Deal & contract office · Module 5 of 7
The questionnaire that froze your deal in procurement, answered.
Your first real enterprise client asks for a security questionnaire and the deal stops moving until it comes back. SIG, CAIQ, SOC 2, ISO 27001, NIST, HECVAT — or the 200-row spreadsheet their vendor-risk team invented. Morthn answers it from your approved facts, composed per question rather than pasted, and flags every question your real facts do not cover instead of inventing something plausible.
What this module does
Four capabilities that show up in week one.
01
Composed per question, not pasted
The same control gets asked six different ways across six frameworks. A pasted answer that does not quite address the question in front of it reads as evasive to a reviewer, and evasive is how a vendor-risk review turns into a second round. Each answer is composed against the specific question from your underlying fact base.
02
One fact base, every framework
Your policies, architecture, controls, sub-processors, incident history and certifications get captured once in onboarding, then mapped across SIG, CAIQ, SOC 2, ISO 27001, NIST 800-171 and CSF, HECVAT, and whatever bespoke spreadsheet arrives next.
03
Flags what is not covered
Where a question is not covered by a fact you actually gave us, it comes back as needing input. It is never answered plausibly. A confident wrong security answer is a lost deal at best and a misrepresentation at worst — and it gets found in the audit, not in the questionnaire.
04
Surfaces the gap before the reviewer does
The questions you cannot answer are a roadmap. You get them as a ranked list: the controls that keep blocking enterprise deals, in the order they keep blocking them. Most teams have three, and have never seen them written down together.
How it works
Onboarding builds the fact base: what you actually run, what you actually enforce, what you are actually certified for, and — just as important — what you are not. When a questionnaire lands, Morthn maps every question to that fact base and composes an answer per question, returned in the buyer's own format. Anything not covered by a real fact comes back as a short flagged list for you. You review and submit. A real person on our side owns the turnaround, because what you are actually buying is the deal unfreezing this week rather than next quarter.
Integrates with
Compliance + guardrails
Nothing is fabricated, ever. If you are not SOC 2 certified, no answer will imply that you are. If a control is not implemented, the answer says so or the question comes back for input. Morthn will not answer a question about a control you have not told us exists. Every answer carries a source back to the fact that produced it, so when a reviewer pushes on one you can show where it came from. Misrepresenting a security posture to an enterprise buyer is a contractual and legal exposure, not a growth hack.
Tier availability
Available on every tier
FAQ
Common questions about Security Questionnaires.
We are not SOC 2 certified. Is this useless to us?
No — and pretending otherwise is the exact failure mode we are guarding against. Plenty of questionnaires are answerable honestly by a company without a formal certification, and buyers routinely accept compensating controls when they are described precisely. What loses the deal is a bluff that unravels, or a two-month silence.
How long does a questionnaire take?
A standard SIG Lite or CAIQ typically comes back within a few business days of intake, once the fact base exists. Building the fact base is the real work; after that, each new questionnaire is mostly mapping.
Can you fill in the buyer's portal for us?
We complete their spreadsheet or template natively. Portals vary — some accept a bulk import, some require a human to key it in. Where a portal has no import path we hand you a paste-ready answer set in the portal's own question order.
The rest of the deal & contract office
⏳
Deadlines & Obligations
⏰
Renewals & Notice Windows
⚖
Commission Reconciliation
✎
Proposals & RFPs
⊘
Bid / No-Bid Qualification
◎
Marketplace Account Health
Module 13 of 15 in the Morthn operating layer · See all 15