The Standardized Information Gathering Questionnaire is a vendor assessment mapping to the requirements of many cyber regulations and frameworks.
The purpose of a SIG security assessment is to help manage operational risks, business resiliency, security policies, cybersecurity risks, and third-party risks as part of a broader Third-Party Risk Management (TPRM) program.
The 19 risk domains evaluated by the SIG include:
- Enterprise Risk Management
- Security Policy
- Organizational Security
- Asset and Information Management
- Human Resources Security
- Environmental, Social, Governance (ESG)
- IT Operations Management
- Access Control
- Application Security
- Cybersecurity Incident Management
- Operational Resilience
- Compliance and Operational Risk
- Endpoint Device Security
- Network Security
- Privacy
- Threat Management
- Server Security
- Cloud Hosting Services
What is the SIG Questionnaire?
The Standardized Information Gathering (SIG) Questionnaire was created to help businesses improve the management of their third-party risks across multiple categories, including cybersecurity, operational and data governance, and supply chain risks. The primary objective of SIG questionnaires is to reduce the risk of an organization suffering a third-party breach.
Who created the SIG questionnaire?
The SIG questionnaire was created by Shared Assessments. Shared Assessments provides best practices, solutions, and tools helping third-party risk management teams create an environment of assurance for outsourcers and their vendors.
Shared Assessments' foundation is in regulatory and compliance-driven financial services but has grown to include the increasing number of industries that treat good Vendor Risk Management as standard operating practice, such as HIPAA-regulated entities.
What is Standardized Information Gathering (SIG) Lite?
SIG Lite is the most simplified version of the SIG questionnaires developed by Shared Assessments. It was designed for instances where a quick, high-level overview of a vendor's third-party risk exposure is required. This version of SIG focuses on just the core aspects of third-party risk, the minimum required to determine the overall risk a vendor introduces to your organization: cybersecurity, compliance, and privacy.
The quicker and more efficient risk assessment processes made possible with SIG Lite questionnaires make them an ideal choice for low-risk vendors not requiring a comprehensive security posture evaluation.
What is in the Standardized Information Gathering (SIG) Questionnaire Toolkit?
The components of the 2020 Standardized Information Gathering (SIG) Questionnaire Toolkit are:
- Third-party Privacy Tools: This set of tools was built from the demand driven by 2019's GDPR Privacy Tools, with an expanded scope to meet requirements for various privacy regulations and framework updates. These tools provide templates for pre-assessment scoping or readiness assessments that enable privacy-centric assessments, incorporating privacy controls and obligations based on specific jurisdictions.
- Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools: SIG's VRMMM is one of the longest-running third-party risk maturity models. The 2020 VRMMM Benchmark Tools' improved maturity tracking and functionality lets managers set more granular maturity level ratings and deliver greater reporting clarity. VRMMM Benchmark Tools are free to use.
- Standardized Information Gathering (SIG) Questionnaire Tools: The SIG employs a holistic set of questions based on industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency, and data security risk.
- Standardized Control Assessment (SCA) Procedure Tools: The SCA assists risk professionals in performing onsite or virtual assessments of vendors, providing the verification or attestation component of third-party risk programs.
Why was the SIG questionnaire created?
The SIG questionnaire was created to manage cybersecurity risk, particularly third-party risk, and fourth-party risk.
As the Santa Fe Group CEO and Chairman Catherine A. Allen said, "it’s increasingly understood that third party IT security risks can cause millions of dollars in loss and damage, and often unmeasurable harm to an organization’s reputation, the best practices for effective third party risk management are certainly less well understood."
When doing business with third parties, it's not safe to assume that you are solely doing business with the party under contract.
Just as your organization may outsource to a service provider or external provider, your vendors likely do too. So whether you know it or not, you are relying on your vendors, and increasingly their vendors, to use sound security controls.
This means you should apply the same standardized information gathering process for assessing all parties.
