Compliance
What law firms should expect from supplier security questionnaires
Why clients now send law firms detailed security questionnaires, what they typically ask, the answers that win and lose confidence, and how to turn a recurring chore into a standing evidence pack.
Supplier security questionnaires have become a routine part of winning and keeping corporate clients, and law firms feel this more sharply than most because of the sensitivity of what they hold. A questionnaire that lands without warning, often with a tight deadline attached to a panel review or a live matter, is really the client's own regulator asking a question through them. Treating it that way, and preparing for it, turns a recurring scramble into a competitive advantage.
Why this is happening now
Corporate clients, particularly in financial services, are under their own obligations to understand and manage the security of their critical suppliers. FCA operational-resilience expectations and, for EU-facing business, DORA both require companies to assess the third parties they depend on. A law firm holding deal data, litigation files or personal data is squarely a supplier that must be assessed.
So the questionnaire is not box-ticking for its own sake. It is the visible end of a regulatory chain, and the client's procurement or risk team is judged on how rigorously they apply it. Vague answers do not just risk the questionnaire; they risk the relationship.
What the questionnaire typically asks
Most serious questionnaires cluster around the same themes:
- Certifications held: Cyber Essentials, Cyber Essentials Plus, ISO 27001, and any sector-specific standards.
- Access control: multi-factor authentication, least-privilege access, and how leavers are handled.
- Data protection: encryption at rest and in transit, and how client data is segregated.
- Backup and recovery: whether backups are isolated, tested, and how quickly the company could recover.
- Incident response: the plan, breach notification timelines, and whether it has been exercised.
- People: security awareness training and phishing-test results.
- Sub-suppliers: how the company manages its own third parties, including cloud and IT providers.
The trend is from attestation to evidence. "Yes, we have MFA" is increasingly met with "show us the policy".
The answers that win and lose confidence
Confidence is won by specificity and evidence. A questionnaire that says "ISO 27001 certified, certificate attached; MFA enforced for all users via conditional access; backups immutable and restore-tested quarterly, last test March 2026" reads as a company that has its house in order.
Confidence is lost by vagueness and over-claiming. "We take security very seriously" with no specifics reads as a company that has not done the work. Claiming controls you cannot evidence is worse: if the client audits, or if an incident later contradicts the answer, the reputational and contractual damage exceeds anything the honest "in progress" answer would have caused.
Turn the chore into a standing evidence pack
Because questionnaires overlap heavily, the efficient approach is to maintain a reusable pack rather than answer each one cold:
- Current certificates (Cyber Essentials Plus and, where held, ISO 27001).
- A one-page security overview written for a non-technical reviewer.
- Your core policies: information security, data protection, incident response, business continuity.
- A maintained answer bank for the questions that recur.
Maintained well, this turns each new questionnaire from a week of internal chasing into an afternoon of tailoring. A recognised certification does even more, letting you answer whole sections by reference instead of paragraph by paragraph.
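One practical way to keep such a pack "current" rather than assembled in a panic is to record, for each item, when it was last evidenced and how old it may be before a reviewer would discount it, then check the pack before any questionnaire goes out. The script below is an added example, not code from this page or from the consultancy behind it; the items, dates and refresh cadences in the sample pack are constructed for illustration (the quarterly restore-test cadence follows the example answer above, the annual cadences are assumptions), and a real firm would substitute its own.

```python
"""Freshness check for a law firm's standing evidence pack (added example).

Each piece of evidence carries the date it was last produced and the
maximum age a questionnaire reviewer is assumed to accept. The report
lists what is already stale and what falls due within a warning window,
so gaps are closed before the client's deadline rather than against it.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class EvidenceItem:
    name: str             # what goes in the pack
    theme: str            # questionnaire theme it answers
    last_evidenced: date  # certificate issue date, test date, or policy review date
    max_age_days: int     # evidence older than this is treated as stale (assumed cadence)

    def expires_on(self) -> date:
        return self.last_evidenced + timedelta(days=self.max_age_days)


def status_of(item: EvidenceItem, today: date, warn_days: int = 30) -> tuple[str, int]:
    """Return (status, days_left); a negative days_left means already stale."""
    days_left = (item.expires_on() - today).days
    if days_left < 0:
        return "stale", days_left
    if days_left <= warn_days:
        return "due soon", days_left
    return "current", days_left


def readiness_report(pack, today: date, warn_days: int = 30) -> dict:
    """Group items by status; within each group the most urgent item comes first."""
    report = {"stale": [], "due soon": [], "current": []}
    for item in pack:
        status, days_left = status_of(item, today, warn_days)
        report[status].append((item.name, item.theme, days_left))
    for entries in report.values():
        entries.sort(key=lambda entry: entry[2])
    return report


# Constructed sample pack: names, dates and cadences are illustrative only.
SAMPLE_PACK = [
    EvidenceItem("Cyber Essentials Plus certificate", "certifications", date(2025, 6, 1), 365),
    EvidenceItem("ISO 27001 surveillance audit report", "certifications", date(2025, 9, 15), 365),
    EvidenceItem("Backup restore test record", "backup and recovery", date(2026, 2, 1), 92),
    EvidenceItem("Information security policy (annual review)", "policies", date(2025, 1, 20), 365),
    EvidenceItem("Phishing simulation results", "people", date(2026, 1, 15), 182),
    EvidenceItem("Incident response tabletop exercise", "incident response", date(2025, 4, 1), 365),
]

if __name__ == "__main__":
    as_of = date(2026, 4, 20)  # constructed "today" for the sample run
    for status, entries in readiness_report(SAMPLE_PACK, as_of).items():
        print(f"{status.upper()}:")
        for name, theme, days_left in entries:
            print(f"  {name} [{theme}] ({days_left:+d} days)")
```

Run on the sample date, the report flags the policy review and the incident response exercise as stale and the restore test as due within the month, which is exactly the list a firm wants to see weeks before a questionnaire lands, not after it. Extending the pack is a matter of adding items; the refresh window is the one value that should be agreed with whoever owns each control.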
Where certification fits
If large or regulated clients repeatedly ask, ISO 27001 answers most of a serious questionnaire by itself and signals a managed programme. For lighter demands, Cyber Essentials Plus is often sufficient. Either way, keeping the evidence current through continuous compliance means the pack is ready when the questionnaire arrives, not assembled in a panic against the client's deadline. We deliver certification through certified assessment partners and keep the evidence audit-ready in between.
For the sector context behind this, see our work with law firms. If a questionnaire is on your desk now, book a 30-minute call and we will help you answer it honestly and close any gaps it exposes.
Frequently asked
Questions readers ask before getting in touch.
- Because the company is now part of the client's supply chain risk. Corporate clients, especially in financial services, are under their own regulatory obligations (such as FCA operational resilience and DORA) to assess the security of their critical suppliers. A law firm holding sensitive deal or litigation data is exactly the kind of supplier they must check, so the questionnaire is really their regulator's question passed down the chain.
- Common themes are certifications held (Cyber Essentials, Cyber Essentials Plus, ISO 27001), access controls and multi-factor authentication, encryption of data at rest and in transit, backup and recovery, incident response and breach notification, staff security training, and how the company manages its own sub-suppliers. Increasingly they ask for evidence, not just yes or no answers.
- Maintain a standing evidence pack: current certifications, a short security overview, your key policies, and answers to the questions that recur. Most questionnaires overlap heavily, so a maintained pack turns each new one from a week of scrambling into an afternoon of tailoring. ISO 27001 or Cyber Essentials Plus also lets you answer whole sections by reference.
- If large or regulated clients repeatedly ask for it, yes. ISO 27001 answers the majority of a serious questionnaire by itself and signals a managed security programme rather than ad hoc controls. For smaller companies or lighter questionnaires, Cyber Essentials Plus is often enough. The right answer depends on who is asking and how often.
Talk to us
Want to talk through how this applies to your company?
A 30-minute call with a senior advisor. No pitch. We will read your situation against what is in this piece and tell you the smallest sensible next step.