10 Enterprise Security Questionnaire Questions — How to Answer Them.

A practical guide for Irish SMEs on how to answer the 10 most common enterprise security questionnaire questions with evidence and examples.

When a Letterkenny accountancy firm landed a contract with a large Dublin-headquartered financial services company last year, the deal almost fell apart before it started. An email arrived from the client's procurement team: "Please complete the attached security questionnaire." The spreadsheet ran to eighty-seven questions covering multi-factor authentication, data encryption, vendor risk management, and incident response. The firm had no security team, no documented policies, and no idea where to begin. They called us two days before the submission deadline.

That scenario plays out across Ireland every week. Large organisations are under growing pressure — from regulators, insurers, and their own boards — to scrutinise the security of their supply chains. A 2023 report from NCSC Ireland highlighted the growing threat of supply chain attacks on Irish organisations.[^1] When your biggest client sends you a questionnaire, it is not a bureaucratic exercise. It is a risk assessment. Your answers determine whether they trust you with their data.

The good news is that the questions are not random. Almost every enterprise security questionnaire draws from the same pool. Here are the ten that appear most often, what each one is really asking, and how to answer with confidence.

WHAT: The Ten Questions You Will Almost Always See

Multi-Factor Authentication. This is question one on nearly every questionnaire. The client wants to know whether a stolen password alone can unlock your systems. A strong answer confirms MFA is mandatory for all staff on email, cloud platforms, and any system that touches client data, and names the authenticator method you use: Microsoft Authenticator, Google Authenticator, or hardware security keys. Address the gaps reviewers look for: administrator and service accounts, legacy authentication protocols that do not support MFA, and whether SMS codes are still accepted. Hardware (FIDO2) keys resist phishing; app codes and SMS do not, so say which method protects which accounts.
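The statement "MFA is mandatory for all staff" is only evidence if you can show it from an export of your identity platform. The script below is an added example, not the page's own tooling: it takes a per-user authentication-method export (the CSV and its column names are constructed for illustration, not any vendor's schema), computes coverage over enabled accounts, and lists the exceptions a reviewer will ask about, treating accounts with no MFA and admins relying on SMS or voice as high severity.

```python
"""MFA coverage report from a constructed directory export (added example)."""
import csv
import io
from dataclasses import dataclass

# Methods a reviewer will accept as MFA. FIDO2/hardware keys are phishing-
# resistant; SMS and voice are accepted but flagged as weak.
STRONG_METHODS = {"authenticator_app", "fido2", "hardware_token"}
WEAK_METHODS = {"sms", "voice"}

# Constructed sample export; column names are assumptions, not a vendor schema.
SAMPLE_EXPORT = """\
user,is_admin,methods,account_enabled
alice@example.ie,true,authenticator_app;fido2,true
bob@example.ie,false,authenticator_app,true
carol@example.ie,false,sms,true
dave@example.ie,true,password_only,true
erin@example.ie,false,password_only,false
svc-backup@example.ie,false,password_only,true
"""


@dataclass
class Finding:
    user: str
    severity: str  # "high": no MFA, or admin on SMS/voice; "medium": SMS/voice only
    reason: str


def parse_export(text: str) -> list[dict]:
    """Parse the CSV into dicts with a set of registered methods per user."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        methods = {m.strip() for m in row["methods"].split(";") if m.strip()}
        rows.append({
            "user": row["user"].strip().lower(),
            "is_admin": row["is_admin"].strip().lower() == "true",
            "enabled": row["account_enabled"].strip().lower() == "true",
            "methods": methods,
        })
    return rows


def assess(rows: list[dict]) -> tuple[float, list[Finding]]:
    """Return (coverage over enabled accounts, findings). Disabled accounts
    are excluded from the denominator; they cannot be used to sign in."""
    active = [r for r in rows if r["enabled"]]
    findings: list[Finding] = []
    with_mfa = 0
    for r in active:
        strong = r["methods"] & STRONG_METHODS
        weak = r["methods"] & WEAK_METHODS
        if strong or weak:
            with_mfa += 1
        if not strong and not weak:
            findings.append(Finding(r["user"], "high", "no MFA method registered"))
        elif r["is_admin"] and not strong:
            findings.append(Finding(r["user"], "high", "admin relies on SMS/voice only"))
        elif not strong:
            findings.append(Finding(r["user"], "medium", "SMS/voice only; move to app or key"))
    coverage = with_mfa / len(active) if active else 0.0
    return coverage, findings


def report(text: str = SAMPLE_EXPORT) -> str:
    """Human-readable summary suitable for pasting into an evidence pack."""
    coverage, findings = assess(parse_export(text))
    lines = [f"MFA coverage (enabled accounts): {coverage:.0%}"]
    for f in sorted(findings, key=lambda f: (f.severity != "high", f.user)):
        lines.append(f"  [{f.severity.upper()}] {f.user}: {f.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it against a real export and the output is the exception list you can attach to the answer; a coverage figure below 100% with a dated remediation plan for each named account is the honest answer the next section describes. Service accounts that cannot use MFA should be called out explicitly rather than left to be discovered.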

Password Policy. Beyond MFA, the questionnaire asks whether you enforce password hygiene systematically. Mention minimum length (twelve characters is the current benchmark), screening of new passwords against known-breached password lists, and that the policy is enforced through your identity platform rather than just written in a document. Current NIST and NCSC guidance no longer recommends mandatory character-class complexity rules or periodic forced rotation, so do not present those as strengths; length, breach screening, and MFA are what a knowledgeable reviewer is looking for.

Data Encryption. The client needs assurance that their data is unreadable if a laptop is stolen or a network connection is intercepted. Describe encryption at rest (BitLocker on Windows laptops, FileVault on Macs, with recovery keys escrowed to your device-management platform so you can evidence coverage across the fleet and still recover a locked device) and in transit (TLS 1.2 or higher, with older versions disabled, for all data moving to and from your systems).

Incident Response Plan. What happens when something goes wrong? The client is not asking whether you will ever be attacked. They are asking whether you have a structured plan that includes detection, containment, recovery, and notification, including to the Data Protection Commission within 72 hours of becoming aware of a breach involving personal data, as GDPR Article 33 requires. Name who owns the plan and when it was last exercised; a plan that has never been walked through is a document, not evidence.

Backup and Recovery Strategy. Ransomware has forced this question to the top of every list. Describe your backup frequency (daily as a minimum), where copies are stored (off-site or in an isolated cloud location that your day-to-day admin credentials cannot delete, since ransomware operators go after backups first), retention period, and, critically, that you test recovery regularly and keep the results. Quote your Recovery Time Objective and Recovery Point Objective if you have them.
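"We test recovery regularly" needs a dated record behind it. The script below is an added example, not the page's own tooling, of the smallest credible restore test: capture a SHA-256 manifest when the backup is taken, restore to a scratch location, compare every file against the manifest, and emit a result record for the evidence pack. The sample files, directory layout and manifest format are constructed for illustration; the second run shows what the record looks like when the backup copy has been silently altered.

```python
"""Restore test with manifest verification (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(src: Path, backup_dir: Path) -> Path:
    """Copy src into backup_dir and store the manifest beside the data."""
    shutil.copytree(src, backup_dir / "data")
    manifest = build_manifest(src)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def restore_test(backup_dir: Path, scratch: Path) -> dict:
    """Restore to scratch, verify against the manifest, return a result record."""
    restored = scratch / "restored"
    shutil.copytree(backup_dir / "data", restored)
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = build_manifest(restored)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    unexpected = sorted(set(actual) - set(expected))
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(expected),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "passed": not (missing or corrupted),
    }


def demo() -> tuple[dict, dict]:
    """One clean restore test, then one after the backup copy is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        (src / "clients").mkdir(parents=True)
        # Constructed sample data, not real client records.
        (src / "clients" / "ledger.csv").write_text("acct,balance\n1001,250.00\n")
        (src / "policy.txt").write_text("constructed sample content\n")

        backup = take_backup(src, tmp / "backup")
        clean = restore_test(backup, tmp / "scratch1")

        # Simulate silent alteration and loss in the backup copy.
        (backup / "data" / "clients" / "ledger.csv").write_text("acct,balance\n1001,0.00\n")
        (backup / "data" / "policy.txt").unlink()
        tampered = restore_test(backup, tmp / "scratch2")
        return clean, tampered


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

Store each result record with the backup job report; a folder of dated records, including the occasional failure and what was done about it, is far more convincing than a policy sentence. The manifest should live somewhere the backup job itself cannot overwrite, otherwise a compromised backup host can rewrite both.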


Staff Security Training. Human error remains the most common cause of successful attacks. The client wants to see that your staff receive regular, structured training — not just a one-off induction. Mention frequency, simulated phishing exercises if you run them, and that training is mandatory rather than optional.

Patch and Vulnerability Management. Unpatched software is one of the most common entry points for attackers. Describe how you apply security patches — ideally automated deployment within seven days for critical patches — and whether you run any form of vulnerability scanning.

Network Security. This question is asking whether an attacker who gets inside your network can move freely. Describe your firewall, whether you segment your Wi-Fi (staff vs. guest networks), and how remote workers connect — ideally via a VPN that requires MFA.

Third-Party and Vendor Risk. Under NIS2, supply chain security is now a formal regulatory obligation for many Irish businesses.[^1] The client wants to know whether you apply the same scrutiny to your own suppliers that they are applying to you. Describe any due diligence process you have for vendors who handle your data: an inventory of who they are and what data they hold, what you ask of them before onboarding, and how often you review them.

Physical Security. For remote-first businesses, this is often straightforward: your data lives in ISO 27001-certified cloud data centres, and physical access to your office is limited. For businesses with on-site infrastructure, describe access controls, visitor management, and clean-desk policy.

WHAT NOW: Preparing Your Answers Before the Deadline Arrives

The businesses that answer these questionnaires well do not improvise. They maintain a living security evidence pack that they update quarterly. This pack includes policy documents, screenshots of system configurations, training completion logs, and backup test results. When a questionnaire arrives, they can assemble a credible response in a day rather than a panic-driven week.

If you do not yet have a particular control in place, honesty combined with a concrete remediation timeline is far better than a vague or evasive answer. Procurement teams have seen every variation of "we are working on it." What they respect is a specific date and a credible plan. "MFA is not yet deployed to all accounts. We have completed the pilot with IT staff and will roll out to all users by 30 April" is a confident answer. "We are exploring our options" is not.

WHY IT MATTERS: Regulatory Pressure Is Only Growing

NCSC Ireland has made supply chain security a priority in its published guidance for organisations.[^1] An Garda Síochána's National Cyber Crime Bureau investigates an increasing number of attacks that originate through supplier compromise.[^2] The Data Protection Commission has the power to fine organisations for breaches that result from inadequate vendor due diligence, not just for their own security failures.[^3]

Beyond regulation, the commercial stakes are straightforward. Failing a security questionnaire costs you the deal. Passing it — especially passing it well — signals maturity and trustworthiness that is increasingly a differentiator in competitive Irish markets.

A documented security programme does not just protect your business — it makes your business more attractive to the clients who matter most.

WHAT NEXT: Three Actions to Take This Week

  1. Conduct an honest gap assessment against the ten questions above. For each one, note whether you can answer "yes with evidence," "partial," or "not yet." That assessment is your starting point.

  2. Begin assembling a security evidence pack. Create a folder containing your password policy, MFA configuration screenshots, backup job reports, and any training completion records. Even if the documents are incomplete, starting the folder is the most important step.

  3. If a questionnaire has already arrived and you need support, do not wait. We work with Irish SMEs across Donegal and the North-West to build audit-ready responses quickly — and to put the underlying controls in place so that the next questionnaire is easier than the last.

Related Reading

[^1]: NCSC Ireland. Advice for Organisations. https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána. Cyber Crime. https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission. Guidance for Organisations. https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.