SIG Security Questionnaire: Everything You Need to Know

What is the SIG Questionnaire?

The SIG, short for “Standardized Information Gathering (Questionnaire)”, standardizes the assessment of vendors and other third parties. This recognized repository of questions spans 18 risk domains and provides a holistic risk assessment of third-party relationships and vendors. SIG was developed by the non-profit organization Shared Assessments which has been serving the third-party risk community since 2005.

Why Was the SIG Questionnaire Created?

The Standardized Information Gathering (SIG) questionnaire was created to help businesses that outsource services manage their exposure to third-party risks and compliance requirements. These risks include but are not limited to:

• cybersecurity risks
• operational risks
• data governance risks
• supply chain risks

According to Catherine Allen, former chairman and founder of The Santa Fe Group and managing agent of Shared Assessments, “it’s increasingly understood that third-party IT security risks can cause millions of dollars in loss and damage, and frequently unmeasurable harm to an organization’s reputation.”  The Shared Assessments SIG questionnaire fills an important void in providing a standardized method to decrease risk in third-party interactions as well as to increase assessment efficiency. The SIG has evolved along with the shifting risk environment and is now an industry standard product for third-party risk assessment across industries. 

About the Org: Shared Assessments 

Shared Assessments has established itself as the industry leader in third-party risk assessments having successfully developed a widely recognized third-party risk assessment resource.

The organization is a member-driven team of companies, IT service providers, and assessment firms, including the Big Four accounting firms. Their mission is to present rigorous standards for managing risk associated with outsourcing relationships and provide its members with the knowledge they need to forge safe third-party relationships. The Santa Fe Group, a strategic consulting company, originally managed Shared Assessments. The organization was acquired by OneTrust in 2021. 

Who are SIG Users?

The SIG is used by thousands of businesses across numerous industries, and more than 100,000 SIGs are traded each year. Member companies represent a range of industries including financial services, retail, and healthcare. A single license of the SIG typically costs about $4,000 for one year.

Two Parts of a SIG

Understandably, one security questionnaire doesn’t accommodate the full range of businesses that use the Shared Assessments questionnaire. 

Therefore, two default SIG Questionnaire templates are provided. The SIG Lite provides a foundation with 150 program-level questions, while the SIG Core provides a far more comprehensive set of questions for higher-risk vendors. Each company can tailor, scope, or filter the number and type of questions using the SIG Manager based on what type of assessment is being performed.

How To Know Which Level To Choose?

The level of SIG to choose is based on the depth and breadth of due diligence you need based on the vendor’s risk rating and vendor classification. 

SIG Core questionnaire

The Standardized Information Gathering (SIG) Core questionnaire includes approximately 850 questions that target all 18 risk controls. Its purpose is to help give an in-depth understanding of how a third party secures information and services. Based on industry standards, it’s meant to cover nearly all third-party risk assessments.

SIG Lite questionnaire

The Standardized Information Gathering (SIG) Lite questionnaire includes about 330 questions. Its purpose is to provide a broad, high-level overview of a third party’s internal information security controls. This tool provides a basic level of due diligence.

What is Scoping in a SIG Assessment?

Scoping is the process of selecting questions that represent the agenda of your third-party risk management program. Based on your needs, you can scope the questions to form a customized SIG questionnaire.

SIG Domains

The SIG measures security risks across 18 risk control areas within a supplier’s environment. Here’s a list of the domain categories:

• Enterprise Risk Management
• Security Policy
• Organizational Security
• Asset and Information Management
• Human Resources Security
• Physical and Environmental Security
• IT Operations Management
• Access Control
• Application Security
• Cybersecurity Incident Management
• Operational Resilience
• Compliance and Operational Risk
• Endpoint Device Security
• Network Security
• Privacy
• Threat Management
• Server Security
• Cloud Hosting Services

How Often is the SIG Questionnaire Updated?

SIG reviews its questionnaire annually to examine parts of the framework that may need to be updated due to changes in the sector. Based on member comments and feedback, Shared Assessments builds new concepts and requirements into the framework.

The annually revised questionnaire provides real-world insight into changing regulations, emerging trends, and new frameworks, laws, and standards.

We’ll discuss the changes and additions to the SIG Questionnaire for 2023 in the section below. The changes aim to ensure adequate coverage of all emerging risks as well as provide an enhanced mapping function between frameworks to avoid redundancies.

