Editor's note: Here's a link to our article on the SIG 2023 update.
The Standard Information Gathering (SIG) questionnaire is a third-party risk assessment curated by Shared Assessments. Available in Core and Lite versions, the SIG enables organizations to leverage an industry-standard library of vetted questions that measure risk across 18 domains. By mapping each question to multiple controls and regulatory requirements, it enables organizations to simplify and standardize their third-party risk management and compliance initiatives.
Shared Assessments conducts annual reviews of the SIG questionnaire to determine if changes are needed to address gaps and enhance existing controls. This post reviews the 2022 SIG update and explores how you can put this industry-leading assessment to work in your organization.
SIG 2022 questionnaire updates are organized into three categories:
First up, let’s look at how the question sets have changed. Shared Assessments offers two versions of its SIG assessment: SIG Lite and SIG Core.
The SIG Lite questionnaire is designed to provide a broad and high-level understanding about a third party’s internal information security controls, offering a basic level of assessment due diligence. With 150 questions, the SIG Lite can be used as a preliminary assessment before a more detailed one is performed.
Updates for the SIG Lite 2022 include:
The SIG Core questionnaire is more detailed and designed to assess third parties or vendors that store or manage sensitive, regulated data, providing a deep level of understanding about how a third party secures information. SIG Core includes 825 questions targeting 18 risk domains. The SIG Core includes a library of questions that security teams can pick and choose from with their vendors and incorporates extensive language on privacy and compliance regulations.
Updates for the SIG Core 2022 include:
A second major category of SIG updates addresses regulatory control mappings. Shared Assessments keeps abreast of regulations, guidelines, and standards for a wide range of industries and has integrated 1,600 Control Points from:
Specific to NIST 800-53, the new SIG questionnaires include Supply Chain Risk Management questions in areas including asset management, system development (outsourcing), resilience and continuity, and threat and vulnerability management.
The NIST Third-Party Compliance Checklist
The NIST Third-Party Compliance Checklist is a 30-page guide reveals which TPRM practices map to recommendations outlined in NIST SP 800-53, NIST SP 800-161, and NIST CSF.
The SIG 2022 also renames a few risk domains to add scope and emphasize that risk is not tied to specific functions or roles. For example, Risk Management has been renamed Enterprise Risk Management so that it encapsulates risk across the whole organization. Similarly, Business Resiliency is now Operational Resilience, and Physical Security is now Physical and Environmental Security.
Perhaps the most exciting update to the SIG is the addition of new and adjusted categories that will improve assurance on relevant and timely topics such as environment, social and governance (ESG) and incident management best practices across the supply chain.
Ready to put the SIG 2022 into practice? Prevalent can help. We license both the SIG Core and SIG Lite questionnaires in our Third-Party Risk Management Platform, helping you to: