

This is a quick reference guide. For more information and detailed instructions, use the How To Guide provided with the SIG. If you need a How To Guide, please email


Q1. How do I unlock the SIG Workbook?

Contact for instructions on how to unlock the SIG.

Q2. What if my organization wants to perform a self-assessment? Where do I begin?

To perform a self-assessment, follow the instructions for an Outsourcer in the FOR THE OUTSOURCER: GETTING STARTED section in the SIG How To Guide. Send the scoped SIG to the person or staff within your organization who will provide the responses. We recommend that you draft an introduction email that contains details regarding the purpose and intended use of the SIG, detailed instructions on the process for completion and the required turn-around time.

Q3. Is the SIG workbook available in other formats besides Microsoft Excel, like XML?

The Shared Assessments Program only provides the SIG in Microsoft Excel at this time.

Q4. How do I remove or hide questions or other information I do not need?

You cannot delete or hide questions in the SIG. The SIG has macros embedded into the workbook which will break if you attempt to hide rows and columns.

The first step is to use the Scoping features on the SIG Creation tab to reduce the unneeded questions. If, after scoping a SIG, there is not enough granularity, use the control categories and subcategories on the SIG Creation tab to reduce or refine the scope by deselecting the categories or subcategories that do not pertain to the services being assessed. You can also remove individual questions on the Content Library tab if there are still questions that you do not need to be sent to a service provider. Please review the SIG How To Guide to use this functionality.

Q5. Can I change the wording of a question?

According to the Terms of Use, questions may not be edited without written permission from The Santa Fe Group, Shared Assessments Program. Custom questions can be added to the Content Library.

Q6. Can I remove or hide tabs in the SIG?

Tabs can be hidden by using the basic MS Excel “Hide/Unhide” function: right-click the tab to be hidden, then choose Hide from the menu.

Tabs cannot be deleted. If tabs are deleted, the workbook will not function properly.


Scoping a SIG

Q7. What is ‘Scoping’ and how do I do it?

The term scoping is used to describe the act of creating a SIG questionnaire by choosing the type and level of questions that are appropriate to your assessment requirements on the Scoping tab. In the 2018 SIG, this is a REQUIRED step when creating a new SIG. There are detailed instructions on the Instructions tab and the Scoping tab on how to Scope the 2018 SIG. There is also a short video which briefly explains the Scoping feature.

Q8. If I hit the Reset Scope button, will all of the answers to the questions be deleted?

Clicking the Reset Scope button resets ONLY the Scoping tab content. It does NOT remove any content that has been entered on other tabs. For example, the SIG will still retain previously entered business information, question responses, documentation and additional questions. Reset Scope will reset the Scoping tab back to its default state: all Categories and Subcategories are selected, the chosen SIG Detail Level is removed, and Risk Domain tabs are hidden.

Q9. How do I know what SIG Detail Level to choose?

When scoping a SIG, a user is REQUIRED to choose a SIG Detail Level from the dropdown list on the Scoping tab. The SIG Detail Level determines the number and types of questions that will display. Each level has a number of questions associated with it. We’ve defined the levels as follows:

LITE: Designed to provide a broad but high-level understanding about an Assessee’s internal information security controls. This level is for Assessees that need a basic level of due diligence. It can also be used as a preliminary assessment before a more detailed review.

CORE: Designed for assessing service providers that store or manage highly sensitive or regulated information, such as consumer information or trade secrets. This level is meant to provide a deeper level of understanding about how a service provider secures information and services. It is meant to meet the needs of almost all assessments, based on industry standards.

FULL: This includes all of the questions in the SIG. It should be used as a library of potential situation-specific additions to a CORE or LITE SIG that address best practices and industry or service-specific requirements.

If you sent the FULL SIG to a high-risk Assessee in the past, we recommend using the CORE SIG.

