SIG 2022: What’s New and How to Benefit

Updates to the Standard Information Gathering Questionnaire (SIG) include simplified questions, additional control mappings, and new categories.
Thomas Humphreys
Prevalent Compliance Expert
December 01, 2021

Editor's note: Here's a link to our article on the SIG 2023 update.

The Standard Information Gathering (SIG) questionnaire is a third-party risk assessment curated by Shared Assessments. Available in Core and Lite versions, the SIG enables organizations to leverage an industry-standard library of vetted questions that measure risk across 18 domains. By mapping each question to multiple controls and regulatory requirements, it enables organizations to simplify and standardize their third-party risk management and compliance initiatives.

Shared Assessments conducts annual reviews of the SIG questionnaire to determine if changes are needed to address gaps and enhance existing controls. This post reviews the 2022 SIG update and explores how you can put this industry-leading assessment to work in your organization.

SIG 2022 Updates

SIG 2022 questionnaire updates are organized into three categories:

  1. Updated, re-ordered and reduced SIG Core and SIG Lite question sets
  2. New and updated standards and regulatory mappings, including four new and 13 updated mappings
  3. More than 30 new categories and domain updates

SIG Lite vs. SIG Core: What’s the Difference? What’s New?

First up, let’s look at how the question sets have changed. Shared Assessments offers two versions of its SIG assessment: SIG Lite and SIG Core.

The SIG Lite questionnaire is designed to provide a broad, high-level understanding of a third party’s internal information security controls, offering a basic level of assessment due diligence. With 150 questions, the SIG Lite can be used as a preliminary assessment before a more detailed one is performed.

Updates for the SIG Lite 2022 include:

  • Grouped questions by topic, making it easier for users to understand controls
  • Reduced number of questions by 50% and introduced more focused questions
  • Enhanced tiering by making out-of-the-box questionnaires available for practitioners

The SIG Core questionnaire is more detailed and is designed to assess third parties or vendors that store or manage sensitive, regulated data, providing a deep level of understanding of how a third party secures information. SIG Core includes 825 questions targeting 18 risk domains. It provides a library of questions from which security teams can select those relevant to each vendor, and it incorporates extensive language on privacy and compliance regulations.

Updates for the SIG Core 2022 include:

  • Grouped questions by topic, making it easier for users to understand controls
  • Reduced number of questions by 25% and introduced more control-focused questions
  • Enhanced tiering by making out-of-the-box questionnaires available for practitioners

New and Updated Regulatory Control Mappings

A second major category of SIG updates addresses regulatory control mappings. Shared Assessments keeps abreast of regulations, guidelines, and standards for a wide range of industries and has integrated 1,600 Control Points from:

  • NIST 800-53 (Rev.5) Security and Privacy Controls for Information Systems and Organizations
  • DOJ June 2020 Guidance on Evaluation of Corporate Compliance Programs for publicly held U.S. Companies
  • Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 and Cloud Controls Matrix (CCM) Version 4
  • Industrial Automation and Control Systems Guidance IEC 62443
  • GDPR Guidance on Standard Contractual Clauses (SCCs)
  • State Privacy Laws (California, Colorado, Virginia)

Specific to NIST 800-53, the new SIG questionnaires include Supply Chain Risk Management questions in areas including asset management, system development (outsourcing), resilience and continuity, and threat and vulnerability management.

Domain and Category Updates

The SIG 2022 also renames a few risk domains to add scope and emphasize that risk is not tied to specific functions or roles. For example, Risk Management has been renamed Enterprise Risk Management so that it encapsulates risk across the whole organization. Similarly, Business Resiliency is now Operational Resilience, and Physical Security is now Physical and Environmental Security.

Perhaps the most exciting update to the SIG is the addition of new and adjusted categories that will improve assurance on relevant and timely topics such as environmental, social and governance (ESG) and incident management best practices across the supply chain.

  • ESG updates include ethical sourcing and codes of conduct, modern slavery, and environmental risk management.
  • Incident management features expanded detection and documentation.
  • Fourth- and Nth-party management broadens the requirements for managing third parties to include the wider supply chain. Areas include contractual requirements, risk assessments, operational resilience, and personal data management.

How Prevalent Helps

Ready to put the SIG 2022 into practice? Prevalent can help. We license both the SIG Core and SIG Lite questionnaires in our Third-Party Risk Management Platform, helping you to:

  • Automate the collection and analysis of SIG questionnaire answers and supporting evidence with a single platform
  • Simplify regulatory and security framework reporting with additional, built-in control mappings
  • Gain improved visibility into vendor risks with machine learning analytics and reporting
  • Proactively mitigate risk with access to centralized remediation guidance
  • Provide your team with reliable access to the latest version of the SIG questionnaire
  • Complement and validate SIG questionnaire responses with continuous cyber, business, reputational, and financial risk monitoring

Additionally, Prevalent leverages the SIG as standardized content for the Prevalent Exchange Network and Prevalent Legal Vendor Network.

Request a demo today to get started on your TPRM journey. Or, for a complete review of the SIG and its 2022 enhancements, please visit Shared Assessments.