SIG Questionnaire
Shared Assessments Standardized Information Gathering (SIG) Questionnaire allows organizations to build, customize, analyze, and store vendor assessments for managing third-party risk.
The SIG can be purchased as a standalone product and is included in all tiers of Membership.
Standardized Information Gathering (SIG) Questionnaire
The SIG is a configurable solution for scoping diverse third-party risk assessments, built on a comprehensive set of questions for assessing third-party or vendor risk. The Shared Assessments SIG was created by leveraging the collective intelligence and experience of our vast and diverse member base. It is updated every year to keep pace with the ever-changing risk environment and priorities.
Direct Mappings:
Widely Accepted Regulations, Frameworks and Industry Guidance
The SIG aligns with the most updated domestic and international regulatory guidance and industry standards for risk management. Since its inception, the SIG has been regularly updated for emerging global risks, regulations, guidelines, and standards for a wide range of industries.
Technology Standards & Frameworks
- Shared Assessments SCA 2024
- ISO 27001:2022
- ISO 27002:2022
- ISO/IEC 27701 PIMS A 2019
- NIST Artificial Intelligence 100-1 2023
- NIST SP-800-161r1 2022
- NIST SP-800-53r5 Sep 2020
- NIST Cybersecurity Framework Apr 2018
- NIST Privacy Framework Jan 2020
- Cybersecurity Maturity Model Certification (CMMC) 2.01 2021
- CIS Critical Security Controls v8 2021
Regulations, Statutes & Laws
- EBA Guidelines on Outsourcing Arrangements Feb 2019
- EU GDPR 2016/679
- FedRAMP May 2021
- German Supply Chain Due Diligence Act
- HIPAA Administrative Simplification Mar 2013
- NYDFS 23 NYCRR 500 Mar 2017
Industry Sector Guidance
- CSA CAIQ 3.1, 2020
- CSA Cloud Controls Matrix v4, 2021
- ISA 62443-4-1 and 4-2, 2018
- NERC Critical Infrastructure Protection (CIP), 2020
- PCI DSS V4.0
- CMMC 2.0
- CIS Controls v8
- New York DFS’s Climate Guidance
- Interagency Guidance on Third-Party Relationships
Regulatory Audit/Exam & Guidance Frameworks
- FFIEC CAT Tool May 2017
- FFIEC IT Exam Handbook: AIO Jun 2021
- FFIEC IT Exam Handbook: Business Continuity Nov 2019
- FFIEC IT Exam Handbook: Mgmt Nov 2015
- FFIEC IT Exam Handbook: Outsourcing Jun 2004
- Interagency Guidance on Third-Party Relationships
ESG Standardized Information Gathering (SIG)
Environmental, Social, Governance (ESG) is a set of standards designed to measure and improve how a company affects the planet and its people. ESG is important because customers, governments, and other stakeholders increasingly evaluate an organization’s performance against these criteria, and across their supply chain.
The 2023 Standardized Information Gathering (SIG) Questionnaire includes a comprehensive set of 131 standardized ESG-related risk control questions to assess vendor compliance with ESG best practices and standards.
What’s Included In The SIG Questionnaire?
After purchasing the SIG, you’ll be able to immediately download three files. Let our team of experts show you how to implement the SIG into your third-party risk program.
- SIG Manager
- SIG User Procedure Guide
- SIG Implementation Workbook
- SIG Documentation Artifacts Request List
- SIG Fundamentals Training
The SIG is Used by 15,000+ People World-Wide
21 Risk Domains
The SIG measures security risks across 21 risk control areas, or “domains”, within a service provider’s environment.
- Access Control
- Application Security
- Artificial Intelligence (AI)
- Asset and Information Management
- Cloud Hosting Services
- Compliance Management
- Cybersecurity Incident Management
- Endpoint Security
- Enterprise Risk Management
- Environmental, Social, Governance (ESG)
- Human Resources Security
- Information Assurance
- IT Operations Management
- Network Security
- Nth Party Management
- Operational Resilience
- Physical and Environmental Security
- Privacy Management
- Server Security
- Supply Chain Risk Management (SCRM)
- Threat Management