Procurement moment

The procurement cyber checklist that stalled a renewal

A SaaS vendor renewal stalled for six weeks because the security questionnaire asked for evidence the vendor had — but couldn't export in the form the buyer needed. What changed when the evidence package was restructured.


Enterprise procurement teams have developed a particular talent for asking precisely the right questions in exactly the wrong order, at exactly the wrong time in the renewal cycle.

A SaaS vendor in the $8M–$12M ARR range — mid-market, B2B, not named here — entered a renewal cycle with a Fortune 500 customer and received a 94-item security questionnaire with a 14-day response window. The contract value was $1.4M annually. The vendor had a qualified CISO, a SOC 2 Type II report from 18 months prior, and a penetration test from 11 months prior. They had most of the evidence. They did not have it organized in the form the questionnaire required.

The stall happened because 23 of the 94 questions required either a specific artifact (a named document with a date and version) or a cross-reference to a named control in a specific framework. The vendor's security team had the underlying controls implemented, but the mapping between their internal control language and the questionnaire's framework references (which mixed NIST CSF, ISO 27001, and CIS Controls terminology in the same document) was not documented. Each of those 23 questions required someone to manually trace the evidence, write a response, and identify the supporting artifact — work that took four to six hours per question without an organized evidence base.

The response was ultimately delivered on day 19, five days late, after the vendor requested and received a brief extension. The buyer's procurement team flagged 11 responses as incomplete — not because the controls were absent, but because the responses lacked artifact citations. Seven of the 11 had supporting evidence that existed but was not referenced in the response. The vendor's team spent another week locating and attaching the artifacts.

The renewal closed. The total delay was six weeks from the original questionnaire receipt to contract signature. The primary cost was internal time — estimated at 180 to 220 hours across the security, legal, and revenue teams. The secondary cost was a 30-day slip in the renewal date that compressed the customer's budget cycle into Q4.

The CISO's post-mortem identified three failure points. First, the evidence base was organized by tool (scanner, GRC platform, audit report) rather than by control. Answering a questionnaire question required knowing which tool held which evidence and then cross-referencing multiple sources. Second, artifact versions and dates were not tracked centrally, so freshness validation was manual. Third, the framework mapping between the internal control language and the questionnaire's reference framework did not exist in a form that could be queried.

The vendor's remediation after the renewal was to build a lightweight evidence registry: a structured record of controls, the artifacts that support them, the frameworks they map to, and the date each artifact was last reviewed. The registry was not sophisticated — it was a structured document, not a dedicated platform. But it reduced the response time for a comparable questionnaire the following year from 19 days to 6, and eliminated the artifact-citation gap entirely.
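The page describes the registry only as a structured document, so the following is an added illustration in Python, not the vendor's own artifact. It shows the shape that makes the approach work: each control carries its artifact citations (name, version, last review date) and a mapping to the framework references a questionnaire might use, so a question phrased as an ISO 27001 clause, a NIST CSF subcategory, or a CIS Control number resolves to the same control and the same citations, and every cited artifact is checked against a freshness threshold. The control IDs, artifact names, dates, framework references and the freshness policy are constructed for the example; the two artifacts mirror the 18-month-old SOC 2 report and the 11-month-old penetration test from the case.

```python
"""Minimal evidence registry: controls, supporting artifacts, framework mappings
and review dates, queried by the framework reference a questionnaire uses.
Illustrative example; all identifiers, dates and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Artifact:
    name: str
    version: str
    last_reviewed: date
    kind: str  # e.g. "audit_report", "pentest", "policy", "scan_export"


@dataclass
class Control:
    control_id: str  # internal control identifier
    title: str
    artifacts: list[Artifact]
    # framework name -> set of references in that framework (assumed mapping)
    mappings: dict[str, set[str]] = field(default_factory=dict)


# Assumed freshness policy: maximum artifact age in days before it is flagged.
MAX_AGE_DAYS = {"audit_report": 365, "pentest": 365, "policy": 365, "scan_export": 90}

# Assumed "today" for the worked example.
AS_OF = date(2024, 3, 1)


class EvidenceRegistry:
    def __init__(self, controls):
        self.controls = {c.control_id: c for c in controls}
        # Inverted index: (framework, reference) -> list of internal control IDs.
        self.index = {}
        for c in controls:
            for fw, refs in c.mappings.items():
                for ref in refs:
                    self.index.setdefault((fw, ref.upper()), []).append(c.control_id)

    def answer(self, framework, reference, as_of):
        """Resolve one questionnaire reference to controls, citations and stale artifacts."""
        result = []
        for cid in self.index.get((framework, reference.upper()), []):
            c = self.controls[cid]
            citations, stale = [], []
            for a in c.artifacts:
                citations.append(f"{a.name} {a.version} ({a.last_reviewed.isoformat()})")
                if (as_of - a.last_reviewed).days > MAX_AGE_DAYS.get(a.kind, 365):
                    stale.append(a.name)
            result.append({"control": cid, "citations": citations, "stale": stale})
        return result

    def unmapped(self, framework, references):
        """References with no mapped control: the questions that still need manual tracing."""
        return [r for r in references if (framework, r.upper()) not in self.index]


def build_sample_registry():
    """Constructed sample data; framework references are illustrative, not authoritative."""
    vuln_mgmt = Control(
        "VM-01", "Vulnerability management",
        artifacts=[
            Artifact("Annual penetration test report", "2023.1", date(2023, 4, 1), "pentest"),
            Artifact("Vulnerability management policy", "v3.2", date(2023, 10, 15), "policy"),
        ],
        mappings={"NIST_CSF": {"PR.IP-12"}, "ISO27001": {"A.12.6.1"}, "CIS_v8": {"7"}},
    )
    access = Control(
        "AC-01", "Account and access management",
        artifacts=[
            Artifact("SOC 2 Type II report", "FY2022", date(2022, 9, 1), "audit_report"),
            Artifact("Access control policy", "v5.0", date(2023, 11, 20), "policy"),
        ],
        mappings={"NIST_CSF": {"PR.AC-1"}, "ISO27001": {"A.9.2.1"}, "CIS_v8": {"5", "6"}},
    )
    return EvidenceRegistry([vuln_mgmt, access])


if __name__ == "__main__":
    reg = build_sample_registry()
    # The same control answers whichever framework's wording the questionnaire uses.
    for fw, ref in [("ISO27001", "A.12.6.1"), ("CIS_v8", "7"), ("NIST_CSF", "PR.AC-1")]:
        for hit in reg.answer(fw, ref, AS_OF):
            print(fw, ref, "->", hit["control"], hit["citations"], "stale:", hit["stale"])
    print("unmapped CIS refs:", reg.unmapped("CIS_v8", ["5", "7", "16"]))
```

Two properties of this layout carry the page's argument. The inverted index turns the four-to-six-hour manual trace into a lookup, regardless of which framework's vocabulary the question borrows. The freshness check surfaces the 18-month-old SOC 2 report as stale before the buyer does, while the 11-month-old penetration test passes; the `unmapped` call lists the references that would still need hand-tracing, which is the backlog to close before the next cycle.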

The principle that held in both cycles: procurement questionnaires are answered at the speed of your evidence organization, not at the speed of your security posture. A vendor with strong controls but disorganized evidence loses time in the response cycle that it cannot recover. A vendor with evidence organized by control, with framework mappings current and artifacts versioned, can answer a 94-item questionnaire in the time a peer spends locating the SOC 2 report.

The gap is not between secure and insecure. It is between evidence that is ready to export and evidence that needs to be assembled under deadline pressure.
