SIG Questionnaire

The Shared Assessments Standardized Information Gathering (SIG) Questionnaire allows organizations to build, customize, analyze, and store vendor assessments for managing third-party risk.

The SIG is available as a standalone product subscription and is included with all levels of Membership.

Corporate License: $6,500 / 1 Year
Corporate License: $12,300 / 2 Years

Standardized Information Gathering (SIG) Questionnaire

The SIG is a configurable solution that enables the scoping of diverse third-party risk assessments from a comprehensive set of questions for assessing third-party or vendor risk. The Shared Assessments SIG was created by leveraging the collective intelligence and experience of our vast and diverse member base. It is updated every year to keep up with the ever-changing risk environment and priorities.

 

Direct Mappings:

Widely Accepted Regulations, Frameworks and Industry Guidance

The SIG aligns with the most updated domestic and international regulatory guidance and industry standards for risk management. Since its inception, the SIG has been regularly updated for emerging global risks, regulations, guidelines, and standards for a wide range of industries.


Technology Standards & Frameworks

Shared Assessments SCA 2024

ISO 27001:2022

ISO 27002:2022

ISO/IEC 27701 PIMS A 2019

NIST Artificial Intelligence 100-1 2023

NIST SP-800-161r1 2022

NIST SP-800-53r5 Sep 2020

NIST Cybersecurity Framework Apr 2018

NIST Privacy Framework Jan 2020

Cybersecurity Maturity Model Certification (CMMC) 2.01 2021

CIS Critical Security Controls v8 2021

NIST CSF 2.0

NIS2 Directive

Regulations, Statutes & Laws

EBA Guidelines on Outsourcing Arrangements Feb 2019

EU GDPR 2016/679

FedRAMP May 2021

German Supply Chain Due Diligence Act

HIPAA Administrative Simplification Mar 2013

NYDFS 23 NYCRR 500 Mar 2017

Digital Operational Resilience Act (DORA)

Industry Sector Guidance

CSA CAIQ 3.1, 2020

CSA Cloud Controls Matrix v4, 2021

ISA 62443-4-1 and 4-2, 2018

NERC Critical Infrastructure Protection (CIP), 2020

PCI DSS V4.0

CMMC 2.0

CIS Controls v8

New York DFS’s Climate Guidance

Interagency Guidance on Third-Party Relationships

Regulatory Audit/Exam & Guidance Frameworks

FFIEC CAT Tool May 2017

FFIEC IT Exam Handbook: AIO Jun 2021

FFIEC IT Exam Handbook: Business Continuity Nov 2019

FFIEC IT Exam Handbook: Mgmt Nov 2015

FFIEC IT Exam Handbook: Outsourcing Jun 2004

Interagency Guidance on Third-Party Relationships

Learn about the regulations, standards, and guidelines to which the SIG currently (and historically) maps here >>

What’s Included In The SIG Questionnaire?

After purchasing the SIG, you will be able to immediately download the product and supporting materials.

Learn more about which SIG you should use when scoping vendor risk questionnaires.

SIG Product

The SIG product itself (includes the SIG Manager). 

SIG User guide

The SIG User Guide provides a summary of the action steps to create, analyze and manage SIG questionnaires.

SIG Manager Enhancement Document

This document covers the changes and revisions to the most recent version of the SIG. 

SIG Version Delta

A workbook listing versions of the SIG from 2008 onward displaying the associations between question numbers, serial numbers, and identifying if a question is new or has been retired. 

SIG Fundamentals Training

A 2-hour basic training on how to use the SIG to create questionnaires is included with SIG subscriptions and Shared Assessments memberships. Navigate here to learn more or to register for the training.

21 Risk Domains

The SIG measures security risks across 21 risk control areas, or “domains”, within a service provider’s environment.

  • Access Control
  • Application Security
  • Artificial Intelligence (AI)
  • Asset and Information Management
  • Cloud Hosting Services
  • Compliance Management
  • Cybersecurity Incident Management
  • Endpoint Security
  • Enterprise Risk Management
  • Environmental, Social, Governance (ESG)
  • Human Resources Security
  • Information Assurance
  • IT Operations Management
  • Network Security
  • Nth Party Management
  • Operational Resilience
  • Physical and Environmental Security
  • Privacy Management
  • Server Security
  • Supply Chain Risk Management (SCRM)
  • Threat Management

Looking for more details on Risk Domains covered by the SIG?

