Rebootwe make IT work

The client security questionnaire, decoded

Last reviewed · July 14, 2026

Picture the version of this that lands most often. The email comes from your biggest client, sent by someone in procurement you’ve never met. Attached is a spreadsheet, a hundred and forty-seven rows of it, with a message that says some version of: “Please complete the attached vendor security assessment by the 30th. Responses become part of your engagement file.”

The first instinct is usually to forward it to the office manager, or to whoever set up the server, with a note that says “can you handle this?”

Look at the last page first. If the form ends in a certification block, and many do, the name it wants is yours.

Why your client is suddenly asking

Nothing has gone wrong. Your client has regulators and insurers of their own, and those obligations flow downhill.

A mortgage company or non-bank lender sits under the FTC Safeguards Rule, which tells it, in regulation text, to choose service providers capable of protecting customer information, to bind them to it by contract, and to check on them periodically. A bank hears the same thing from its own regulators. A healthcare client that hands patient information to its law firm is generally required to have a business associate agreement in place before the files move. Your client’s cyber insurer may ask at renewal how vendor data is handled, and the law firm is on that vendor list; a single matter can hold medical records, account numbers, deal terms, privileged communications. Outside counsel guidelines that used to be about billing format can now arrive with a security exhibit attached.

So the questionnaire is plumbing. It becomes part of your client’s audit trail, and your answers may be read the way audit evidence gets read: by an analyst comparing them with each other, and with whatever you attach.

Reading it without drowning

A hundred and forty-seven questions overstates the work. However long the form runs, most rows repeat the same eight questions in different wording, and each of the eight can be asked in plain English. They cover the technical center of the form. Expect a few sections they don’t reach (retention schedules, physical security, privacy, insurance, continuity, client-specific terms), and plan to answer those from firm policy rather than from reports. Here are the eight, with representative wording and what each is actually getting at.

Multi-factor authentication. “Is multi-factor authentication enforced for all users for email and remote access? (Yes / No / N/A)” The question behind it: if one of your passwords is stolen tonight, does the thief get in? “Enforced for all users” is doing the work in that sentence. If the rollout left a quiet exceptions list (the senior partner who found the prompts annoying), the honest answer is No.

Access control. “Describe your process for granting and revoking access, including upon termination.” Two honest tests. Could you say who can open a given matter, and would you be comfortable reading that list to the client? And when someone leaves the firm, is their access off the same day, or whenever someone remembers? If you review access quarterly, write quarterly. “Continuously” is a different claim, one your logs would have to back up.

Encryption. Usually the easiest family, because the platforms carry most of it. Microsoft 365 encrypts files in transit and at rest across its core services, and a laptop with BitLocker properly enabled keeps its drive unreadable to a thief, provided the machine was off and the recovery keys live somewhere sensible. Check the tenant settings and the device list before answering, then answer by naming the systems. “Everything, always” is the version that fails checking.

Backup and recovery. “Are backups maintained and restoration procedures tested? Provide the date of your most recent test.” That second sentence is the whole question. What the client wants to know, without writing the word ransomware, is whether there is evidence the firm can actually restore. If the firm has never rehearsed a restore, the true answer today is No. The fix is scheduling one.

Email security. Filtering, protection against spoofed senders, someone watching for compromised accounts. This family exists because so much of the expensive fraud aimed at professional firms arrives by email: redirected payments, imposter wire instructions.

Incident response. “Does your firm maintain a written and tested incident response plan?” One page that names who gets called first, where the insurer’s notice line is, and who can make decisions at 7 AM, walked through once a year, supports an honest Yes on most forms. Two cautions. “Tested” is sometimes a defined term; if the form doesn’t say what counts, ask the client what evidence they expect. And if the plan is a forty-page binder nobody has opened, schedule the walk-through before you answer.

Vendor management. They’re asking you what their regulator asked them, one level down. Who has administrative access to your systems? Your IT provider is the biggest answer on that list, so the honest way to complete this family is to put a few of these same questions to them and keep the answers on file.

Training. If the firm runs a yearly phishing refresher, write yearly, and note the date of the last session. “Ongoing security awareness culture” is not a frequency.

The floor rule

One piece of doctrine to carry into every row: answer with your floor, not your ceiling. The floor is what’s true every ordinary day and provable on your worst one. The ceiling is what you intend, once things settle down.

Nothing tests a ceiling answer on the day it’s written. The test comes later, when answers are set beside records: a client’s follow-up question, an insurance claim, an audit, litigation. If the last page is a certification your firm signs, the answers are attestations, and whoever signs (with counsel, on the high-stakes forms) should read them the way a stranger will.

The same answer, written both ways:

Ceiling: “All firm data is encrypted at all times and access is continuously monitored under our comprehensive security program.”

Floor: “Client files are stored in Microsoft 365, encrypted in transit and at rest. Firm laptops are encrypted with BitLocker. Access rights are reviewed quarterly; the most recent review was completed in April.”

The first version cannot survive a single follow-up question. The second can, because every clause names a system, a cadence, or a date that a reviewer can go check.

When the true answer is No, write No, then the owner and the date: “No. Restore testing is scheduled for October; [name] owns the result.” A truthful form from a small firm usually carries a few Nos, and reviewers know it; what they look for is whether each No shows its next step. The client may still treat a gap as material. A dated plan at least makes that a conversation about a timeline rather than about candor.

If the form asks for a SOC 2 report, don’t panic-buy one. SOC 2 is an examination framework for service organizations of many kinds, and whether your client actually requires it from a firm your size is worth asking before you spend the money. Answer the underlying controls honestly, then ask the client, in writing, whether that evidence satisfies the requirement.

Build the evidence folder

What separates the questionnaire that eats a week from the one that takes an afternoon is whether the evidence already exists on paper.

Four dated documents answer many of the technical rows on any of these forms: an MFA coverage report, endpoint protection status, the date and result of the last restore test, the date of the last access review. Keep them current in one folder and those rows become a lookup exercise. The folder doesn’t answer everything; policy, personnel, privacy, and contract rows stay with the partners. It answers the rows that otherwise mean a week of asking your IT provider for screenshots.

For the firms we support, the monthly plain-English report already carries those numbers, so the folder exists before any form shows up. When one arrives, our part is the evidence: current reports, plus the technical detail behind any row that needs it. The firm’s part is the rest, and it stays the firm’s: leadership answers the policy questions, resolves anything that doesn’t match actual practice, and signs. The attestation is the firm’s own; no vendor can make it for you.

None of this requires hiring anyone. A firm can build the same folder itself: each time a review or a restore test completes, drop the dated report in, and the folder assembles as the work happens. Keep the date, the source, and the scope on every page (which tenant, which tool, which month). Months later, that combination is what lets an answer point to a page instead of a memory.


If one of these is sitting in your inbox right now, pick the three rows you’re least sure how to answer and bring us those, redacted as much as you like. We’ll tell you what evidence each one needs and where it usually lives. However far the help goes, the signature stays the firm’s.

Built for the desks we describe here →Book a 15-minute call →