Security Questionnaires
Security Questionnaires turn painful procurement paperwork into a few minutes of review. Upload a questionnaire (SIG, CAIQ, or a custom spreadsheet); graph8 extracts the questions, matches them against your approved answer library, and drafts responses. You review and ship.
Why This Exists
A single security questionnaire can have 150–400 questions. Teams spend 8–40 hours per questionnaire manually copying answers from old questionnaires, security policies, and runbooks. This module reduces that to 30–90 minutes of review.
How It Works
- Go to Studio → Security Questionnaires → New Questionnaire
- Upload the questionnaire file (XLSX, DOCX, or PDF)
- graph8 parses it — extracts every question, section, and expected answer format
- AI matches each question against your approved answer library
- Review the drafted answers
- Export the completed questionnaire; XLSX and DOCX uploads can be exported in the format you uploaded (PDF uploads export as XLSX or DOCX)
Supported Formats
| Format | Notes |
|---|---|
| XLSX | Most common — questionnaires with rows of questions. Output preserves original formatting |
| DOCX | Word docs with numbered questions. Output returns a fresh DOCX |
| PDF | Read-only input; output must be XLSX or DOCX |
| Google Sheets | Import via Google Drive connection |
| SIG (Standard Information Gathering) | Native support — recognizes the standard SIG Lite and SIG Core formats |
| CAIQ (Consensus Assessments Initiative Questionnaire) | Native support |
Question Extraction
Parsing depends on format:
- Structured (XLSX) — graph8 identifies the question column, answer column, and any classification columns (category, control family, etc.)
- Semi-structured (DOCX) — detects numbered questions and preserves hierarchy
- Unstructured (PDF) — uses AI to identify question text; may require manual review for edge cases
After extraction, review the parsed questions. You can:
- Merge duplicates
- Reclassify category tags
- Mark questions as “skip” if they don’t apply
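The structured (XLSX) case above is the one that can be shown concretely. The Python below is an added illustration, not graph8's parser (this page does not describe graph8's actual heuristics): it locates the question, answer and classification columns of a sheet by inspecting cell contents, infers the expected answer format from the answer header and the question wording, and flags exact duplicates for the merge step. The sample rows, header names and keyword lists are constructed for the example.

```python
import re

# Constructed sample rows in the shape a spreadsheet reader (csv module,
# openpyxl) yields them: a header row, then one question per row.
SAMPLE_ROWS = [
    ["Ref", "Control Family", "Question", "Response (Y/N/NA)", "Comments"],
    ["A.1", "Access Control", "Do you enforce MFA for all administrative access?", "", ""],
    ["A.2", "Access Control", "Is access reviewed at least quarterly?", "", ""],
    ["D.1", "Data Protection", "Describe how customer data is encrypted at rest.", "", ""],
    ["D.2", "Data Protection", "Is data encrypted in transit using TLS 1.2 or higher?", "", ""],
    ["I.1", "Incident Response", "How quickly are customers notified of a confirmed breach?", "", ""],
    ["I.2", "Incident Response", "Do you enforce MFA for all administrative access?", "", ""],
]

# Heuristics, not a standard: words and headers that signal a question cell,
# an answer cell, a yes/no answer column, or a question needing free text.
QUESTION_WORDS = re.compile(r"^(do|does|is|are|has|have|can|describe|how|what|which|when|where|who)\b", re.I)
FREE_TEXT_WORDS = re.compile(r"^(describe|explain|list|provide|how|what|which|when|where|who)\b", re.I)
QUESTION_HEADER = re.compile(r"question|requirement|control text|query", re.I)
ANSWER_HEADER = re.compile(r"answer|response|vendor|supplier|reply", re.I)
YES_NO_HEADER = re.compile(r"y/n|yes/no|yes or no|true/false", re.I)


def question_likeness(cells):
    """Share of non-empty cells that end in '?' or start with a question word."""
    texts = [c.strip() for c in cells if c.strip()]
    if not texts:
        return 0.0
    return sum(1 for c in texts if c.endswith("?") or QUESTION_WORDS.match(c)) / len(texts)


def detect_columns(rows):
    """Locate the question, answer and classification columns of a sheet."""
    header, body = rows[0], rows[1:]
    cols = [list(col) for col in zip(*body)]
    idx = range(len(cols))

    # Question column: cells that read like questions; a matching header breaks ties.
    question = max(idx, key=lambda i: question_likeness(cols[i])
                   + (0.5 if QUESTION_HEADER.search(header[i]) else 0.0))

    # Answer column: mostly empty (not yet filled in) with an answer-like header.
    def answer_score(i):
        if i == question:
            return -1.0
        empty = sum(1 for c in cols[i] if not c.strip()) / len(cols[i])
        return empty + (1.0 if ANSWER_HEADER.search(header[i]) else 0.0)
    answer = max(idx, key=answer_score)

    # Classification columns: short values that repeat across rows (category,
    # control family). Values unique to each row are references, not classes.
    classification = []
    for i in idx:
        if i in (question, answer):
            continue
        values = [c.strip() for c in cols[i] if c.strip()]
        if values and len(set(values)) < len(values) and max(map(len, values)) <= 40:
            classification.append(i)

    fmt = "Y/N/NA" if YES_NO_HEADER.search(header[answer]) else "free text"
    return {"question": question, "answer": answer,
            "classification": classification, "expected_format": fmt}


def normalize(text):
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).strip()


def extract_questions(rows):
    """Produce the parsed question list, with duplicates flagged for merging."""
    layout = detect_columns(rows)
    header, body = rows[0], rows[1:]
    seen, questions = {}, []
    for n, row in enumerate(body, start=2):  # spreadsheet row numbers; header is row 1
        text = row[layout["question"]].strip()
        if not text:
            continue
        key = normalize(text)
        # A yes/no column still gets free text for "Describe ..." / "How ..." questions.
        fmt = "free text" if FREE_TEXT_WORDS.match(text) else layout["expected_format"]
        questions.append({
            "row": n,
            "text": text,
            "tags": {header[i]: row[i].strip() for i in layout["classification"]},
            "expected_format": fmt,
            "duplicate_of": seen.get(key),  # earlier row with the same question text
        })
        seen.setdefault(key, n)
    return questions


if __name__ == "__main__":
    for q in extract_questions(SAMPLE_ROWS):
        print(q["row"], q["expected_format"], q["tags"], q["duplicate_of"], q["text"])
```

Run against rows read with csv or openpyxl. On the sample, the Ref column is rejected as a classification column because its values are unique per row, the "Describe ..." and "How quickly ..." questions are marked free text despite the Y/N/NA answer column, and the repeated MFA question on row 7 is flagged as a duplicate of row 2.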
Answer Library
The answer library is your single source of truth for approved responses. Every time you review and approve an answer, it’s added to the library for reuse on future questionnaires.
Seeding the Library
Seed your library from:
- Previous completed questionnaires (bulk upload)
- Security documentation (policies, SOC 2 report, pen test results, ISMS docs)
- Engineering runbooks
- Compliance team’s canonical answer doc
Go to Security Questionnaires → Answer Library → Import to bulk-upload.
Library Organization
| Field | Purpose |
|---|---|
| Question pattern | The question (or paraphrased variant) this answer addresses |
| Canonical answer | The approved response |
| Alternate phrasings | Short, long, or spreadsheet-friendly variants |
| Tags | Category (access control, data protection, etc.) |
| Confidence level | High / Medium / Low — affects auto-approval thresholds |
| Last reviewed | Date the answer was last approved |
| Owner | Which team/person is accountable |
Library Governance
Answers have a review lifecycle:
- Pending review — drafted or imported, not yet approved
- Approved — ready to use
- Needs update — flagged when the review cadence elapses without re-review
- Deprecated — no longer applicable
Set review cadence at Library → Settings → Review Cadence (default: every 6 months).
Drafting Responses
Once a questionnaire is uploaded and parsed, click Draft Answers. graph8 iterates through every question and:
- Finds the best-match answer from your library
- Rewrites the answer to match the question’s format (short answer, long answer, Y/N/NA)
- Assigns a confidence score (0–100)
- Flags questions with no good match for manual review
Confidence Scoring
| Confidence | Meaning | Recommended Action |
|---|---|---|
| ≥90 | High-confidence direct match | Quick approve |
| 70–89 | Strong match with minor rewording | Review for accuracy |
| 40–69 | Partial match — some relevant library content exists | Deep review or re-answer |
| Below 40 | No good match in library | Write from scratch or reject |
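The drafting loop, the confidence bands above and the library lifecycle from Library Governance can be seen working together in one small Python example. This is added illustrative code, not graph8's matching engine: the page does not say how graph8 scores, so this version uses Jaccard overlap of normalized tokens as the 0–100 confidence, applies the bands from the table, renders Y/N/NA or short variants from the canonical answer, never selects Deprecated or Pending review entries, and flags answers whose Last reviewed date is older than the review cadence. The library entries, questions, synonym table and dates are all constructed.

```python
import re
from datetime import date

# Constructed answer library; the fields follow this page's Library
# Organization table, and every ID, answer and date here is made up.
LIBRARY = [
    {"id": "AC-001", "status": "Approved", "owner": "security", "last_reviewed": date(2025, 2, 10),
     "pattern": "Do you enforce multi-factor authentication for administrative access?",
     "answer": "Yes. MFA is required for all administrative access to production systems.",
     "short": "Yes, MFA is enforced for all admin access."},
    {"id": "DP-002", "status": "Approved", "owner": "security", "last_reviewed": date(2024, 1, 15),
     "pattern": "Is customer data encrypted at rest?",
     "answer": "Yes. Customer data is encrypted at rest using AES-256."},
    {"id": "DP-009", "status": "Deprecated", "owner": "security", "last_reviewed": date(2022, 6, 1),
     "pattern": "Is data encrypted in transit using TLS 1.2 or higher?",
     "answer": "Yes. All traffic uses TLS 1.0 or higher."},
    {"id": "DP-010", "status": "Approved", "owner": "security", "last_reviewed": date(2025, 3, 1),
     "pattern": "Is data in transit encrypted with TLS 1.2 or higher?",
     "answer": "Yes. External traffic uses TLS 1.2 or higher; TLS 1.0 and 1.1 are disabled."},
    {"id": "IR-003", "status": "Approved", "owner": "legal", "last_reviewed": date(2025, 1, 20),
     "pattern": "How quickly do you notify customers of a security incident?",
     "answer": "Affected customers are notified within 72 hours of a confirmed incident."},
]
# Constructed parsed questions, as Question Extraction would hand them over.
QUESTIONS = [
    {"text": "Do you enforce MFA for all administrative access?", "expected_format": "Y/N/NA"},
    {"text": "Is customer data encrypted at rest?", "expected_format": "Y/N/NA"},
    {"text": "Is data encrypted in transit using TLS 1.2 or higher?", "expected_format": "Y/N/NA"},
    {"text": "How quickly are customers notified of a confirmed breach?", "expected_format": "free text"},
    {"text": "Do you operate a bug bounty program?", "expected_format": "short"},
]
TODAY = date(2025, 6, 1)  # fixed "today" so the staleness check is reproducible

STOPWORDS = {"do", "does", "you", "your", "is", "are", "the", "a", "an", "of", "for",
             "to", "in", "at", "and", "or", "all", "any", "with", "how", "what", "which"}
# Small normalization table so wording differences do not sink the score.
SYNONYMS = {"mfa": ["multi", "factor", "authentication"], "2fa": ["multi", "factor", "authentication"],
            "encrypted": ["encrypt"], "encryption": ["encrypt"], "notified": ["notify"],
            "notification": ["notify"], "customers": ["customer"], "clients": ["customer"]}


def tokens(text):
    out = set()
    for word in re.findall(r"[a-z0-9]+", text.lower()):
        if word not in STOPWORDS:
            out.update(SYNONYMS.get(word, [word]))
    return out


def confidence(question, pattern):
    """Jaccard overlap of normalized tokens on the page's 0-100 scale."""
    q, p = tokens(question), tokens(pattern)
    return round(100 * len(q & p) / len(q | p)) if q | p else 0


def recommended_action(score):
    """Bands from the Confidence Scoring table."""
    if score >= 90:
        return "Quick approve"
    if score >= 70:
        return "Review for accuracy"
    if score >= 40:
        return "Deep review or re-answer"
    return "Write from scratch or reject"


def render(entry, fmt):
    """Shape the canonical answer to the question's expected format."""
    answer = entry["answer"]
    if fmt == "Y/N/NA":
        head = answer.lower()
        if head.startswith("not applicable"):
            return "NA"
        if head.startswith("yes"):
            return "Y"
        if head.startswith("no"):
            return "N"
        return None  # not mechanically reducible; the reviewer decides
    if fmt == "short":
        return entry.get("short") or re.split(r"(?<=\.)\s", answer, maxsplit=1)[0]
    return answer


def months_between(older, newer):
    return (newer.year - older.year) * 12 + newer.month - older.month


def draft(questions, library, today=TODAY, review_cadence_months=6):
    """Draft one answer per question; Deprecated and Pending review entries are never used."""
    usable = [e for e in library if e["status"] in ("Approved", "Needs update")]
    drafts = []
    for q in questions:
        best = max(usable, key=lambda e: confidence(q["text"], e["pattern"]), default=None)
        score = confidence(q["text"], best["pattern"]) if best else 0
        if score < 40:
            best = None  # below the floor: leave blank for manual writing rather than guess
        flags, answer = [], None
        if best:
            stale = months_between(best["last_reviewed"], today) > review_cadence_months
            if best["status"] == "Needs update" or stale:
                flags.append("Needs update")
            answer = render(best, q["expected_format"])
            if answer is None:
                flags.append("cannot reduce to " + q["expected_format"])
        drafts.append({"question": q["text"], "source": best["id"] if best else None,
                       "owner": best["owner"] if best else None, "confidence": score,
                       "action": recommended_action(score), "answer": answer, "flags": flags})
    return drafts


if __name__ == "__main__":
    for d in draft(QUESTIONS, LIBRARY):
        print(d["confidence"], d["action"], d["source"], d["answer"], d["flags"])
```

Two governance effects are worth noticing in the output: the deprecated TLS 1.0 answer is never selected even though its pattern matches the transit-encryption question word for word (the approved replacement is drafted instead, in the 70–89 band), and the encryption-at-rest answer is drafted at full confidence but carries a Needs update flag because its last review predates the six-month cadence. The breach-notification question lands in the 40–69 band and is routed to the legal owner; the bug bounty question has no usable match and is left for manual writing.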
Bulk Actions
From the review screen:
- Approve all ≥90 confidence — quick-approve obvious matches
- Flag all under 40 confidence — triage unknowns
- Reassign to owner — route specific categories to their owner (legal, security, eng)
Review Workflow
- Open the questionnaire’s Review screen
- Filter by confidence, section, or owner
- For each question:
- Read the drafted answer
- Edit inline if needed
- Click Approve to finalize
- Click Needs Input to route to someone else with a comment
- Once all questions are approved, click Export
Collaboration
Multiple reviewers can work on the same questionnaire simultaneously:
- Assign sections to owners (security, legal, engineering)
- Add comments on questions that need discussion
- See who’s currently viewing a section (presence indicator)
- Mentions (@username) send email notifications
Versioning
Every edit is tracked. Roll back to any previous version of an answer at Review → [Question] → History.
Exporting
When all answers are approved, export the questionnaire:
- Click Export
- Choose format:
- Original XLSX — answers inserted into the original file structure
- Formatted DOCX — answers rendered into a formatted Word doc
- PDF — static, locked PDF
- CSV — raw question-answer pairs
- Click Download
Exports preserve:
- Original question order
- Section headings and formatting
- Any branding/headers in the original
Audit Trail
The export includes an optional audit trail page listing:
- Who approved each answer
- When it was approved
- Source from the answer library (canonical ID)
- Any edits made during review
Enable at Export → Include Audit Trail.
Reusing Across Questionnaires
Every approved answer feeds the library, so the share of questions auto-matched at ≥70 confidence climbs with each questionnaire you ship (see the table below). Review time drops sharply after the first few.
Typical Library Growth
| Questionnaires Completed | Library Size | Auto-Match Rate |
|---|---|---|
| 1 | ~200 answers | 20–30% |
| 3 | ~500 answers | 50–65% |
| 10 | ~1,200 answers | 75–85% |
| 25+ | ~2,000+ answers | 85–95% |
Integrations
| Integration | Use |
|---|---|
| Google Drive | Import questionnaires directly from Drive |
| Slack | Get notifications when questionnaires are assigned to you |
| Jira / Linear | Create tickets for questions that need engineering input |
| Vanta / Drata | Pull compliance controls directly into the answer library |
| SharePoint | Bulk-import historical questionnaires |
Configure integrations at Settings → Integrations.
Permissions
| Role | Capabilities |
|---|---|
| Admin | Upload questionnaires, manage library, approve answers, export |
| Reviewer | Review and approve drafted answers for assigned sections |
| Contributor | Add answers to the library (pending admin approval) |
| Viewer | Read-only access |
Set per-section permissions for sensitive questionnaires (legal, financial, HR).
Security
All questionnaire content and answer-library data are encrypted at rest and in transit. Questionnaires are scoped to your organization; they are never used as training data or shared across tenants.
Access logs track every view, edit, and export. Export logs at Settings → Audit → Security Questionnaires.
Troubleshooting
| Issue | Fix |
|---|---|
| Questionnaire parsing missed questions | Re-parse with manual section boundaries; or edit the extraction output directly |
| Low confidence on most questions | Library is too sparse — seed from previous questionnaires and policies |
| Export format doesn’t match original | Use “Original XLSX” mode; if the layout is still off, the original file uses a non-standard template |
| Answers contradict each other | Review library for conflicting entries; mark older ones deprecated |
| Reviewer can’t see a section | Check section-level permissions in the Review screen |
Related
- Global Context: brand and company details referenced by answers
- Custom Records: model related objects (policies, controls)
- Skills: answer drafting is powered by skills