What is the SIG Framework?

The Standardized Information Gathering (SIG) questionnaire is used to conduct an initial evaluation of suppliers, gathering information to determine how security risks are managed across 18 individual risk domains. It is a comprehensive risk assessment framework covering cybersecurity, privacy, data security, IT and business resiliency.

SIG was created by Shared Assessments, an organization that develops risk management tools, resources and best practices. 

The SIG questionnaire was developed to manage cybersecurity risk, specifically third and fourth-party risk. 

The questionnaire is gaining traction, particularly in the US, and is commonly used in industries that are highly regulated or handle sensitive data. These industries include, but are not limited to, insurance, technology, banking and pharmaceuticals. To ensure continued compliance, businesses may require service providers to update their questionnaire annually.

SIG questionnaires are divided into three categories: 

  1. SIG Questionnaire: The full SIG assessment evaluates a service provider’s security risks across 18 different risk domains, which together determine the vendor’s risk posture. This tool has a total of 1200 questions.
  2. SIG LITE: The full SIG questionnaire is comprehensive, covering a wide range of risk areas across multiple disciplines. SIG LITE, with approximately 330 questions, can be highly effective for lower-risk vendors that do not require the SIG assessment in its entirety. It takes the high-level concepts and questions from the complete SIG assessment and condenses them into a short and simple questionnaire.
  3. SIG CORE: SIG CORE is a newer version of the original SIG assessment. Its added personalization enables security teams to pick and choose relevant questions. In addition, it includes extensive questions related to GDPR and other specific compliance regulations. In total, SIG CORE has around 850 questions.

The 18 domains that make up SIG are:

  • Risk Management
  • Security Policy
  • Organizational Security
  • Asset and Info Management
  • Human Resource Security
  • Physical and Environmental Security
  • Operations Management
  • Access Control
  • Application Security
  • Incident Event and Communications Management
  • Business Resiliency
  • Compliance
  • End User Device Security
  • Network Security
  • Privacy
  • Threat Management
  • Server Security
  • Cloud Hosting

A new SIG questionnaire is released annually to reflect the ever-changing risk environment. The latest version is the 2021 SIG.

What are the requirements for SIG?

The SIG questionnaire can be used in a variety of ways, depending on your specifications and the type of vendor you are evaluating, including:

  • Outsourcers: Outsourcers can use SIG to assess a vendor’s information security controls
  • Vendors:
    • Vendors can complete SIG assessments and use them proactively as part of due diligence or a request for proposal (RFP) response
    • Third-party vendors can complete the assessments and send them to potential clients instead of completing one or multiple vendor risk assessments
  • Organizations: Any organization can utilize SIG for self-assessment purposes

Organizations can scope their own SIG questionnaire by choosing from the three tools mentioned above (SIG, LITE or CORE). They can then remove unrelated questions and add industry-specific questions from the repository, resulting in a customized questionnaire based on their specific business needs and requirements.

Many organizations request a completed SIG when contemplating onboarding a new vendor. Therefore, vendors and third-party suppliers may choose to complete a SIG assessment yearly, saving time on answering multiple SIGs.

The SIG contains direct mappings to fourteen of the most critical Reference Documents included within the SIG Content Library. These frameworks include, but are not limited to, ISO 27001 and 27701, GDPR, PCI DSS, NIST CSF, NIST Privacy Framework and the CSA CCM.

Why should you be SIG compliant?

As the security risks and concerns of organizations continue to increase, many security teams have found that creating personalized questionnaires works best for their vendors. Utilizing SIG, SIG LITE and SIG CORE gives security teams the opportunity to create questionnaires based solely on their vendors’ needs, with the aim of ensuring complete security compliance when working with third-party suppliers.

In addition, organizations can use the answers from their SIG assessments to assist them with other questionnaires, making it that much simpler to complete other assessments or determine the compliance of vendors.

SIG is mapped to many standards, which makes the compliance process easier. If you need to implement a control from one of the mapped standards, you can find the SIG questions that address it.

The SIG results can help determine whether or not a business is trustworthy when it comes to security and data. Establishing this trust is often a part of the due diligence process. 

As a result, compliance with SIG ensures that you will not be left in the dust when organizations are choosing their vendors.

As a vendor, failure to complete SIG assessments makes it more likely that businesses will skip over you when choosing third-party software. An organization that deals with vendors without screening them practically guarantees unknown risks and vulnerabilities in its software, which could have significant repercussions, including loss of trust, lack of compliance and even data breaches.

How to achieve compliance?

Organizations, whether outsourcers or vendors, can benefit from the SIG toolkit. Outsourcers can use completed SIG assessments when vetting new third-party software, and service providers can take advantage of the three SIG assessments by choosing the right one for their needs, completing it and submitting it for potential contracts.

It can be daunting to figure out how to best use the SIG framework with all its possibilities, not to mention the high costs for maintaining a SIG membership. 

Your vendors pose a potential risk to your organization, but managing that risk effectively without the help of an intuitive, smart and automated platform is nearly impossible. As threats continue to grow, so does the need for a strong solution.

The Centraleyes cloud-based vendor risk management platform empowers organizations to onboard and manage hundreds or thousands of vendors in one centralized smart interface. All the SIG documents have been integrated into the Centraleyes platform, giving you automated workflows, smart questionnaires and a remediation planner. The platform enables you to categorize and compare vendors against a clear and objective scoring system based on their SIG assessment results.

The Centraleyes platform is user-friendly, guiding vendors in choosing the correct SIG option, customizing the assessment to their needs and updating the questionnaires in real time.

Empower your vendor risk management with the powerful Centraleyes platform, which automates and orchestrates your evolving vendor risk.
