What is a SIG Questionnaire?
The Shared Assessments Standardized Information Gathering (SIG) vendor risk questionnaire standardizes the initial assessment of vendors and other third parties. The comprehensive set of questions span 19 risk domains and provides a holistic risk management assessment of cybersecurity, IT, privacy, data governance and business resiliency.
The SIG functions as a questionnaire management tool that allows you to build, customize, analyze and store assessment questionnaires all in one place.
Shared Assessments follows the “Trust, but Verify” philosophy, with the SIG being the “trust” portion.
What is a security assessment questionnaire?
The SIG is a security assessment questionnaire: a set of standard questions sent to vendors with the purpose of discovering their risk posture across various risk domains. The outsourcer gathers the vendors’ security policies and procedures in order to discover any discrepancies.
Who created the SIG questionnaire?
The SIG questionnaire was created and is continually updated by Shared Assessments. That’s us! Shared Assessments is a membership-based organization of over 300 industry members across various industries and with different roles in the third-party risk community. Our members help inform and vet the questions in the SIG.
Shared Assessments has been serving third-party risk professionals since 2005 with best practices, certifications, solutions, networking opportunities, and third-party risk products such as the SIG.
What is a shared assessment?
The term “shared assessment” was born out of the need to create efficiencies when assessing vendors and is the origin of our program name – Shared Assessments. The idea was to complete once and share many times since the outsourcers (banks at the time) use the same vendors and need the same security questions answered.
Why was the SIG questionnaire created?
The Standardized Information Gathering (SIG) questionnaire was created to help outsourcers manage third-party risks, including cybersecurity risks, operational risks, data governance risks, and supply chain risks, among others.
Shared Assessments was formed in 2005 when five large banks, the big four consulting firms, and several critical vendors came together in an effort to standardize risk assessment questionnaires and create industry-wide efficiencies. Thus, the Shared Assessments membership program, and the products we develop, were born.
The Shared Assessments SIG exists not just to drive efficiency, but to reduce risk in third-party relationships. A majority of data breaches involve third parties. “It’s increasingly understood that third-party IT security risks can cause millions of dollars in loss and damage, and often unmeasurable harm to an organization’s reputation,” said Catherine Allen, former Chairman and Founder of The Santa Fe Group, managing agent of Shared Assessments.
The SIG has evolved with the changing risk landscape and today is used as a cross-industry standardized product for assessment of third-party risk, extending into the vendor’s broader ecosystem through fourth- to Nth-party risk. The SIG questionnaire is also integrated into the software of over 30 technology partners.
Is the SIG questionnaire free to download?
The SIG is not free to download and requires agreement with terms and conditions. The SIG is freely available to all members of Shared Assessments in good standing. The SIG can also be used through an annual subscription.
Is there a SIG how-to guide?
The SIG download comes with help and other implementation guides including the SIG Getting Started Guide, SIG Implementation Checklist, and the SIG Documentation Request List.
Additionally, a new two-hour SIG Fundamentals training course is now available. Developed for novice users of the SIG questionnaire, this certificate-based training examines the organizational structure of the SIG and the key differences between a SIG Core and a SIG Lite, and provides step-by-step instructions on how to create truly custom questionnaires to fit the needs of your vendor assessments.
Where can I download a SIG Questionnaire?
The SIG requires agreement with terms and conditions as well as a subscription or membership. The SIG is freely available to all members of Shared Assessments in good standing. The SIG can also be used through an annual subscription.
What is the SIG Content Library?
The SIG functions as a questionnaire management product that allows you to build, customize, analyze and store assessment questionnaires all in one place. The SIG Content Library houses 1,855 risk control questions and can grow to accommodate new regulations, specific industry needs, and your own custom questions.
The Content Library contains mappings from many of the questions to the most applicable standard controls, frameworks and regulations such as NIST, ISO, GDPR, CCPA and more.
What is a SIG LITE questionnaire?
The SIG LITE questionnaire is designed to provide a broad but high-level understanding of a third party’s internal information security controls. The SIG Lite is for organizations that need a basic level of assessment due diligence. It can also be used as a preliminary assessment before a more detailed review.
What is a SIG CORE questionnaire?
The Standardized Information Gathering (SIG) Core questionnaire is designed to assess third parties that store or manage highly sensitive or regulated information, such as payment card information or genetic data. This tool is meant to provide a deeper level of understanding about how a third party secures information and services. It is meant to meet the needs of almost all third-party risk assessments, based on industry standards.
