Standardized Information Gathering (SIG) Questionnaire
The SIG is a configurable solution enabling the scoping of diverse third-party risk assessments using a comprehensive set of questions used to assess third-party or vendor risk. The Shared Assessments SIG was created leveraging the collective intelligence and experience of our vast and diverse member base. It is updated every year in order to keep up with the ever-changing risk environment and priorities.

Technology Standards & Frameworks
ISO 27001 and 27002:2013
ISO/IEC 27701 PIMS A, 2019
NIST SP-800-53r5, 2020
NIST Cyber Security Framework, 2018
NIST Privacy Framework, 2020
Shared Assessments SCA, 2023
Regulations, Statutes & Laws
EBA Guidelines: Outsourcing Arrangements, 2019
EU GDPR 2016/679, 2016
Federal Risk and Authorization Management Program (FedRAMP)
FFIEC CAT Tool, 2017
FFIEC Handbook: Architecture, Infrastructure, Operations (AIO), 2021
FFIEC Handbook: Outsourcing, 2004
FFIEC Handbook:Business Continuity, 2019
FFIEC Handbook: Management, 2015
HIPAA Administrative Simplification, 2013
NYDFS 23 NYCRR 500, 2017
Industry Guidance
CSA CAIQ 3.1, 2020
CSA Cloud Controls Matrix v4, 2021
ISA 62443-4-1 and 4-2, 2018
NERC Critical Infrastructure Protection (CIP), 2020
PCI DSS v3.2.1, 2018
.
Learn about the regulations, standards, and guidelines to which the SIG maps here >>
ESG Standardized Information Gathering (SIG)
Environmental, Social, Governance (ESG) is a set of standards designed to measure and improve how a company affects the planet and its people. ESG is important because customers, governments, and other stakeholders increasingly evaluate an organization’s performance against these criteria, and across their supply chain.
The 2023 Standardized Information Gathering (SIG) Questionnaire includes a comprehensive set of 131 standardized ESG-related risk control questions to assess vendor compliance with ESG best practices and standards.
What’s Included In The SIG Questionnaire?
After purchasing the SIG, you’ll be able to immediately download three files. Let our team of experts show you how to implement the SIG into your third-party risk program.
SIG Manager
The SIG Manager enables the scoping and configuration of SIG questionnaires. The SIG Manager provides two pre-configured questionnaires, and the ability to easily create customized assessments. The SIG Manager automates the creation and analysis of SIG responses, and options to maintain SIG data bringing efficiency to the assessment process. Use of the SIG Manager requires Microsoft Excel.
SIG User Procedure guide
The SIG User Procedure Guide provides a summary of the action steps to create, analyze and manage SIG questionnaires.
SIG Implementation Workbook
The SIG Implementation Workbook provides best practices insights and planning checklists to identify the tasks and decisions needed to configure and implement the SIG into your TPRM program.
SIG Documentation Artifacts Request List
A project management template that provides an inventory of compliance artifacts and documentation that should be requested from the third-party being assessed.
SIG Fundamentals Training
SIG Subscribers can access this 2-hour basic training on how to use the SIG to create questionnaires. The training is free for Shared Assessments Members and SIG Subscribers. Navigate here to learn more or to register for the training.
The SIG is Used by 15,000+ People World-Wide












19 Risk Domains
The SIG measures security risks across 19 risk control areas, or “domains”, within a service provider’s environment.
- Access Control
- Application Security
- Asset and Information Management
- Cloud Hosting Services
- Compliance Management
- Cybersecurity Incident Management
- Endpoint Security
- Enterprise Risk Management
- Environmental, Social, Governance (ESG)
- Human Resources Security
- Information Assurance
- IT Operations Management
- Network Security
- Nth Party Management
- Operational Resilience
- Physical and Environmental Security
- Privacy Management
- Server Security
- Threat Management
SIG Subscription Options
Subscribe to the SIG or license for use in applications.

SIG
Standardized Information Gathering Questionnaire
The SIG is available for purchase on its own for one year. Includes any updates made within the year of the license.
Purchase of the SIG includes access to the SIG Online Portal and SIG Fundamentals Training
.
$6,000/yr


TPRM Product Suite
Manage the full vendor assessment relationship life cycle
The SIG is part of our Third-Party Risk Product Suite which also includes our award winning VRMMM, SCA, and Data Governance Product.
$7,500/yr

Membership
Industry-Standard Best Practices and Products
Shared Assessments membership includes access to all the products in our Third-Party Risk Product Suite, including the SIG.