A security questionnaire with four hundred questions in length isnt appropriate or necessary. There is a difference between a full audit and trying to determine security controls. There should be a more standardized, reasonable, streamlined process to do so, says John Defterios. Some companies have opted to push this function out to a third party to deal with it, but in my experience, working through a. third party makes an already lengthy and frustrating process substantially longer as you now have to work through even more people who may lack the proper context.”]
Source: https://www.csoonline.com/article/3257227/the-security-questionnaire-conundrum.html