The email arrives on a Tuesday. Your biggest prospect, or your biggest customer coming up for renewal, has run you through their vendor security review. The result is back. You scored “partial” on six of twelve categories, and there is a line at the bottom: please remediate within 90 days. The deal, or the renewal, is now sitting on those six partials, and the clock has started. Before you open that form and start at category one, it is worth knowing what the people who scored you actually do with it.

The instinct is to open the form and work down it in order, fixing category one, then two, then three. That is the wrong order, and it is wrong for a reason most of the advice on this misses. Most writing about vendor security reviews comes from people who have only ever filled them out. I have also been on the other side: running third-party risk from an interim CIO seat, and scoring other companies' vendors in private-equity diligence, against an internal rubric the vendor never sees. That rubric, which differs by buyer but rhymes across them, is what decides whether a partial blocks your contract. And these rubrics weight the twelve categories very unevenly.

The form is not the rubric

The form you fill out lists the categories flat, as if they all carried the same weight. The risk team on the other side does not score them flat. They score against an internal rubric that weights some categories as deal-blocking and others as advisory, and that rubric reflects what has actually hurt them: the breaches they have lived through, the audit findings their own regulators have raised, the controls their own customers ask them to prove down the chain.

So an incomplete access-control section is a critical finding. An incomplete business-continuity section, in a standard SaaS relationship, is usually an advisory note. Both show up on your result as the same word, “partial,” and the form gives you no signal about the difference. The predictable result is that vendors spread the 90 days evenly across all six partials, and spend most of it on the categories that were never going to block anything.

The move that changes the outcome is to stop treating the form as the scoring system. The form is the input. The rubric is the scoring system, and these rubrics share a shape you can mostly predict. You can test that claim yourself without taking my word for it: ask any enterprise risk lead whether they score every questionnaire category with equal weight. None of them do.

The three categories that actually block the deal

Across enterprise vendor reviews, three categories show up every time and get treated as blocking, at least when the buyer is an ordinary commercial SaaS customer. A partial in any of these three holds up the commercial relationship longer than partials in the other nine combined. Fix these first, in this order, whatever order the form happened to list them in. The regulated-buyer exception is real and I come back to it below.

1. Access management and identity

This is the category that maps most directly to the question the risk team is really asking: could this vendor be the way we get breached? They have read the same post-incident reports you have, and a large share of supply-chain compromises start with a vendor's weak access controls: a shared admin account, a service credential with no rotation, an offboarding process that left a leaver with live access for three months.

What the risk team wants to see is unglamorous and specific. Multi-factor authentication enforced, not just available. Single sign-on for the systems that touch their data. Role-based access with least privilege, not everyone-is-an-admin. A joiner-mover-leaver process that actually revokes access on the day someone leaves. Periodic access reviews with a date attached. Secrets managed in a vault, not in a shared spreadsheet. A partial here almost always means you do most of this in practice but cannot show the process or the last time anyone reviewed it. The fix is to write the one-page policy, name the owner, and run one access review so there is a date to point at.
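The "run one access review so there is a date to point at" step is easy to automate once you have three exports: the HR roster, the identity-provider account list, and a secrets inventory. The script below is an added example, not code from the article or from any product: the field names, the 90-day rotation limit, the role names and all of the data are constructed for illustration. It cross-checks the three sources for exactly the failures the paragraph lists (leavers still enabled, accounts that map to no person, MFA available but not enforced, service credentials nobody has rotated) and emits a dated, named review record.

```python
"""Added example: a minimal access review over three constructed exports.
Field names and policy values are assumptions, not any product's format."""
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2025, 3, 3)          # constructed review date
ROTATION_MAX_DAYS = 90                  # assumed policy value for secret rotation
PRIVILEGED_ROLES = {"admin", "owner"}   # assumed role names in the IdP export

# Constructed HR roster: who is employed and who has left, with the leaving date.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "active"},
    "carol": {"status": "left", "left_on": date(2024, 11, 30)},
}

# Constructed identity-provider export: account, role, whether MFA is enrolled.
IDP_ACCOUNTS = [
    {"user": "alice", "role": "admin", "mfa": True},
    {"user": "bob", "role": "member", "mfa": False},
    {"user": "carol", "role": "member", "mfa": True},
    {"user": "deploy-shared", "role": "admin", "mfa": False},  # no HR record at all
]

# Constructed secrets inventory: service credentials and their last rotation.
SERVICE_CREDENTIALS = [
    {"name": "ci-token", "owner": "alice", "rotated_on": date(2025, 1, 15)},
    {"name": "db-backup-key", "owner": "bob", "rotated_on": date(2024, 6, 1)},
]


@dataclass
class Finding:
    category: str   # short machine-readable label, e.g. "leaver-with-access"
    subject: str    # the account or credential the finding is about
    detail: str     # one-line human explanation for the evidence record


def review_access(hr, idp, creds, today=REVIEW_DATE):
    """Cross-check IdP accounts against HR and check credential age."""
    findings = []
    for acct in idp:
        person = hr.get(acct["user"])
        if person is None:
            findings.append(Finding("unmapped-account", acct["user"],
                                    "no HR record; shared or orphaned account"))
        elif person["status"] == "left":
            days = (today - person["left_on"]).days
            findings.append(Finding("leaver-with-access", acct["user"],
                                    f"left {days} days ago, account still enabled"))
        if not acct["mfa"]:
            privileged = acct["role"] in PRIVILEGED_ROLES
            findings.append(Finding("account-without-mfa", acct["user"],
                                    f"role {acct['role']}"
                                    + (" (privileged)" if privileged else "")))
    for cred in creds:
        age = (today - cred["rotated_on"]).days
        if age > ROTATION_MAX_DAYS:
            findings.append(Finding("stale-credential", cred["name"],
                                    f"last rotated {age} days ago (max {ROTATION_MAX_DAYS})"))
    return findings


def evidence_record(findings, reviewer, today=REVIEW_DATE):
    """The artefact the buyer wants: a date, a name, and what was found."""
    return {
        "review_date": today.isoformat(),
        "reviewer": reviewer,
        "finding_count": len(findings),
        "findings": [(f.category, f.subject) for f in findings],
    }


if __name__ == "__main__":
    found = review_access(HR_ROSTER, IDP_ACCOUNTS, SERVICE_CREDENTIALS)
    for f in found:
        print(f"{f.category:22} {f.subject:14} {f.detail}")
    print(evidence_record(found, "alice"))
```

Run against your real exports, the findings list is the remediation queue and the evidence record is the "last review" date the questionnaire asks for; keep both with the review so the next questionnaire can point at them.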

2. Incident response and breach notification

Here the buyer is really asking one thing: when you get breached, will I find out in time to meet my own obligations? Their own notification clocks run under NIS2, under DORA if they are a financial entity, and under the contracts they have signed with their own customers. If you cannot commit to telling them inside a defined window, you are not just a risk to their data, you are a risk to their compliance. That is the version of vendor risk that gets escalated past the analyst to someone who can kill the deal.

What unblocks it: a written incident-response plan, severity classes that distinguish a minor wobble from a reportable breach, a named decision-maker for each class, and a notification commitment the buyer can rely on. That commitment is often “without undue delay,” sometimes a hard clock the buyer writes into the contract. Evidence that the plan has been tested, even once, in a tabletop exercise, moves you from “we have a document” to “we have a capability.” A partial here usually means the plan exists as a draft in someone's folder with no severity model and no test behind it.
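A severity model with a notification commitment attached is small enough to write down in code and reference from the one-page plan. The block below is an added example, not the article's or any buyer's model: the four severity classes, their criteria, the owner roles and the notification windows are constructed placeholders that a buyer would replace with the window written into the contract. The one design point worth noticing is that an incident whose data exposure is still unknown is classified up, not down, so the clock starts at triage rather than after the investigation finishes.

```python
"""Added example: a constructed severity ladder and notification-clock check.
Classes, criteria, windows and owners are illustrative placeholders."""
from datetime import datetime, timedelta

# Assumed severity ladder: class -> (description, notification window in hours, owner).
# A window of None means no contractual notification duty for that class.
SEVERITY = {
    "SEV1": ("confirmed exposure of customer data", 24, "CEO"),
    "SEV2": ("confirmed compromise, customer data exposure not yet ruled out", 72, "CTO"),
    "SEV3": ("contained security event, no customer data involved", None, "Security lead"),
    "SEV4": ("availability wobble, no security dimension", None, "On-call engineer"),
}


def classify(incident):
    """Map the facts known at triage to a class.

    customer_data_exposed is True, False or None (not yet known); None is
    treated as not ruled out, so it escalates rather than waits."""
    if incident["customer_data_exposed"] is True:
        return "SEV1"
    if incident["compromise_confirmed"] and incident["customer_data_exposed"] is None:
        return "SEV2"
    if incident["compromise_confirmed"] or incident["security_relevant"]:
        return "SEV3"
    return "SEV4"


def notification_deadline(incident):
    """Return (class, deadline) where deadline is None if no duty applies."""
    sev = classify(incident)
    window = SEVERITY[sev][1]
    if window is None:
        return sev, None
    return sev, incident["detected_at"] + timedelta(hours=window)


def clock_status(incident, now):
    """Human-readable status of the notification clock at time `now`."""
    sev, deadline = notification_deadline(incident)
    if deadline is None:
        return sev, "no notification duty"
    remaining = deadline - now
    if remaining.total_seconds() < 0:
        return sev, "window missed"
    return sev, f"{remaining.total_seconds() / 3600:.1f}h left; owner {SEVERITY[sev][2]}"


# Constructed incidents for illustration.
INCIDENTS = [
    {"id": "INC-1", "detected_at": datetime(2025, 3, 3, 9, 0),
     "compromise_confirmed": True, "customer_data_exposed": None, "security_relevant": True},
    {"id": "INC-2", "detected_at": datetime(2025, 3, 3, 9, 0),
     "compromise_confirmed": False, "customer_data_exposed": False, "security_relevant": False},
]

if __name__ == "__main__":
    now = datetime(2025, 3, 4, 9, 0)
    for inc in INCIDENTS:
        sev, status = clock_status(inc, now)
        print(f"{inc['id']}: {sev} - {SEVERITY[sev][0]} - {status}")
```

The point of keeping the ladder as data is that the tabletop exercise can walk one constructed incident through it and produce the dated evidence that the plan has been run at least once.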

3. Data handling and subprocessor transparency

The buyer has to map their own data flows to answer their own customers and their own regulators. If they cannot see where their data goes once it enters your system, they cannot sign without taking on a risk they have no way to manage. This is the category where “trust us” fails hardest, because the buyer is not allowed to just trust you; they have a paper trail of their own to produce.

What they need is a clear description of the data flow, a subprocessor list with each subprocessor's purpose and processing location, your data processing agreement, the transfer mechanism for anything leaving the region, and your retention and deletion positions. None of this is exotic. Most growing companies have the underlying reality; what they are missing is the documented, current, customer-shareable version of it. A partial here is usually a documentation gap, not a controls gap, which is good news, because documentation closes inside 90 days.

And the other nine

Business continuity, secure development, physical security, security-awareness training, cryptography, the rest. They matter, and a mature security programme covers all of them. But in a standard SaaS relationship most of them are advisory-weighted in the rubric, which means a partial there is a note for next time, not a blocker now. The exception is the regulated buyer, and it is a real one: if you are selling to a financial entity bound by DORA, or to a NIS2 essential entity, then continuity, exit, and secure development can move from advisory to blocking, because their own regulator treats them that way and the obligation flows down the contract to you. If that is your buyer, re-rank these categories with them, not with this article. Otherwise, fix them after the deal is unblocked, or as part of the real management-system work that a serious buyer relationship eventually justifies. Spending week three of your 90 days writing a business-continuity plan while your access-control evidence sits at “partial” is the most common self-inflicted delay I see.

What “fixing” actually means in 90 days

Here is the misconception that wastes the most time: that a 90-day remediation means building a full information security management system. It does not. The risk team is not asking you to be certified in 90 days. They are asking for two things: evidence that the control exists, and a credible plan for the parts that do not yet.

For each blocking category, that breaks down into four concrete artefacts. A named policy, where a tight one-page document beats a fourteen-page template copied from somewhere. A named owner, a real person who is accountable, not “the security team.” Evidence of a last review, which is just a date and a name showing the thing is alive and not written-once. And a dated plan for any gap that genuinely takes longer than 90 days to close, with named milestones the buyer can hold you to. All four assume the control is genuinely there. A policy written over something you do not actually do is not evidence, it is a liability waiting for the buyer's second question.

That last one is the part people are most afraid of and least need to be. A 90-day plan with real milestones is usually enough for a commercial unblock even where the control is not fully built yet. The honest answer, “this is not fully in place; here is the dated plan to get there,” almost always beats the overclaim that falls apart on the buyer's first follow-up question. Risk teams have read a thousand questionnaires. They can smell an answer that will not survive a second question, and a vendor who overclaims and gets caught is in a worse position than one who was straight about a gap.

One caveat, because it matters. Sometimes the partial is not a paperwork gap at all. Sometimes you genuinely do not enforce MFA everywhere, or you really do have shared admin accounts. When the gap is real, documentation will not save you, and writing a policy over a control you do not run is how you fail the second review worse than the first. The honest move there is the same dated plan with named milestones: name the gap, commit to a date, and meet it. A buyer will usually accept that for a commercial unblock. What a buyer will not forgive is being told a control exists when it does not.

The conversation to have before week four

Most companies never ask the buyer's risk team the two questions that would have saved them most of the work: what would move these partials to satisfied, and what evidence format do you accept. They spend eight weeks producing a 40-page document for categories the buyer had marked advisory, when the buyer wanted a one-page control summary and a link to the policy.

Ask. Risk teams answer this more often than you would expect, because a vendor who asks what would actually close the gaps is a vendor taking the review seriously, not one looking for shortcuts. To be clear, this is not about finding the categories you can skip. Every category still has to be true. It is about not spending three weeks writing forty pages on something the buyer wanted in one. The answer tells you exactly where to spend the 90 days, and it stops you building evidence nobody asked for while the things that block the deal stay open. Have this conversation before week four, while you still have time to redirect the effort.

Document it once, answer it forever

The partial scores in front of you are not just a remediation list. They are the outline of a reusable evidence pack. Do this work once, structured by control family, with each answer linked to the evidence behind it, a policy, a runbook, a screenshot of a setting, a vendor certificate, and you have an asset that answers most of the next buyer's review out of the box.

The pattern is consistent. In what I have seen, the first serious questionnaire eats something like 10 to 15 hours of senior engineering time, the kind of time the CTO does not have. With a library in place, the next one drops to two or three hours, because most of the questions are variations on ones already answered. The vendor review that started as a fire drill turns into a standing capability. That is the difference between dreading the next enterprise deal's security stage and treating it as routine.

The long game

The 90-day remediation is the short game. The long game is that a documented vendor-risk posture is a commercial asset, not a compliance cost. The company that comes back from a partial vendor review with a credible, dated fix plan and a refreshed evidence pack often ends up in a stronger position than before the review, because the buyer's risk team has now watched them handle scrutiny well, and the next enterprise conversation starts from a library instead of a blank form.

Handled right, the review that felt like a failure is the cheapest enterprise-readiness audit you will ever get. Someone with real buying power just told you, in writing, exactly where your security posture is thin, and gave you 90 days to fix it before it costs you anything. The companies that win from this are the ones that fix in the order the rubric weights, not the order the form lists, and keep the evidence so they never start from zero again.

If you have a vendor security review or a customer security questionnaire in front of you right now and the deal is stalling on it, the direct fit is the Security Questionnaire Sprint: 45,000 DKK fixed, ten business days. It produces a founder-reviewed answer pack for the questionnaire that is blocking you, a reusable answer library you keep, and a prioritised gap memo that separates must-fix-now from must-fix-soon. Scope and process are on the services page.

If you would rather start with a second pair of eyes on where you actually stand, a scoping call is free. Thirty minutes, no deck, straight answers.

Related reading: the NIS2 supplier audit for non-regulated SaaS covers what to do when the pressure is coming through your supply chain rather than a single buyer. The five security jobs your Head of IT is quietly doing covers who actually owns this work inside a growing company. The ISO 27001 guide for growing SaaS covers the certification track that a Sprint-worthy questionnaire usually foreshadows.