Supplier Security Questionnaire Tool: answer a vendor questionnaire with confidence
Free supplier security questionnaire. Covers data handling, access controls and compliance. Score your vendors and flag high-risk suppliers in minutes.
It is a set of questions a customer or tender sends before they trust you with their data or systems, covering how you protect information, who can access it, and how you would respond to an incident. This tool helps you draft structured answers, anchored to standards buyers recognise.
No. It produces a clear, honest draft anchored to recognised standards. Whether you pass depends on your actual controls and the buyer's bar. Treat it as a starting artefact, not a result.
Not always, but many buyers ask for it. Central government contracts handling personal information or certain ICT services have required suppliers to demonstrate cyber security controls since 2014. PPN 09/14 was superseded by PPN 09/23 (December 2023), which moved to a risk-proportionate model. Cyber Essentials is a recognised way to evidence those controls, but the current expectation is proportionate cyber security rather than a blanket certification mandate. If you do not hold CE, the draft says so honestly and offers a route to certify.
Cyber Essentials is a focused UK government-backed scheme covering five technical controls, overseen by the NCSC and delivered through IASME. ISO/IEC 27001 is a broader international standard for an information security management system. Buyers may ask for either or both.
No. Where you answer no or not sure, the draft flags a gap and prompts you to be honest rather than inventing a claim. Overstating a control in a tender can become a binding commitment you may breach.
Your inputs generate the draft on screen and are not sent anywhere until you choose to continue. We capture only your name, work email and company so we can follow up once with anything that would help your bid. We do not sell or pass on your data.
Yes, and you should. Every answer is a draft to make true for your business, with the evidence to attach named under it. Copy it out and tailor it before you send anything.
Typically certificates, an information security policy, access and backup records, training records, and an incident response plan. The tool lists the evidence each answer should point to.
Only 14% of UK businesses review their immediate suppliers' cyber risk, according to the 2025 Cyber Security Breaches Survey, so the ones sending you a questionnaire are the more security-mature, higher-value customers. A solid answer protects the relationship.
No. It is a free drafting aid. It is not a certification, an audit, or legal advice. If you need to certify, or want a reviewed response for a major bid, Starkhorn provides independent advisory support.