You’ve got a big meeting coming up. The client is in financial services, or healthcare, or runs something where downtime would be a serious problem. They’re polite, they like working with you, and somewhere between the agenda and the coffee they’re going to ask you something like:
“So — what’s your security posture?”
If your stomach just tightened a little, you’re not alone. Most small and medium-sized businesses we work with are brilliant at what they do. They’re builders, designers, advisors, suppliers. They are not — and shouldn’t need to be — fluent in the alphabet soup of acronyms that bigger clients now expect to hear.
The good news: you don’t need to become a cyber security expert. You just need to know what the question really means, and have a sensible answer ready. This post walks through the five things large clients ask about most often, in plain English.
1. “Have you got Cyber Essentials?”
Think of Cyber Essentials as the UK government’s equivalent of locking your front door, closing your windows and not leaving the key under a flowerpot. It’s a basic certificate that says your business has the everyday security hygiene in place — proper passwords, up-to-date software, firewalls switched on, accounts that get closed when people leave.
It is not a deep technical audit. It is not expensive. And it has quietly become the price of entry for working with most public sector bodies, larger corporates and anyone in a regulated industry.
When a client asks “have you got Cyber Essentials?”, what they’re really asking is: “Have you proved to someone independent that you’re not an obvious risk?”
A good answer sounds like: “Yes, we hold Cyber Essentials and renew it annually.” Or, if not yet: “We’re working towards it — here’s where we are.”
A bad answer sounds like: “What’s that?”
2. “What about DMARC?”
This one trips people up because the name sounds technical. It isn’t, really.
Imagine someone prints business cards with your name and company logo, then walks around town pretending to be you. That’s email spoofing — and it’s exactly what fraudsters do when they send fake invoices that look like they came from your address. DMARC is a record you publish for your domain (in its DNS) that tells the mail servers receiving your email, “If a message claims to be from us but didn’t actually come from our servers, throw it away.”
Big clients ask about DMARC because they’ve been on the receiving end of fake invoices, fake purchase orders and fake “the CEO needs this paid urgently” messages. If your domain is wide open, it’s a liability for them, not just for you.
A good answer sounds like: “Yes, our domain is set up with DMARC. We can share the report if you’d like.”
You don’t need to know how the plumbing works. You just need to know it’s switched on.
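For anyone who does want to peek at the plumbing, here is an added example (not part of the original post) in Python: a small checker that reads the DMARC record a domain publishes as the TXT entry at _dmarc.yourdomain and says whether it actually enforces. Only p=quarantine or p=reject cause spoofed mail to be held or dropped; p=none just monitors, so a domain can "have DMARC" and still be wide open. The two records and example.com below are constructed samples.

```python
# Added example: a small checker for the DMARC record a client might ask to see.
# The record is the TXT entry published at _dmarc.<your-domain>; the records
# here are constructed sample strings (example.com is a placeholder).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required tag p= is missing")
    return tags

def assess_dmarc(record: str) -> dict:
    """Return whether the record actually enforces, plus plain-English issues."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"policy": None, "enforcing": False, "issues": [str(exc)]}
    issues = []
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        issues.append(f"unknown policy {policy!r}; receivers treat it as none")
        policy = "none"
    if policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    if pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        issues.append("no rua= address: nobody receives the aggregate reports")
    if "sp" in tags and POLICY_RANK.get(tags["sp"].lower(), 0) == 0:
        issues.append("sp= explicitly leaves subdomains unprotected")
    enforcing = POLICY_RANK[policy] > 0 and pct == 100
    return {"policy": policy, "enforcing": enforcing, "issues": issues}

# Constructed records: the monitoring-only setup beside the enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
```

Running assess_dmarc on a live domain only needs the TXT lookup for _dmarc.yourdomain pasted in as the record string; the "issues" list is the part worth showing a client.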
3. “How do you handle our data?”
This is the one that feels the vaguest and turns out to be the most important. The client wants to know three things in particular:
- Where their data sits (on a laptop? in the cloud? whose cloud? which country?)
- Who in your team can see it
- What happens to it when the project ends
You don’t need a 40-page policy. You need to be able to answer those three questions confidently. The clients who get nervous are the ones who get a different answer every time they ask — “oh, that’s on Mark’s laptop, actually” — because that signals nobody is really in charge of it.
If you’re already using Microsoft 365 or Google Workspace sensibly, with access controlled by role and shared drives instead of personal accounts, you’re most of the way there. The conversation is about being able to describe what you do.
4. “Are you ISO 27001 certified?”
ISO 27001 is the heavyweight cousin of Cyber Essentials. Where Cyber Essentials is “you’ve locked your doors,” ISO 27001 is “you have a documented, audited system for how you manage all the risks in your business, and you review it regularly.”
It’s a serious commitment — usually six to twelve months of work, ongoing cost, and an external auditor poking around once a year. Not every small business needs it. But once you start selling to banks, insurers, large healthcare organisations, or government, it stops being optional.
A good answer sounds like: “We’re not ISO 27001 certified, but we work to its principles and we hold Cyber Essentials.” Or, if you genuinely have it: “Yes, certified since [year]. Happy to share the certificate.”
What a big client doesn’t want is bluffing. If they’re ISO certified themselves, they will know within thirty seconds whether you actually are.
5. “What happens if you have a breach?”
This is the question people most want to avoid thinking about, which is exactly why clients ask it. They want to know that if something goes wrong, you’ve thought about it in advance — not that you’ll panic and tell them three weeks later.
A sensible answer covers four things:
- You’d know quickly that something had happened (because someone is watching)
- You’d contain it fast
- You’d tell the people who need to know, including the client, within a defined window — usually 24 to 72 hours
- You’d report it to the ICO if personal data was involved
This isn’t about having a 50-page incident response plan. It’s about being able to say, “If something happened on a Friday night, here’s who picks up the phone and here’s roughly what happens in the first 24 hours.”
What this all adds up to
None of these five things requires you to become a security specialist. What they do require is honesty and a bit of preparation. The clients asking these questions aren’t trying to catch you out — they’re trying to protect themselves, and they need to know you’ve done the basics.
If you can walk into the meeting and say, in plain English, “Yes we have Cyber Essentials, our email is locked down, here’s how we handle your data, we work to ISO principles, and here’s what happens if something goes wrong” — you’ve already done better than most of the suppliers they’ll meet this quarter.
And if any of those five answers makes you wince a little, that’s useful information too. It tells you exactly where to spend your next bit of effort before the contract conversation gets serious.