, 95% by quarter four.
- Closed-lost rate tied to security. Your sales team tags this in the CRM at deal close. If > 5% of enterprise deals lose on security, your story or your evidence (not your security posture) is the gap.
Customer-facing artefacts also drive top-of-funnel conversion. Most enterprise buyers shortlist vendors by the existence and quality of a trust page before any conversation; the questionnaire programme and the trust page are the same investment.
FAQ
What is the difference between SIG, SIG Lite, CAIQ, and VSA?
SIG (Standardized Information Gathering) is Shared Assessments' master questionnaire — SIG Core is the full version (~1,500 questions), SIG Lite is the screening subset (~330 questions). CAIQ (Consensus Assessments Initiative Questionnaire) is the Cloud Security Alliance's cloud-specific equivalent (~260 questions in v4). VSA (Vendor Security Alliance) is a smaller community questionnaire. Most enterprise procurement teams use SIG; cloud-native buyers prefer CAIQ; some use a custom blend.
How long should a SIG questionnaire take to complete?
First-time response to a SIG Core: 40-80 hours across engineering, legal, HR, and IT. Second response (if you have a content library): 6-10 hours. SIG Lite first time: 8-16 hours; with library: 1-3 hours. The library is the difference between a quarter-long fire drill and a one-day turnaround.
Do we need SOC 2 Type 2 before answering questionnaires?
No, but it shortens almost every answer. With SOC 2 Type 2 you can attach the report and reference TSCs (CC6.1, CC7.2, etc.) instead of writing prose for each control. Without it, every answer needs supporting evidence — policy excerpts, screenshots, audit logs. Plan to get SOC 2 Type 2 within 12-18 months of your first enterprise deal and use it as the anchor artefact for every questionnaire afterwards.
How do we handle questions about pentesting in a SIG?
Buyers want three things: cadence (at least annual), scope (every internet-facing app and any system handling their data), and a current report. Maintain a redacted executive summary of your latest pentest, written for non-technical procurement readers. Do not share the full technical report; offer a screen-share review under NDA if a buyer insists on detail.
Can we use an AI tool to auto-fill SIG and CAIQ?
Yes, but with guardrails. AI assistants are excellent at retrieval from a curated content library and weak at inventing facts about your environment. Use them in suggest-and-approve mode, not auto-submit. The legal risk of an AI hallucinating a control that does not exist is material — every answer goes on the record.
Build your questionnaire library with AxVeil.
We design the schema, seed the canonical answers from your SOC 2 / ISO 27001 evidence, and integrate with your Trust portal.
Talk to us about scoping →