What is a SIG Questionnaire?
The Shared Assessments Standardized Information Gathering (SIG) questionnaire is a standardized security risk assessment tool used to perform an initial assessment of vendors and other third parties. The comprehensive set of questions span 18 risk domains and provides a holistic risk management assessment of cybersecurity, IT, privacy, data governance and business resiliency.
The SIG functions as a questionnaire management tool that allows you to build, customize, analyze and store assessment questionnaires all in one place.
Shared Assessments follows the “Trust, but Verify” philosophy, with the SIG being the “trust” portion.
What is a security assessment questionnaire?
The SIG is a security assessment questionnaire: a set of standard questions sent to vendors with the purpose of discovering their risk posture across various risk domains. The outsourcer gathers the vendors’ security policies and procedures in order to discover any discrepancies.
Who created the SIG questionnaire?
The SIG questionnaire was created and is continually updated by Shared Assessments. That’s us! Shared Assessments is a membership based organization of over 300 industry members across various industries and with different roles in the third party risk community. Our members help inform and vet the questions in the SIG.
Shared Assessments has been serving third party risk professionals since 2005 with best practices, certifications, solutions, networking opportunities and third party risk tools such as the SIG.
What is a shared assessment?
The term “shared assessment” was born out of the need to create efficiencies when assessing vendors and is the origin of our program name – Shared Assessments. The idea was to complete once and share many times, since the outsourcers (banks at the time) used the same vendors and needed the same security questions answered.
Why was the SIG questionnaire created?
The Standardized Information Gathering (SIG) questionnaire was created to help outsourcers manage third party risk, including cybersecurity risk, operational risk, data governance risk and supply chain risk, among others.
Shared Assessments was formed in 2005 when five large banks, the big four consulting firms and several critical vendors came together in an effort to standardize risk assessment questionnaires and create industry-wide efficiencies. Thus, the Shared Assessments membership program, and the tools we develop, were born.
The Shared Assessments SIG exists not just to drive efficiency, but to reduce risk in third party relationships. A majority of data breaches involve third parties. “It’s increasingly understood that third party IT security risks can cause millions of dollars in loss and damage, and often unmeasurable harm to an organization’s reputation,” said Catherine Allen, Chairman and Founder of The Santa Fe Group, managing agent of Shared Assessments.
The SIG has evolved with the changing risk landscape and today is used as a cross-industry standardized tool. The SIG questionnaire is also integrated into the software of over 30 technology partners.
Is the SIG questionnaire free to download?
The SIG is not free to download and requires agreement with terms and conditions. The SIG is freely available to all members of Shared Assessments in good standing. The SIG can also be used through an annual subscription.
Is there a SIG how to guide?
The SIG download comes with help and other implementation tools including the SIG Getting Started Guide, SIG Implementation Checklist and the SIG Documentation Request List.
Where can I download a SIG Questionnaire?
The SIG requires agreement with terms and conditions as well as a subscription or membership. The SIG is freely available to all members of Shared Assessments in good standing. The SIG can also be used through an annual subscription.
What is the SIG Content Library?
The SIG functions as a questionnaire management tool that allows you to build, customize, analyze and store assessment questionnaires all in one place. The SIG Content Library houses over 1600 questions and can grow to accommodate new regulations and specific industry needs.
The Content Library contains mappings from many of the questions to the most applicable standard controls, frameworks and regulations such as NIST, ISO, GDPR, CCPA and more.
What is a SIG LITE questionnaire?
The SIG LITE questionnaire is designed to provide a broad, but high-level understanding about a third party’s internal information security controls. This level is for organizations that need a basic level of assessment due diligence. It can also be used as a preliminary assessment before a more detailed review.
What is a SIG CORE questionnaire?
The Standardized Information Gathering (SIG) Core questionnaire is designed to assess third parties that store or manage highly sensitive or regulated information, such as payment card information or genetic data. This tool is meant to provide a deeper level of understanding about how a third party secures information and services. It is meant to meet the needs of almost all third-party risk assessments, based on industry standards.
