Glossary
RFP, DDQ & security questionnaire terms, defined
Plain-English definitions for the vocabulary that shows up across RFPs, due-diligence questionnaires, and vendor security reviews.
RFP (Request for Proposal)
- A formal document a buyer sends to vendors asking them to propose how they would meet a defined set of requirements, usually with pricing and terms. Vendors reply with a structured proposal, and the buyer compares the responses to choose a supplier.
RFI (Request for Information)
- An early-stage request a buyer uses to gather high-level information about vendors and options before they know exactly what they need. An RFI often comes before an RFP.
RFQ (Request for Quotation)
- A request focused on price for a well-defined product or scope. The buyer already knows what they want and is mainly comparing cost.
RFx
- An umbrella term for the family of formal buyer requests: RFP, RFI, and RFQ. Teams use it when they mean the whole category rather than one specific type.
DDQ (Due Diligence Questionnaire)
- A structured set of questions one organisation sends another to assess it before an investment, acquisition, partnership, or supplier relationship. It typically covers finances, operations, security, and compliance.
Security questionnaire
- A set of questions a customer's security or procurement team sends to check how a vendor protects their data. It can be a standard template such as SIG or CAIQ, or a custom spreadsheet written by the customer.
SIG (Standardized Information Gathering)
- A broad, industry-agnostic security questionnaire from Shared Assessments that covers many risk domains. It comes in a fuller version and a shorter SIG Lite for lighter or first-pass reviews.
CAIQ (Consensus Assessments Initiative Questionnaire)
- A cloud-specific security questionnaire from the Cloud Security Alliance. Its questions line up with the CSA Cloud Controls Matrix, so the answers map onto a recognised cloud control set.
VSAQ (Vendor Security Assessment Questionnaire)
- A lightweight, web-based security assessment, originally open-sourced by Google. It uses conditional questions that adapt to your earlier answers, so it only asks what is relevant.
TPRM (Third-Party Risk Management)
- The process of identifying, assessing, and monitoring the risks that come from the external vendors and suppliers an organisation relies on, across the whole vendor lifecycle from onboarding to offboarding.
SOC 2
- An independent audit report on how a service organisation manages data, based on the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). Vendors share it as evidence during security reviews.
ISO/IEC 27001
- An international standard for an information security management system (ISMS). Certification by an accredited body signals that an organisation manages information security to a recognised framework.
Knowledge base
- In the RFP and questionnaire context, a central, maintained library of approved answers and source documents that a team reuses to respond, so each new response is mostly reuse rather than rewriting from scratch.
Content library
- A curated store of approved, reusable proposal answers and assets. Keeping it current is the single biggest accelerator for responding to RFPs and questionnaires quickly and consistently.
Proposal management
- The process and tooling for planning, drafting, reviewing, and submitting proposals and bids. It usually involves a proposal manager coordinating subject-matter experts through defined review stages.
Bid/no-bid decision
- The qualification step where a team decides whether to respond to an RFP at all, based on how winnable it is, how well it fits, and the effort required. Good bid/no-bid discipline concentrates effort on the opportunities you can win.
Subject-matter expert (SME)
- A person with deep knowledge of a specific area, such as security, legal, or product, who provides or validates the answers to specialised questions in a proposal or questionnaire.
RAG (retrieval-augmented generation)
- A technique where an AI model first retrieves relevant passages from a knowledge source and then uses them to ground the answer it generates. Grounding answers in retrieved sources is how tools reduce hallucination on RFPs and questionnaires.