What is the SIG Questionnaire?

Person works on the SIG questionnaire on their laptop

Oro provides content designed to educate and help audiences on their compliance journey.

Imagine a world where you could confidently assess the security risks of your third-party vendors, ensuring the safety of your sensitive data and protecting your organization’s reputation. Sounds perfect, right?

When working with a new third-party vendor, it’s important to identify any risk that may arise. However, when working with multiple companies across industries, it can be difficult to keep up to date with industry security and compliance standards.

Luckily, there is an easy way to build, customize, analyze, and store vendor assessments of third-party vendors and manage risk. This is done through the Standardized Information Gathering (SIG) questionnaire.

Short summary

  • The SIG Questionnaire is an effective tool for assessing third-party risk and staying compliant with regulations.
  • It offers two types (Core and Lite) to meet different assessment needs, plus the ability to customize it for specific needs.
  • Automating the questionnaire through a Third-Party Risk Management (TPRM) platform can help organizations save time and resources while improving accuracy and compliance.

What is Standardized Information Gathering (SIG)?

The SIG is a shared assessments questionnaire that allows organizations to build, customize, analyze, and store vendor assessments for managing third-party risk. The SIG is published yearly by a non-profit called Shared Assessments.

Even though this precaution has been around for years, this practice hasn’t been stagnant. Shared Assessments conducts annual reviews of the SIG questionnaire to determine if changes are needed to address gaps. Because Shared Assessments updates the SIG every year, your brand will need to conduct similar assessments of your vendors to stay in compliance.

19 risk domains

The SIG questionnaire, created by Shared Assessments, is a powerful tool that allows organizations to assess third-party risk across 19 domains. They are:

  1. Access Control
  2. Application Security
  3. Asset and Information Management
  4. Cloud Hosting Services
  5. Compliance Management
  6. Cybersecurity Incident Management
  7. Endpoint Security
  8. Enterprise Risk Management
  9. Environmental, Social, Governance (ESG)
  10. Human Resources Security
  11. Information Assurance
  12. IT Operations Management
  13. Network Security
  14. Nth Party Management
  15. Operational Resilience
  16. Physical and Environmental Security
  17. Privacy Management
  18. Server Security
  19. Threat Management

With the ever-evolving landscape of regulations and privacy challenges, the 2023 SIG questionnaire is updated to address the implementation of:

Technology standards & frameworks

  • ISO 27001 and 27002:2013
  • NIST SP-800-53r5, 2020
  • NIST Cyber Security Framework, 2018
  • NIST Privacy Framework, 2020
  • Shared Assessments SCA, 2023

Regulations, statutes & laws

  • EBA Guidelines: Outsourcing Arrangements, 2019
  • EU GDPR 2016/679, 2016
  • Federal Risk and Authorization Management Program (FedRAMP)
  • FFIEC CAT Tool, 2017
  • FFIEC Handbook: Architecture, Infrastructure, Operations (AIO), 2021
  • FFIEC Handbook: Outsourcing, 2004
  • FFIEC Handbook: Business Continuity, 2019
  • FFIEC Handbook: Management, 2015
  • HIPAA Administrative Simplification, 2013
  • NYDFS 23 NYCRR 500, 2017

Industry guidance

  • CSA CAIQ 3.1, 2020
  • CSA Cloud Controls Matrix v4, 2021
  • ISA 62443-4-1 and 4-2, 2018
  • NERC Critical Infrastructure Protection (CIP), 2020
  • PCI DSS v3.2.1, 2018.

People review documents of third-party risk information
Continued Reading
The importance of Third-Party Risk Management

Understand the inherent risks of using third parties and perform adequate due diligence activities to minimize these risks.

The importance of Third-Party Risk Management (TPRM) icon-arrow-long

Who uses the SIG?

The SIG was designed to be a comprehensive assessment tool for multiple industries. Its comprehensive design allows for a wide variety of uses:

  • Outsourcers may use the SIG to evaluate their service providers’ risk
  • Vendors may include a SIG with RFP responses or in lieu of proprietary questionnaires
  • Organizations may use the SIG to assess third-party risk as well as self-assessments

Each of these organizations may have a different requirement for the tasks and decisions needed to configure and implement the SIG into their programs. Additionally, two different types of SIG assessments can be used.

Breaking down the SIG

The SIG questionnaire comes in two flavors: Core and Lite. Both versions are designed to help organizations assess and manage third-party risks effectively, but they serve different purposes depending on the level of assessment required.

  1. SIG Core
  2. SIG Lite

These two assessments offer the same risk assessment, but as the names consider, one goes deeper than the other. Let’s break down the differences.

1. SIG Core

The SIG Core questionnaire is detailed and designed to assess third parties or vendors that store and/or manage sensitive, regulated data. The goal is to provide a deep level of understanding of how these third parties secure information and incorporate extensive language on privacy and compliance regulations. The SIG Core is the larger of the two questionnaires, clocking in at 855 questions targeting 19 risk domains.  The multitude of questions makes it easy for security teams to pick and choose their vendors for their ideal partner.

