What is the SIG Questionnaire?

June 14, 2022
Oro

Thoropass Team

When working with new third-party vendors, it’s important to identify any risk that may arise. However, when working with multiple companies across industries, it can be difficult to keep up to date with industry security and compliance standards.

Luckily, there is an easy way to build, customize, analyze, and store vendor assessments of third-party vendors and manage risk. This is done through the Standardized Information Gathering (SIG) Questionnaire.

The SIG is a shared assessments questionnaire that allows organizations to build, customize, analyze, and store vendor assessments for managing third-party risk. The SIG is published yearly by a non-profit called Shared Assessments. Shared Assessments have been setting the standard for companies identifying third-party risks for years, the SIG acting as their guiding light.

Even though this precaution has been around for years, this practice hasn’t been stagnant. Shared Assessments conducts annual reviews of the SIG questionnaire to determine if changes are needed to address gaps across 18 industries. Because Shared Assessments updates the SIG every year, your brand will need to conduct similar assessments of your vendors to stay in compliance.

Who uses the SIG?

The SIG was designed to be a comprehensive assessment tool to span multiple industries. Its comprehensive design allows for a wide variety of uses:

  • Outsourcers may use the SIG to evaluate their service providers’ risk.
  • Vendors may include a SIG with RFP responses or in lieu of proprietary questionnaires.
  • Organizations may use the SIG to assess third-party risk as well as self-assessments.

Each of these organizations may have a different requirement for the tasks and decisions needed to configure and implement the SIG into their programs. Additionally, there are two different types of SIG assessments that can be used.

Breaking Down the SIG

The SIG can be conducted in two parts: SIG Lite and SIG Core. These two assessments offer the same risk assessment, but as the names consider, one goes deeper than the other. Let’s break down the differences.

SIG Core

The SIG Core questionnaire is detailed and designed to assess third parties or vendors that store and/or manage sensitive, regulated data. The goal is to provide a deep level of understanding of how these third parties secure information and incorporate extensive language on privacy and compliance regulations. The SIG Core is the larger of the two questionnaires, clocking in at 825 questions targeting 18 risk domains.  The multitude of questions makes it easy for security teams to pick and choose their vendors for their ideal partner.

Recent updates to the SIG Core for 2022 include:

  • Grouping questions by topic, making it easier for users to understand controls
  • Reducing the number of questions by 25%, while putting emphasis on more control-focused questions
  • Enhancing tiering and creating out-of-the-box questionnaires for practitioners

SIG Lite

In contrast, the SIG Lite questionnaire is designed to give users a broader understanding of a third party’s internal information and security controls. This questionnaire offers a basic level of assessment due diligence with only about 150 questions. It’s common to use the SIG Lite as a preliminary assessment of a vendor before bringing in the SIG Core for a more extensive evaluation.

Recent updates to the SIG Lite 2022 include:

  • Grouping questions by topic, making it easier for users to understand controls
  • Reducing the number of questions by 50%, while putting emphasis on more control-focused questions
  • Enhancing tiering and creating out-of-the-box questionnaires for practitioners

Both the SIG Core and SIG Lite can be purchased from Shared Assessments or can be licensed for use in applications. If your organization has questions about how to remain in SIG compliance, you can work with a team of compliance professionals to ensure you’re aware of all vendor risks.

Keep in Compliance with Laika

Take your compliance one step further and manage multiple audits and assessments with ease. Laika provides a complete compliance platform that has scalable workflows and fast, effective, and comprehensive audits. Request a demo today to learn how you can do your due diligence in one space.

Share this post with your network:

Related Posts

Understanding HIPAA encryption requirements

Encryption is an essential element of compliance with HIPAA's Security Rule, serving as a powerful tool for safeguarding protected health information from unauthorized access or data breaches.
Read Article icon-arrow

Data breaches in the healthcare industry are on the rise: What this means for your organization

A recent report by Claroty found that 78% of surveyed healthcare organizations experienced a cybersecurity incident in the last year.  This is not only a concern for the organizations themselves...
Read Article icon-arrow