---
name: client-due-diligence-responder
description: Paste a client's IT/security due-diligence or vendor-risk questionnaire and get back drafted answers in the language and format procurement teams expect, with evidence index, caveats, and gap flags.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: IT Managers, CISOs, CIOs, Practice Managers, Sales Engineers, MSP Consultants, Solo Founders responding to enterprise clients
output_format: Formatted Markdown response pack with categorised draft answers, evidence index, gap register, caveats block, and cover letter.
license: MIT
last-reviewed: 2026-04
---

# Client Due-Diligence Responder

A Claude Code skill for small IT teams and SMB consultants who receive a 40-to-400-question vendor security questionnaire from a prospective or existing client and need to respond accurately, honestly, and fast — without copy-pasting marketing fluff that collapses under scrutiny.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/client-due-diligence-responder`. Paste the questionnaire (or a selection of questions) plus a short context brief. Answer the clarifying questions. Receive a drafted response pack.

## When to use this

- A bank, law firm, or enterprise client has sent you a 50-200 question vendor assessment and wants it back in 10 working days.
- You're renewing a contract and procurement has resent last year's questionnaire with 30 new questions about AI, supply chain, or FCA operational resilience.
- Your insurer is asking a subset of the same questions and you want one canonical answer bank to reuse.
- You want to answer honestly where you can, flag gaps where you can't, and never get caught having overstated a control.
- You run a consultancy or MSP and need to respond on behalf of clients who've been asked these questions and panic-forwarded them to you.

## What you'll get

A single Markdown document containing:

- A **questionnaire-scope summary** with the number of questions per theme
- **Drafted answers** grouped by standard categories (info sec policy, access control, encryption, logging, incident response, BCP/DR, supply chain, data protection, personnel, physical security, etc.)
- An **evidence index** telling you which supporting document to attach for which question
- A **gap register** listing every question where your honest answer is "not yet" / "partial" / "no", with the risk of answering dishonestly, a suggested truthful-but-not-damaging phrasing, and a target date for remediation
- A **caveats block** (scope of the answers, version of your environment they apply to, contact for clarifications)
- A **cover letter** in professional tone for the client's procurement lead
- A **submission checklist** to run before you send

## Clarifying questions I will ask you

Before drafting answers, I will ask:

1. **Paste the questionnaire** — or the question set, or the top themes if the document is very long.
2. **What is your client's sector and regulator?** (bank / FCA, law firm / SRA, insurance / PRA, NHS / DSPT, public sector / G-Cloud, etc.)
3. **Who is the end recipient?** (procurement only, info-sec team, audit committee, combination) — affects tone and depth.
4. **What is the data / service scope you'll be delivering?** (SaaS access with no data, on-prem software, consultancy with PII exposure, hosting managed service)
5. **What existing certifications do you hold?** (Cyber Essentials / CE Plus, ISO 27001, SOC 2 Type I/II, IASME Gold, sector-specific)
6. **Do you have current versions of these documents?** Info Security Policy, Acceptable Use, Data Protection Policy, BCP/DR plan, Incident Response plan, DPA template, sub-processor list, staff screening policy
7. **Any questions you know will be a "no"?** — flag these up front so we phrase them honestly and route them to the gap register for remediation rather than burying them.
8. **Submission deadline?**
9. **Who will review before sending?** (legal, sales lead, you)
10. **Are there answers from a previous year you want me to reuse / update?** (paste them if so)
11. **Is the questionnaire a fixed format (spreadsheet, web portal, PDF form) or free-form?** — determines whether drafts go into rows or as a response document.
12. **Any specific sensitivities?** (pending incident, recent leaver, known gap in a control they're asking about)

## Output template

```markdown
# Due-Diligence Response — <client name>

**Respondent:** <your organisation>
**Responding on behalf of:** <if not yourself>
**Date:** <YYYY-MM-DD>
**Applicable version of environment:** <snapshot date>
**Primary contact:** <name, role, email>

## 1. Questionnaire Summary
| Theme | Questions | Clean answers | Gaps flagged | Not applicable |
|---|---|---|---|---|
| Information Security Policy | | | | |
| Risk Management | | | | |
| Access Control | | | | |
| Identity & MFA | | | | |
| Encryption (at rest & in transit) | | | | |
| Logging, Monitoring & SIEM | | | | |
| Vulnerability & Patch Management | | | | |
| Incident Response | | | | |
| Business Continuity & DR | | | | |
| Supply Chain & Sub-processors | | | | |
| Data Protection / UK GDPR | | | | |
| International Transfers | | | | |
| Personnel (screening, training, leavers) | | | | |
| Physical & Environmental | | | | |
| AI / GenAI Use | | | | |
| Operational Resilience (FCA, DORA-aligned) | | | | |
| **Total** | | | | |

## 2. Drafted Answers (by category)

### Information Security Policy
**Q:** Do you maintain a documented Information Security Policy approved by senior management?
**Draft answer:** Yes. Our Information Security Policy is approved annually by <role> and reviewed by <role> in response to material changes. Current version: <N.N>, last reviewed <date>. Available on request under NDA.
**Evidence to attach:** `/evidence/IS-Policy-v<N>.pdf`
**Confidence:** High.

**Q:** Is the policy aligned to a recognised framework?
**Draft answer:** Yes — our policy maps to <ISO 27001 Annex A / NIST CSF / CIS Controls v8>. A mapping register is maintained and available on request.
**Evidence:** `/evidence/Framework-mapping.xlsx`
**Confidence:** High.

### Access Control & Identity
**Q:** Is multi-factor authentication enforced for all users?
**Draft answer:** <Yes — MFA is enforced for all users on all cloud services in scope. Break-glass accounts are excluded with documented compensating controls. // Partial — MFA is enforced on the following services: <list>. Enforcement for <remaining services> scheduled for <date>.>
**Evidence:** Conditional Access policy export, Intune compliance screenshot.
**Confidence:** <High / Medium with remediation plan>.

**Q:** Do you review user access rights regularly?
**Draft answer:** Yes. <Quarterly / semi-annually> access reviews are performed by <role>. Evidence retained in <system>.

### Encryption
**Q:** Is data at rest encrypted?
**Draft answer:** Yes. All data at rest is encrypted using <AES-256>. Managed services in use: <M365 / AWS KMS / Azure Storage Service Encryption>. Customer-managed keys <available on request / in use for high-sensitivity datasets>.

**Q:** Is data in transit encrypted?
**Draft answer:** Yes. All data in transit uses TLS 1.2 or higher. Legacy TLS 1.0/1.1 is disabled at both the infrastructure and application layers.

### Logging, Monitoring & SIEM
**Q:** Do you centrally log authentication events?
**Draft answer:** Yes. Authentication and administrative events are forwarded to <Sentinel / Defender for Cloud / SIEM>. Retention: <N> days hot, <N> days archive, aligned to UK GDPR Article 32 and contract schedules.

### Incident Response
**Q:** Do you have a documented incident response plan?
**Draft answer:** Yes. Our Incident Response Playbook is aligned to NIST SP 800-61 Rev. 2 and UK NCSC guidance. It is tested via tabletop exercises <cadence>. Last exercise: <date>.

**Q:** What is your incident notification SLA to customers?
**Draft answer:** We notify affected customers within <N> hours of confirming an incident impacts their data. Personal-data breaches under UK GDPR are notified to the ICO within 72 hours.

### Business Continuity & DR
**Q:** Do you have a BCP?
**Draft answer:** Yes. Our Business Continuity Plan was last reviewed <date>. RTO <N> hours / RPO <N> hours for in-scope services. Plan tested <cadence>.

### Supply Chain
**Q:** Do you maintain a list of sub-processors?
**Draft answer:** Yes. Our sub-processor list is maintained on our website and updated when material changes occur. <Link or available on request under NDA.>

### Data Protection
**Q:** Are you registered with the ICO?
**Draft answer:** Yes. Our ICO registration number is <ZXXXXXXX>, fee tier <N>. We are Data Controller for our own records and Data Processor for customer data in scope of the engagement.

**Q:** Do you have a DPO?
**Draft answer:** <Yes — contact details on request. // We have a named Data Protection Lead — not statutorily required under UK GDPR at our scale but appointed voluntarily.>

### AI / GenAI Use
**Q:** Do you use generative AI in the delivery of your services to us?
**Draft answer:** <Yes, with controls: <list, e.g. Microsoft 365 Copilot with EU Data Boundary enforced, no data used for training, audit logging enabled>. // Yes, on an opt-in basis for specific workflows; client data is never used to train third-party models. // No.>

### Operational Resilience (FCA / DORA-aligned, where applicable)
**Q:** Have you identified important business services and impact tolerances?
**Draft answer:** <Yes — our important business services are: <list>. Impact tolerances are documented and reviewed with senior management annually. // Not formally, as we fall below the regulatory threshold. Our BCP covers operational resilience in practice.>

### Personnel
**Q:** Are staff background-checked?
**Draft answer:** Yes. All staff undergo <BPSS / standard DBS / enhanced DBS / right-to-work + 2 references> before access is granted. Screening evidence retained for the duration of employment.

**Q:** Do staff receive security awareness training?
**Draft answer:** Yes. All staff complete security awareness training on induction and annually thereafter. Training includes phishing simulation. Evidence retained in <system>.

### Physical & Environmental
**Q:** Where are your offices / data centres?
**Draft answer:** <Offices: <city>. Cloud services hosted in <region>. No customer-data-bearing on-premises infrastructure.>

## 3. Evidence Index
| Evidence item | Location | Last updated | Available under NDA? |
|---|---|---|---|
| Information Security Policy | `/evidence/IS-Policy-v<N>.pdf` | | |
| Acceptable Use Policy | | | |
| Data Protection Policy | | | |
| BCP / DR Plan | | | |
| Incident Response Playbook | | | |
| Sub-processor list | <URL or file> | | |
| CE / CE Plus certificate | | | |
| ISO 27001 certificate + SoA | | | |
| SOC 2 Type II report | | | |
| Penetration-test summary | | | |
| Vulnerability-scan summary | | | |
| DPA template | | | |
| Staff screening policy | | | |
| Security awareness training records | | | |

## 4. Gap Register (honest answers that aren't "yes")
| Question | Truthful answer | Suggested phrasing | Remediation | Target date | Accept risk until? |
|---|---|---|---|---|---|
| Do you hold ISO 27001? | No, not yet | "We are currently aligned to ISO 27001 and pursuing certification. Target certification date: <Q<N>>. Currently certified to Cyber Essentials Plus." | Begin ISO 27001 gap assessment | | |
| Do you have 24/7 SOC coverage? | No, business-hours only | "Our monitoring is 24/7; human SOC coverage is in business hours UK time, with on-call escalation outside business hours per documented procedure." | | | |
| | | | | | |

Rule: **never lie**. A lie discovered in a future audit will cost you the client *and* your reputation. Phrase truthfully but professionally.

## 5. Caveats Block (include at top of submission)
> **Scope:** This response covers <service X> as of <snapshot date>. Material changes to our environment will be communicated in line with our DPA / contract.
>
> **Disclaimers:**
> - Answers reflect our documented controls as of the date above. Operational spot-checks may show transient gaps that are corrected within <N> days.
> - Where evidence is marked "available under NDA", we will provide it within <N> working days of a signed NDA.
> - This response does not constitute an amendment to our contractual obligations; those are governed by the MSA and any attached schedules.

## 6. Cover Letter
> Dear <Procurement Lead / Name>,
>
> Please find attached our response to your <date> security due-diligence questionnaire. We have answered all <N> questions; <N> responses carry supporting evidence available on request under NDA, and <N> are flagged as gaps with documented remediation plans.
>
> Should your team need clarification on any answer, our primary point of contact is <name, role, email, phone>. We aim to respond within <N> working days.
>
> We appreciate the thoroughness of your questionnaire and welcome further dialogue.
>
> Kind regards,
> <Signatory name, role>
> <Organisation>
> www.vpnetworks.co.uk

## 7. Submission Checklist
- [ ] Every question answered (not left blank, "n/a", or "see evidence")
- [ ] Gap register reviewed by <reviewer> and any customer-facing phrasing agreed
- [ ] Evidence index files exist and are current
- [ ] Caveats block copied to top of the response
- [ ] Cover letter signed by named individual
- [ ] PII redacted from any attached screenshots
- [ ] Internal-only notes removed
- [ ] File naming convention agreed with client (ISO date + version)
- [ ] Submission method confirmed (portal / email / encrypted share) and credentials ready
- [ ] Named contact on standby for follow-up questions
```

## Example invocation

**User:** "A boutique investment manager client has sent a 120-question security questionnaire. They're FCA-regulated. We deliver an MSP service covering M365, endpoints and backup. We have Cyber Essentials Plus and are starting ISO 27001. Due in 10 working days. Here's the questionnaire: [pastes content]."

**What the skill will do:**
1. Categorise the 120 questions into the standard themes and quickly spot the FCA-specific ones (operational resilience, third-party risk, material outsourcing).
2. Ask the 12 clarifying questions with particular attention to: sub-processor list (FCA cares), UK data residency, AI / Copilot use (newly a standard theme), incident SLA, and ISO 27001 timeline (flag honestly).
3. Produce the response pack with:
   - High-confidence drafts for ~80% of questions (the standard infosec, identity, encryption, BCP themes)
   - 15-20 questions routed through the gap register with suggested truthful phrasing (ISO status, 24/7 SOC, penetration test frequency, etc.)
   - FCA-specific answers that reference operational resilience, important business services, and impact tolerance in the client's own vocabulary
   - Evidence index mapped to your existing document set
4. Flag that the AI/GenAI section needs a 1-paragraph Copilot-use statement regardless of whether you use it directly, because procurement expects an explicit answer.
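The categorise-then-route step above, as an added example that is not part of the skill itself: a small Python script classifies pasted questions into the themes of the summary table, reuses answers from a constructed canonical answer bank, sends every question whose truthful status is "partial" or "no" to the gap register with suggested phrasing instead of a bare "Yes", and renders the section 1 table. `THEME_KEYWORDS`, `ANSWER_BANK`, the function names and the sample questions are assumptions made for this example, not anything the skill defines.

```python
"""Answer-bank routing for a pasted questionnaire (added example, not part of
the original skill). THEME_KEYWORDS, ANSWER_BANK and all function names are
assumptions for this example; values in <> are per-client placeholders."""
from dataclasses import dataclass

# Keyword signatures per theme (constructed; tune against past questionnaires).
THEME_KEYWORDS = {
    "Information Security Policy": ["security policy", "iso 27001"],
    "Identity & MFA": ["multi-factor", "mfa", "authentication"],
    "Encryption (at rest & in transit)": ["encrypt", "tls"],
    "Incident Response": ["incident"],
    "Business Continuity & DR": ["continuity", "bcp", "disaster"],
    "Supply Chain & Sub-processors": ["sub-processor", "supplier", "third party"],
    "Data Protection / UK GDPR": ["ico", "gdpr", "dpo"],
    "AI / GenAI Use": ["generative ai", "copilot", "genai"],
}

@dataclass
class BankEntry:
    keywords: list                 # phrases that identify the question
    status: str                    # truthful status: "yes" | "partial" | "no"
    draft: str                     # reusable answer when status == "yes"
    evidence: str = ""             # item from the evidence index
    suggested_phrasing: str = ""   # truthful-but-professional wording for gaps
    remediation: str = ""
    target_date: str = ""

# Constructed canonical answer bank (not a real organisation's controls).
ANSWER_BANK = [
    BankEntry(["security policy"], "yes",
              "Yes. Our Information Security Policy is approved annually by <role>.",
              "/evidence/IS-Policy-v<N>.pdf"),
    BankEntry(["in transit", "tls"], "yes", "Yes. All data in transit uses TLS 1.2 or higher."),
    BankEntry(["multi-factor", "mfa"], "partial", "", "Conditional Access policy export",
              "MFA is enforced on <services>; enforcement for <remaining> is scheduled for <date>.",
              "Extend Conditional Access to remaining services", "<date>"),
    BankEntry(["iso 27001"], "no", "", "",
              "We are aligned to ISO 27001 and pursuing certification (target <Q<N>>); "
              "currently certified to Cyber Essentials Plus.",
              "Begin ISO 27001 gap assessment", "<Q<N>>"),
]

def classify(question: str) -> str:
    """First theme whose keyword appears in the question, else manual review."""
    q = question.lower()
    for theme, words in THEME_KEYWORDS.items():
        if any(w in q for w in words):
            return theme
    return "Uncategorised (manual review)"

def lookup(question: str):
    """Bank entry matching the question, or None if it must be drafted by hand."""
    q = question.lower()
    return next((e for e in ANSWER_BANK if any(k in q for k in e.keywords)), None)

def route_questionnaire(questions):
    """Return (per-theme summary counts, drafted answers, gap register)."""
    summary, drafts, gaps = {}, [], []
    for q in questions:
        theme = classify(q)
        c = summary.setdefault(theme, {"questions": 0, "clean": 0, "gaps": 0, "unanswered": 0})
        c["questions"] += 1
        entry = lookup(q)
        if entry is None:
            c["unanswered"] += 1
            drafts.append({"question": q, "theme": theme, "evidence": "",
                           "draft": "<no bank answer: draft manually>", "confidence": "None"})
        elif entry.status == "yes":
            c["clean"] += 1
            drafts.append({"question": q, "theme": theme, "evidence": entry.evidence,
                           "draft": entry.draft, "confidence": "High"})
        else:  # "partial" / "no" always go to the gap register, never to a bare "Yes"
            c["gaps"] += 1
            gaps.append({"question": q, "truthful_answer": entry.status,
                         "suggested_phrasing": entry.suggested_phrasing,
                         "remediation": entry.remediation, "target_date": entry.target_date})
            drafts.append({"question": q, "theme": theme, "evidence": entry.evidence,
                           "draft": entry.suggested_phrasing, "confidence": "Medium with remediation plan"})
    return summary, drafts, gaps

def overstated(drafts, gaps):
    """Gap-register questions whose draft nevertheless opens with 'Yes' (the never-lie check)."""
    gap_qs = {g["question"] for g in gaps}
    return [d["question"] for d in drafts
            if d["question"] in gap_qs and d["draft"].strip().lower().startswith("yes")]

def render_summary(summary) -> str:
    """Section 1 table of the output template, as Markdown."""
    rows = ["| Theme | Questions | Clean answers | Gaps flagged | Needs manual draft |",
            "|---|---|---|---|---|"]
    for theme, c in summary.items():
        rows.append(f"| {theme} | {c['questions']} | {c['clean']} | {c['gaps']} | {c['unanswered']} |")
    return "\n".join(rows)

# Constructed sample questions in the style of the template.
SAMPLE_QUESTIONS = [
    "Do you maintain a documented Information Security Policy approved by senior management?",
    "Is multi-factor authentication enforced for all users?",
    "Do you hold ISO 27001 certification?",
    "Is data in transit encrypted using TLS?",
    "Do you use generative AI in the delivery of your services to us?",
]

if __name__ == "__main__":
    s, d, g = route_questionnaire(SAMPLE_QUESTIONS)
    print(render_summary(s), f"\n{len(g)} gap(s); overstated drafts: {overstated(d, g)}")
```

Keyword matching is deliberately crude (first theme wins, substring match), which is why an uncategorised or unanswered question is surfaced for manual drafting rather than silently given a generic answer; that mirrors the note above that generic answers fail the client-specific 10%.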

## Notes for the requester

- **Read every question before drafting.** 10% of questions in most enterprise questionnaires are unusual or client-specific. Generic answers fail those.
- **Never answer "yes" if the evidence does not exist today.** Answer "currently aligned to X, formal evidence in preparation" if the intent is real, or route to the gap register.
- **Phrase gaps professionally, not apologetically.** "In preparation" / "roadmap to certify by Q<N>" / "mitigated by <compensating control>" — all acceptable. "We haven't got around to it" — not acceptable.
- **Track questions that appear repeatedly across clients.** They become your canonical answer bank, updated centrally, reused per client with light tailoring.
- **A good response beats a long response.** Procurement teams read quickly; the caveats block and clear gap register build more trust than 400 pages of polished prose.
- **Good looks like:** the client's info-sec reviewer comes back with 3-5 follow-up clarifications (normal), signs off within 2 weeks, and the SOW moves to legal.

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
