How to Reply to a Request for Information (RFI) Request | A Practical Guide


You’ve gone through the rigorous process of completing your SOC 2 certification. Your policies are thorough, you have airtight procedures, your staff is sufficiently trained, and if anybody so much as sneezes around your datacenter you’ll know about it before someone says, “Gesundheit!”

It’s time to kick back in your chair, throw your feet up on the desk and relax, right? But what if a customer sent over an RFI (Request For Information) this afternoon? Would you and your team panic, or be able to respond calmly, wholly and confidently?

First of all, try not to panic. While it’s perfectly natural to feel that your first RFI is an attempt to air your dirty laundry, it doesn’t do you any good to get your mind spinning at full speed on unproductive thoughts and assumptions. One of the reasons you achieved SOC 2 in the first place was so your organization could respond to these types of requests. Take a deep breath - you’ve got this. Once your blood pressure is back to a reasonable level, start by looking at the RFI itself and ask yourself some questions:

  • What exactly is this RFI asking for? Customers are often just doing their due diligence when they ask you security-related questions, but those questions often come in the form of an overly broad template someone found on the Internet and forwarded to you. In other words, customers might not really know what they’re asking for, and it’s hard to blame them, since there is no standard questionnaire and no consortium that maintains one (though the Vendor Security Alliance questionnaire is worth a look). So you might need to shoot back an email to your customer or set up a quick call to clarify the basis and intent of the RFI before responding in full.
  • Can I limit the scope and/or push back at all? Definitely. Because the RFI may be broad or overreaching, look for opportunities to limit the information you share. For example, sharing your revenue level or the names on your cap table is an unreasonable request. You can also withhold information about your technical infrastructure that you regard as confidential. In general, don’t be afraid to push back on requests that feel unusual.
  • Who else will this information be shared with? Remember that while you make serious efforts to handle any customer information carefully, the responses you provide to an RFI may not be treated as carefully. Write your responses as if they will immediately go on the front page of someone else’s Web site.
  • Can I template this for next time? You might spend hours writing and editing your first RFI response, so keep a copy of it handy. Next time you might be able to respond with a slightly tweaked boilerplate and save time.

As you prepare the responses to your customer’s request, take another look at your policies and see if they need some tuning. Many organizations, when they first sit down to write these policies, create them with only their internal staff in mind - a policy might contain some lighthearted language or an inside joke to make it more fun and easy to read. While those efforts certainly help in getting people to read your policies, they won’t do you any favors when it comes to an RFI. Ultimately, your customers will read these policies, so they should be professional in tone and quality.

Also, keep in mind that these RFIs do not need to be answered “all or nothing.” It is completely acceptable to answer “no” or “not yet” to items on your customers’ questionnaires. As long as you are taking care of basic security and process hygiene, you should have a reasonable percentage of questions you can respond to positively. But do not lie or attempt to cover up gaps that exist in the environment. The goal is to show improvement over time, so maybe you are doing 40 percent of what a questionnaire asks about today, but next quarter you will be doing 60 percent. As a general rule, you don’t want to answer “yes” to all the items, nor do you want to say “no” to everything.

Receiving and responding to RFIs can get your pulse pounding. But with a set of professionally written policies and a good understanding of the information your customers need - as well as the information you should not share - you can respond to RFIs with ease. Remember to save your responses and start building boilerplates so you can respond more quickly and thoroughly to future information requests.

Need to complete SOC 2 to close a deal? strongDM speeds up the work to enforce access controls & gather evidence to deliver SOC 2 on a tight timeline. See strongDM in action with a 15-minute demo or give it a test drive yourself with a free, 14-day trial.

To learn more on how strongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security in short, 7-minute chunks.