The SIG questionnaire aims to provide standardized resources for managing the complete third-party relationship lifecycle.
Standardization is critical for advancing effective, secure third-party controls and risk assessments. The Shared Assessments Program created a suite of third-party risk management tools that aim to create efficiencies and lower costs while maintaining compliance with regulations, industry standards, and guidelines across information technology environments.
What are the types of SIG questionnaires?
There are three types of SIG questionnaire:
- SIG Core: The SIG Core questionnaire is a library of 855 questions, including extensive questions about specific controls and definitions. SIG Core covers 19 risk domains that determine how security risks are managed in a vendor environment.
- SIG Lite: The SIG Lite questionnaire is a streamlined version of the SIG with 126 questions for program-level assessment. SIG Lite distills the concepts and questions from SIG Core for lower-risk third parties.
- Custom SIG: A custom SIG questionnaire can be built from the SIG Lite and Core versions based on your organization's needs. Custom SIG questionnaires can be tailored according to business needs for due diligence requirements.
SIG Core vs SIG Lite
The difference between SIG Core and SIG Lite is the depth of third-party risk exposure being assessed by each questionnaire.
- SIG Core: This is a comprehensive questionnaire designed for in-depth vendor risk assessments. It should be used with critical or high-risk vendors handling sensitive data. It covers 21 risk domains to provide the most detailed insights about a vendor's cybersecurity and risk management practices. The Core version of SIG is an ideal choice for businesses outsourcing the processing of their sensitive data to third parties.
- SIG Lite: This is a more streamlined version compared to SIG Core. SIG Lite is ideal when a high-level understanding of a vendor's cybersecurity practices is sufficient. It is typically used with low-risk vendor relationships, those that do not have access to sensitive data, such as a vendor providing stationery supplies. SIG Lite questionnaires could also be used as a preliminary assessment of prospective vendors when deciding whether a more comprehensive evaluation with a SIG Core questionnaire is necessary.
The SIG Lite questionnaire is available on the UpGuard platform.
How can the SIG questionnaire be used?
The SIG questionnaire can be used in a handful of ways, depending on your organization's needs and the type of vendor you are assessing, including:
- To evaluate a service provider's information security controls.
- Completed by third-party vendors and used proactively as part of due diligence or a request for proposal (RFP) response.
- Completed by a service provider and sent to their clients instead of completing one or multiple third-party risk assessments.
- Used by an organization as part of its own self-assessment process.
What is the SIG framework?
The Standardized Information Gathering (SIG) framework evaluates the level of risk posed by third-party services by considering various risk domains. While SIG questionnaires are the primary means of collecting data for a SIG framework, other sources of third-party risk information could include certifications and completed questionnaires mapping to cybersecurity standards, such as NIST CSF.
Depending on the level of security risk detail required of a vendor, consolidating multiple data sources to support frameworks such as SIG could be time-consuming. Solutions such as UpGuard Trust Exchange could streamline this effort.
The SIG framework offers a structured approach to collecting third-party risk information to evaluate a vendor's security posture, ensuring that vendor risk assessment processes remain consistent across all third-party vendor relationships.
Key components of the SIG framework
The SIG framework is characterized by the following:
1. Risk domains
The SIG framework is divided into multiple risk domains (21 domains in SIG Core), each focusing on a different aspect of Third-Party Risk Management. Each SIG question evaluates how a vendor addresses potential risks in a given risk domain.
2. Two versions of the SIG questionnaire
The Standardized Information Gathering (SIG) framework offers two versions of its questionnaire to account for the primary types of vendor relationships within a Third-Party Risk Management program: high-risk and low-risk.
- SIG Core - for high-risk vendors
- SIG Lite - for low-risk vendors
3. High customization potential
The SIG framework was designed to be customizable to just about every TPRM context so that it can be applied across all industries. Organizations are free to add, remove, or modify any question to adapt each questionnaire to each unique vendor relationship. This flexibility allows the SIG frameworks to be tailored to an organization's specific third-party risk appetites and regulatory requirements.
