B2B pressure points
Excerpt: Supply chain security questions used to terrify me. Now I help businesses answer them. Here's what the big firms actually want to hear - and how to say it with confidence.
Big Clients, Tough Questions, Simple Answers
What I've learned from both sides of the supply chain conversation
The email arrived on a Tuesday afternoon.
"As part of our ongoing supplier review, we require all partners to complete the attached security questionnaire. Please return within 14 days."
Fourteen pages. Questions about firewalls, access controls, incident response plans, data encryption, staff training, business continuity. Words I barely understood. Checkboxes I couldn't honestly tick.
I remember the feeling exactly. Cold sweat. Racing heart. The absolute certainty that we were about to lose our biggest client.
That was three years ago.
Last month, I sat in a meeting helping a large firm design their supplier security requirements. I've been on both sides now. And I want to tell you what I wish someone had told me back then.
Why They're Asking
First, understand this: they're not trying to catch you out.
Large companies face enormous pressure around supply chain security. A data breach through a small supplier can cost them millions - in fines, reputation, lost business. Their insurers are asking questions. Their regulators are asking questions. Their clients are asking questions.
So they ask you.
It's not personal. It's not because they think you're dodgy. It's because they have to ask everyone. And honestly? The ones asking are the responsible ones. Be more worried about big clients who never ask.
What They Actually Want
Here's what I've learned from the other side of the table: they're not expecting perfection.
They know you're a small business. They know you don't have a dedicated security team. They know your setup isn't the same as a multinational corporation.
What they want is evidence that you take it seriously. That you've thought about it. That you have basic controls in place.
They want to see:
- Cyber Essentials certification (or equivalent)
- Basic policies documented
- Staff awareness of security
- A plan for when things go wrong
- Honesty about your limitations
They don't expect:
- A full-time Chief Information Security Officer
- Enterprise-grade security infrastructure
- ISO 27001 certification (usually)
- Perfection
The bar is lower than you think. But you have to clear it.
The Questions You'll Face
After three years of seeing these questionnaires from both sides, I can tell you they mostly cover the same ground.
Technical controls:
Do you have firewalls? Anti-virus? Encryption? Regular updates?
Access management:
Who can access what? How do you control it? What happens when someone leaves?
Policies and procedures:
Do you have documented security policies? Acceptable use? Password requirements?
Staff training:
Are your people aware of security risks? Do you train them? How often?
Incident response:
What happens if something goes wrong? Who do you contact? How do you recover?
Business continuity:
If your systems go down, can you keep operating? How quickly can you recover?
Third parties:
Who else has access to data you hold for this client? What's their security like?
That's it. That's most questionnaires. The wording varies, the detail varies, but these are the themes.
How to Answer Well
Be honest. If you don't have something, say so. Lying on a security questionnaire is worse than having gaps - it's a breach of trust that will end the relationship instantly if discovered.
Show your working. Don't just tick boxes. Add notes explaining what you actually do. "Yes - we use [specific product] and update weekly" is better than just "Yes."
Reference your certifications. If you have Cyber Essentials, say so prominently. It answers half their questions in one line.
Acknowledge limitations. "As a small business, we don't have dedicated IT security staff. However, we have implemented [specific controls] and work with [external support] for specialist requirements." Honesty plus mitigation.
Highlight improvements. "We achieved Cyber Essentials certification in [date] and are working toward Plus certification" shows trajectory, not just current state.
The Answers I Use Now
Here's how I respond to the common themes:
"Describe your cyber security certifications."
"Simpson & Sons holds current Cyber Essentials certification, achieved [date] and renewed annually. We are currently working toward Cyber Essentials Plus certification."
"How do you ensure staff are aware of security risks?"
"All staff complete security awareness training on joining and receive quarterly refresher sessions. We maintain a culture of security awareness, encouraging staff to report suspicious emails or activity without blame."
"Describe your incident response process."
"We maintain a documented incident response plan covering identification, containment, eradication, and recovery. The plan includes contact details for our IT support, relevant authorities, and affected clients. We test this plan annually."
"How do you manage access to sensitive data?"
"Access is granted on a need-to-know basis. We maintain a register of who has access to what systems. Access is revoked immediately when staff leave. We use [password manager] to ensure strong, unique passwords across all systems."
"Describe your backup procedures."
"We perform daily automated backups to encrypted cloud storage, separate from our main systems. Backups are tested quarterly by performing full restoration to verify integrity."
These aren't complicated answers. They're clear, specific, and honest. That's what works.
When You Don't Have the Answer
Sometimes the questionnaire asks for something you genuinely don't have.
Don't panic. Don't lie. Don't leave it blank.
Instead, explain what you do have and what you're working toward.
Example:
Question: "Do you hold ISO 27001 certification?"
Answer: "We do not currently hold ISO 27001 certification. We hold Cyber Essentials certification and follow security best practices appropriate to our size and risk profile. We would be happy to discuss specific security requirements for this engagement."
That's a professional response. It's honest, it shows what you do have, and it opens dialogue rather than slamming the door.
Building Your Arsenal
If you're facing these questionnaires regularly, build a library of responses.
Create a master document with your standard answers to common questions. Update it whenever something changes - new certification, new process, new staff training.
Keep evidence ready. Your Cyber Essentials certificate. Screenshots of your password policy. Training records. Having these on hand makes completing questionnaires faster.
Know your dates. When was your last certification? When was your last training session? When did you last test your backups? You'll be asked.
Review quarterly. Set a reminder to check your master document every three months. Is everything still accurate? Has anything changed?
The Conversation, Not Just the Form
Sometimes the questionnaire is just the start. They want to talk.
This used to terrify me. Now I welcome it.
A conversation lets you explain context. Lets you show your knowledge. Lets you demonstrate that you understand security, even if your setup isn't enterprise-grade.
Tips for security conversations:
- Be confident but not arrogant
- Admit what you don't know
- Ask what their specific concerns are
- Focus on how you protect their data specifically
- Follow up in writing with anything you promised
I've won work in these conversations. Clients who were uncertain after reading our questionnaire became confident after talking to us. Because they could tell we took it seriously.
What Happens If You're Not Ready
Let's be honest: sometimes you get the questionnaire and you're not ready. You haven't got certification. Your policies aren't documented. You can't answer half the questions.
Short term: Be honest. Tell them where you are and where you're heading. Ask if there's a timeframe to get compliant. Some clients will wait if you're actively working on it.
Medium term: Get certified. Document your policies. Build your arsenal. Every week you delay is another potential client lost.
Long term: Make this part of your business development. Supply chain security requirements are only going one direction - more demanding, not less. Get ahead of it now.
From Sweating to Advising
Three years ago, that email made me sweat.
Now I help other businesses answer the same questions. I've sat in rooms where large firms discuss what they're looking for from suppliers. I've seen questionnaires from both sides.
And here's what I know: the small business that takes security seriously, gets certified, documents their approach, and answers honestly will beat the small business that panics, fudges, or ignores the question.
The bar isn't impossibly high. It just requires preparation.
Big clients. Tough questions. Simple answers.
You've got this.
Jim Simpson is an SME Cyber Resilience Consultant with TransCrypt. He still keeps a copy of that first terrifying questionnaire in his desk. It's a reminder of how far a business can come in three years.