Check out our Guide To Risk Domains.

SIG Frequently Asked Questions

SIG Advanced Functionality

If I choose to exclude a question from the Content Library, would all the other questions related to it be excluded as well?

No. Choosing to exclude one question does not mean related questions will not apply. See page 21 in the 2024 SIG Manager/SIG Questionnaires User Guide.

What is a Control Family and how is it used?

A Control Family is a scoping method used to classify risk types and the way organizations control them. Control Families are at a program level and describe controls as a function or action. See page 19 in the 2024 SIG Manager/SIG Questionnaires User Guide.

What are Control Attributes?

The Control Attribute is associated with the question in the Content Library. It aligns with Control Families that identify potential control elements or artifacts that enable evidence of the control. See page 19 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Can I add additional questions outside the Content Library inventory?

Yes. Up to 100 additional Custom questions can be added below the Content Library questions during the scoping phase of the SIG template (Domain Z: Additional Questions). After adding these custom questions to the Content Library worksheet, they will be included in the custom-scoped template and, thereafter, in the Questionnaire you create from that template. See page 41 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Can I exclude questions that I don’t need for my risk assessment?

Yes. Column A in the Content Library allows you to manually Include and Exclude questions that do not meet the requirements of your assessment. See page 42 in the 2024 SIG Manager/SIG Questionnaires User Guide.

What is a Response Template?

A Response Template is used to enter responses to questions (and other relative details such as Scoring) that an Outsourcer (as an Assessor) expects to receive from a Third-Party Service Provider. The Template would then be used to compare responses from a Service Provider’s SIG Questionnaire. A Response Template can also be used by a Service Provider to proactively fill in responses and all related details to send to the Outsourcer. See page 25 in the 2024 SIG Manager/SIG Questionnaires User Guide.

How do I compare the data in a returned SIG Questionnaire?

Compare SIG Data is available in its own section within the SIG Manager. You may Compare a received SIG Questionnaire to your Response Questionnaire or Compare a received Questionnaire to your Response Template (requires that a Response Template be created and saved first). See page 29 in the 2024 SIG Manager/SIG Questionnaires User Guide.

How do I gather responses from subject matter experts in our organization?

You may create one or more Subject Matter Expert (SME) SIG Questionnaires using saved SIG Scoping Templates (for the scope level) and Response Templates (to include any responses, comments, notes, or additional information you may have added in the Content Library). Thereafter, you can send the Questionnaire to SMEs in your organization—internal use only. See page 26 in the 2024 SIG Manager/SIG Questionnaires User Guide for further details.

How do I upload SME SIG responses into the SIG Manager?

When the Questionnaire is returned, you will use the Append function in the Recall/Modify Template section on the SIG Manager worksheet. See page 27 in the 2024 SIG Manager/SIG Questionnaires User Guide for further details.

What is Tab Automation used for within the SIG Questionnaire?

The Tab Automation feature is available within a SIG Questionnaire on the SIG 2024 or individual Domain worksheets. It is Enabled by default to activate the dynamic function of the primary (parent) and subsidiary (parent/child/grandchild/great-grandchild) questions at all levels. See page 37 in the 2024 SIG Manager/SIG Questionnaires User Guide for further details.

Are the Shared Assessments Products available in multiple languages?

The only products available in languages other than English are related to the SIG. They are questionnaires and are not full translations, as only the questions have been translated. It’s worth noting that these translations were not verified by Shared Assessments, meaning that they can’t be guaranteed. If you require a translated product, please get in touch with the Product Support Team at https://sharedassessments.org/product-support-center/, and someone will contact you.

How do I protect the SIG Questionnaire workbook before sending it to a Third-Party Service Provider or Outsourcer?

The SIG Questionnaire workbook is already password-protected. However, to prevent changes to values that have been entered, please contact the Product Support Team at https://sharedassessments.org/product-support-center/, and someone will contact you.

