Security Questionnaire Requirements by Deal Size: What to Expect at $10K, $50K, $100K, and $500K+ ACV

The depth of a security review is remarkably predictable by deal size. Here's exactly what to expect at each ACV tier, with readiness checklists so you can prepare before the questionnaire hits your inbox.

Neil Cameron · Security Questionnaires · 17 min read

Key Takeaways

  • Security review depth scales predictably with deal size: a $10K buyer runs a 10-30 question checkbox, while a $500K+ buyer runs a 300-500+ question gauntlet with live architecture reviews.
  • The jump between tiers is exponential, not linear. A $50K deal can require five to ten times the effort of a $10K deal, not twice.
  • Evidence expectations escalate fast: self-attestation at $10K, SOC 2 Type I at $50K, SOC 2 Type II at $100K, and SOC 2 Type II + ISO 27001 at $500K+.
  • Once you cross $50K ACV with any regularity, manual answering breaks down. You need a single source of truth and a repeatable system, not a Google Doc you copy-paste from.
  • Each tier below ends with a readiness checklist so you can honestly assess whether your team is prepared to sell at that price point.

You Can Predict the Security Review Before It Hits Your Inbox

If you have ever been two weeks from closing a deal and then received a 250-question spreadsheet from procurement, you already know the pain. The truth is, the depth of a security questionnaire by deal size is remarkably predictable. Buyers at $10K ACV run a different playbook than buyers at $500K ACV, and if you know what to expect at each tier, you can prepare before the deal is on the line instead of scrambling after.

This guide breaks it down tier by tier: the types of assessments you will face, the certifications and evidence buyers expect, realistic timelines for completing the review, and the internal resources you will need. At the end of each section, there is a readiness checklist so you can honestly assess whether your team is prepared to sell at that price point.

No theory. No hand-waving. Just what you are actually walking into.

How Security Review Complexity Scales With ACV

Before we get into the tiers, it helps to see the pattern at a glance. The vendor assessment by contract value follows a fairly consistent curve across B2B SaaS:

For each ACV range: typical assessment type, question count, evidence required, and typical review cycle.

  • $10K: Google Form or short custom questionnaire; 10-30 questions; evidence: self-attestation, privacy policy; review cycle: 1-3 days
  • $50K: SIG Lite, HECVAT Lite, or vendor risk platform; 50-150 questions; evidence: SOC 2 Type I or letter of intent, pen test summary; review cycle: 1-3 weeks
  • $100K: Full SIG, HECVAT, or CAIQ; 150-300 questions; evidence: SOC 2 Type II, pen test report, BCP/DR plans; review cycle: 3-6 weeks
  • $500K+: Custom enterprise questionnaire plus architecture review; 300-500+ questions; evidence: SOC 2 Type II + ISO 27001, architecture diagrams, on-site or live review; review cycle: 6-12 weeks

The jump between each tier is not linear. It is exponential. A $50K deal does not require twice the work of a $10K deal. It can require five to ten times the effort. Understanding what security questionnaire to expect at each stage lets you plan resources, set expectations with your sales team, and avoid stalled pipelines. (If you want a deeper primer on the assessment types themselves, see our complete guide to vendor risk assessment questionnaires.)

$10K ACV: The Lightweight Check

What Buyers Typically Send

At this price point, you are usually selling to small or mid-size companies with lean (or non-existent) security teams. Their “security review” is often a procurement checkbox, not a deep assessment.

Expect:

  • A short Google Form or Typeform with 10 to 30 questions
  • A basic custom questionnaire in a Word document or email
  • Occasionally, a simple third-party risk platform like Whistic or SafeBase where you can publish a trust profile

The questions are broad: “Do you encrypt data at rest and in transit?” “Where is customer data stored?” “Do you have a privacy policy?” There is rarely follow-up or challenge on your answers.

