Most SaaS InfoSec teams hit the questionnaire wall around customer ten. Before that, every SAQ is bespoke and someone in compliance writes it from scratch. After it, every SAQ is mostly the same fifty questions, but the team is still writing each one from scratch because nothing was ever properly indexed.
The fix is not a bigger template. The fix is a real evidence library, indexed by control rather than by document, with every claim sourced. This piece is the practical playbook for building one.
Start with the controls, not the questionnaires
The instinct is to copy your last submitted SAQ and call it a library. Do not. The questionnaire format is downstream of the actual controls you operate. Start with the controls themselves: every Annex A control in ISO 27001 (or every CC-series control if you live in SOC 2 land), every commitment in your Data Processing Agreement, and every security claim you make on your website or in your sales pitch.
For each control, capture three things:
- The statement. One sentence in plain English describing what you do. Not the policy heading, not the standard's text, but the actual operational description.
- The evidence. The specific document, log export, screenshot or ticket that proves the statement is true. Cite the section number.
- The freshness date. When was this last validated? Evidence rots, and the freshness date is the most important field in the library.
This structure is the library. Everything else (questionnaire responses, audit evidence packs, customer security pages) is a view onto it.
Map the questions you actually get asked
Pull the last twenty questionnaires you have answered. List every distinct question. Cluster the variants. You will end up with about eighty distinct questions, which feels manageable.
For each clustered question, link it to one or more controls in your library. The question "how do you encrypt data at rest" maps to your encryption control plus your key management control. The question "describe your incident response process" maps to your IR control plus the link to your runbook.
This mapping is the asset. Once it exists, any new question that matches an existing cluster is a retrieval, not an authoring task.
Treat evidence as living, not static
The biggest reason questionnaire libraries decay is that the source evidence moves on. The SOC 2 report is replaced annually. The pen-test provider changes. The encryption library upgrades. A library that does not track this becomes a liability faster than a benefit.
Two practical moves:
- Set a freshness threshold per control type. Penetration test results are stale after twelve months. Cloud provider attestations are stale after their next reissue. A policy is stale once the version date is more than eighteen months old.
- Schedule a quarterly review where someone walks the library, checks the freshness dates, and either refreshes the evidence or marks the answer as requiring rewrite. Thirty minutes a quarter beats six hours when an enterprise SAQ lands.
Separate "what we do" from "what we say we do"
A library that only contains the externally facing claims is a marketing artefact, not a security artefact. Capture the operational truth alongside the customer-facing statement.
For each control, hold the internal description and the external description separately. The internal description is what the engineering team actually does. The external description is the language you use with prospects. They should be aligned, but they will not always be word-for-word identical, and the library should be honest about which is which.
Auditors care about the internal description. Prospects care about the external one. Both come from the same source.
Make retrieval the work, not authoring
Once the library exists, the average SAQ should be 80 to 90 per cent retrieval. A new question lands, the library returns the matching controls, and drafted answers come back with the source attached. InfoSec reviews the 10 per cent that genuinely needs novel thinking.
Two principles for retrieval:
- Always attach the source. A drafted answer without a citation back to the controlling evidence is a future audit problem.
- Flag the gaps. If a question has no matching control in the library, that is an output to triage, not a failure of the system. Either the control exists but is not yet indexed, or it does not exist and that is a useful thing to know.
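As an added example (not code from the article or from Bidwell), here is a minimal Python model of the library described above: each control carries its statement, cited evidence and freshness date; clustered questions map to control ids; retrieval returns a draft with sources attached, flags a gap when no control matches, and marks the answer for rewrite when evidence has passed its freshness threshold; and a quarterly review walks the library for stale items. The sample controls, dates, and the 365-day window for cloud attestations are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Freshness thresholds in days, per evidence type. Pentest (12 months) and policy (18 months)
# follow the article; attestations are stale "after their next reissue", so 365 days is an assumed proxy.
FRESHNESS_DAYS = {"pentest": 365, "policy": 548, "attestation": 365}
TODAY = date(2025, 1, 10)  # constructed review date so results are reproducible

@dataclass
class Control:
    control_id: str
    statement: str      # one-sentence operational description
    evidence: str       # document and section number that proves the statement
    evidence_type: str  # key into FRESHNESS_DAYS
    validated_on: date  # the freshness date

    def is_stale(self, today: date = TODAY) -> bool:
        return today - self.validated_on > timedelta(days=FRESHNESS_DAYS[self.evidence_type])

@dataclass
class Library:
    controls: dict[str, Control]
    question_map: dict[str, list[str]]  # clustered question -> control ids

    def answer(self, question: str, today: date = TODAY) -> dict:
        # Retrieval: matched controls become the draft, each with its source; no match is a gap to triage.
        ids = self.question_map.get(question.strip().lower())
        if ids is None:
            return {"status": "gap", "question": question, "sources": []}
        hits = [self.controls[i] for i in ids]
        stale = [c.control_id for c in hits if c.is_stale(today)]
        return {"status": "rewrite" if stale else "retrieve",
                "draft": " ".join(c.statement for c in hits),
                "sources": [c.evidence for c in hits], "stale": stale}

    def quarterly_review(self, today: date = TODAY) -> list[str]:
        return [c.control_id for c in self.controls.values() if c.is_stale(today)]  # needs refresh or rewrite

def build_sample_library() -> Library:
    # Constructed sample controls and question clusters, not a real organisation's library.
    controls = {
        "ENC-01": Control("ENC-01", "Customer data at rest is encrypted by the cloud provider's storage service.", "Encryption Standard v2 §3.1", "policy", date(2023, 1, 15)),
        "KMS-01": Control("KMS-01", "Encryption keys are held in the provider KMS and rotated annually.", "Key Management Standard v1 §2", "policy", date(2024, 6, 1)),
        "PT-01": Control("PT-01", "An external penetration test is run annually against production.", "Penetration Test Report 2024 §1", "pentest", date(2024, 3, 10)),
    }
    question_map = {"how do you encrypt data at rest": ["ENC-01", "KMS-01"],
                    "describe your penetration testing programme": ["PT-01"]}
    return Library(controls, question_map)
```

Running `build_sample_library().answer("how do you encrypt data at rest")` returns both sources but flags ENC-01 as stale, since its policy was last validated more than eighteen months before the review date.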
Where Bidwell fits
Bidwell is the drafting layer on top of an evidence library structured this way. You bring the controls, the policies and the certificates. Bidwell indexes them, maps each incoming questionnaire question to the right controls, and drafts the response with the source attached. New SAQs go from days to hours. Gaps are surfaced as a clean list with the question context attached, so the right person answers once and it lands in the library.
The same library that fills security questionnaires also fills the security and risk sections of public sector tenders, the supplier sections of customer DDQs, and the evidence pack for your next ISO surveillance audit. Build it once, run it everywhere.
If you are mid-cycle on a renewal and the next SAQ is sitting in your inbox, the practical first move is to do the controls inventory. The questionnaire after that one will pay for the work in the time it saves.