SIG Questionnaire

The Shared Assessments Standardized Information Gathering (SIG) Questionnaire allows organizations to build, customize, analyze, and store vendor assessments for managing third-party risk.

The SIG is available as a standalone product subscription and is included with all levels of Membership.

Interested in multi-year pricing? Email sales@sharedassessments.org.

$7,000 / 1 Year
Corporate License

Introducing SIG Evolution (SIG EV)

SIG EV is the cloud-based evolution of the SIG Questionnaire — built to modernize third-party risk assessments for today’s TPRM teams.

SIG EV gives outsourcers greater visibility into assessment progress and validation outcomes, while helping service providers demonstrate their security and risk management practices.

Key capabilities include:

  • Intuitive Web Interface — Create, compare, and score assessments with ease
  • Secure Sharing — Distribute assessments via one-time links, no portal needed
  • Live Dashboards — Track assessment progress at a glance
  • Built-In File Validation — Capture and organize vendor responses in one place
  • Role-Based Access — Appropriate permissions for every team

Want to learn more? Request a demo here.

Standardized Information Gathering (SIG) Questionnaire

The SIG is a configurable solution that enables the scoping of diverse third-party risk assessments using a comprehensive set of questions for assessing third-party or vendor risk. The Shared Assessments SIG was created by leveraging the collective intelligence and experience of our large and diverse member base. It is updated every year to keep pace with the ever-changing risk environment and priorities.


Direct Mappings:

Widely Accepted Regulations, Frameworks and Industry Guidance

The SIG aligns with the most updated domestic and international regulatory guidance and industry standards for risk management. Since its inception, the SIG has been regularly updated for emerging global risks, regulations, guidelines, and standards for a wide range of industries.


Technology Standards & Frameworks

  • Shared Assessments SCA 2026
  • ISO 27001:2022
  • ISO 27002:2022
  • ISO/IEC 27701 PIMS A 2019
  • ISO/IEC 42001:2023
  • NIST Artificial Intelligence 100-1 2023
  • NIST SP-800-161r1 2022
  • NIST SP-800-53r5.1.1 (Nov 2023)
  • NIST SP-800-171r3 (May 2024)
  • NIST Cybersecurity Framework (Apr 2018)
  • NIST Cybersecurity Framework 2.0 (Feb 2024)
  • NIST Privacy Framework (Jan 2020)
  • Cybersecurity Maturity Model Certification (CMMC) 2.0 2024
  • CIS Critical Security Controls v8 2021

Regulations, Statutes & Laws

  • Digital Operational Resilience Act Jan 2023 (DORA)
  • EBA Guidelines on Outsourcing Arrangements Mar 2019
  • EU GDPR 2016/679
  • EU NIS 2 Jan 2023
  • Interagency Guidance on Third-Party Relationships: Risk Management 2023
  • FedRAMP May 2023
  • FFIEC CAT Tool May 2017
  • FFIEC IT Exam Handbook: AIO Jun 2021
  • FFIEC IT Exam Handbook: Business Continuity Nov 2019
  • FFIEC IT Exam Handbook: Mgmt Nov 2015
  • FFIEC IT Exam Handbook: Outsourcing Jun 2004
  • HIPAA Administrative Simplification Mar 2013
  • NYDFS 23 NYCRR 500 Nov 2023

Industry Sector Guidance

  • CSA CAIQ 4.0 Jun 2024
  • CSA Cloud Controls Matrix v4
  • BRC Operational Resilience Framework Nov 2022
  • ISA 62443-4-1 and 2 2018
  • North American Electric Reliability Corporation (NERC)
  • PCI DSS 4.0 March 2022

Learn about the regulations, standards, and guidelines to which the SIG currently (and historically) maps here.

What’s Included In The SIG Questionnaire?

After purchasing the SIG, you will be able to immediately download the product and supporting materials.

Learn more about which SIG you should use when scoping vendor risk questionnaires.

SIG Product

The SIG product itself (includes the SIG Manager).

SIG User guide

The SIG User Guide provides a summary of the steps to create, analyze, and manage SIG questionnaires.

SIG Manager Enhancement Document

This document covers the changes and revisions in the most recent version of the SIG.

SIG Version Delta

A workbook listing SIG versions from 2008 onward that shows the associations between question numbers and serial numbers, and identifies whether a question is new or has been retired.

21 Risk Domains

The SIG measures security risks across 21 risk control areas, or “domains”, within a service provider’s environment.

  • Access Control
  • Application Management
  • Artificial Intelligence (AI)
  • Asset and Information Management
  • Cloud Services
  • Compliance Management
  • Cybersecurity Incident Management
  • Endpoint Security
  • Enterprise Risk Management
  • Environmental, Social, Governance (ESG)
  • Human Resources Security
  • Information Assurance
  • IT Operations Management
  • Network Security
  • Nth Party Management
  • Operational Resilience
  • Physical and Environmental Security
  • Privacy Management
  • Server Security
  • Supply Chain Risk Management (SCRM)
  • Threat Management

Looking for more details on Risk Domains covered by the SIG?

Check out our Guide To Risk Domains.