SIG Questionnaire

Shared Assessments Standardized Information Gathering (SIG) Questionnaire allows organizations to build, customize, analyze, and store vendor assessments for managing third-party risk.

$6,500 / 1 year
Corporate License
$12,000 / 2 year
Corporate License
Remove this when you have message

Standardized Information Gathering (SIG) Questionnaire

The SIG is a configurable solution enabling the scoping of diverse third-party risk assessments using a comprehensive set of questions used to assess third-party or vendor risk. The Shared Assessments SIG was created leveraging the collective intelligence and experience of our vast and diverse member base. It is updated every year in order to keep up with the ever-changing risk environment and priorities.

Direct Mappings:

Widely Accepted Regulations, Frameworks and Industry Guidance

The SIG aligns with the most updated domestic and international regulatory guidance and industry standards for risk management. Since its inception, the SIG has been regularly updated for emerging global risks, regulations, guidelines, and standards for a wide range of industries.

sig government regulations

Technology Standards & Frameworks

Shared Assessments SCA 2024

ISO 27001:2022

ISO 27002:2022

ISO/IEC 27701 PIMS A 2019

NIST Artificial Intelligence 100-1 2023

NIST SP-800-161r1 2022

NIST SP-800-53r5 Sep 2020

NIST Cybersecurity Framework Apr 2018

NIST Privacy Framework Jan 2020

Cybersecurity Maturity Model Certification (CMMC) 2.01 2021

CIS Critical Security Controls v8 2021

Regulations, Statutes & Laws

EBA Guidelines on Outsourcing Arrangements Feb 2019

EU GDPR 2016/679

FedRamp May 2021

German Supply Chain Due Diligence Act

HIPAA Administrative Simplification Mar 2013

NYDFS 23 NYCRR 500 Mar 2017

Industry Sector Guidance

CSA CAIQ 3.1, 2020

CSA Cloud Controls Matrix v4, 2021

ISA 62443-4-1 and 4-2, 2018

NERC Critical Infrastructure Protection (CIP), 2020


CMMC 2.0

CIS Controls v8

New York DFS’s Climate Guidance

Interagency Guidance on Third-Party Relationships

Regulatory Audit/Exam & Guidance Frameworks

FFIEC CAT Tool May 2017

FFIEC IT Exam Handbook: AIO Jun 2021

FFIEC IT Exam Handbook: Business Continuity Nov 2019

FFIEC IT Exam Handbook: Mgmt Nov 2015

FFIEC IT Exam Handbook: Outsourcing Jun 2004

Interagency Guidance on Third-Party Relationships

Learn about the regulations, standards, and guidelines to which the SIG currently (and historically) maps here >>

ESG Standardized Information Gathering (SIG)

Environmental, Social, Governance (ESG) is a set of standards designed to measure and improve how a company affects the planet and its people. ESG is important because customers, governments, and other stakeholders increasingly evaluate an organization’s performance against these criteria, and across their supply chain.

The 2023 Standardized Information Gathering (SIG) Questionnaire includes a comprehensive set of 131 standardized ESG-related risk control questions to assess vendor compliance with ESG best practices and standards.

What’s Included In The SIG Questionnaire?

After purchasing the SIG, you’ll be able to immediately download three files. Let our team of experts show you how to implement the SIG into your third-party risk program.

SIG Manager

The SIG Manager enables the scoping and configuration of SIG questionnaires. The SIG Manager provides two pre-configured questionnaires, and the ability to easily create customized assessments. The SIG Manager automates the creation and analysis of SIG responses, and options to maintain SIG data bringing efficiency to the assessment process. Use of the SIG Manager requires Microsoft Excel.

SIG User Procedure guide

The SIG User Procedure Guide provides a summary of the action steps to create, analyze and manage SIG questionnaires.  

SIG Implementation Workbook

The SIG Implementation Workbook provides best practices insights and planning checklists to identify the tasks and decisions needed to configure and implement the SIG into your TPRM program.

SIG Documentation Artifacts Request List

A project management template that provides an inventory of compliance artifacts and documentation that should be requested from the third-party being assessed.

SIG Fundamentals Training

SIG Subscribers can access this 2-hour basic training on how to use the SIG to create questionnaires. The training is free for Shared Assessments Members and SIG Subscribers. Navigate here to learn more or to register for the training.

The SIG is Used by 15,000+ People World-Wide

21 Risk Domains

The SIG measures security risks across 21 risk control areas, or “domains”, within a service provider’s environment.

  • Access Control
  • Application Security
  • Artificial Intelligence (AI)
  • Asset and Information Management
  • Cloud Hosting Services
  • Compliance Management
  • Cybersecurity Incident Management
  • Endpoint Security
  • Enterprise Risk Management
  • Environmental, Social, Governance (ESG)
  • Human Resources Security
  • Information Assurance
  • IT Operations Management
  • Network Security
  • Nth Party Management
  • Operational Resilience
  • Physical and Environmental Security
  • Privacy Management
  • Server Security
  • Supply Chain Risk Management (SCRM)
  • Threat Management

Looking for more details on Risk Domains covered by the SIG?

Check out our Guide To Risk Domains.