April 9, 2026
ISO 27001 Vendor Questionnaire: How to Answer Common Questions
How B2B SaaS vendors with ISO 27001 certification (or working towards it) should answer customer security questionnaires about their ISMS, controls, and audit status.
Tags: ISO 27001 vendor questionnaire, ISO 27001 security assessment, ISO 27001 controls questionnaire, ISMS vendor due diligence, ISO 27001 B2B SaaS
ISO 27001 is the international standard for information security management systems (ISMS). If your company is certified, or working towards it, buyers will ask specific questions about your controls, audit history, and scope. Here is how to answer them well.
"Are you ISO 27001 certified?"
If yes: state the certification body, certificate number, certification scope, and expiry date. Offer to share the certificate on request.
If no, but in progress: state where you are in the process (gap assessment, internal audit, certification audit) and your expected timeline. Do not overstate your readiness.
If no: be honest. ISO 27001 is valuable but not mandatory for every context. A mature information security policy and SOC 2 report often satisfy the same buyer concerns.
"What is the scope of your ISMS?"
The scope defines what systems, processes, and locations are covered by your ISO 27001 certification. Buyers want to know if the scope covers the product and data they care about. State this clearly: "Our ISMS covers the development, operation, and support of [product name] including [relevant infrastructure and data processing]."
"When was your last surveillance audit?"
ISO 27001 certifications require annual surveillance audits and a full recertification every three years. Buyers will ask for the most recent audit date and outcome. Have this information on hand and be prepared to share a summary or attestation letter.
"What Annex A controls do you have in place?"
Annex A contains 93 controls across four themes in ISO 27001:2022. Buyers sometimes ask about specific ones: access control (control A.8.2), cryptography (control A.8.24), incident management (control A.8.16), or supplier relationships (control A.5.19). Map your controls to their Annex A references in advance so you can answer precisely rather than from memory.
Keeping your answers current
ISO 27001 controls evolve — especially when your product or infrastructure changes. The safest approach is to upload your Statement of Applicability (SoA), your ISMS scope document, and your most recent audit summary to your knowledge vault. When a questionnaire asks about a specific control, your AI or team can retrieve the exact clause reference rather than guessing.
SecureFlow lets you upload these documents and draft ISO 27001-aligned answers automatically. Start free.
Not legal or compliance advice. Consult a qualified ISO 27001 lead auditor for certification guidance.