by stuartleigh 3034 days ago
In my experience you won't need to answer yes to every question in order to "pass" the infosec review, but their team will want to be able to understand the risk of doing business with you. Exactly what it is you'll be doing together will determine how much risk they are willing to take on.

Most of the questions should not be answered, in my opinion - if the document got into the hands of a bad actor it could be abused. I'd recommend they liberally use the N/A option and try to have a discussion with the customer's security team.
Based on the example questions you posted, you are being paranoid. Neither one of those questions is terribly sensitive, and it doesn't matter if the answers fall into the wrong hands. Your company isn't that special - many companies want to know the same things before they work with someone.

Three things:

1.) Security through obscurity never works.

2.) Based on the examples you posted, they aren't asking for anything special. In fact, they both seem like about the base level of security I would expect an enterprise-ready company to provide. If you want to liberally enter N/A to cover up that you aren't big enough/don't have enough people/haven't implemented what they ask, that is dishonest.

3.) If questions like this cause you so much trouble, you need to seriously ask yourself whether working for a startup is for you. Due diligence processes (either initiated by an investor who wants to fund you, or a body that wants to acquire you) should be expected to go much deeper.

It's too late to edit this response, but I wanted to add something.

In my original, I said that security through obscurity never works. That isn't entirely true, because it might work great. The problem is that it makes it much harder to defend yourself after a breach has happened.