Questionnaires
Automatically answer security questionnaires using your existing compliance data. zGovern's keyword-matching engine searches your controls and policies to suggest accurate, confident answers in seconds.
Overview
Security questionnaires (SIG, CAIQ, custom vendor assessments) are a significant time burden for security and compliance teams. A typical enterprise security questionnaire contains 200–500 questions that can take days to complete manually.
zGovern's auto-answer engine analyses each question and searches your:
- Active compliance framework controls and their plain-English descriptions
- Published (ACTIVE) policies and their content
- Control statuses (COMPLETE controls contribute higher confidence)
Each answer suggestion comes with a confidence score (0–100%) indicating how closely the source material matches the question.
Supported Formats
| Format | Full Name | Published By | Notes |
|---|---|---|---|
| SIG | Standardised Information Gathering questionnaire | Shared Assessments | Most widely used enterprise vendor questionnaire |
| CAIQ | Consensus Assessments Initiative Questionnaire | Cloud Security Alliance (CSA) | Aligned with CSA Cloud Controls Matrix |
| Custom | Any free-form questionnaire | Your customers / partners | Paste raw question text — any format is accepted |
Importing a Questionnaire
zGovern accepts questionnaire questions as raw text. You can paste directly from a Word document, Excel export, or email thread.
- Navigate to Questionnaires: click Questionnaires in the sidebar and then click New Questionnaire.
- Enter questionnaire details: provide a title (e.g., "Acme Corp Security Review 2026") and optionally the name of the requesting company.
- Paste the questions: in the Questions text area, paste the raw question text. Each question should be on its own line or separated by a blank line. Numbering is optional — zGovern will parse it automatically.
- Save and run auto-answer: click Save, then click Auto-Answer. The engine will process all questions and return suggested answers within a few seconds.

Example input format:

```text
1. Do you enforce multi-factor authentication for all users?
2. How frequently do you conduct penetration testing?
3. Do you have a formal incident response plan?
4. Are employee background checks performed prior to hiring?
5. How is data encrypted in transit and at rest?
```
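As an added illustration (not zGovern's own parser), here is one way to split a pasted block like the one above into individual questions, applying the page's rules as a heuristic: a numbered line (`1.`, `2)`, `Q3:`) always starts a new question, and an unnumbered line ending in `?` closes one, so a question wrapped across two lines is joined back together. The numbering regex, the `?` rule and the sample paste are assumptions.

```python
import re

# Constructed sample paste (not from the page): mixed numbering styles, two
# unnumbered questions on consecutive lines, and one question wrapped over two lines.
RAW = """1. Do you enforce multi-factor authentication for all users?
2) How frequently do you conduct penetration testing?

Q3: Do you have a formal incident response plan?
How is data encrypted in transit and at rest?

Are employee background checks performed
prior to hiring?
"""

# Optional numbering prefixes such as "1.", "2)", "Q3:" (assumed set of styles)
NUMBERING = re.compile(r"^\s*(?:q(?:uestion)?\s*)?\d+\s*[.):-]\s*", re.IGNORECASE)


def parse_questions(raw):
    """Split pasted text into questions. A numbered line always starts a new
    question; an unnumbered line that ends in '?' closes one (assumed rule), so a
    question wrapped across lines inside a paragraph is joined back together."""
    questions = []
    for block in re.split(r"\n\s*\n", raw.strip()):          # blank lines separate
        current = []
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            if current and (NUMBERING.match(line) or current[-1].endswith("?")):
                questions.append(" ".join(current))
                current = []
            current.append(NUMBERING.sub("", line))
        if current:
            questions.append(" ".join(current))
    return questions
```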
Auto-Answer Engine
The auto-answer engine uses keyword matching to find relevant controls and policy content for each question. Here's how it works:
Keyword Matching
For each question, the engine:
- Extracts meaningful keywords (nouns, security terms, compliance concepts)
- Strips common stop words (the, is, do, you, etc.)
- Searches all controls' `plainEnglish` fields and policies' `content` fields
- Ranks matches by term frequency and control completion status
- Returns the top 3 matching sources and synthesises a suggested answer
Confidence Scoring
Each suggested answer includes a confidence score from 0 to 100%:
| Score Range | Indicator | Meaning |
|---|---|---|
| 80–100% | High | Strong keyword match with a COMPLETE control or detailed policy section. Answer is likely accurate with minimal editing needed. |
| 50–79% | Medium | Partial match. The suggested answer is a good starting point but should be reviewed and expanded by a human. |
| 0–49% | Low | Weak match. The question may address a topic not well-documented in your controls or policies. Manual answer required. |
Example auto-answer response:

```json
{
  "success": true,
  "data": {
    "questionnaire": {
      "id": "clxq7m3np0001lg9a",
      "title": "Acme Corp Security Review 2026"
    },
    "answers": [
      {
        "questionIndex": 0,
        "question": "Do you enforce multi-factor authentication for all users?",
        "suggestedAnswer": "Yes. Multi-factor authentication (MFA) is mandatory for all user accounts accessing production systems, as defined in our Access Control Policy. MFA enforcement is monitored continuously via our Okta integration and verified quarterly.",
        "confidence": 94,
        "sources": ["CC6.1 - Logical Access Controls", "Access Control Policy v3"]
      },
      {
        "questionIndex": 1,
        "question": "How frequently do you conduct penetration testing?",
        "suggestedAnswer": "We conduct annual penetration testing by an independent third-party security firm. Results are reviewed by senior management and critical findings are remediated within 30 days.",
        "confidence": 71,
        "sources": ["CC7.1 - System Operations"]
      }
    ]
  }
}
```
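To make the keyword-matching and confidence-scoring steps concrete, here is an added example (not zGovern's engine) that runs the matching described above over a constructed set of controls and policies: only controls' `plainEnglish` fields and ACTIVE policies' `content` are searched, matches are ranked by term frequency with a boost for COMPLETE controls, and the top three sources are returned with a 0-100 confidence mapped to the bands in the table. The stop-word list, the crude stemmer and the scoring weights are assumptions, since the page gives no formula.

```python
import re
from collections import Counter
# Constructed sample data (not zGovern's records): controls carry plainEnglish + status, policies content + status.
CONTROLS = [
    {"id": "CC6.1", "name": "Logical Access Controls", "status": "COMPLETE",
     "plainEnglish": "Multi-factor authentication (MFA) is enforced for all users "
                     "accessing production systems; access is reviewed quarterly."},
    {"id": "CC7.1", "name": "System Operations", "status": "IN_PROGRESS",
     "plainEnglish": "Penetration testing is conducted annually by an independent "
                     "firm; critical findings are remediated within 30 days."}]
POLICIES = [
    {"name": "Access Control Policy v3", "status": "ACTIVE",
     "content": "All users must enrol in multi-factor authentication (MFA)."},
    {"name": "HR Screening Policy", "status": "DRAFT",  # not ACTIVE, so never searched
     "content": "Background checks are performed for all new hires."}]
STOP_WORDS = {"the", "is", "are", "do", "you", "your", "a", "an", "for", "all",
              "how", "of", "and", "to", "in", "have", "with", "by"}

def stem(token):
    """Crude suffix stripping (an assumption) so enforce/enforced and user/users match."""
    for suffix in ("ing", "ed", "es", "s"):
        if token.endswith(suffix) and len(token) - len(suffix) >= 4:
            token = token[:-len(suffix)]
            break
    return token[:-1] if token.endswith("e") and len(token) > 4 else token

def keywords(text):
    """Meaningful keywords: lower-cased tokens with stop words stripped, then stemmed."""
    return [stem(t) for t in re.findall(r"[a-z0-9-]+", text.lower()) if t not in STOP_WORDS]

def score_source(q_terms, text, complete):
    """0-100 overlap score; weights and the +20 boost for COMPLETE controls are assumptions."""
    tf = Counter(keywords(text))
    matched = [t for t in q_terms if tf[t]]
    if not matched:
        return 0
    hits = min(sum(tf[t] for t in matched), 10)  # term-frequency bonus, capped
    return min(100, int(70 * len(matched) / len(q_terms) + hits + (20 if complete else 0)))

def auto_answer(question, controls=CONTROLS, policies=POLICIES):
    q_terms = set(keywords(question))
    ranked = [(score_source(q_terms, c["plainEnglish"], c["status"] == "COMPLETE"),
               f"{c['id']} - {c['name']}") for c in controls]
    ranked += [(score_source(q_terms, p["content"], False), p["name"])
               for p in policies if p["status"] == "ACTIVE"]
    ranked = sorted((r for r in ranked if r[0] > 0), reverse=True)[:3]  # top 3 sources
    confidence = ranked[0][0] if ranked else 0
    band = "High" if confidence >= 80 else "Medium" if confidence >= 50 else "Low"
    return {"question": question, "confidence": confidence, "indicator": band,
            "needs_review": confidence < 50, "sources": [name for _, name in ranked]}
```

The draft HR policy is never searched, so the background-check question comes back at 0% and is flagged for manual review, which is the case the Low band in the table describes.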
Review and Edit Answers
After the auto-answer engine runs, you review each answer in the questionnaire editor:
- Each question shows the suggested answer, confidence score, and source controls/policies
- Click any answer to edit it directly in the text field
- Low-confidence answers are highlighted and sorted to the top for manual attention
- Mark questions as Reviewed once you've verified the answer
- Questions flagged Needs Review (low confidence) appear in a dedicated tab
Exporting Answers
Once all answers are reviewed, export the completed questionnaire as a .txt file:
Plain text file. Content-Type: text/plain. Each question and answer pair is formatted for easy reading and copy-pasting into the customer's form.
```text
====================================
ACME CORP SECURITY REVIEW 2026
Completed: 2026-03-08
Total Questions: 47 | Answered: 47
====================================
Q1: Do you enforce multi-factor authentication for all users?
A: Yes. Multi-factor authentication (MFA) is mandatory for all user accounts
accessing production systems, as defined in our Access Control Policy. MFA
enforcement is monitored continuously via our Okta integration and verified
quarterly. [Source: CC6.1, Access Control Policy v3]
----
Q2: How frequently do you conduct penetration testing?
A: We conduct annual penetration testing by an independent third-party
security firm. Results are reviewed by senior management and critical
findings are remediated within 30 days. [Source: CC7.1]
```
`plainEnglish` fields or to your ACTIVE policies. This trains the engine to answer similar questions better in future questionnaires.