Like everything in the sales cycle, RFPs and Security Questionnaires are trending towards standardization. The buyer has more and more control, which means potential vendors and solution partners must align with these new steps in the buyer journey and sales process.
Another byproduct of this shift is response templates created by third parties to cater to this standardization. Below, we’ve compiled the top four templates we see come through Ombud Rx, who uses them, and additional resources so you’re prepared for a quick turnaround when one of these lands in your inbox.
CAIQ (Consensus Assessments Initiative Questionnaire)
What is it?
The CAIQ (Consensus Assessments Initiative Questionnaire), created by Cloud Security Alliance (CSA), is currently on version 3.1. According to CSA, the CAIQ offers an “industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency.
It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance with the Cloud Controls Matrix (CCM). Therefore, it helps cloud customers to gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure.”
Who uses it?
If you’re in the business of selling a cloud-based software application, you’ll likely see this come across your desk.
SIG (Standard Information Gathering) Assessment
What is it?
According to Shared Assessments, the SIG (Standard Information Gathering) Assessment uses a comprehensive set of questions (a content library) to gather information and determine how security risks are managed across 18 risk control areas, or “domains”, within a service provider’s environment. The library houses comprehensive risk and cybersecurity frameworks as well as industry-specific controls.
Who uses it?
Anyone responding to RFPs or Security Questionnaires at a software company has likely been asked to complete a SIG.
VRMMM (Vendor Risk Management Maturity Model)
What is it?
According to Shared Assessments, the VRMMM (Vendor Risk Management Maturity Model) evaluates third-party risk programs against a set of best practices and industry benchmarks. Broken into eight categories, the model explores more than 200 program elements that should form the basis of a well-run third-party risk management program.
Who uses it?
Although less widely used than the SIG or CAIQ, those who respond to RFPs or Security Questionnaires at a software company will likely encounter the VRMMM.
HECVAT (Higher Education Community Vendor Assessment Tool)
What is it?
The HECVAT (Higher Education Community Vendor Assessment Tool), created by the Higher Education Information Security Council (HEISC), generalizes higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use.
Who uses it?
Any organization selling software to the higher education industry (whether a learning management system (LMS) or sophisticated data encryption software) will likely encounter this template during sales cycles. If higher education is a key vertical within your business, it’s worth adding this template to your repository.
Maximizing Template Responses
Preparing responses for these templates before you even get them on your desk is just one of the many ways you can arm your team to be more responsive and remove friction in the sales cycle. You’ll also prime your team to understand any gaps these templates may illuminate, and prepare them to handle the surrounding objections and questions.
As you work on building out your response library and reference documentation, these templates are only a piece of the puzzle. For more sources and reference material to use when building out your response library, check out our recent blog on the topic.