Evidence and Certifications Expected

Buyers at this level generally do not require formal certifications. They want to see:

  • A published privacy policy
  • A basic security page on your website
  • Self-attestation that you follow reasonable security practices
  • Possibly a link to your subprocessor list if GDPR is relevant

Having a SOC 2 at this stage is a bonus, not a requirement. Most buyers at $10K ACV will accept a clear, honest description of your security posture.

Timeline

1 to 3 days. Often you can turn this around same-day if you have your answers organized. The buyer usually reviews within a week and rarely comes back with follow-up questions.

Internal Resources Needed

One person. Typically the CTO or a technical co-founder. At this deal size, there is no reason to involve anyone else.

Readiness Checklist: $10K ACV

  • You have a published privacy policy that is current
  • You have a security page on your website covering basics (encryption, hosting, access controls)
  • You can describe your data handling practices in plain language
  • You know where customer data is stored (region, provider)
  • You have a subprocessor list available if asked
  • Someone on your team can respond to a short questionnaire within 24 hours

If you can check all six, you are ready. Most seed-stage SaaS companies can handle this tier with minimal effort.

$50K ACV: Where It Gets Real

What Buyers Typically Send

This is the tier where most SaaS teams get caught off guard. You are selling to mid-market companies that have a dedicated security or IT risk function, even if it is just one person. They take vendor risk management seriously, and SaaS security due diligence at this deal size means a structured assessment.

Expect:

  • SIG Lite (Standardized Information Gathering questionnaire, lite version): roughly 50 to 80 questions covering governance, access control, data protection, and incident response. (For a full breakdown, see what a SIG questionnaire is and how it works.)
  • HECVAT Lite (Higher Education Community Vendor Assessment Toolkit): common if you sell to education or government-adjacent sectors, around 100 questions
  • Vendor risk platforms: buyers may ask you to complete your profile on platforms like OneTrust, Prevalent, or SecurityScorecard, which can involve uploading documents and answering standardized question sets
  • Custom questionnaires in Excel or CSV format: 80 to 150 questions, often a mashup of SIG and internal requirements

Evidence and Certifications Expected

This is where self-attestation stops being enough. Buyers at $50K ACV want proof:

  • SOC 2 Type I (at minimum): a point-in-time audit showing your controls are properly designed. If you do not have a SOC 2, expect the deal to slow down or stall. Some buyers will accept a “letter of intent” or a bridge letter from your auditor confirming you are in progress, but this is a concession, not a standard. (Not sure which report you need? Here’s SOC 2 Type 1 vs Type 2 explained.)
  • Penetration test summary: not necessarily the full report, but a summary showing you have had an independent pen test within the past 12 months and that critical findings have been remediated
  • Business continuity and disaster recovery documentation: even a lightweight version that describes your backup strategy, RTO, and RPO
  • Incident response plan: a documented plan showing who does what if something goes wrong
  • Encryption details: specifics on encryption at rest (AES-256) and in transit (TLS 1.2+), not just “yes, we encrypt”

Timeline

1 to 3 weeks. The questionnaire itself might take 2 to 5 days to complete, but the back-and-forth with the buyer’s security team adds time. Expect at least one round of follow-up questions. If you are missing a SOC 2 or pen test, add another 1 to 2 weeks for negotiation around compensating controls.

Internal Resources Needed

This is where the CTO doing everything alone starts to break. You will need:

  • The CTO or head of engineering for technical questions
  • Someone who understands your data processing and privacy practices
  • Access to your cloud infrastructure documentation (AWS, GCP, or Azure configurations)
  • Ideally, a single person who owns the questionnaire and coordinates answers from others

For a team of 15 to 40 people, this typically means 15 to 25 hours of combined effort across the team for each questionnaire.