MASTER: A Master SIG documents what the Outsourcer feels should be the correct answer for each question. All of the SIG questions are displayed and two additional columns for Optional Scoring and Question Level information are provided. The Outsourcer can define their scoring in any way, such as a numerical score from 1-3 or 0-9, or qualitatively such as in a High-Moderate-Low manner. The score can represent risk if the control is missing (a higher value on a failed answer is worse) or assurance if the control is present (a higher value on a correct answer is better).

The table below provides additional guidance on which SIG Detail Level is appropriate for your assessment needs.

Q10. Once I’ve scoped the SIG, how do I add additional questions?

Once you have scoped the SIG, go to the Z. Additional Questions tab to add additional questions. Tab Z. Additional Questions allows you to add questions in the fields provided. If you use the SIG Management Tool, any additional questions added on this tab will not appear in the SMT Outlier Report.

Q11. If I protect and hide the fields on the Scoping tab using the Disable Scoping button, does the Sheet Protection password provided on the Formula Notes tab unprotect and display the Scoping tab fields?

No. If the Scoping tab fields are disabled, the Sheet Protection password will NOT unprotect and display the Scoping Tab fields. You must select the Enable Scoping button and enter the same password you entered to disable and hide the scoping fields to re-display them.

Q12. How do I recover my Scoping Tab password if I lose it?

If you need to recover your Scoping Tab password, send an email to Please note that it may take up to three business days to respond to this request.


Master SIG

Q13. What is a Master SIG and how do I create one?

A Master SIG holds the completed SIG questions and answers that an Assessor expects to receive from an Outsourcer. The Master SIG serves as the answer key against which an Assessee’s SIG responses are assessed. In the 2018 SIG, there is a new way to create a Master SIG that differs from previous SIG versions. For detailed, step-by-step instructions on how to create a Master SIG, go to the CREATING A MASTER SIG section of the SIG How To Guide.

Q14. Can I assign custom scoring values to the questions?

Yes. To add optional scoring values to a SIG, go to the Scoping tab and select ‘Master’ from the SIG Detail Level dropdown list, then click the ‘Create SIG’ button. This will display all the Risk Domain tabs (and all domain questions by tab), as well as the Optional Scoring column.


SIG Management Tool (SMT)

Q15. Is there a way to transfer my responses from an earlier version of the SIG to the latest version of the SIG?

To transfer responses from one SIG to another, you can use the Transfer Responses function in the SIG Management Tool (SMT). This is a Microsoft Excel file included in your SIG Tools bundle. Older versions of a completed SIG may be transferred to newer versions; and newer versions may be transferred to older versions. This function allows:

  • The user to transfer responses from a Master SIG when a new version is released.
  • The user to transfer responses from a previously completed SIG when a new version is released.
  • A user who receives a SIG that is a different version than that of the Master, to transfer the responses from their Master to match the version received from the Assessee or vice versa.

The Transfer Responses function will work between any versions of the SIG back to Version 3.0. See the Instructions tab to determine the SIG version you are using.

For step-by-step instructions on how to use the Transfer Responses function in the SIG Management Tool, go to the SMT Transfer Responses Function section of the SIG How To Guide.

Q16. I’m getting an error message when I use the Transfer Responses function in the SIG Management Tool. How do I fix it?

There is a list of common error messages and how to fix them in the SMT Common Error Messages section of the SIG How To Guide. If you still need assistance or have questions, please email


Regulation References

Q17. Where can I find regulatory references, particularly the European Union General Data Protection Regulation (GDPR)?

These references can be found on each Risk Domain tab and/or on the FULL tab. The SIG is reviewed, updated and revised annually, mapping questions to industry regulations, guidelines and standards. These regulations and guidelines include several from the National Institute of Standards and Technology (NIST), the Federal Financial Institutions Examination Council (FFIEC) and the International Standards Organization (ISO). They also include specific regulations and guidelines, such as: COBIT 4.1; U.S. Department of Health and Human Services Health Insurance Portability and Accountability Act (HIPAA); Payment Card Industry (PCI); and the EU General Data Protection Regulation 2016/679 (GDPR), which has an effective date of May 2018.

