The security questionnaire that kills offshore deals.
Enterprise buyers hand offshore agencies a SIG or CAIQ and quietly disqualify half of them inside the first ten answers. Here is which questions actually decide the memo, which are theater, and what a substitute for SOC 2 looks like when the agency does not have one yet.
Somewhere in the second week of every mid-market and enterprise engagement, a security analyst emails your champion a spreadsheet. It is 200 to 900 rows, it has a version number in the filename, and it is either the SIG Lite from Shared Assessments or a CAIQ from the Cloud Security Alliance. The champion forwards it to the offshore agency at 5pm on a Friday and says "any chance we could turn this around by Wednesday."
The agency's founder opens it, scrolls for a minute, closes it, and books a call with the buyer's champion for Monday to say "we're happy to fill this out but we'll need some help understanding a few things." That call is where the deal usually dies. Not because the agency is insecure — most of them are running a perfectly sensible operation. Because the vocabulary mismatch reads as immaturity, and immaturity on a security questionnaire is what the procurement memo remembers.
Which questions actually decide the memo
The security analyst is not reading all 400 rows. She is reading about thirty of them, and everything else is present so that the ones she cares about are legally defensible when she signs the memo. The thirty rows are, roughly: written security policy dated within the last year, background checks on staff with access to customer systems, MFA on all admin surfaces including source control, encryption at rest and in transit with a named cipher, incident response runbook with a named on-call, backups with a tested restore date, subcontractor and subprocessor list, access review cadence, offboarding checklist that revokes credentials inside 24 hours, and a data residency answer that is a place name and not a paragraph.
Every one of these has a one-line answer if the agency's ops discipline is in order. Every one of them has a five-paragraph explanation if it is not. The security analyst is scanning for one-line answers. Five-paragraph explanations are how she decides which row to escalate to the CISO's team, and rows that get escalated are how mid-market deals become nine-month enterprise procurement cycles.
What a substitute for SOC 2 actually looks like
Most offshore agencies at the sub-100-person size do not have SOC 2 Type II. Some are working toward Type I. Most are not going to have either inside the buyer's decision window. The instinct is to answer the SOC 2 row with "in progress" or "planned Q3," and that answer is fine for a startup buyer and fatal for anyone with a legal or compliance department.
The substitute the buyer's security team will actually accept, in writing, is: a named framework being followed (ISO 27001 controls, NIST CSF, or the CIS Top 18), a most-recent penetration test report from a reputable third party dated inside the last 12 months, a cyber liability insurance certificate naming coverage limits, and a signed attestation from the agency's principal that the twelve or so control areas above are being enforced. That package will not clear a bank. It will clear most SaaS mid-market procurement teams, and it will hold the deal open long enough to complete the actual SOC 2 during onboarding.
The rows that are theater, and the rows that are traps
About 40 percent of a SIG is theater — questions inherited from prior industries, questions that apply to on-prem software vendors and not consultants, questions about physical data center security when the agency uses AWS. Answer these with "not applicable, provider inherits" and move on. Do not spend two hours writing a paragraph.
The traps are the rows that look like theater and are not. Two examples: any question about "customer data" residency when your engineers pull production dumps to laptops for debugging (that is customer data leaving the residency zone, and the honest answer is not the one you want to write). And any question about subcontractors when you occasionally hand a task to a freelancer through your network (that freelancer is a subprocessor and needs to be on the list, and the buyer's legal team will find out at contract review whether or not you disclosed it).
The eight rows to fix before you send the response
Written security policy — one document, one page is fine, dated inside the last 12 months, signed by a principal. Background checks — a stated policy plus evidence for the staff who touch this specific engagement. MFA — enforced on source control, cloud consoles, and email; screenshot the settings. Encryption — cipher names (AES-256, TLS 1.2+), not "industry standard." Incident response — a runbook with names in it and a phone tree. Backup restore — a date and a description of what was restored, not just a policy. Subprocessor list — including the freelancer network, the cloud provider, the email provider, the code hosting. Offboarding — the checklist itself, redacted if needed, showing credentials revoked in under 24 hours.
If those eight rows are one-liners and the rest of the sheet is filled out consistently, most security teams will sign off. If any of the eight are missing, the memo writes itself in a direction you cannot recover from.
- 01The security analyst reads about thirty rows out of 400. Everything else is present for legal defensibility, not for evaluation.
- 02SOC 2 substitute: a named framework, a recent pen test, cyber liability coverage limits, and a signed control-area attestation. This clears most SaaS mid-market procurement teams.
- 03About 40 percent of the SIG is theater. Answer "not applicable, provider inherits" and move on. Do not write paragraphs.
- 04The traps: production data on laptops (that is customer data leaving residency) and freelancers-as-subprocessors (they belong on the list).
- 05Eight rows carry the memo: policy, background checks, MFA, encryption ciphers, IR runbook, tested backup restore, subprocessor list, offboarding SLA. Fix these first.
Get vetted. Get listed. Get the paper that survives the memo.
Twelve-minute intake, three-day turnaround. A passing scorecard is the shortest path from a good deck to a serious shortlist.