Client Due Diligence · May 2026 · 5 min read

A Client Has Asked for Evidence of Your Cyber Security — What Do You Do?

More UK businesses are asking their suppliers to demonstrate cyber security standards before awarding contracts. Here's exactly what they're asking for and how to respond without hiring a consultant.

The supplier security questionnaire is becoming standard

If you work with larger businesses — as a contractor, supplier, or service provider — you may have already received one. A supplier security questionnaire, sometimes called a vendor risk assessment or third-party due diligence form, is a document asking you to describe your cyber security practices in detail.

These questionnaires have become significantly more common in the last two years. Larger organisations have learned the hard way that their security is only as strong as their weakest supplier. Several high-profile breaches — where attackers got into a large organisation through a smaller supplier with weaker security — have accelerated this trend.

For small businesses that have never thought systematically about their security, receiving one of these questionnaires can be alarming. Here's how to handle it.

What clients are typically asking

Most supplier security questionnaires cover the same core areas, even if the specific questions vary. Expect questions about:

Access to client data

What personal or confidential data will you have access to? How is it stored and protected? Who within your business can access it? These questions are driven by the client's own GDPR obligations — they need to know their data is safe with you.

Technical security controls

Do you use multi-factor authentication? Do all devices have antivirus software? Are software updates applied promptly? These are the same controls covered by Cyber Essentials.

Policies and procedures

Do you have a written security policy? A data breach response procedure? Do staff receive security training? Many small businesses don't have formal written policies — but having them matters more and more.

Certifications and assessments

Do you have Cyber Essentials certification? ISO 27001? If not, have you conducted any form of security assessment? This is where a documented self-assessment report becomes valuable — it shows you've taken the process seriously even without formal certification.

How to respond if you don't have certification

Most smaller clients are not expecting Cyber Essentials certification or ISO 27001. What they're looking for is evidence that you take security seriously and have thought about it systematically.

A professional security assessment report — showing your current posture, the controls you have in place, the gaps you've identified, and the actions you're taking to address them — is exactly what a client needs to satisfy their own due diligence obligations.

Being able to share a dated, reference-numbered report covering all five Cyber Essentials areas is a credible response to most supplier questionnaires from clients who don't formally require Cyber Essentials certification.

It shows you've done the work. That's often all that's needed.

When clients do require formal certification

Some clients — particularly larger organisations and those in regulated sectors — do require formal Cyber Essentials certification as a condition of their supplier contracts. Government contracts over £25,000 require it by law.

If this applies to you, the best first step is still a self-assessment — to understand your current position and identify what needs to be fixed before you go through the formal process. The Cyber Essentials self-assessment certification starts from around £300 plus VAT and is completed online through an accredited body.

Our assessment tool is designed to prepare you for exactly this — identifying your gaps against the Cyber Essentials standard before you apply for formal certification, so there are no surprises.

Find out where your business stands

Complete our 10-minute plain-English assessment and get a professional security report aligned to Cyber Essentials — suitable for insurance applications and client due diligence.


£49 for the full report · No account required