Recent updates to the SIG Core for 2023 include:

  • Grouping questions by topic, making it easier for users to understand controls
  • Reducing the number of questions by 25% while emphasizing more control-focused questions
  • Enhancing tiering and creating out-of-the-box questionnaires for practitioners

Advantages of using SIG Core

The SIG Core questionnaire is a comprehensive tool with 855 questions covering 19 risk controls, making it suitable for assessing third parties handling sensitive or regulated information. By providing a more detailed analysis of a third party’s security practices, the SIG Core questionnaire ensures compliance with various legal requirements and industry best practices for protecting personal data.

Furthermore, the ability to tailor the questions for each vendor enables organizations to obtain the specific information they need for an effective third-party risk assessment.

2. SIG Lite

In contrast, the SIG Lite questionnaire is designed to give users a broader understanding of a third party’s internal information and security controls. This questionnaire offers a basic level of assessment due diligence with only about 126 questions. It’s common to use the SIG Lite as a preliminary assessment of a vendor before bringing in the SIG Core for a more extensive evaluation.

Recent updates to the SIG Lite 2023 include:

  • Grouping questions by topic, making it easier for users to understand controls
  • Reducing the number of questions by 50% while emphasizing more control-focused questions
  • Enhancing tiering and creating out-of-the-box questionnaires for practitioners

Both the SIG Core and SIG Lite can be purchased from Shared Assessments or can be licensed for use in applications. If your organization has questions about how to remain in SIG compliance, you can work with a team of compliance professionals to ensure you’re aware of all vendor risks.

Advantages of using SIG Lite

SIG Lite is a shorter questionnaire consisting of approximately 126 questions that provide a high-level overview of a third party’s internal security controls. This condensed version is perfect for organizations looking for a quick yet insightful assessment of a vendor’s security posture.

The SIG Lite questionnaire can be completed faster than the Core version, saving time on due diligence without compromising the evaluation of a vendor’s security practices.

How to implement the SIG questionnaire

Implementing the SIG questionnaire at your organization involves a few crucial steps, including:

  • Assessing vendor candidates
  • Mapping vendor security controls to compliance requirements
  • Managing third-party risk

By following these steps, organizations can ensure they are working with secure and trustworthy vendors while minimizing the risk of security breaches and other potential issues.

Organizations should take the time to thoroughly assess vendor candidates and map their security controls to compliance.

Vendor assessment process

The vendor assessment process involves sending the SIG questionnaire to potential vendors, evaluating their responses, and determining their risk posture. This process is essential for organizations to ensure they are working with secure and trustworthy vendors, as well as identifying and mitigating any potential risks associated with third-party relationships.

By continuously monitoring and reviewing vendor assessments, organizations can proactively address potential risks and maintain a secure supply chain.

Mapping to compliance requirements

The SIG questionnaire not only helps organizations assess the security risks of their vendors but also assists in mapping vendor security controls to various compliance requirements. By providing a comprehensive set of questions that cover a wide range of security topics, the SIG questionnaire simplifies the process of ensuring vendor compliance with relevant regulations and industry standards including SOC 2, ISO 27001, and NIST.

Managing third-party risk

This comprehensive approach to vendor risk assessment enables organizations to make informed decisions about their third-party relationships while minimizing potential security risks.

Mitigate your security risks with Thoropass

Take your compliance one step further and manage multiple audits and assessments with ease. Thoropass provides a complete compliance platform with scalable workflows and fast, effective, comprehensive audits. Request a demo today to learn how to use one vendor for all your infosec compliance needs.

More FAQs about SIG questionnaires

A SIG questionnaire is a security assessment tool used to gain insights into a vendor’s risk posture by asking them standard questions about their security policies and procedures.

These questions can help identify areas of risk and potential vulnerabilities that may need to be addressed. They can also provide valuable information about the vendor’s security posture and how it compares to industry standards.

Standardized Information Gathering (SIG) is a security assessment questionnaire developed by the Shared Assessments nonprofit which seeks to manage third-party risk assessments and create a standardized vendor risk assessment questionnaire indexing it to many regulatory standards.

The questionnaire is designed to help organizations assess the security posture of their vendors and third-party service providers. It is a comprehensive set of questions that cover a wide range of security topics, including physical security, data security, and incident response. The questionnaire is designed to be used as a baseline for assessing the security posture.

The SIG Core questionnaire consists of 850 questions covering all 19 risk controls:

  1. Access Control
  2. Application Security
  3. Asset and Information Management
  4. Cloud Hosting Services
  5. Compliance Management
  6. Cybersecurity Incident Management
  7. Endpoint Security
  8. Enterprise Risk Management
  9. Environmental, Social, Governance (ESG)
  10. Human Resources Security
  11. Information Assurance
  12. IT Operations Management
  13. Network Security
  14. Nth Party Management
  15. Operational Resilience
  16. Physical and Environmental Security
  17. Privacy Management
  18. Server Security
  19. Threat Management

SIG LITE questionnaire is a simpler version of the larger SIG assessment, taking its high-level concepts and questions but distilling them down to fewer questions. It is beneficial for vendors with less inherent risk.

Security ratings make third-party risk management more effective by offering continuous monitoring of vendors and creating a common language for stakeholders, making data from questionnaires easier to interpret. This helps to ensure that all stakeholders are on the same page when it comes to assessing risk and making decisions. It also makes it easier to identify potential issues and take corrective action quickly. Overall, security ratings provide a valuable tool for organizations to better manage their security.


Share this post with your network:

LinkedIn