Standardized Information Gathering Questionnaire

The SIG is a comprehensive set of questions used to assess third-party vendor risk. The Shared Assessments SIG was created leveraging the collective intelligence and experience of our vast and diverse member base. It is updated every year in order to keep up with the ever-changing risk environment and priorities. Learn about the regulations, standards and guidelines to which the SIG maps here.


Used the SIG to evaluate their service providers’ risk controls


Include a SIG with RFP responses or in lieu of proprietary questionnaires


Used to assess third party risk as well as self-assessments

50+ Government Regulations

The SIG aligns with the most up-to-date domestic and international regulatory guidance and industry standards. It is regularly updated for emerging risks, regulations, guidelines and standards for a wide range of industries.

What’s Included In the SIG Questionnaire?

After purchasing the SIG, you’ll be able to immediately download three files. Let our team of experts show you how to implement the SIG into your third party risk program.

SIG Management Tool

The SIG Management Tool is a Microsoft Excel Workbook where you will build your SIG questionnaires, drawing from the bank of questions in the SIG Content Library. You will also use the SIG Management Tool to compare an Assessee’s SIG responses to a Master SIG and create a report that lists any gaps from prior SIGs for further analysis and follow-up. You can also transfer responses from one SIG file version to another version. This feature makes it easy to update responses to a newer version of a SIG without starting from scratch. The SIG Management Tool is the archive where you will store the SIGs you create so that you can draw from those prior SIGs as you develop new SIG questionnaires for new vendors.

SIG Getting Started Guide

The comprehensive Getting Started Guide (PDF) provides step-by-step instructions for using the SIG Management Tool to create, analyze and store SIGs. The SIG Getting Started Guide provides users with a summary overview of the SIG and best practice guidance on administering the SIG as part of a Third Party Risk Management (TPRM) program. It outlines the basics of the tool, the tool structure and how to use the SIG from different perspectives, whether as an outsourcer, assessor, or a service provider.

SIG Implementation Checklist

Provides project management templates to identify the tasks and planning needed to implement the SIG tools in your TPRM program.

SIG Documentation Request Checklist

A template to gather relevant compliance documents from a service provider as part of an assessment.

The SIG is Used by 15,000+ People Worldwide

18 Risk Domains

The SIG measures security risks across 18 risk control areas, or “domains”, within a service provider’s environment.

  • Risk Management
  • Security Policy
  • Organizational Security
  • Asset and Info Management
  • Human Resource Security
  • Physical and Environmental Security
  • Operations Management
  • Access Control
  • Application Security
  • Incident Event and Communications Management
  • Business Resiliency
  • Compliance
  • End User Device Security
  • Network Security
  • Privacy
  • Threat Management
  • Server Security
  • Cloud Hosting

What’s New in SIG 

SIG updates are a response not only to the changing regulatory and risk landscape, but to our hundreds of members and tool purchasers looking to perform fast and effective vendor risk assessments.

SIG Buying Options

The SIG can be purchased in three ways as well as licensed for use in applications.


The SIG is available for purchase on its own for one year. Includes any updates made within the year of the license.


The SIG is part of our Third Party Risk Toolkit, which also includes our award-winning VRMMM, SCA and Privacy Tools.


Shared Assessments membership includes access to all the tools in our third party risk toolkit, including the SIG.