
The 2025 Standardized Information Gathering Questionnaire (SIG): Rise Above Risk

Remember, we turn our clocks back the first Sunday in November as we fall into fall. And, we upgrade to the newest SIG the first Thursday in November as we rise above risk!

Every year, Shared Assessments updates its tools for the third-party risk management lifecycle, including the Standardized Information Gathering (SIG) Questionnaire.

Our talented product team works alongside practitioners and industry experts within our member community to refresh SIG content based on emerging global risks, regulations, guidelines, and standards across a wide range of industries. Since its inception, the SIG has been built by risk management practitioners for risk management practitioners, and it remains the industry standard.

“The SIG Questionnaire is the number one tool that everybody in Risk Management uses. No questions asked!”

What Does The 2025 SIG Questionnaire Do?

The SIG Questionnaire is used to evaluate the risk controls of an organization’s vendors and service providers. Using the SIG helps organizations cover a wide breadth of risk areas across their vendor portfolios. Some organizations use the SIG as a starting point, customizing the SIG to fit their specific assessment needs. Organizations also use the SIG to evaluate their internal risk management controls, often using the result to demonstrate their risk posture to their own prospective customers.

The SIG Manager is the engine of the SIG product, giving users the ability to perform various SIG operations. These operations include the scoping and configuration of SIG Questionnaires to send out to vendors.

The SIG Manager provides two pre-configured questionnaires (the SIG Lite and the SIG Core). The SIG Manager gives users the ability to easily create customized assessments based on regulation or risk domain. (SIG Lite, SIG Core, regulations and risk domains are described in more detail later in this post.)

The SIG Manager automates the creation and analysis of SIG responses, allowing users to maintain SIG data. This brings efficiency to the assessment process.

Risk Domains In 2025 SIG Questionnaire

Risk domains are focus areas that guide Third-Party Risk Management (TPRM) programs.

Risk domains are used to scope questionnaires or to frame the controls that should be evaluated during a third-party risk assessment. The SIG includes 21 of the most current and critical risk domains, with corresponding controls, grouped into four key control areas: Governance & Risk Management, Information Protection, IT Operations & Business Resilience, and Security Incident & Threat Management.

For a detailed review of the 21 risk domains covered by the SIG, see our Guide To Risk Domains.

Regulatory Updates To 2025 SIG Questionnaire

This year brings the addition of significant frameworks to the SIG. These frameworks include the Digital Operational Resilience Act (DORA), the Network and Information Security Directive 2 (NIS2), and the NIST Cybersecurity Framework (CSF) 2.0. By incorporating these frameworks, the SIG offers a more thorough assessment of vendor cybersecurity and, by extension, supports your organization's resilience. Identify areas of concern in your third parties' security profiles with the SIG's new mappings to:

  • DORA, an EU-wide regulation that strengthens the financial sector's resilience to ICT and cyber threats
  • NIS2, an EU-wide directive establishing legal measures to raise the overall level of cybersecurity across the Union
  • NIST CSF 2.0, a voluntary framework of guidelines and best practices that helps organizations manage and reduce cyber risk
  • And many, many more regulations, guidelines, and standards – full list here


Functionality Updates To 2025 SIG Questionnaire

The 2025 SIG is replete with functionality updates recommended by Shared Assessments SIG users themselves.

Practitioners can now organize their workspaces with collapsible sheets, questions, and tabs, and with customizable spaces within questionnaires for additional artifact requests or notes.

Shared Assessments has added validation to the custom scoping process in the 2025 SIG. When a user selects mapping references, a validation step prevents saving a template that has too many mappings selected or no depth specified, so a misconfigured template is caught before it is sent to a vendor.

“The SIG gives us a standard approach and coverage which has been instrumental in providing the foundation for a robust third-party information security and business resilience assessment program and assess risks associated on behalf of our business partners.”

-New York Life

Question Count In 2025 SIG Questionnaire

We offer two versions of the SIG Questionnaire, which should be employed based on the level of assessment a vendor needs. These versions are the SIG Core and the SIG Lite. The primary differences are their length and the depth (or scope) of information they cover.

The SIG Lite Questionnaire provides a broad, high-level understanding of a third party's internal information security controls. The SIG Lite is for vendors that need a basic level of assessment due diligence. It can also be used as a preliminary assessment before a more detailed review. The SIG Lite 2025 has 128 questions.

The SIG Core Questionnaire is meant to assess third parties that store or manage highly sensitive or regulated information, such as personal information or other sensitive data. The SIG Core provides a deeper level of understanding about how a third party secures information and services. The SIG Core 2025 has 627 questions.

The full SIG – also called the SIG Detail – has 1,936 questions. From it you can generate SIGs based on scope (as with the Lite and the Core), regulation, control family, or risk domain.

See The 2025 SIG Questionnaire

The risk management future is now and it’s time to move on up to updated mappings and improved functionality in the 2025 SIG! Request your personalized demo here.

Or, join me for a deeper dive into updates in the 2025 SIG in my upcoming demo session Rise Above Risk: The 2025 SIG on November 7, 2024 from 11:00am – 11:30am ET – register here.