4. Efficiency in vendor management
By using a standardized set of questions most businesses are familiar with, the SIG framework accommodates pre-filled questionnaire responses, allowing vendors to respond to their SIG questionnaires more rapidly and streamlining the entire Vendor Risk Management (VRM) process. VRM automation, such as pre-filling vendor questionnaires, can be used with all types of vendor questionnaires, not just those aligned with the SIG framework.
SIG Questionnaire example
Here are some examples of questions that could be used in a SIG questionnaire across all twenty-one risk domains of SIG version 2024. This is just a small sample; SIG questionnaires contain more questions in each risk domain.
Domain: Risk Assessment and Treatment
- Is there a formalized process for risk ownership assignment, including the documentation of responsibilities for managing identified risks?
- Are all identified risks periodically reviewed and updated by a designated risk management committee?
- Are risk treatment plans integrated into the organization's strategic planning process?
Domain: Security Policy
- Has the information security policy been approved and communicated to all relevant stakeholders, including external partners?
- Is there a policy review process in place to ensure all security policies remain aligned with evolving legal requirements?
- Are all changes to security policies documented and tracked to ensure compliance and transparency?
Domain: Organizational Security
- Are there designated roles and responsibilities for overseeing information security initiatives within the organization?
- Does the organization have an independent security governance structure that provides oversight separate from operational functions?
- Are security roles reviewed periodically to reflect changes in the organizational structure or risk landscape?
Domain: Asset and Information Management
- Is there a centralized inventory of all physical and digital assets, including classifications based on their sensitivity and value?
- Does the organization enforce controls on removable media, such as restricting the use of unauthorized USB devices?
- Are encryption tools and practices regularly reviewed and updated to protect data at rest and in transit?
Domain: Human Resource Security
- Are background checks conducted on all employees, contractors, and subcontractors with sensitive data access?
- Is there a documented policy for ongoing security awareness training that is tailored to the organization's different roles and responsibilities?
- Are there procedures in place to ensure the secure offboarding of employees, including revoking access and retrieving company assets?
Domain: Physical and Environmental Security
- Are physical access controls implemented to prevent unauthorized entry into data centers and other sensitive facilities?
- Are security cameras and monitoring systems used to detect and respond to unauthorized access attempts?
- Are visitors required to sign in and be escorted while on the premises where sensitive information is processed or stored?
Domain: Operations Management
- Are documented standard operating procedures maintained for all critical IT operations, including backup and recovery processes?
- Is there a change management policy that requires testing and approval before implementing changes to critical systems?
- Are regular reviews conducted to ensure operational controls are effective and updated as needed?
Domain: Access Control
- Is multi-factor authentication required for accessing systems that store or process sensitive data?
- Are individual user accounts strictly managed, including regular audits to identify and remove inactive accounts?
- Are role-based access controls implemented to ensure users have the minimum level of access necessary for their job functions?
Domain: Application Security
- Are security assessments conducted on all applications before deployment in a production environment?
- Are secure coding practices enforced and regularly reviewed to mitigate common vulnerabilities such as SQL injection and cross-site scripting?
- Are application logs monitored for suspicious activity that could indicate an attempted or successful breach?
Domain: Incident Event and Communications Management
- Is there a documented incident response plan that includes defined roles, communication protocols, and escalation procedures?
- Are incident response exercises conducted at least annually to test the effectiveness of the response plan?
- Is there a process to notify affected parties of a data breach within a defined timeframe?
Domain: Business Resiliency
- Are business continuity plans developed and documented for all critical business functions?
- Are continuity and recovery strategies tested and updated at least annually to ensure they remain effective?
- Is there a defined recovery point objective (RPO) and recovery time objective (RTO) for each critical system and service?
Domain: Compliance
- Are there documented policies to ensure compliance with relevant legal, regulatory, and contractual requirements?
