The Standard Information Gathering Questionnaire is used by third-party risk management teams to conduct standardized vendor and supplier risk assessments. SIG questionnaires can be used as-is or leveraged as part of a wider third-party risk management (TPRM) program. This post examines key SIG 2023 updates and how they can be used in your vendor and supplier risk assessments.
The Standard Information Gathering (SIG) questionnaire is a third-party risk assessment curated by Shared Assessments. SIG is available in multiple formats, including SIG Core, SIG Lite and customized versions. Organizations use SIG questionnaires to measure third-party risk across 19 domains, and each question is mapped to several compliance and regulatory requirements. SIG covers a wide range of areas from information security and cybersecurity, to privacy and ESG.
Shared Assessments reviews and updates SIG questionnaires on an annual basis. These updates usually include additions and changes to questions, domains and subject categories based on current operational standards, societal changes, and developments in specific industries and sectors.
The current version of the SIG evaluates risk across the following 19 control areas, also known as “domains”:
Major additions in SIG 2023 include the new ESG domain and the new Nth-Party Management domain. Also, the Security Policy domain was removed, and its content was relocated to the Nth-Party Management and Information Assurance domains. We’ll go into the details below.
The most significant change in SIG 2023 is the addition of the Environmental, Social and Governance (ESG) domain. ESG compliance has grown in importance with the emergence of several new regulations, such as the draft EU Corporate Sustainability Due Diligence Directive and the German Supply Chain Due Diligence Law. The SIG Core 2023 update incorporates 131 questions related to environmental, social and governance practices.
Compared to SIG 2022, SIG 2023 dives deeper into specific topics within ESG. For instance, SIG 2022 included high-level questions like “Do you have an ESG program in place?” SIG 2023, on the other hand, addresses several specific ESG topics across the following categories:
Nth-Party Management is another new SIG 2023 domain. This topic was formerly covered as part of the Enterprise Risk Management domain.
Numerous factors connect increased data risks to fourth parties. For instance, threat actors have been known to target technology vendors as a means to subsequently level ransomware attacks against the vendors’ business partners and their customers. A good example is last year’s Kaseya breach, which targeted a popular platform used by managed service providers to deliver services to their customers.
In addition, as companies become increasingly connected, PII, PHI, intellectual property and other sensitive data can find its way to fourth and Nth parties who are unknown to the original data owner or steward. In this context, distinguishing fourth- and Nth-party risk from the Enterprise Risk Management domain makes a great deal of sense. Categories under the Nth-Party Management domain include:
SIG 2023: What’s New & How It Will Impact Your TPRM Program
Join compliance expert Thomas Humphreys as he reviews the SIG 2023 questionnaire and how to leverage available mappings to standards and regulations such as NIST, ISO, FFIEC, NERC, and more.
Another major change for SIG 2023 is the addition of several new categories. The SIG breaks each domain into multiple categories to add depth and focus to groups of disparate controls. With the new categories, SIG 2023 dives deeper into specific topics and makes it easier for companies to focus on the types of risk they are most concerned with. For example, rather than reusing the “Incident Management” category from SIG 2022, categories were refined to “Incident Handling” and “Lessons Learned from Incident Handling.”
The SIG 2023 updates reflect an elevated emphasis on information security management and governance versus on specific privacy, security and compliance control categories. At a surface level, consider some of the domain name changes and updates:
*Most questions under the Security Policy domain were moved to either Nth-Party Management or Information Assurance.
Another obvious example of this shift is the creation of the new ESG domain, which reflects the increasing correlation between an organization’s broader business policies and its exposure to risk. It’s also important to note that the SIG 2023 update includes new questions related to management governance policies across each of the 19 domains. These updates attempt to go beyond simply determining whether a vendor has specific controls in place by including broader lines of questioning, such as how vendors track and manage new legislation.
From evolving cybersecurity risks and geopolitical upheaval, to supply chain disruptions and increased ESG scrutiny, your third parties operate in a constantly shifting risk environment that can have real implications for your business. That’s why the Standard Information Gathering Questionnaire is a critical tool for many third-party risk management programs.
Prevalent offers both the SIG Core and SIG Lite questionnaires as part of our Third-Party Risk Management Platform, along with over 200 other standards-based assessment templates. Our customers automate and speed their third-party assessments, combine assessment results and continuous monitoring intelligence, and gain prescriptive guidance for efficiently remediating risk. Request a demo to discover how Prevalent can power your TPRM program.