How to Answer Client IT Security Questionnaires Without Panicking
You've just landed a meeting with a potential client — a corporate, maybe a listed company or a large medical scheme. The opportunity is real. Then the email arrives: a 12-page vendor due-diligence questionnaire asking about your IT security, data handling, backup processes, incident response and supplier controls.
If your stomach just dropped reading that, you're not alone. For many South African law firms, accounting practices, financial advisers and healthcare providers, the security questionnaire is becoming the new gatekeeper to bigger work. And most small firms are answering them on the fly, often with help from whoever happens to know the IT setup that week.
Here's a calmer way to handle them.
Why these questionnaires are showing up everywhere
Five years ago, only banks and government tenders asked these questions. Today it's everyone — corporate clients, medical aids, listed companies, even mid-sized businesses pushing POPIA compliance down their supplier chain. If your client gets breached through you, they carry the reputational and regulatory cost. So they're checking.
The questionnaires vary, but they tend to ask about the same areas:
- How you store and protect client data
- Who has access to what, and how that's controlled
- Backup, recovery and business continuity
- Incident response and breach notification
- Staff security training
- Whether your IT provider has any recognised security certifications
- Sub-processors and third-party suppliers
The firms that win this work aren't the ones with the most expensive IT — they're the ones who can answer confidently, with evidence, in 48 hours instead of two weeks.
Build your answer pack before you need it
The biggest mistake is treating each questionnaire as a one-off project. You'll answer the same 30 questions over and over for different clients. Build the pack once, update it quarterly, and you'll never scramble again.
Your answer pack should include short, plain-English responses on the following:
Data handling and storage. Where is client data stored (Microsoft 365, on-prem server, practice management system)? Is it encrypted at rest and in transit? Who is the data controller and who is the processor?
Access control. Do you use multi-factor authentication on email and core systems? How are user accounts created and revoked when someone leaves? Do you have separate admin accounts?
Backup and recovery. How often do you back up? Where are backups stored (and are they offsite or in a separate cloud region)? When did you last test a restore? What's your recovery time objective?
Endpoint protection. What antivirus or EDR is running on staff laptops? Are devices encrypted? Are they centrally managed and patched?
Email security. What spam filtering and phishing protection is in place? Are SPF, DKIM and DMARC records published for your domain, and is the DMARC policy enforced rather than monitor-only? Do you run staff phishing simulations?
Incident response. Who do staff call if something looks wrong? What's the escalation path? How quickly would you notify a client of a suspected breach?
Business continuity. What happens if your office loses power, fibre, or burns down? Can staff work remotely? How long would it take to be operational?
Supplier management. Who is your IT provider? What security certifications do they hold? What happens to your data when they touch it?
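Assessors increasingly ask not just whether SPF and DMARC records exist but what they say, so it helps to be able to read your own records before the questionnaire does. The following is an added example written for this article, not MiBOT's tooling or anything the page's author supplied: an offline check that parses SPF and DMARC TXT records and grades them. The record strings are constructed samples for a hypothetical domain; in practice you would paste in the TXT records you retrieve for your own domain and for `_dmarc.<your domain>`.

```python
"""Offline sanity check of SPF and DMARC TXT records.

Added example for this article (not MiBOT Support's own tooling). The records
below are constructed sample values, not real DNS data.
"""
import re
from dataclasses import dataclass

# Constructed sample records for a hypothetical firm domain.
SAMPLE_SPF_OK = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_SPF_WEAK = "v=spf1 include:spf.protection.outlook.com include:a.example include:b.example ?all"
SAMPLE_DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.co.za; pct=100"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"


@dataclass
class Finding:
    record: str     # "SPF" or "DMARC"
    severity: str   # "ok", "warn" or "fail"
    message: str


def check_spf(txt: str) -> list[Finding]:
    findings: list[Finding] = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "fail", "record does not start with v=spf1")]

    # The final 'all' mechanism decides what happens to senders not listed.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "fail", "no 'all' mechanism; unlisted senders are not rejected"))
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "-":
            findings.append(Finding("SPF", "ok", "-all: unlisted senders hard-fail"))
        elif qualifier == "~":
            findings.append(Finding("SPF", "warn", "~all: unlisted senders only soft-fail"))
        else:
            findings.append(Finding("SPF", "fail", f"{qualifier}all: record effectively allows any sender"))

    # RFC 7208 caps the DNS-querying terms (include, a, mx, ptr, exists, redirect)
    # at 10; beyond that receivers return a permanent error and SPF protects nothing.
    lookup_re = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=")
    lookups = sum(1 for t in terms[1:] if lookup_re.match(t.lower()))
    if lookups > 10:
        findings.append(Finding("SPF", "fail", f"{lookups} DNS-lookup terms exceeds the limit of 10"))
    return findings


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list[Finding]:
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return [Finding("DMARC", "fail", "record does not start with v=DMARC1")]
    findings: list[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "reject":
        findings.append(Finding("DMARC", "ok", "p=reject: spoofed mail is rejected"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "warn", "p=quarantine: spoofed mail is junked, not rejected"))
    elif policy == "none":
        findings.append(Finding("DMARC", "warn", "p=none: monitoring only, no enforcement"))
    else:
        findings.append(Finding("DMARC", "fail", "missing or unknown p= tag"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("DMARC", "warn", f"pct={pct}: policy applied to only {pct}% of mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "warn", "no rua= address; aggregate reports are not collected"))
    return findings


def worst(findings: list[Finding]) -> str:
    """Collapse a list of findings to the single worst severity."""
    order = {"ok": 0, "warn": 1, "fail": 2}
    return max((f.severity for f in findings), key=order.get, default="ok")


if __name__ == "__main__":
    for label, checker, record in [
        ("SPF (good)", check_spf, SAMPLE_SPF_OK),
        ("SPF (weak)", check_spf, SAMPLE_SPF_WEAK),
        ("DMARC (good)", check_dmarc, SAMPLE_DMARC_OK),
        ("DMARC (weak)", check_dmarc, SAMPLE_DMARC_WEAK),
    ]:
        results = checker(record)
        print(f"{label}: overall {worst(results)}")
        for f in results:
            print(f"  [{f.severity}] {f.message}")
```

The overall grade for each record is what goes on the questionnaire: "-all" with "p=reject" lets you answer the email-security question with evidence, while "?all" or "p=none" tells you what to fix before you send the form back.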
The questions that trip people up
A few specific questions are catching SA firms off guard. Be ready for these.
"Does your IT supplier hold ISO 27001 or equivalent certification?" This one used to be optional. It's now a scoring item on many corporate vendor assessments — and sometimes a hard pass/fail. Working with a certified partner means you can answer yes with evidence, which can be the difference between making the shortlist and not.
"When was your last documented restore test?" Saying "we have backups" isn't enough anymore. They want to know you've actually proven the backups work. If you can't give a date, that's a red flag for the assessor.
"Do you maintain an asset register of devices accessing client data?" A spreadsheet of laptops, who has them, what's installed, when they were last patched. Most small firms don't have this. The ones that do are the ones winning the work.
"What is your breach notification timeline?" POPIA says "as soon as reasonably possible." Most clients want to see a specific commitment — within 24 or 72 hours of confirmation.
Practical steps to take this month
If you don't have an answer pack yet, here's a sensible order to build one:
- Pull together what you already have. Microsoft 365 admin settings, your antivirus dashboard, your backup tool. Most of the evidence exists — it's just scattered.
- Document your access policy in one page. Who has admin rights, how starters and leavers are handled, MFA requirements.
- Schedule and document a backup restore test. Even a small one. Record the date, what was restored, how long it took.
- Write a one-page incident response plan. Three columns: what happened, who to call, what we do in the first hour.
- List your suppliers. IT provider, cloud services, practice management system. Note any certifications they hold.
- Get an asset register going. Even a simple spreadsheet beats nothing.
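A spreadsheet register is only useful for a questionnaire if you can quickly say which devices would fail the assessor's questions (unencrypted, no EDR, not patched recently, no named owner). The following is an added example written for this article, not MiBOT's own tooling or code from the page's author: it reads a register in CSV form and lists the problems per device. The CSV content is a constructed sample; the column names and the 30-day patch window are assumptions, not requirements from any particular questionnaire.

```python
"""Check a simple asset register for questionnaire readiness.

Added example for this article (not MiBOT Support's own tooling). The CSV below
is a constructed sample register; the column names and the 30-day patch window
are assumptions.
"""
import csv
import io
from datetime import date

# Constructed sample register: one row per device that touches client data.
SAMPLE_REGISTER = """device,owner,os,disk_encrypted,edr_installed,last_patched
LAP-001,J Smith,Windows 11,yes,yes,2024-05-20
LAP-002,A Naidoo,Windows 11,no,yes,2024-05-18
LAP-003,,macOS 14,yes,no,2024-03-02
LAP-004,P Botha,Windows 10,yes,yes,2024-01-15
"""

# Fixed "today" so the sample run is reproducible (an assumption for the example).
SAMPLE_TODAY = date(2024, 5, 25)

PATCH_WINDOW_DAYS = 30  # assumption: devices should be patched at least monthly


def check_register(csv_text: str, today: date) -> dict[str, list[str]]:
    """Return device id -> list of problems; an empty list means the device is compliant."""
    problems: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues: list[str] = []
        if not row["owner"].strip():
            issues.append("no owner recorded")
        if row["disk_encrypted"].strip().lower() != "yes":
            issues.append("disk not encrypted")
        if row["edr_installed"].strip().lower() != "yes":
            issues.append("no antivirus/EDR")
        try:
            patched = date.fromisoformat(row["last_patched"].strip())
            age = (today - patched).days
            if age > PATCH_WINDOW_DAYS:
                issues.append(f"last patched {age} days ago")
        except ValueError:
            # Blank or malformed dates count as a problem rather than being ignored.
            issues.append("last_patched missing or not a date")
        problems[row["device"]] = issues
    return problems


def summary(problems: dict[str, list[str]]) -> dict[str, int]:
    """Headline numbers for the questionnaire answer."""
    total = len(problems)
    compliant = sum(1 for issues in problems.values() if not issues)
    return {"total": total, "compliant": compliant, "needs_attention": total - compliant}


def run_sample() -> dict[str, list[str]]:
    return check_register(SAMPLE_REGISTER, SAMPLE_TODAY)


if __name__ == "__main__":
    results = run_sample()
    for device, issues in results.items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{device}: {status}")
    print(summary(results))
```

Run against the real register with `date.today()` in place of `SAMPLE_TODAY`, and the summary line gives you the honest number to put on the form, plus the list of devices to sort out first.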
None of this is glamorous, but it's the difference between a confident two-day turnaround on a questionnaire and a panicked week of guesses.
When you'd rather not do this yourself
Most partners and practice managers we speak to don't want to become security documentation experts. They want to focus on clients, not on whether their DMARC record is correctly configured.
That's a fair part of what we do at MiBOT Support. We're ISO 27001 certified ourselves, which means our processes are audited annually against an international standard — and that often translates directly into questions our clients can tick off their due-diligence forms. If you've got a questionnaire sitting in your inbox and you're not sure where to start, give us a call. We'd rather help you answer it properly than watch a good firm lose work over IT paperwork.
Ready to Experience IT That Actually Works?
Let us take care of your technology so you can focus on growing your business.
086 999 0045