Readiness Checklist: $50K ACV

  • You have a SOC 2 Type I report (or Type II, even better) or a letter from your auditor
  • You have a penetration test report from the last 12 months
  • You have a documented incident response plan
  • You have a business continuity or disaster recovery plan, even a lightweight one
  • You can provide encryption specifics (algorithms, key management approach)
  • You have an access control policy describing how employees access production systems
  • You have a central place where previous questionnaire answers are stored and searchable
  • Someone on your team has 15+ hours available per questionnaire without pulling them off product work

If you are missing more than two of these, you are going to feel pain at this deal size. The security review complexity by ACV at $50K is where automation stops being a nice-to-have and becomes a real operational need. A single CTO answering the same 80 questions slightly differently each time, pulling answers from memory and scattered Google Docs, is a recipe for inconsistency and delays. This is the exact stage where small teams have to rethink how they handle security questionnaires.

$100K ACV: Full Enterprise Security Review

What Buyers Typically Send

At $100K ACV, you are selling to larger mid-market or enterprise buyers with a formal Third-Party Risk Management (TPRM) program. Their security team has a process, a scoring rubric, and a threshold you need to clear before procurement will release the contract.

Expect:

  • Full SIG (Standardized Information Gathering): 18 risk domains, 150 to 300+ questions covering everything from physical security to application security to human resources
  • HECVAT Full: the complete Higher Education version, approximately 200 to 250 questions with detailed sub-questions
  • CAIQ (Consensus Assessments Initiative Questionnaire): the Cloud Security Alliance’s standard assessment, roughly 250 questions mapped to their Cloud Controls Matrix. (Here’s what CAIQ is and how to approach it.)
  • Custom enterprise questionnaires: often 200 to 400 questions, potentially including questions about your software development lifecycle, third-party dependencies, and data residency

Some buyers at this level will also require you to complete their assessment within a specific vendor risk platform and grant their security team ongoing access to your responses.

Evidence and Certifications Expected

The enterprise security review requirements at this tier are significantly more demanding:

  • SOC 2 Type II (required, not optional): a report covering a 6 to 12 month observation period showing your controls are operating effectively over time. Type I is typically not sufficient here.
  • Penetration test report (full, not summary): the complete report from an accredited third-party testing firm, including methodology, findings, severity ratings, and remediation status
  • Detailed policies: information security policy, acceptable use policy, data classification policy, change management policy, vendor management policy
  • Architecture diagrams: network architecture, data flow diagrams showing how customer data moves through your systems
  • Evidence of security training: proof that your employees complete security awareness training, with completion rates
  • SLA and uptime data: historical uptime metrics and your contractual SLA commitments
  • Insurance: cyber liability insurance certificate, often with minimum coverage amounts specified by the buyer

Timeline

3 to 6 weeks. Plan for 1 to 2 weeks to complete the questionnaire, 1 to 2 weeks for the buyer’s security team to review and score your responses, and 1 to 2 weeks for follow-up questions and remediation discussions. If the buyer flags gaps (missing policies, insufficient controls), this can extend to 8 or even 10 weeks.

For your sales team, this means the security review needs to start early in the sales cycle, not after the buyer says “we want to move forward.” If you wait until verbal agreement to begin the assessment, you are adding 4 to 6 weeks to your close timeline.

Internal Resources Needed

Multiple people across the company:

  • CTO or VP of Engineering for architecture and infrastructure questions
  • Engineering lead for SDLC, code review, and deployment process questions
  • Someone from operations or HR for physical security, onboarding, and training questions
  • Legal or the founder for data processing agreements, insurance, and contractual terms
  • A dedicated coordinator (this is critical) to manage the process, track follow-ups, and ensure consistency

Estimate 30 to 60 hours of combined effort per questionnaire at this tier. That is nearly a full work week spread across your team.

Readiness Checklist: $100K ACV

  • You have a current SOC 2 Type II report
  • You have a penetration test report (full) from the last 12 months
  • You have documented and approved policies: information security, acceptable use, data classification, change management, incident response, business continuity, vendor management
  • You can produce architecture and data flow diagrams on request
  • You have evidence of regular security awareness training for all employees
  • You have cyber liability insurance and can provide a certificate
  • You track and can report on uptime and SLA compliance
  • You have a formal change management process with evidence (pull request reviews, deployment logs)
  • You have a repeatable system for answering questionnaires, with a knowledge base of past answers that is searchable and version-controlled
  • You have a designated person who coordinates the end-to-end security review process

If you are missing more than three items, you are going to struggle at $100K ACV. Deals will stall, timelines will slip, and your sales team will start flagging security reviews as the top reason for delayed revenue. A well-maintained security questionnaire knowledge base is what separates teams that clear this tier in three weeks from teams that take eight.

