
In an ideal world, these are mostly reasonable questions, even if a bit specific to the OP's requirements, but unless you are purchasing SaaS software on a large, enterprise-style license (i.e., 6 figures or more), it probably won't be cost-effective for most vendors to gather and collate this documentation, as well as answering these questions, just like it's not worth it to ink a custom contract on a smaller deal, where legal fees alone might eat up the entire profit margin or even push it negative. Engineering time is expensive and some of these questions are technical or "special" in nature.

There's a reason why standardized third-party audits like SOC-2s and ISO-27001s exist: to reduce the time required to document your veracity and security as a vendor for a potential customer. Since even large customers rely on the statements (independently audited, unlike in these questions) of a security attestation to make purchases, why should a customer request that extra time be taken away from other responsibilities, like making better products or providing customer support?

I freely admit that I'm a bit biased against ad hoc security questions, even though I used to do it myself when working on large security teams. ;) My security-focused SSH key management company, https://userify.com, went through the time and expense to achieve AICPA SOC-2 certification from an independent third-party auditor to reduce the time and costs involved in responding to smaller RFPs, and to provide fully documented, standardized, and legally binding proof of our security bona fides. We still try our best to intelligently respond to any and all questions, especially about security, from any customers at all, even free-tier customers and hobbyists, but it's harder to do that when presented with a big list of questions that are mostly answered in our SOC-2 audit already.

> it probably won't be cost-effective for most vendors to gather and collate this documentation, as well as answering these questions, just like it's not worth it to ink a custom contract on a smaller deal, where legal fees alone might eat up the entire profit margin or even push it negative.

Indeed. I get these security "wall of questions" for my $10/lifetime SaaS product (it's a dumb little puzzle maker). I can't fathom why anyone thinks a vendor would spend the time answering their questions for that kind of money.

In their defense, it's probably a standard part of the procurement process and they don't even look at the app before sending the questionnaire.


At the risk of drawing fire from everyone, I don't really think ISO 27001 is a security certification. We get audited annually against 27k Annex A (basically ~95% of the full one) + UK Gambling Commission extras.

The audit focuses far more on technical aspects of business continuity than actual security. There's certainly plenty of overlap, but other than the parts about access controls and "who watches the watchmen" aspect, ISO27k is almost entirely about your ability to recover from even the most devastating disaster. The pragmatic security parts have a bolted-on feeling to ensure the recovery path remains largely uncorrupted.


Annex A is a subset of 27001, but 27001 is focused on security.

https://www.iso.org/isoiec-27001-information-security.html

(Even so, your point is well taken. The overall 27000 series is more business continuity (DR etc) focused rather than purely security focused.)


And to be fair, Information Security is generally accepted to cover Confidentiality, Integrity, and Availability (see: CIA Triad)... so DR/BC are definitely within scope.


SOC2 and ISO27001 are just the conversation starters. Companies that take security seriously will send you a questionnaire like the OP's. It's commonly referred to as a Vendor Security Assessment (VSA).

Source: I worked on compliance management software for a while and VSAs were a major pain point for our customers (small to mid market companies trying to sell to enterprises).


I did the analysis and looked at the costs of a security questionnaire. They run anywhere from $250-$4500 each. The main problem is that there has become a race to longer and longer questionnaires. "Oh, your questionnaire has 1000 questions, I am going to make mine 1100!" I like the author's intent here. Maybe 10 questions is a little short, but let's end the gaming of this process and keep it straightforward. As one commenter noted, some of this information is confidential and should be obscured, not sent around via email attachments to people who may or may not enter into a contract at some point.


Agreed!

IMO, ask for the company's SOC-2 once you've demonstrated that you are a legitimate prospective customer with a budget and not a competitor or social engineer.

That should address most concerns, or at least make the questions more salient, and it has the added benefit of being vetted by a third party.

If they don't have one, then proceed with the dumb questions, but as you quite correctly point out, no one should be surprised if some questions are rebuffed.


We are doing some work in this domain to make security questionnaires less of a pain at https://securitypalhq.com/. Would love to get your input, or hear about ways we could help you out.


If every customer asked the same questions, such as these, it would be worthwhile compiling the answers once for everybody and keeping them up to date.


Exactly, that set of standard questions and responses (i.e. controls) is exactly what a VSA is.

However, SOC2 takes it a step further and requires a formalized audit from an AICPA-certified security auditing firm[0].

Therefore, a security questionnaire should be for follow-up items that the customer feels were not adequately addressed in one or more of the vendor's compliance attestations.

Otherwise, the customer is asking the vendor to step through redundant check-the-box busywork that actually requires a higher level of skill and cannot be adequately completed by a junior engineer. To wax hyperbolic, it's like an engineering DoS attack which serves neither the customer nor the vendor well (unless the goal is to slow down the vendor from making new and better products).

0. https://www.aicpa.org/interestareas/frc/assuranceadvisoryser...


There is a value to just human responses, answering someone's questions can help you look inwards to your service/product as well.

For example, as far as I can tell, "HIPAA" is spelled "HIPPA" on your website – this indicates a lack of familiarity with the Act (and potentially professionalism) to me as a first-time user, regardless of the multiple kinds of certifications you might have.

Is it possible you could have caught that when replying to a simple set questionnaire like the one in the link but focused on HIPAA?


> There is a value to just human responses, answering someone's questions can help you look inwards to your service/product as well.

We do respond to every single email, and hopefully fairly intelligently most of the time ;), even if the customer is a hobbyist or free tier user, especially with regards to security questions. (Although internal stats are slightly meaningless, and survey responses are relatively uncommon for the volume of emails we receive, we do have >99% customer support satisfaction based on our internal tracking.)

> Is it possible you could have caught that when replying to a simple set questionnaire like the one in the link but focused on HIPAA?

Ha, looks like we misspelled it in one place and spelled it correctly in another! Are you asking if we'd have caught a misspelling or other oversight on our website on the basis of an emailed questionnaire? Good question, but, to be honest, doubtful (but thank you for bringing it to my attention -- fixed!)

We've had wall-of-questions requests like that before, and we either respond with our other certs/attestations, or negotiate a BAA, once we get down to more specific questions. For HIPAA, we're providing on-premise security software, and not working with PHI in any way (we're deployed in some hospital systems in the US), so generally customers are just looking to understand our general security stance and how we can help them meet the Security Rule with login accounts.
