Security questionnaire checklist — answer 'yes' to every enterprise ask

The generic enterprise security questionnaire has 150-400 questions. This checklist covers the 60 most-asked. If you can answer yes to all of these, you can sell to enterprise.

For: Startups preparing for enterprise security review

Governance

  • SOC 2 Type 1 (or Type 2 if asked) [critical]
  • Privacy Policy + ToS + DPA published
  • Named CISO / Security Owner
  • Security policies signed

Access

  • MFA enforced on every admin account [critical]
  • SSO offered to enterprise
  • Access reviews quarterly
  • Offboarding revokes access same-day

Data

  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.2+)
  • Data-at-rest keys rotated
  • Customer data segregated by tenant

Development

  • Secure SDLC documented
  • Every PR security-reviewed (Securie or equivalent)
  • Dependency scanning on every build
  • Pre-deploy gate

Operations

  • Logging + SIEM
  • Incident response playbook + test
  • Business continuity / DR documented
  • Vendor risk management for sub-processors