$500K+ ACV: The Full Gauntlet

What Buyers Typically Send

At this level, you are selling to enterprise or large mid-market organizations with mature, well-resourced security programs. Their TPRM process is formalized, often managed by a dedicated team of analysts, and your assessment will be scored against an internal risk framework.

Expect:

  • Custom enterprise questionnaires: 300 to 500+ questions, often tailored to the buyer’s industry (financial services, healthcare, government). These frequently include questions that map to specific regulatory requirements (PCI DSS, HIPAA, FedRAMP)
  • Full SIG or HECVAT as a baseline, supplemented with additional custom sections
  • Architecture review sessions: live calls where the buyer’s security architects walk through your infrastructure, data flows, and access patterns with you. These can last 2 to 4 hours.
  • Evidence requests as a separate workstream: not just answering questions, but uploading 20 to 40 individual evidence artifacts (screenshots of configurations, policy documents, training completion logs, vulnerability scan results)
  • Ongoing monitoring requirements: some buyers will require you to maintain a profile on a continuous monitoring platform or submit to periodic reassessments

Some enterprise buyers at this tier also require a security addendum or custom contractual terms around breach notification timelines, data handling, and indemnification.

Evidence and Certifications Expected

  • SOC 2 Type II (absolutely required, no exceptions)
  • ISO 27001 certification: increasingly expected at this deal size, especially for buyers with European operations or global security programs. ISO 27001 shows you have an Information Security Management System (ISMS) that is independently certified and continuously maintained. (Deciding the order to pursue these? See ISO 27001 vs SOC 2: which to pursue first.)
  • Penetration test reports (full, from a named firm): some buyers will specify acceptable testing firms or require reports that follow specific methodologies like OWASP or PTES
  • Vulnerability management evidence: results from regular vulnerability scans, mean time to remediate by severity, patch management timelines
  • Third-party risk management: documentation of how you assess and manage your own vendors and subprocessors
  • Data Processing Agreements (DPAs) and contractual security terms reviewed by the buyer’s legal team
  • Compliance-specific certifications: depending on the buyer’s industry, you may need HITRUST, PCI DSS attestation, StateRAMP, or FedRAMP authorization
  • Architecture and network diagrams: detailed enough for a security architect to review and challenge
  • Incident response tabletop exercise results: some buyers want evidence that you have tested your IR plan, not just documented it

Timeline

6 to 12 weeks. This is not a single questionnaire. It is a multi-stage process:

  1. Initial questionnaire submission (1 to 3 weeks)
  2. Buyer security team review and scoring (1 to 2 weeks)
  3. Follow-up questions and clarification (1 to 2 weeks)
  4. Architecture review call or calls (scheduled 1 to 3 weeks out)
  5. Remediation discussion for any gaps identified (1 to 2 weeks)
  6. Final sign-off from security, then handoff to legal and procurement

At $500K+ ACV, the security review runs in parallel with legal review, and both need to clear before the deal closes. Build this into your forecast.

Internal Resources Needed

This is a team effort:

  • CTO or VP of Engineering (significant time commitment: 20+ hours)
  • Senior engineers for architecture review sessions
  • A dedicated security or compliance person (if you have one) or an external advisor
  • Legal for DPA and contract terms
  • Someone in an operational role for physical security, HR, and vendor management questions
  • A project manager or coordinator to run the process end-to-end

Estimate 60 to 120 hours of combined effort per questionnaire at this tier. For a team of 30 to 80 people, this is a meaningful resource drain, especially if you are fielding multiple enterprise deals simultaneously.

