SIG 2022: What’s New and How to Benefit

Editor's note: Here's a link to our article on the SIG 2023 update.

The Standard Information Gathering (SIG) questionnaire is a third-party risk assessment curated by Shared Assessments. Available in Core and Lite versions, the SIG enables organizations to leverage an industry-standard library of vetted questions that measure risk across 18 domains. By mapping each question to multiple controls and regulatory requirements, it enables organizations to simplify and standardize their third-party risk management and compliance initiatives.

Shared Assessments conducts annual reviews of the SIG questionnaire to determine if changes are needed to address gaps and enhance existing controls. This post reviews the 2022 SIG update and explores how you can put this industry-leading assessment to work in your organization.

SIG 2022 Updates

SIG 2022 questionnaire updates are organized into three categories:

1. Updated, re-ordered and reduced SIG Core and SIG Lite question sets
2. New and updated standards and regulatory mappings, including four new and 13 updated mappings
3. More than 30 new categories and domain updates

SIG Lite vs. SIG Core: What’s the Difference? What’s New?

First up, let’s look at how the question sets have changed. Shared Assessments offers two versions of its SIG assessment: SIG Lite and SIG Core.

The SIG Lite questionnaire is designed to provide a broad and high-level understanding about a third party’s internal information security controls, offering a basic level of assessment due diligence. With 150 questions, the SIG Lite can be used as a preliminary assessment before a more detailed one is performed.

Updates for the SIG Lite 2022 include:

• Grouped questions by topic, making it easier for users to understand controls
• Reduced number of questions by 50% and introduced more focused questions
• Enhanced tiering by making out-of-the-box questionnaires available for practitioners

The SIG Core questionnaire is more detailed and designed to assess third parties or vendors that store or manage sensitive, regulated data, providing a deep level of understanding about how a third party secures information. SIG Core includes 825 questions targeting 18 risk domains. The SIG Core includes a library of questions that security teams can pick and choose from with their vendors and incorporates extensive language on privacy and compliance regulations.

Updates for the SIG Core 2022 include:

• Grouped questions by topic, making it easier for users to understand controls
• Reduced number of questions by 25% and introduced more control-focused questions
• Enhanced tiering by making out-of-the-box questionnaires available for practitioners

New and Updated Regulatory Control Mappings

A second major category of SIG updates addresses regulatory control mappings. Shared Assessments keeps abreast of regulations, guidelines, and standards for a wide range of industries and has integrated 1,600 Control Points from:

• NIST 800-53 (Rev.5) Security and Privacy Controls for Information Systems and Organizations
• DOJ June 2020 Guidance on Evaluation of Corporate Compliance Programs for publicly held U.S. Companies
• Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 and Cloud Controls Matrix (CCM) Version 4
• Industrial Automation and Control Systems Guidance EC-62443
• GDPR Guidance on Standard Contractual Clauses (SCCs)
• State Privacy Laws (California, Colorado, Virginia)

Specific to NIST 800-53, the new SIG questionnaires include Supply Chain Risk Management questions in areas including asset management, system development (outsourcing), resilience and continuity, and threat and vulnerability management.