Vendor security reviews

Your biggest client just asked for your security package.

Do not lose the deal because the package does not exist yet.

Kompflow is the governance layer that gives you everything a client's security team asks for: WISP, risk assessment, vendor inventory, training records, and incident response plan. Already written, current, and signed.

What a client security questionnaire usually asks.

Different companies send different forms, but the questions cluster into a familiar pattern:

"Show us your written security program."

They want your Written Information Security Plan (WISP). Not a template. Not a privacy policy. The actual written program that says what your firm protects and how.

"When did you last do a risk assessment?"

Most enterprise security teams want a documented risk assessment from within the last 12 months, covering the scenarios that apply to a professional-services firm.

"How do you manage access to our data?"

They are asking about MFA, least-privilege access, offboarding procedures, and audit logs. They expect proof, not assertions.

"Who has access to our data, including your subprocessors?"

They want your vendor inventory with data-flow context, DPAs or subprocessor agreements, and which vendors touch client data.

"What happens if you get breached?"

They want your Incident Response Plan (IRP) with specific timelines, notification procedures, and a named point of contact.

"Who on your team has been trained on security?"

They want training records: who, when, what modules, completion status.

"Who is accountable for your security program?"

For most mid-sized firms under the FTC Safeguards Rule, that is your Qualified Individual (QI). Name, title, and escalation path.

Why CPA firms lose these deals.

Three common ways this conversation breaks down:

The firm has nothing to send

The owner turns to the MSP and says “can you write this up for us?” The MSP says “we can give you a network architecture summary, but we do not write WISPs or do risk assessments.” The firm falls behind. Two weeks later, the prospect goes with a different vendor.

The firm has an old template

The owner sends a WISP template from 2022 that was not customized to the firm. The prospect’s security team flags it as stale. The deal stalls in security review.

The firm has the documents, but they are scattered

WISP on a shared drive somewhere. Training records in a separate system. Risk assessment from a consultant who left the firm two years ago. Putting the package together takes two weeks of someone’s time. The prospect waits, then stops waiting.

What Kompflow gives you.

A single place where every artifact a client or prospect might ask for is already generated, kept current, and ready to send.

The Security Package

Generated for your firm, kept current as your firm changes:

  • WISP: your Written Information Security Plan, updated as your software and team change.
  • Risk assessment: documented, scoped to professional services, refreshed on a schedule.
  • Incident Response Plan: including state-by-state breach notification.
  • Vendor inventory: with DPAs, subprocessor agreements, and data-flow context.
  • Training records: every person, every module, every completion date.
  • Audit trail: signed approvals, version history, date stamps on every decision.
  • Qualified Individual (QI): named and documented for firms that require one.

When the questionnaire lands, the package is ready. You send it the same day, not three weeks later.

The moments you need it most

New logo pursuit

You are bidding a large enterprise or public-company client and their procurement team is running a full vendor assessment.

Existing client expansion

A long-time client just got a new CISO, and suddenly all vendors are getting re-reviewed.

RFP response

The RFP includes a security attachment that needs 40+ questions answered.

Subpoena or litigation request

A client (or a regulator) asks for documentation under time pressure.

How AI helps without getting in the way.

The Insurance Gap Assistant (Starter and Professional) was built for cyber insurance questionnaires, but the same logic works when a client's security team sends a questionnaire. Ask it things like:

  • What is our answer to “describe your access management program”?
  • This question asks about data retention. What do we have documented?
  • Show me our current WISP summary I could paste into a vendor questionnaire.

The assistant reads your actual firm data and helps you draft responses grounded in what you have, not generic advice. You always review and approve before any of it goes to the client.

Which plan?

Starter

WISP, full risk assessment with reporting, data inventory, training records, incident response plan, vendor inventory, and the Insurance Gap Assistant for drafting questionnaire answers.

Professional

Everything in Starter, plus Microsoft 365 auto-sync, evidence-backed control testing, the controls register, task management, and ongoing compliance event tracking.

Common questions.

Can my MSP just answer these questions for me?

Some MSPs can answer the network-and-infrastructure questions. Very few can produce a WISP, a risk assessment, documented risk decisions, training records, or a vendor inventory. Those are governance artifacts that sit with the firm, not the MSP. That is where Kompflow fits.

What if the client's questionnaire asks something I do not have an answer for?

The Insurance Gap Assistant (Starter and Professional) can tell you whether you have it and where it lives. If you do not have it yet, it tells you what is missing and how to close the gap. Most client questionnaires map to artifacts Kompflow already produces.

Do you have an actual vendor questionnaire library?

Not a branded library today. The Insurance Gap Assistant is carrier-agnostic and questionnaire-agnostic, and it answers based on your firm's data rather than a pre-canned response set. Pre-built questionnaire templates are under consideration on the roadmap.

Can I customize the package I send to each client?

Yes. You choose which artifacts to include. Most firms send the same core package (WISP, risk assessment, IRP, training summary, QI identification) and add vendor-specific pieces (data-flow maps, specific control evidence) as requested.

Ready to stop losing deals on security review?

30-day money-back guarantee on every firm plan.