Readiness Checklist: $500K+ ACV

  • You have a current SOC 2 Type II report from a reputable auditor
  • You have ISO 27001 certification (or are actively in the certification process with a defined timeline)
  • You have a full suite of security policies, reviewed and updated within the last 12 months
  • You have detailed architecture and data flow diagrams that your engineers can present and defend live
  • You have full penetration test reports from a named, accredited third-party firm
  • You have evidence of regular vulnerability scanning and can report mean time to remediate
  • You have a formal vendor/subprocessor risk management program
  • You have cyber liability insurance with coverage levels appropriate for enterprise contracts
  • You have tested your incident response plan (tabletop or simulation) within the last 12 months
  • You have a Data Processing Agreement template reviewed by legal counsel
  • You have someone who can dedicate 20+ hours per deal to the security review process
  • You have a system for managing questionnaire responses that supports collaboration, version control, and consistent answers across multiple concurrent assessments

If you are missing more than two items, you need to invest before pursuing deals at this price point. Walking into a $500K+ sales cycle without ISO 27001 progress or tested IR plans will result in a stalled deal or a lost one.

The Pattern You Should Notice

Look at the resource requirements across these tiers:

For each ACV tier: hours per questionnaire, typical number of concurrent deals, and total hours per quarter.

  • $10K: 2-4 hours per questionnaire; 5-10 concurrent deals; 10-40 hours per quarter
  • $50K: 15-25 hours per questionnaire; 3-5 concurrent deals; 45-125 hours per quarter
  • $100K: 30-60 hours per questionnaire; 2-4 concurrent deals; 60-240 hours per quarter
  • $500K+: 60-120 hours per questionnaire; 1-3 concurrent deals; 60-360 hours per quarter

At $10K ACV, one person can handle questionnaires as a side task. At $50K and above, you are talking about hundreds of hours per quarter. That is product velocity you are not getting back. Features that do not ship. Bugs that sit in the backlog. Candidates you do not have time to interview. We break this down in detail in the real cost of manual security questionnaire responses.

The math is straightforward: once you cross the $50K ACV threshold with any regularity, you need a system. Not a Google Doc with answers you copy-paste from. Not a shared drive where version three and version seven of the same answer coexist. A system that stores your policies, generates accurate answers grounded in those policies, cites the exact source, and lets you review and approve instead of writing from scratch every time. The 5-layer response stack is a useful framework for what that system needs to cover.

How to Use This Guide

If you are a CTO or technical founder: use the readiness checklists to evaluate where you stand right now. If your pipeline has deals at a tier you are not ready for, you have two options: invest in readiness before the questionnaire arrives, or accept that those deals will take longer and may not close.

If you lead sales or revenue: share the timeline estimates with your team. Security reviews are not a “quick thing at the end.” At $100K+ ACV, they need to start in the first half of the sales cycle. Build them into your forecast and your deal stages.

If you are scaling from one tier to the next: this is where preparation pays off most. Going from $10K to $50K deals means you need a SOC 2, a pen test, and a way to handle 100+ question assessments without your CTO disappearing for a week. Going from $50K to $100K means policies, architecture docs, and a repeatable process. Going from $100K to $500K+ means ISO 27001, a tested IR plan, and a team that can handle live architecture reviews.

Stop Scrambling. Start Preparing.

Every hour you spend scrambling to answer a questionnaire you did not anticipate is an hour you are not spending on closing deals, shipping product, or building your team.

ResponseHub was built for exactly this progression. Upload your policies, and AI generates draft answers grounded in your actual documentation, with citations to the exact page, section, and sentence. Your team reviews and approves instead of writing from scratch. Whether you are handling your first SIG Lite at $50K ACV or fielding three concurrent enterprise assessments at $500K+, you work from the same system, the same source of truth, and the same consistent answers.

Get started in under 5 minutes. No sales call needed. Completely self-serve, free trial, try it right now.