How can I obtain the SIG Manager Product password?

Modifications outside the intended use of any Shared Assessments Product may not be made without the express written consent of Shared Assessments LLC. This includes but is not limited to the adding, removing, or reformatting of the cells, rows, columns, or tabs within each product.

What types of Product training and personalized assistance do you offer?

You may request to join a live demonstration or take the SIG Fundamentals course using the links below. A written reference is the 2024 SIG Manager/SIG Questionnaires User Guide with supplemental documents provided in your download after purchase.

Do you offer free usage of your Products for educational purposes?

No. Products are provided to Members, Subscribers, and via a license (Licensee). Refer to the Copyright tab on the SIG Manager Product.

SIG Regulations, Standards, Frameworks, References

Can I map to another regulation that is not showing in the SIG Manager?

Yes. You can add up to two Custom Policies to the Content Library. When selecting the four Mapping References you wish to identify in your Custom SIG Scoping Template and related Questionnaire, you may check off those boxes on the SIG Manager worksheet before you save the Template. See page 43 in the 2024 SIG Manager/SIG Questionnaires User Guide for further details.

SIG Basic Functionality

What is the SIG Manager?

The SIG Manager is the engine of the Product with the functionality to perform Standardized Information Gathering (SIG) operations. Built within the MS Excel spreadsheet application, it allows users to create, customize, store, compare, and recall customized templates as well as manage SIG data. See page 2 in the 2024 SIG Manager and Questionnaires User Guide.

What is a SIG Questionnaire?

The SIG Questionnaire is the Excel document created by the SIG Manager from the stored template. You may create a Questionnaire from a Standard SIG Scoping Template or customize your own Template (Custom SIG Scoping Template) and create a Questionnaire. See page 2 in the 2024 SIG Manager and Questionnaires User Guide.

The SIG Manager was downloaded, so how do I get started?

Since SIG Manager operates within Excel, there may be security measures in your organization’s shared environment. Move the Product to a local environment. When you open the SIG Manager, enable content and editing when prompted. Start with page 3 in the 2024 SIG Manager/SIG Questionnaires User Guide for complete instructions.

Why do I need to enter my company name?

Access to the SIG Manager Product is licensed to Product Subscribers and Members. Entering a company name enables the functionality of the Product. Moreover, it is the company name you enter that will transfer to each worksheet within the SIG Manager, and each document you output. See the Copyright tab on the SIG Manager for more information, and page 3 in the 2024 SIG Manager/SIG Questionnaires User Guide.

May I change the Company Name?

Yes. There is a button to “Change Company Name” on the Common Options worksheet in Column B. Save appropriately. See page 25 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Why am I getting a message about macros?

Macros are necessary to run the SIG Manager Product. Check with your organization’s IT Security team. Ensure that the Product has been moved to a secure but local environment. See page 11 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Will the SIG Manager function properly if macros are disabled?

No, the SIG Manager requires macros to function properly.

Will the SIG Questionnaire function properly if macros are disabled?

Yes, macros are not required for the completion of a Questionnaire. However, with macros disabled, the SIG 2024 or Domain worksheet(s) will display all questions, including those that may not apply to the scoped services. The ‘Jump To’ and ‘Export JSON’ functionalities will also not work if macros are disabled.

After creating a SIG scoping template, can I rename it?

Yes. The Recall/Modify function allows you to save a template under the same or a different name. See page 23 in the 2024 SIG Manager/SIG Questionnaires User Guide.

How do I download the most recent version of the SIG Manager?

You will receive instructions with your Membership or Product Subscriber purchase, associated with your new login to the website. Any new versions of the Product are posted on the website. On the Member Portal, scroll down to the Products section, and download from there.

How do I upgrade from a previous SIG Manager Product to a more current version?

On the SIG Manager worksheet, click Upgrade in the Manage SIG Data section (Line 21) and select the file to upgrade from, then click Open. This action will take all information saved in the previous version and transfer it to the updated version (e.g., custom templates, response templates in the Content Library, etc.) See page 31 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Is there a way to transfer my responses from an earlier version of a SIG Questionnaire to the latest version of the SIG Questionnaire?