What is the difference between a SIG Lite and SIG Core Assessment?
The SIG LITE is a set (for SIG 2021) of just over 300 questions designed to give a basic level assessment due diligence. This can be used for an initial assessment or for less critical vendors. The SIG CORE addresses 1,000+ questions (for SIG 2021) and is considered a comprehensive, risk-based assessment of a service provider.
Who uses the SIG questionnaire?
Thousands of companies across industries use the SIG. Shared Assessments’ members all have access to the SIG, but many more companies use the SIG through independent purchase or license of the tool. Still more use the SIG as a vendor responding to SIG requests from their customers.
How can the SIG questionnaire be used?
The SIG questionnaire can be used in the following ways:
- To evaluate a service provider’s or vendor’s information security controls and risk posture.
- Completed by a third party vendor to be used proactively in response to risk assessment requests, instead of completing multiple proprietary questionnaires.
- Used by a service provider as a part of due diligence or as a request for proposal (RFP) response.
- Used by an organization for self-assessment of security posture.
- Incorporated as standardized content in a GRC or third party risk management software platform.
How often is the SIG questionnaire updated?
The Standardized Information Gathering (SIG) questionnaire is updated at least annually to accommodate changing regulations, emerging threats, and new frameworks and standards.
The 2021 SIG addressed increasing threats and operational risks that emerged with the pandemic – major shifts to work-from-home security and availability issues, vendor stability and socioeconomic uncertainty. The 2021 SIG expanded controls around resilience, privacy, data governance, data loss and remote risk. The SIG, and the entire toolkit, was updated to allow more automation and collaboration among teams.
How is the SIG questionnaire different from other vendor risk assessment questionnaires?
The SIG is an industry standard questionnaire that distinguishes itself from other questionnaires in several ways:
- It is backed up by 15 years of experience, and continually vetted and improved through our industry member involvement, taking into account frameworks, regulations and relevant experience.
- The SIG content library is inclusive of other frameworks and regulations such as NIST and ISO, as well as more industry-specific regulations.
- The SIG is more than a questionnaire – it is a tool to help scope, assess and evaluate vendor risk.
What is in the Shared Assessments (including the SIG) Toolkit?
The SIG is just one of the tools in a larger suite of third party risk management tools that allows risk practitioners to manage the entire third party risk management assessment cycle. The toolkit includes:
- Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools: Evaluates third party risk assessment programs against a comprehensive set of more than 200 best practices. VRMMM Benchmark Tools are free and available at: sharedassessments.org/vrmmm.
- Standardized Information Gathering (SIG) Questionnaire Tools: Employs industry best practices for gathering and assessing 18 critical risk domains. The SIG serves as the “trust” component for outsourcers who wish to use industry-vetted questions on a service provider’s controls.
- Standardized Control Assessment (SCA) Procedure Tools: Assists risk professionals in performing onsite or virtual assessments of vendors. This is the “verify” component of third party risk programs.
- Third Party Privacy Tools: Built to track requirements from various privacy regulations, including CCPA. The Target Data Tracker (TDT) serves as a project management tool that streamlines the collection of information for data flows and third party disclosures. The free Target Data Tracker is available at: sharedassessments.org/privacy-tools.
Why should you consider using security ratings alongside the SIG questionnaire?
The SIG can certainly be used as a standalone tool, but adding security ratings can make the use of the SIG more effective and efficient. Some organizations use data from security ratings to help narrow and target the areas that are weak and then scope a SIG accordingly. Security ratings can be used in this way prior to an RFP or when onboarding vendors.
Third Party Risk Management Tools for Risk Management Professionals
Shared Assessments’ thought leaders develop best practices based resources, including tools that are:
- Consistent, robust and cost-effective
Our tools help organizations better manage third party risk, using controls for cybersecurity, IT, privacy, data security and business resiliency. Program Tools are kept current with industry needs, regulations and the threat environment.