
Why bother getting ISO 27001 and SOC 2 when you still have to fill in Security Questionnaires?

by FeHa International Consulting
September 9, 2022

Many organizations ask why they should obtain ISO 27001 certification or a SOC 2 Type II assurance audit if their potential customers still send them security questionnaires afterwards. Maybe that’s your question too.

Why SOC 2 if every customer still wants a security questionnaire filled in?
Someone asked this question on social media.

Your team is overwhelmed with security questionnaires coming from every customer. You are thinking of cutting out this work by obtaining ISO 27001 or SOC 2. Unfortunately, you may still receive security questionnaires even after you hold ISO 27001 or SOC 2. But from then on, you will deal with the questionnaires differently.

Going through ISO 27001 and SOC 2 Type II assurance audits is not easy. But we argue that they are worth the bother, even though they don’t completely eliminate the chance that you will still receive questionnaires. Here are the reasons:

  1. When you go through the ISO 27001 or SOC 2 audit, you get input from external auditors. Coming from auditors who have worked with many different companies, that input will strengthen your Information Security Management System (ISMS). Your business processes may already be secure without it, but experts’ suggestions will raise your security management to a level you would not reach on your own, and you will do business with more confidence afterwards. For example, human resource security is one of the mandatory controls in ISO 27001. As required by the ISO 27001 standard, you have communicated to your employees that their information security responsibilities remain valid after termination of employment. The auditors will then probably share their knowledge on how to do this more effectively, to make sure that your organization’s interests are protected. In short, leaving the security questionnaire issue aside, you will always benefit from implementing ISO 27001 and SOC 2.
  2. You have obtained ISO 27001 or SOC 2, but many customers still require you to complete their security questionnaires. The good news is that the security professionals in your customers’ organizations may rely on the certification(s) you have earned. For example, suppose the questionnaire asks about business continuity management in adverse situations and you check ‘Yes’. The security officers might not ask you further questions on that subject, because they know that your certification means you have a business continuity plan that has been tested and reviewed. Thus, having ISO 27001 or SOC 2 will save you a lot of time when handling security questionnaires.
  3. Filling in questionnaires is burdensome because you have to answer many similar questions repeatedly, and to do that you often have to search through a variety of documents scattered all over the office. If you have passed the ISO 27001 or SOC 2 audit, you can copy the answers you gave during that audit and paste them into the security questionnaires. You can most likely do this because:
    • ISO 27001 and SOC 2 are global security standards, so the questions in the questionnaires will not differ much from what ISO 27001 and SOC 2 cover.
    • All answers given for the ISO 27001 or SOC 2 assessments have been examined by the auditors, which means they are certainly good-quality answers.
    • During the ISO 27001 or SOC 2 assessment, you have to collect all the ISMS-related documents. If you hold the certificate and later need some of those documents for a security questionnaire, you already know where they are and can access them easily.
    In brief, you can handle those questionnaires with less effort.
  4. On seeing your ISO 27001 or SOC 2 audit report, your customers may relieve you of the security questionnaires entirely. This is possible when their questionnaires cover the same subjects as the report. Only when they have specific business requirements, or are unclear about information in your audit report, will they still ask you questions, and fewer of them. For example, if the ISO 27001 documentation states that your data is encrypted, your customer will probably ask which cryptographic key your company uses. Again, having ISO 27001 and/or SOC 2 saves you time and energy in the due-diligence process.

If you are currently struggling with security questionnaires, we have written 4 tips for managing them without stress. If you are uncertain whether you should pursue ISO 27001 or SOC 2, let us give you our insights. If you would like to ask a question, discuss, or anything at all, don’t hesitate to reach out to us.

FeHa International Consulting is an international IT GRC, cybersecurity, and privacy management consultancy with expertise and experience ranging from startups and small businesses up to large corporations.
Evert van de Beekstraat 354, 1118 CZ,
Amsterdam, Netherlands