We interact with current and prospective users of the Standardized Information Gathering Questionnaire (SIG) on a daily basis. Something we’ve both observed is segmentation in how Outsourcers and Vendors are using the SIG. We see organizations using the SIG as a Vendor Assessment (Outsourcers) or as a Response Document (Vendors) – but very often, not for both functions. Yet, most organizations are both Outsourcers and Vendors – it’s what makes the world go round.
In this blog post, we briefly review the SIG use case for Outsourcers and the separate SIG use case for Vendors. Through this exercise, we want to further the idea that you can use the SIG for both functions within your organization!
The SIG acts as a bridge between vendors and outsourcers, offering value to both parties in managing third-party risk. Outsourcers use the SIG to assess their existing and prospective service providers, while vendors use the SIG to respond to these same customers. In this way, the SIG Questionnaire creates a common language for both vendors and outsourcers. The SIG streamlines the risk management process, promotes transparency, and ultimately fosters a more secure third-party ecosystem.
Role In Risk Management: An outsourcer is a company that hires an external provider to handle tasks or create goods.
Focus: Assessing a vendor’s ability to meet security requirements.
Goal: Outsourcers are Senders of the SIG. They use the SIG to assess their service providers (or a prospective service provider’s organization) as part of their third-party risk management (TPRM) program.
Key SIG Functionalities: License/pay annually, send unlimited questionnaires out to vendors across your portfolio!
Role In Risk Management: Third-party company providing goods or services to outsourcing organizations. These vendors encompass a wide range of entities, including IT service providers, software vendors, data security firms, manufacturers, consultants, and suppliers.
Focus: Proving the ability to meet a customer’s internal controls, security policies, and data handling practices.
Goal: Vendors are Respondents to the SIG. Use the SIG to proactively assist your customers with their third-party management of your organization as their service provider or prospective service provider. Demonstrate security posture and compliance. Having a SIG response on-hand for your customers and prospects drives efficiency and time-savings.
Key SIG Functionalities: License/pay annually, then complete and share with many!
By leveraging the SIG for both Vendor Assessments and Responses, organizations can save time and resources, improve communication with vendors, and ultimately build a more secure third-party ecosystem.
If your organization already licenses the SIG, check in with other departments or counterparts to see if they could benefit from product use, too!
Ready to streamline your TPRM program? Download our free Guide To Using The SIG or connect with us to learn more about how your organization can use the SIG.