Standardized Information Gathering Questionnaire

The SIG is a configurable tool to enable the scoping of diverse third-party risk assessments using a comprehensive set of questions used to assess third-party or vendor risk. The Shared Assessments SIG was created leveraging the collective intelligence and experience of our vast and diverse member base. It is updated every year in order to keep up with the ever-changing risk environment and priorities. Learn about the regulations, standards, and guidelines to which the SIG maps here.


Used the SIG to evaluate their service providers’ risk controls


Include a SIG with RFP responses or in lieu of proprietary questionnaires


Used to assess third-party risk as well as self-assessments

50+ Government Regulations

The SIG aligns with the most up-to-date domestic and international regulatory guidance and industry standards. It is regularly updated for emerging risks, regulations, guidelines and standards for a wide range of industries.


What’s Included In The SIG Questionnaire?

After purchasing the SIG, you’ll be able to immediately download three files. Let our team of experts show you how to implement the SIG into your third-party risk program.

SIG Manager Tool

The SIG Manager is a comprehensive tool to enable the scoping and configuration of SIG questionnaires. The SIG Manager provides two pre-configured questionnaires and the ability to easily create customized assessments. It automates the creation and analysis of SIG responses and offers options to maintain SIG data, bringing efficiency to the assessment process. Use of the SIG Manager requires Microsoft Excel.

SIG User Procedure Guide

The SIG User Procedure Guide provides a summary of the action steps to create, analyze and manage SIG questionnaires.

SIG Implementation Workbook

The SIG Implementation Workbook provides best-practice insights and planning checklists to identify the tasks and decisions needed to configure and implement the SIG into your TPRM program.

SIG Documentation Artifacts Request List

A project management template that provides an inventory of compliance artifacts and documentation that should be requested from the third party being assessed.

The SIG is Used by 15,000+ People Worldwide

18 Risk Domains

The SIG measures security risks across 18 risk control areas, or “domains”, within a service provider’s environment.

  • Enterprise Risk Management
  • Security Policy
  • Organizational Security
  • Asset and Information Management
  • Human Resources Security
  • Physical and Environmental Security
  • IT Operations Management
  • Access Control
  • Application Security
  • Cybersecurity Incident Management
  • Operational Resilience
  • Compliance and Operational Risk
  • Endpoint Device Security
  • Network Security
  • Privacy
  • Threat Management
  • Server Security
  • Cloud Hosting Services

SIG Buying Options

The SIG can be purchased in three ways as well as licensed for use in applications.

SIG Portal

Purchase of the SIG includes access to a preview of the SIG Online Portal.


The SIG is available for purchase on its own for one year. Includes any updates made within the year of the license.


The SIG is part of our Third-Party Risk Toolkit, which also includes our award-winning VRMMM, SCA, and Data Governance Tools.


Shared Assessments membership includes access to all the tools in our third-party risk toolkit, including the SIG.