SIG 2025: Key Updates and Considerations

Uncover key changes in the Standard Information Gathering (SIG) Questionnaire for 2025 and learn what these updates mean for your third-party risk management program.
By: Thomas Humphreys, Prevalent Compliance Expert
December 16, 2024

The Shared Assessments Standard Information Gathering (SIG) questionnaire is a unified standard for assessing vendor risk across a multitude of topical domains. There are two versions of the survey, SIG Core and SIG Lite, which differ substantially in the number of questions they contain and in their level of detail.

SIG Core is an extensive assessment with 627 questions covering 21 risk categories. SIG Lite includes 128 questions and typically serves vendors that require less due diligence or are not as critical. (There’s even a full SIG, SIG Detail, coming in at a very comprehensive 1,936 questions.)

Mitratech is a licensee for these SIG questionnaires and includes both in the Prevalent Third-Party Risk Management solution.


SIG Updates for 2025

Although no new risk domains were added, the 2025 version added new questions for incident management and operational resilience, increased the number of standards mappings, and included new regulatory matters.

New Question Content in SIG 2025

The SIG 2025 expanded existing risk domains, particularly within:

  • Information Assurance: 3 new questions.
  • Cybersecurity Incident Management: 5 new questions covering incident response requirements and outsourcing incident reporting.
  • Operational Resilience: 4 new questions to gauge enhanced contingency planning requirements, data governance, and resilience planning.

Changes in Content Mappings for SIG 2025

Along with adding questions in key control areas, the most important update to the 2025 SIG questionnaire was the addition of new content related to distinct compliance standards. This reflects the broader evolution in third-party risk. Adding these content mappings acknowledges the increasingly complex landscape that companies operate within and need to ask their vendors about.

The three net-new standards mappings available in the 2025 SIG are:

  • E.U. Digital Operational Resilience Act (DORA), a regulation to improve the European financial sector’s resilience to cyber and ICT threats.
  • E.U. Network and Information Security Directive 2 (NIS2), legislation that provides measures to improve cybersecurity, including for third parties.
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, a well-accepted set of best practices and guidelines adopted across the U.S. public and private sectors.

Operational Resilience: DORA

The Digital Operational Resilience Act (DORA), which will take full effect in January 2025, is designed to ensure that the European financial sector can maintain resilience during severe operational disruptions. DORA creates a regulatory framework for digital operational resilience in the financial sector, under which all firms must confirm that they can withstand, respond to, and recover from a wide range of ICT disruptions and cyber threats.

The Act sets uniform requirements for the security of network and information systems. It spells out requirements in Chapter V for critical third parties that provide information communication technologies (ICT) services, such as cloud platforms or data analytics services, to the financial services industry.

Under DORA, organizations must classify incidents, enable transparent incident reporting, and develop a structured risk management framework, which includes testing tools, systems, and processes. In the SIG 2025 questionnaire, control J.11 asks if the organization has outsourced its incident reporting responsibilities to a third-party service provider to address DORA Article 18, which requires financial entities to report major ICT-related incidents to the relevant competent authority.

Supply Chain Security: NIST CSF 2.0

Since its release in 2024, the latest version of NIST CSF has become a benchmark for organizations seeking guidance and best practices to improve their supply chain security and cybersecurity operations. NIST CSF closely aligns with NIST 800-53, which is already ingrained within the SIG.

NIST CSF 2.0 added a new Governance Function, increased roles for legal and compliance teams, and provided enhanced guidance on supply chain risks. Particularly relevant for third-party risk management, the introduction of the Governance Function illustrates how critical cybersecurity governance is to managing and reducing cybersecurity risk in supply chains. A dedicated governance Function helps align and integrate third-party cybersecurity activities and processes across third-party risk management, enterprise risk management, and legal teams, which prompted its inclusion in the latest SIG 2025 questionnaires.

Cybersecurity in Critical Industries: NIS2

Recognizing that vulnerabilities within supply chains can compromise the security of essential services, the European Union adopted the Network and Information Security Directive 2 (NIS2) in December 2022. NIS2 mandates that organizations implement robust measures to manage and mitigate risks associated with their third-party relationships. The NIS2 Directive went into effect in October 2024. Mappings to NIS2 were added to the SIG 2025 to accommodate NIS2 requirements to:

  • Establish supply chain security policies.
  • Conduct risk analyses and assessments.
  • Ensure sound third-party incident handling and report procedures.
  • Continuously monitor and evaluate third parties.
  • Enforce third-party contractual obligations.

For example, SIG 2025 controls C.11 and C.12 were added to address NIS Directive Article 29, which requires exchanging cybersecurity information related to cyber threats, near misses, vulnerabilities, techniques, and procedures.

What Do The SIG 2025 Updates Mean for TPRM?

The addition of operational resilience and supply chain security mappings to the 2025 SIG questionnaire reflects the emphasis on the cybersecurity and supply chain risks that are permeating the modern business landscape. Organizations are seeing more third-party data breaches, necessitating a full understanding of the cybersecurity supply chain.

The SIG 2025 questionnaire endeavors to answer some of these concerns while providing peace of mind from understanding the controls built into your suppliers’ defenses. As the regulatory environment shifts globally, SIG will likely add more content mappings in the next year.

How Mitratech Can Help

Mitratech offers the SIG Core and SIG Lite questionnaires, along with over 800 other standards-based assessment templates, as part of the Prevalent Third-Party Risk Management solution. This library of templates enables Mitratech customers to leverage shared data and streamline the risk questionnaire process.

Along with these assessments, the Prevalent solution adds process automations, reporting, compliance mapping, and built-in remediation guidance to streamline third-party risk management. Part of the problem with TPRM is understanding how to resolve issues that arise. With the Prevalent solution’s remediation guidance, resolving the issue is no longer as challenging.

Finally, the Prevalent solution also includes continuous monitoring intelligence to help you monitor ongoing risks in your third-party ecosystem. It’s nearly impossible for any TPRM program manager to keep up with all possible risks themselves, which is why the Prevalent solution does it for you.

Download the SIG 2025 Definitive Guide to better understand how to apply the SIG questionnaire in your TPRM program, or request a demo today to discover how the Prevalent solution can power your TPRM program.
