The Standard Information Gathering (SIG) Questionnaire Explained

What is the Standard Information Gathering (SIG) questionnaire?

The Standard Information Gathering (SIG) questionnaire is a third-party risk questionnaire created by the Shared Assessments membership organization. SIG is available in two versions, Core and Lite, which equip organizations with industry-standard libraries of curated questions to measure third-party risk across 21 different domains. Each question is mapped to security controls across dozens of frameworks and compliance requirements, enabling third-party risk standardization and improvement in adherence with core TPRM compliance requirements.

SIG Core vs SIG Lite, what’s the difference?

Let’s start with a basic explanation of the difference between SIG Core and SIG Lite. Both question repositories are used extensively by enterprise organizations based on their needs, the maturity of their third-party risk management programs, and the types of third-party compliance requirements they are expected to meet.

What is SIG Lite?

SIG Lite is a third-party risk questionnaire that provides a high-level view of a company’s internal information control systems, including a basic level of assessment due diligence. With 125 questions, SIG Lite can serve as a preliminary evaluation before conducting a more thorough assessment. SIG Lite questions can also be used when a third-party vendor or supplier has a low degree of profiled risk and requires less due diligence than higher-risk vendors.

What is SIG Core?

The SIG Core Questionnaire (SIG) is a comprehensive third-party risk questionnaire designed to assess third parties that store or maintain sensitive, regulated information. It provides a deeper level of insight into how a third party protects information by including four different subjects and 620 questions covering 21 risk topics. SIG Core also allows organizations to select and customize the questions they want answered for each vendor. It also includes extensive coverage of legal requirements and best practices related to protecting personal information.

What are SIG’s 21 domains?

SIG is a comprehensive risk assessment questionnaire that includes defined question sets in the following domain areas:

1. Access Control
2. Application Management
3. Artificial Intelligence
4. Asset and Information Management
5. Cloud Services
6. Compliance Management
7. Cybersecurity Incident Management
8. Endpoint Security
9. Enterprise Risk Management
10. Environmental, Social, and Governance (ESG)
11. Human Resources Security
12. Information Assurance
13. IT Operations Management
14. Network Security
15. Nth-Party Management
16. Operational Resilience
17. Physical and Environmental Security
18. Privacy Management
19. Server Security
20. Supply Chain Risk Management
21. Threat Management

SIG Questionnaire Use Cases

The Standard Information Gathering Questionnaire provides organizations with a one-stop shop for building their third-party risk assessments and mapping them to applicable security frameworks and compliance requirements.

Enhance Third-Party Risk Assessments

Third-party risk assessments are at the core of an effective third-party risk management program. SIG Lite or SIG Core questionnaires are regularly updated, enabling companies to assess vendors, suppliers and other third parties against current information security and third-party risk management best practices. Be sure to check out our article on the SIG 2024 update.

Map Vendor Security Controls to Compliance Requirements

Most enterprise organizations must adhere to numerous compliance and security requirements published by government bodies and required by customers. Following are a few examples of government regulations that are mapped to SIG questions:

• NIST SP 800-53
• NIST SP 800-161r1
• NIST AI 100-1
• HIPAA
• GDPR
• Interagency Guidance on Third-Party Relationships: Risk Management
• CMMC
• CCPA
• FEDRAMP
• EBA Outsourcing Guidelines
• The German Supply Chain Act
• New York DFS Climate Guidance

Applicable private sector regulations include:

• PCI DSS
• CIS Critical Security Controls
• ISO 27001
• ISO 27002
• SOC 2

Using SIG Core can enable your organization to standardize on a single risk assessment that is applicable across multiple industries and automatically map answers to a several regulations and frameworks to meet your organizations regulatory and customer obligations.

Automate Third-Party Risk Data Collection

Many organizations use SIG Core and SIG Lite in conjunction with a dedicated third-party risk management solution, which automate and speed assessment distribution, collection, analysis and reporting. Using a TPRM platform offers numerous advantages, including:

• Enriching SIG Questionnaire answers with findings from continuous cybersecurity, business, reputational and financial monitoring

• Mapping SIG Core and SIG Lite questionnaire answers to additional compliance requirements, standards and frameworks

• Automating questionnaire gathering and vendor reminders to streamline the vendor risk questionnaire process

• Simplifying remediations with built-in guidance, workflow and vendor communications

• Customizing reporting based on stakeholder or regulatory framework

• Offering a central document repository for storing and analyzing supporting evidence

• Integrating into broader enterprise risk management platforms or other business applications

Create Tiered Vendor Risk Questionnaires

Many organizations begin their third-party risk management program by building a single vendor risk questionnaire that encompasses their current understanding of third-party information security and compliance requirements. However, as organizations mature, many find that building tiered vendor questionnaires based on inherent risk makes far more sense for effectively managing risk while also maximizing time efficiency and vendor response rates.

Both SIG Core and SIG Lite contain questions that can be used to build multiple third-party risk questionnaires for different third-party vendors and suppliers. Using more-extensive questionnaires for high-risk vendors, while conducting less-extensive assessments for vendors with low profiled risk, can dramatically streamline the process and enable you to focus on addressing the most third-party risks.