SIG 2023: What's New in the Latest Update

Discover key changes in the Standard Information Gathering (SIG) Questionnaire, and learn how they can be leveraged in your third-party risk assessments.

By:

Thomas Humphreys

Prevalent Compliance Expert

November 29, 2022

The Standard Information Gathering Questionnaire is used by third-party risk management teams to conduct standardized vendor and supplier risk assessments. SIG questionnaires can be used as-is or leveraged as part of a wider third-party risk management (TPRM) program. This post examines key SIG 2023 updates and how they can be used in your vendor and supplier risk assessments.

What Is SIG?

The Standard Information Gathering (SIG) questionnaire is a third-party risk assessment curated by Shared Assessments. SIG is available in multiple formats, including SIG Core, SIG Lite and customized versions. Organizations use SIG questionnaires to measure third-party risk across 19 domains, and each question is mapped to several compliance and regulatory requirements. SIG covers a wide range of areas from information security and cybersecurity, to privacy and ESG.

Shared Assessments reviews and updates SIG questionnaires on an annual basis. These updates usually include additions and changes to questions, domains and subject categories based on current operational standards, societal changes, and developments in specific industries and sectors.

What Areas Does the SIG Cover?

The current version of the SIG evaluates risk across the following 19 control areas, also known as “domains”:

Access Control
Application Security
Asset and Information Management
Cloud Hosting Services
Compliance Management
Cybersecurity Incident Management
Endpoint Security
Enterprise Risk Management
Environmental, Social, Governance (ESG)
Human Resources Security
Information Assurance
IT Operations Management
Network Security
Nth-Party Management
Operational Resilience
Physical and Environmental Security
Privacy Management
Server Security
Threat Management

Major additions in SIG 2023 include the new ESG domain and the new Nth-Party Management domain. Also, the Security Policy domain was removed, and its content was relocated to the Nth-Party Management and Information Assurance domains. We’ll go into the details below.

Key Changes in SIG for 2023

New ESG Domain Added in SIG 2023

The most significant change in SIG 2023 is the addition of the Environmental, Social and Governance (ESG) domain. ESG compliance has grown in importance with the emergence of several new regulations, such as the draft EU Corporate Sustainability Due Diligence Directive and the German Supply Chain Due Diligence Law. The SIG Core 2023 update incorporates 131 questions related to environmental, social and governance practices.

Compared to SIG 2022, SIG 2023 dives deeper into specific topics within ESG. For instance, SIG 2022 included high-level questions like “Do you have an ESG program in place?” SIG 2023, on the other hand, addresses several specific ESG topics across the following categories:

Environmental

Environmental Policy
Environment Management
Air Pollution
Waste Management
Regulatory Compliance
Climate Change
Natural Resource Management

Social

Human Rights: Modern Slavery, Minimum Wage
Worker and Health Safety: OHSA Policy
Community Involvement
Consumer Safety: Regulatory Compliance (FDA)

Governance

Board Structure: Performance Monitoring
Ethics and Code of Conduct: Diversity and Inclusion, Ethical Sourcing
Supply Chain Management: ESG Risk Assessments, Codes of Conduct
ESG Management Practices: ESG Risk Register, SLAs and Targets
Data Privacy and Security

New Nth-Party Management Domain Addresses 4^th-Party Risk

Nth-Party Management is another new SIG 2023 domain. This topic was formerly covered as part of the Enterprise Risk Management domain.

Numerous factors connect increased data risks to fourth parties. For instance, threat actors have been known to target technology vendors as a means to subsequently level ransomware attacks against the vendors’ business partners and their customers. A good example is last year’s Kaseya breach, which targeted a popular platform used by managed service providers to deliver services to their customers.

In addition, as companies become increasingly connected, PII, PHI, intellectual property and other sensitive data can find its way to fourth and Nth parties who are unknown to the original data owner or steward. In this context, distinguishing fourth- and Nth-party risk from the Enterprise Risk Management domain makes a great deal of sense. Categories under the Nth-Party Management domain include:

Policies, Standards and Procedures
Executive Sponsorship
Contracts & Agreements
Inventory & Assets
Board, and Committee Oversight
Incident, and Breach Management
Due Diligence
Risk Assessments
Background & Screening
Notifications and Issue Management

SIG 2023: What’s New & How It Will Impact Your TPRM Program

Join compliance expert Thomas Humphreys as he reviews the SIG 2023 questionnaire and how to leverage available mappings to standards and regulations such as NIST, ISO, FFIEC, NERC, and more.

New Categories in SIG 2023

Another major change for SIG 2023 is the addition of several new categories. The SIG breaks each domain into multiple categories to add depth and focus to groups of disparate controls. With the new categories, SIG 2023 dives deeper into specific topics and makes it easier for companies to focus on the types of risk they are most concerned with. For example, rather than reusing the “Incident Management” category from SIG 2022, categories were refined to “Incident Handling” and “Lessons Learned from Incident Handling.”

Increased Emphasis on Management and Governance

The SIG 2023 updates reflect an elevated emphasis on information security management and governance versus on specific privacy, security and compliance control categories. At a surface level, consider some of the domain name changes and updates:

Security Policy* was replaced with Nth-Party Management
Organizational Security was replaced with Information Assurance
Compliance & Operational Risk was replaced with Compliance Management
Privacy was replaced with Privacy Management

*Most questions under the Security Policy domain were moved to either Nth-Party Management or Information Assurance.

Another obvious example of this shift is the creation of the new ESG domain, which reflects the increasing correlation between an organization’s broader business policies and its exposure to risk. It’s also important to note that the SIG 2023 update includes new questions related to management governance policies across each of the 19 domains. These updates attempt to go beyond simply determining whether a vendor has specific controls in place by including broader lines of questioning, such as how vendors track and manage new legislation.

Next Steps for Conducting SIG Assessments

From evolving cybersecurity risks and geopolitical upheaval, to supply chain disruptions and increased ESG scrutiny, your third parties operate in a constantly shifting risk environment that can have real implications for your business. That’s why the Standard Information Gathering Questionnaire is a critical tool for many third-party risk management programs.

Prevalent offers both the SIG Core and SIG Lite questionnaires as part of our Third-Party Risk Management Platform, along with over 750 other standards-based assessment templates. Our customers automate and speed their third-party assessments, combine assessment results and continuous monitoring intelligence, and gain prescriptive guidance for efficiently remediating risk. Request a demo to discover how Prevalent can power your TPRM program.

Tags: Compliance Needs - Assessment