- Are internal audits performed regularly to assess compliance with established policies and procedures?
- Is there a records management policy that specifies the retention and disposal of documents in line with regulatory obligations?
Domain: End User Device Security
- Are all end-user devices configured according to security standards that include encryption, patching, and anti-malware controls?
- Is there a mobile device management program to enforce security policies on mobile devices used within the organization?
- Are employees prohibited from using unauthorized devices to access the corporate network or sensitive data?
Domain: Network Security
- Are firewalls, intrusion detection systems, and other network security controls implemented to protect against external threats?
- Are regular network vulnerability scans performed, and are vulnerabilities remediated promptly?
- Are network segmentation controls in place to isolate sensitive systems from less secure parts of the network?
Domain: Privacy
- Is there a privacy policy that defines how personal data is collected, used, stored, and shared?
- Are privacy impact assessments conducted when introducing new technologies or processes that may affect personal data?
- Are third-party agreements reviewed to ensure compliance with the organization’s privacy standards?
Domain: Threat Management
- Is there a documented threat intelligence program that identifies and assesses emerging threats relevant to the organization?
- Are threat detection tools regularly updated to address the latest security vulnerabilities?
- Is there a coordinated process for managing and mitigating threats, including collaboration with external partners?
Domain: Server Security
- Are all servers hardened according to industry best practices, including disabling unnecessary services and configuring firewalls?
- Are critical server patches applied within a specific timeframe to minimize exposure to vulnerabilities?
- Are administrative access controls in place to limit who can change server configurations?
How often is the SIG questionnaire updated?
The SIG questionnaire is updated on a yearly basis to comply with new industry standards and to account for changes in the cybersecurity landscape.
The 2020 Shared Assessments Third-Party Risk Management Toolkit was released on November 20, 2019, to enable organizations around the world to meet new and evolving regulatory compliance demands and address evolving physical and cyber risks.
New for 2020 is expanded third-party privacy tools for GDPR and the California Consumer Privacy Act (CCPA), new operational risk content on emerging and expanding third-party risk scenarios such as money laundering, trafficking, anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain.
New usability features and expanded operational content include:
- Expanded operational/enterprise risk: Content for the comprehensive but customizable question library addresses corporate governance functions of anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain. Enterprise risk governance, information security risk, and privacy data protection questions have expanded based on new regulations, including CCPA and GDPR.
- Risk and regulatory compliance content: New content across tools helps risk professionals close regulatory compliance gaps in third-party relationships with strict data security standards such as PCI DSS.
- Data governance: Privacy regulations such as PIPEDA, CCPA, FIPA, the SHIELD Act, and GDPR mandate that organizations diligently track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhancements assist with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships, including fourth-party management.
- Service provider configuration and response management: New agility in the Standardized Information Gathering (SIG) Management Tool makes it easier for service providers to build, configure, and maintain multiple completed questionnaires, reducing the effort and complexity involved in responding to due diligence requests.
- External content automation: Shared Assessments members, outsourcers, and licensees can extract and integrate SIG content into their platforms via JSON.
Summary of SIG updates
The following is an overview of some of the more significant SIG framework changes introduced in historical SIG updates:
SIG 2024 updates
The SIG 2024 update introduced two new risk domains and revised the names of existing domains to better reflect evolving risk management needs:
1. New risk domains:
- Supply Chain Risk Management: For mitigating risks across the supply chain, with a focus on enhanced cybersecurity and increased resilience to continuity disruptions. This domain incorporates the Supply Chain Risk Management standards of NIST 800-161.
- Artificial Intelligence (AI): For assessing risk associated with using AI tools, namely their impact on privacy and safety. The AI risk management standards of this risk domain have been influenced by the NIST AI Risk Management Framework (NIST AI RMF).
2. Renamed risk domains:
- Application Security has been renamed to Application Management, expanding the focus of this risk domain from just securing applications to risk management throughout the entire software development lifecycle.