What is the difference between a SIG Lite and SIG Core Assessment?
The 2023 SIG LITE is a set of 126 risk control questions designed to give a basic level of assessment due diligence. It can be used for an initial assessment or for less critical vendors. The 2023 SIG CORE addresses 855 risk control questions and is considered a comprehensive, risk-based assessment of a service provider.
Who uses the SIG questionnaire?
Thousands of companies across industries use the SIG, and more than 100,000 SIGs are exchanged yearly. Shared Assessments’ members all have access to the SIG, but many more companies use the SIG through independent purchase or license of the tool. Still more use the SIG as a vendor responding to SIG requests from their customers.
How can the SIG questionnaire be used?
The SIG questionnaire can be used in the following ways:
- To evaluate a service provider’s or vendor’s information security controls and risk posture.
- Completed by a third-party vendor and used proactively in response to risk assessment requests, instead of completing multiple proprietary questionnaires.
- Used by a service provider as part of due diligence or as a request for proposal (RFP) response.
- Used by an organization for self-assessment of its security posture.
- Incorporated as standardized content in a GRC or third-party risk management software platform.
How often is the SIG questionnaire updated?
The Standardized Information Gathering (SIG) questionnaire is updated at least annually to accommodate changing regulations, emerging threats, and new frameworks and standards.
The 2023 Standardized Information Gathering (SIG) Questionnaire’s new Nth Party Domain accounts for an increasingly complex supply chain, helping users scope a SIG supply chain risk assessment with more ease and precision.
Additionally, ESG (Environmental, Social, Governance) takes a prominent role in the 2023 SIG with 131 questions in a new ESG Risk Domain allowing users to easily scope an ESG-specific SIG. Risk practitioners can use an ESG-scoped SIG to self-assess their own organization’s ESG compliance, or to assess third-party ESG risk (and use responses to assist with ESG reporting and metrics).
The 2023 SIG has received important Privacy Updates to address pending CPRA/CCPA implementation in California, as well as EU GDPR updates, the GLBA Data Safeguard ruling, and impending U.S. State Privacy laws from Colorado, Utah, Virginia, and Connecticut.
How is the SIG questionnaire different from other vendor risk assessment questionnaires?
The SIG is an industry standard questionnaire that distinguishes itself from other questionnaires in several ways:
- It is backed by 15 years of experience, and is continually vetted and improved through our industry member involvement, taking into account frameworks, regulations and relevant experience.
- The SIG content library is inclusive of other frameworks and regulations such as NIST, ISO, GDPR, and CPRA as well as more industry-specific regulations.
- The SIG is more than a questionnaire – the SIG helps scope, assess and evaluate vendor risk.
What is in the Shared Assessments (including the SIG) Product Suite?
The SIG is just one of the products in a larger suite of third-party risk management products that allows risk practitioners to manage the entire third-party risk management assessment cycle. The product suite includes:
- Vendor Risk Management Maturity Model (VRMMM) Benchmark Products: VRMMM evaluates third-party risk assessment programs against a comprehensive set of more than 200 best practices. VRMMM Benchmark Products are free.
- Standardized Information Gathering (SIG) Questionnaire Products: Employs industry best practices for gathering and assessing 19 domains of risk. The SIG serves as the “trust” component for outsourcers who wish to use industry-vetted questions on a service provider’s controls.
- Standardized Control Assessment (SCA) Procedure Products: The SCA assists risk professionals in performing onsite or virtual assessments of vendors. This is the “verify” component of third-party risk programs.
- Third-Party Privacy Products: Built to track requirements from various privacy regulations, including CCPA/CPRA and GDPR. The Target Data Tracker (TDT) serves as a project management tool that streamlines the collection of information for data flows, and third-party disclosures.
Why should you consider using security ratings alongside the SIG questionnaire?
The SIG can certainly be used as a standalone product for vendor risk assessment, but adding security ratings can make the use of the SIG more effective and efficient. Some organizations use data from security ratings to help narrow and target the areas that are weak and then scope a SIG accordingly. Security ratings can be used in this way prior to an RFP or when onboarding vendors.
Third Party Risk Management Products built for Risk Management Professionals.
Shared Assessments’ thought leaders develop best practices based resources, including products that are:
- Consistent, robust and cost-effective
Our products help organizations better manage third-party risk, using controls for cybersecurity, IT, privacy, data security and business resiliency. The Shared Assessments TPRM Product Suite is kept current with industry needs, regulations and the threat environment.