Yes. You can transfer responses from any version of the SIG Manager back to version 2021 using the Migrate function within the Manage SIG Data section of the SIG Manager. You need an answered SIG Questionnaire as a source file, and another SIG Questionnaire as a destination file to migrate. See page 32 in the 2024 SIG Manager/SIG Questionnaires User Guide for further instructions.

Is the SIG Manager available in other formats besides Microsoft Excel, such as XML?

The Shared Assessments Program currently provides the SIG Products only for user interfaces in Microsoft Excel. The SIG Manager can export custom-scoped and response templates in a standardized technical format called “JSON” (JavaScript Object Notation) that is recognized by various types of software and interfaces. See page 32 in the 2024 SIG Manager/SIG Questionnaires User Guide.

What is “Scoping” and how do I do it?

Scoping is the act of configuring or creating a SIG Template by choosing the type and level of questions that are appropriate to your assessment requirements. You must scope or create a SIG Scoping Template before you can save it or use it to generate a Questionnaire. See page 8 in the 2024 SIG Manager/SIG Questionnaires User Guide.

How do I know which scope level of a SIG to choose for my assessment?

The level of SIG to choose is based on the depth and breadth of due diligence you need based on the third-party risk rating and vendor classification. Two default Standard SIG Scoping Templates are provided. The SIG Lite provides a foundation of low-risk level questions for third parties, while the SIG Core provides a comprehensive set of questions for third-party service providers that pose a higher risk. See page 8 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Is there a case where a Service Provider would need to respond to all the questions in the Content Library?

Not typically. The SIG Content Library provides an inventory of vetted questions that are available for Outsourcers to choose from when scoping a detail-level risk assessment for a Service Provider, or “deep-dive” assessment on a specific industry sector topic. Detailed scope-level questions are not included in Standard SIG Questionnaires since they are designed for more customized assessments. See page 5 in the 2024 SIG Manager/SIG Questionnaire User Guide.

Can I change the wording of a question?

No. According to the Shared Assessments Terms of Use, questions may not be edited without written permission. However, custom questions can be added. The SIG Manager allows you to add up to 100 custom questions within the Content Library for inclusion in your custom-scoped Questionnaires. See page 41 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Can I move or remove tabs, worksheets, columns, or rows in the SIG Manager or SIG Questionnaire?

It is not possible to move or remove anything in the SIG Manager Product: it is password-protected to maintain the integrity of the Product, and this is subject to the Terms of Use. You may, however, hide and unhide columns and rows on the Questionnaire, but the recipient of that document will be able to unhide them at any time. See page 13 in the 2024 SIG Manager/SIG Questionnaires User Guide.

When creating a Custom SIG Scoping Template what formats are available?

You may create your Custom SIG Scoping Templates with single or multi-worksheet formats and generate Questionnaires from them. Standard SIG Scoping Templates create Standard SIG Lite and Standard SIG Core Questionnaires with a single worksheet format only. See page 17 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Can I choose different scope levels when custom-scoping a template, such as for Risk Domains or Control Families?

Yes. You may choose any number of Risk Domains or Control Families that meet the needs of the assessment, whether you are an Outsourcer preparing to send a risk assessment to a Third-Party Service Provider or a Service Provider preparing an internal assessment to send to the Outsourcer. You may also mix scope levels (Lite, Core, Detail) for each Domain or Control Family. See page 17 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Why can’t I choose more than four mapping references for scoping?

The SIG Questionnaire cannot accommodate more than four mapping references at this time, due to space limitations in Excel. For more information on Mapping References, see page 17 in the 2024 SIG Manager/SIG Questionnaires User Guide.

Which SIG Should I Use?

The SIG Questionnaire is used to evaluate the risk controls of an organization’s vendors and service providers. We offer two preconfigured, templated versions of the SIG Questionnaire, the SIG Lite and the SIG Core, which should be engaged based on the level of assessment a vendor needs. The primary differences between the two SIG templates are length and depth of information covered. The SIG also offers an option for users to create a customized SIG by regulation, risk domain, or control family. Read more about which SIG best fits your program needs here.