- Cloud Hosting Services has been updated to Cloud Services to broaden the scope of cloud-based activities beyond infrastructure security.
3. Enhanced compliance mapping:
- New mapping was added to account for updated standards, such as ISO 27001:2022, ISO 27002:2022, PCI DSS v4.0, and CMMC 2.0.
4. Other updates:
- Fixed errors and alignment issues, clarified question wording, and improved mapping to CSA CAIQ and FedRAMP to enhance accuracy and usability across different platforms (e.g., Windows, Mac).
SIG 2023 updates
The SIG 2023 update made several key changes to enhance third-party risk assessments:
New Risk Domains:
- Environmental, Social, and Governance (ESG): With growing regulatory demands around sustainability and ethical governance, this domain was added to cover various ESG topics, such as environmental policies, worker safety, and ethical sourcing.
- Nth-Party Management: This domain focuses on managing risks associated with fourth and nth-party vendors, recognizing the need to assess risks beyond direct third-party relationships. It addresses areas like contracts, due diligence, and incident management.
Reorganization of Existing Content:
- The Security Policy domain was removed, and its content was redistributed across the third-party management and Information Assurance domains to streamline risk assessment processes.
Expanded Coverage:
- SIG 2023 went deeper into specific areas within new domains, such as ESG, by incorporating more detailed questions related to compliance with emerging laws like the EU Corporate Sustainability Due Diligence Directive and the German Supply Chain Due Diligence La
SIG 2022 updates
The SIG 2022 update focused on simplifying and improving the usability of the SIG questionnaires:
Simplification of Question Sets:
- SIG Core and SIG Lite question sets were re-ordered and reduced to make them more manageable. This included grouping questions by topic to improve clarity and reduce the overall number by up to 50% for SIG Lite and 25% for SIG Core.
New and Updated Regulatory Mappings:
- The update included four new and thirteen updated control mappings to align with evolving regulatory standards, such as NIST 800-53 (Rev. 5), DOJ guidance, and the CAIQ v3.1. These mappings ensure that the SIG remains a relevant tool for compliance across various frameworks.
Introduction of New Categories:
- More than 30 new categories and domain updates were introduced to reflect emerging risk areas and evolving compliance needs. These updates make it easier for users to find relevant controls and focus on specific risk areas.
How is the SIG questionnaire different from other vendor risk assessment questionnaires?
The SIG Management Tool is a Microsoft Excel workbook that allows assessors to draw from the bank of questions in the SIG Content Library to create customized questionnaire templates based on their needs.
Unlike other security questionnaires, such as HECVAT and the Vendor Security Alliance Questionnaire, the SIG questionnaire evaluates third-party vendors and service providers based on its own 18 individual risk control areas.
SIG is a good option for a broad range of vendor risk management use cases because its controls map to a large variety of cybersecurity frameworks and guidelines, including:
- ISO 27002:2013
- ISA 62443
- CSA Cloud Controls Matrix
- HIPAA
- GDPR
- 23 NYCRR 500
- FFIEC Appendix J
- FFIEC CAT
- PCI DSS
- FFIEC IT Management Handbook
- EBA Guidelines
- NIST SP 800-53 Rev 4
- NIST CSF
- SOC 2
Indexing across multiple security assessments makes the SIG questionnaire a good choice for evaluating vendor security postures during the prospecting and onboarding phases of Vendor Risk Management.
Other well-known and respected security questionnaires include:
- The National Institute of Standards and Technology (NIST) SP 800-171
- ISO 27001
- CIS Critical Security Controls
- The Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)
- The Vendor Security Alliance Questionnaire (VSAQ)
How to achieve SIG compliance in 2024
SIG compliance is achieved when your organization aligns its third-party risk management processes with the standards outlined in the Standardized Information Gathering (SIG) framework. The following is a high-level framework for achieving SIG compliance.
