Prospective questionnaires
These questionnaires can contain hundreds of questions and be quite intrusive, e. g. CAIQ (Consensus Assessments Initiative Questionnaire), or a questionnaire reviewing all ISO 27002 clauses.
This raises a confidentiality issue, since the request comes from a prospect and not from an existing client who can legitimately request an audit from us, the subcontractor. Not to mention the significant investment of time required to complete these questionnaires.
Of course, one solution would be to certify us to ISO 27001, but this is not yet on the agenda. We currently have ISAE 3402 for our hosting processes.
My question is: what is your position on the above-mentioned issue, particularly with regard to the confidentiality of security information?
Answer: Indeed, the confidentiality issue is a relevant one when considering whether or not to fill in such questionnaires, and ISO 27001 certification would represent a great option to treat such situations. But since ISO 27001 certification is not on your organization's agenda, I'd recommend you use some cost-benefit method or criteria to identify for which prospective customers filling in these questionnaires would be worthwhile, considering the risks to the business regarding the confidentiality of the information provided, and then provide such assessments only in these situations, asking these prospective customers to sign a non-disclosure agreement (NDA) before you send such confidential information.
Dec 06, 2017