SIG 2022 Notable New Content

SIG 2022 has gone through a significant update this year, including updated questions on both the SIG Light and SIG Core components. The updates boil down to these categories:

• New and updated mappings to standards and regulations
• Updates to domains and categories
• Questionnaire changes
  • Reordered questions to improve the logic flow
  • New questions that reflect gaps identified over the year, or enhancements to existing questions
  • Reworded text to make the content more easily understood to laymen
  • Removal of outdated questions that have grown obsolete
  • Overall reduction of questions throughout

New and Updated Mappings

4 new mappings have been added to the 2023 SIG version:

SIG is indexed to many standards, including GDPR, NIST 800-53, and PCI DSS, streamlining assessments and reducing redundancies. The SIG Questionnaire was newly mapped to the following standards:

• Federal Financial Institutions Examination Council (FFIEC) Outsourcing Technology Services Guidance
• Federal Financial Institutions Examination Council (FFIEC) Architecture, Infrastructure, and Operations (AIO) Guidance
• Federal Risk and Authorization Management Program (FedRAMP)
• North American Electric Reliability Corporation (NERC) Reliability Standards
• SIG will now be able to map directly to SCF’s comprehensive controls catalog and mappings

Mapping updates have been made to the following frameworks to reflect changes in the new question set.

• Nist-800-53
• Cloud security alliance cloud controls matrix
• Cloud security alliance CAIQ v.4
• IACS
• ISO 27001 and 27002
• ISO 27701
• PCI-DSS
• NIST cybersecurity framework
• NIST privacy framework
• NYDFS Cybersecurity requirements
• FFIEC IT examination handbook
• FFIEC cybersecurity assessment tool
• HIPAA administrative simplification
• Shared assessments SCA procedures
• European Banking Authority (EBA) guidelines on outsourcing procedures
• Eu GDPR 2016/679

Updates to Domains and Categories

Domains

The 18 core topic domains have remained although 3 domains have been renamed.

• Risk management was changed to enterprise risk management
• Business residency was changed to operational resilience
• Physical security was changed to physical and environmental security

Categories

Trending topics that are reflected in new 2023 topic categories:

ESG

ESG plays a central role in the 2023 SIG with 131 questions in a new ESG Risk Domain allowing users to easily scope an ESG-specific SIG. Risk practitioners can use an ESG-scoped SIG to self-assess their own organization’s ESG compliance, or to assess third-party ESG risk.

Fourth and Nth Party Management

As the supply chain continues to be an area of focus for businesses and regulators, the 2023 Standardized Information Gathering (SIG) Questionnaire moves fourth and Nth Party questions to their own domain for greater visibility. In an increasingly complex supply chain environment, the new domain helps users scope a supply chain risk assessment with more ease & precision.

Categories under the Nth-Party Management domain include:

• Policies, Standards, and Procedures
• Executive Sponsorship
• Contracts & Agreements
• Inventory & Assets
• Board, and Committee Oversight
• Incident and Breach Management
• Due Diligence
• Risk Assessments
• Background & Screening
• Notifications and Issue Management

Data and privacy

The 2023 SIG has received important Privacy Updates to address pending CPRA/CCPA implementation in California, as well as EU GDPR updates, the GLBA Data Safeguard ruling, and impending U.S. State Privacy laws from Colorado, Utah, Virginia, and Connecticut.

How Centraleyes Can Help Your TPRM

SIG is a spreadsheet-based assessment program. In the SIG questionnaire, vendors and users are unable to collect policies and documentation. 

Automated third-party assessments can enhance your TPRM program by linking key evidence and documents to the questionnaire, and driving actionable insights based on vendor input. At Centraleyes, we bridge the gap between our very own framework-based vendor questionnaire and the evidence needed to back it up by providing automated evidence collection built into the assessment process.

Centraleyes provides a totally unique vendor questionnaire that assesses vendor risk exposures, streamlines the due diligence process, and provides mitigation strategies in response to security gaps that are uncovered.

We can help you manage and assess your third-party relationships to make your process smarter, more unified, and more prescriptive. At Centraleyes, we believe that TPRM is not just about automating questionnaires but about providing complete TPRM lifecycle oversight from onboarding to offboarding.