Select Page



This is a quick reference guide. For more information and detailed instructions, use the How To Guide provided with the SIG. If you need a How To Guide, please email


Q1. How do I unlock the SIG Workbook?

Contact for instructions on how to unlock the SIG.

Q2What if my organization wants to perform a self-assessment? Where do I begin?

To perform a self-assessment, follow the instructions for an Outsourcer in the FOR THE OUTSOURCER: GETTING STARTED section in the SIG How To Guide. Send the scoped SIG to the person or staff within your organization who will provide the responses. We recommend that you draft an introduction email that contains details regarding the purpose and intended use of the SIG, detailed instructions on the process for completion and the required turn-around time.

Q3. Is the SIG workbook available in other formats besides Microsoft Excel, like XML?

The Shared Assessments Program only provides the SIG in Microsoft Excel at this time.

Q4. How do I remove or hide questions or other information I do not need?

You cannot delete or hide questions in the SIG. The SIG has macros embedded into the workbook which will break if you attempt to hide rows and columns.

The first step is to use the Scoping features on the SIG Creation tab to reduce the unneeded questions. If, after scoping a SIG there is not enough granularity, use the control categories and subcategories on the SIG Creation tab to reduce or refine the scope by deselecting the categories or subcategories that do not pertain to the services being assessed. You can also remove individual questions on the Content Library tab if there are still questions that you do not need to be sent to a service provider. Please review the SIG How to Guide to use this functionality.

Q5. Can I change the wording of a question?

According to the Terms of Use, questions may not be edited without written permission from The Santa Fe Group, Shared Assessments Program. Custom questions can be added to the Content Library.

Q6. Can I remove or hide tabs in the SIG?

A SIG tab be created with entire tabs or domains not included. Refer to the SIG How to Guide under Custom Scoping.


Scoping a SIG

Q7. What is ‘Scoping’ and how do I do it?

The term scoping is used to describe the act of creating a SIG questionnaire by choosing the type and level of questions that are appropriate to your assessment requirements. In the 2019 SMT, this is a REQUIRED step when creating a new SIG. To use the Custom Scoping functions, refer to the SIG How to Guide. There is also a short video which briefly explains the Scoping feature.

Q8. How do I know which SIG to choose?

When creating a SIG, the basic scoping will allow you to create either a SIG CORE or a SIG LITE. 

LITE:  Designed to provide a broad but high-level understanding about an Assessee’s internal information security controls. This level is for Assessees that need a basic level of due diligence. It can also be used as a preliminary assessment before a more detailed review.

CORE: Designed for assessing service providers that store or manage highly sensitive or regulated information, such as consumer information or trade secrets. This level is meant to provide a deeper level of understanding about how a service provider secures information and services. It is meant to meet the needs of almost all assessments, based on industry standards.

Custom Scoping allows you to create a SIG with any questions from the content library.

Q9. Can I add additional questions?

Additional questions can be added during the scoping phase of the SIG creation with questions from the standard SIG Content or if you have any custom questions, they can be added to the Content Library tab to be included in a created SIG.  See the SIG How to Guide for Instructions on adding individual questions from the standard SIG Content or custom questions.


Master SIG

Q10. What is a Master SIG and how do I create one?

A Master contains the completed SIG questions and answers that an Assessor expects to receive from an Outsourcer. The Master SIG serves as the answer key against which an Assessee’s SIG responses are assessed. In the 2019 SIG, the Master responses are located on the Content Library tab.  Please see the SIG How To Guide to create a Master answer key.

Q11. Can I assign custom scoring values to the questions?

Yes. To add optional scoring values to a Master answer key, go to the Content Library tab and add the custom values in the Optional Scoring column.


SIG Management

Q12. Is there a way to transfer my responses from an earlier version of the SIG to the latest version of the SIG of SMT?

To transfer responses from one SIG to another or SMT, you can use the Migrate function on the SIG Management tab. Older versions of a completed SIG may be transferred to newer versions; and newer versions may be transferred to older versions. This function allows:

  • The user to transfer responses from a Master SIG to the SMT or a standalone SIG
  • The user to transfer responses from a previously completed SIG when a new version is released
  • A user who receives a SIG that is a different version than that of the Master, to transfer the responses from their Master to match the version received from the Assessee or vice versa.

The transfer responses function will work between any versions of the SIG back to Version 3.1.

For step-by-step instructions on how to use the Migrate function in the SIG Management tab, go to the Transfer Responses Function section of the SIG How To Guide.

Q13. I’m getting an error message when I use the Transfer Responses function in the SIG Management Tool. How do I fix it?

The SMT detects several errors and will notify you of the issue.  However if you receive a VBE error, please email


Regulation References

Q14. Where can I find regulatory references, particularly the European Union General Data Protection Regulation (GDPR)?

These references can be found on Content Library tab. The SIG is reviewed, updated and revised annually, mapping questions to industry regulations, guidelines and standards. These regulations and guidelines include several from the National Institute of Standards and Technology (NIST), the Federal Financial Institutions Examination Council (FFIEC) and the International Standards Organization (ISO). They also include specific regulations and guidelines, such as: COBIT 4.1.; U.S. Department of Health and Human Services Health Insurance Portability and Accountability Act (HIPAA); Payment Card Industry (PCI); and the EU General Data Protection Regulation 2016/679 (GDPR), which has an effective date of May 2018.