Checklist

Security Questionnaire Intake Checklist

A checklist for capturing due dates, buyer context, file or portal constraints, evidence needs, and response ownership before work begins.

Use this when a new customer security questionnaire arrives and the team needs a consistent intake record before drafting answers.

Complete the intake fields before assigning reviewers. If the request is portal-based, capture access constraints and export limitations before any answer work begins.

Template

Copy this into your own doc

FieldYour entryWhat to put here
Buyer name *Use the customer or prospect name from the request.
Due date *Use the buyer requested submission date.
Questionnaire format *Spreadsheet, document, PDF, portal, or other.
Primary owner *Name the accountable internal owner.
Escalation notesList unsupported, sensitive, or ambiguous areas.

Request context

Capture the commercial and operational details that determine priority.

  • Buyer and opportunity loggedRecord the account, deal stage, renewal or expansion context, ARR, and sales owner.
  • Deal urgency confirmedConfirm whether the questionnaire is blocking a close, a renewal, or a go-live date.
  • Requesting contact identifiedCapture the buyer-side requester and who on their side reviews the answers.
  • Prior history checkedNote whether this buyer has sent a questionnaire before and reuse the prior response if so.

Scope and format

Understand exactly what is being asked and how it must be delivered.

  • Due date and SLA capturedRecord the buyer due date and any internal turnaround SLA.
  • Delivery format identifiedSpreadsheet, document, PDF, or buyer portal — note the exact format and version.
  • Portal access requestedIf portal-based, request logins early and capture export or copy restrictions.
  • Question count and sections scopedEstimate volume and flag any frameworks referenced (SOC 2, ISO 27001, CAIQ, HECVAT).
  • Custom or unusual questions flaggedIdentify questions that fall outside your standard answer library.

Ownership and routing

Assign accountability and pull in the right reviewers before drafting.

  • Primary owner assignedName the person accountable for final submission and buyer communication.
  • SMEs identified for routingPre-identify security, legal, privacy, and product reviewers for likely escalations.
  • Kickoff and checkpoints scheduledSet a start, a mid-point review, and a final approval slot against the due date.

Evidence readiness

Confirm the supporting evidence buyers will ask for is current and shareable.

  • Core compliance reports currentConfirm SOC 2, ISO, or pen-test reports are in date and ready to share.
  • NDA or sharing terms confirmedVerify whether sensitive evidence needs an NDA or a gated trust center link.
  • Answer library freshness checkedConfirm reusable answers were reviewed recently and still match current controls.

Risk and escalation

Surface anything that could block, delay, or commit the company.

  • Privacy and legal flags raisedFlag data residency, sub-processor, DPA, or contractual commitment questions for legal.
  • Unsupported or roadmap questions notedMark items you cannot answer affirmatively yet and decide how to position them.
  • Commitment language reviewedEnsure no answer promises a control or timeline that is not actually in place.