Step 1: Understand the SIG framework
Begin by understanding the third-party risk management objectives of the SIG framework across all of its 21 risk domains. Start with the framework outlined in SIG Core, allowing you to consider the most extreme compliance effort scenario. Determine the relevance of each risk domain to your TPRM objectives and the scope of controls in each risk domain that are potentially applicable.
Step 2: Select an appropriate SIG questionnaire
Determine whether to use a SIG Core or SIG Lite questionnaire for your vendors. Your choice should be based on the level of risk associated with each vendor's relationship. High-risk vendors (those processing sensitive data) should be assigned a SIG Core questionnaire. A SIG Lite questionnaire would be the more efficient choice for low-risk vendors.
If you're not sure of a vendor's risk level and, therefore, which SIG questionnaire to send them, a SIG Lite questionnaire could provide the most efficient means of gauging inherent risk levels to determine whether a follow-up evaluation with a SIG Core questionnaire is required.
Step 3: Map to regulatory standards
The SIG framework offers a pathway to compliance with various standards, such as NIST, ISO 27001, GDPR, PCI DSS, and industry-specific guidelines such as NIST SP 800-161r1 for supply chain risk and the NIST AI RMF for AI risk management. To ultimately achieve SIG compliance, you will need to align your third-party risk management practices to all applicable standards based on the findings of SIG questionnaires. Each vendor will have a unique third-party risk context that will need to be considered when strategizing alignment improvements.
Step 4: Implement third-party risk management controls
Implement robust risk management controls across all applicable risk domains in the SIG framework. To ensure the ongoing effectiveness of these controls, implement organizational policies, procedures, and tools to simplify the identification and management of the third-party risks being mitigated by each control.
Step 5: Conduct regular risk assessments
Regularly evaluate each vendor's security risk levels with SIG questionnaires, ensuring appropriate versions are used based on each vendor's criticality level. Critical vendors will need to undergo the most frequent SIG compliance assessments. To make this effort more streamlined and scalable, implement a vendor tiering strategy into your Third-Party Risk Management program, where vendors are grouped based on the level of risk they pose to the organization. This will make it easier to identify vendors ready for a scheduled SIG compliance assessment and allow appropriate versions of SIG to be sent to each vendor at scale.
Why you should consider using security ratings alongside the SIG questionnaire
Security ratings provide risk management and security teams with the ability to continuously monitor the security posture of their vendors.
The benefit of security ratings alongside security questionnaires is they are automatically generated, updated frequently, and they provide a common language for technical and non-technical stakeholders.
Security ratings fill the attack surface gaps left by traditional point-in-time assessment techniques like the SIG questionnaire to provide continuous attack surface awareness.
Security ratings can complement and provide assurance of remediation efforts and the results reported in security questionnaires because they are externally verifiable, always up-to-date, and provided by an independent organization.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships.
UpGuard is one of the most popular security ratings providers. We generate our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source threat feeds, and non-intrusive data collection methods to quantitatively evaluate cyber risk.
UpGuard bases its ratings on the analysis of 70+ vectors, including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Vulnerabilities
- Malware susceptibility
- Unnecessary open administration, database, app, email, and file-sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of vendor risk assessment questionnaires.
If you are curious about the performance of other security rating services, see our guide on SecurityScorecard vs. BitSight here.
How UpGuard can help you manage your SIG Questionnaires
UpGuard streamlines your security questionnaire workflows with features suited to an efficient Vendor Risk Management program, including the Shared Assessments’ SIG Lite Questionnaire.
The UpGuard platform offers a SIG Lite questionnaire to help users align their Vendor Risk Management practices against the SIG framework. UpGuard helps you save time and resources by automating information-gathering processes for risk assessments based on the SIG framework, or other popular cybersecurity and regulatory standards. Combine UpGuard's SIG questionnaire with its security ratings tools for real-time tracking of a vendor's emerging security risks.