SIG 2023: What's New in the Latest Update

Discover key changes in the Standard Information Gathering (SIG) Questionnaire, and learn how they can be leveraged in your third-party risk assessments.
Thomas Humphreys
Prevalent Compliance Expert
November 29, 2022

The Standard Information Gathering Questionnaire is used by third-party risk management teams to conduct standardized vendor and supplier risk assessments. SIG questionnaires can be used as-is or leveraged as part of a wider third-party risk management (TPRM) program. This post examines key SIG 2023 updates and how they can be used in your vendor and supplier risk assessments.

What Is SIG?

The Standard Information Gathering (SIG) questionnaire is a third-party risk assessment curated by Shared Assessments. SIG is available in multiple formats, including SIG Core, SIG Lite and customized versions. Organizations use SIG questionnaires to measure third-party risk across 19 domains, and each question is mapped to several compliance and regulatory requirements. SIG covers a wide range of areas from information security and cybersecurity, to privacy and ESG.

Shared Assessments reviews and updates SIG questionnaires on an annual basis. These updates usually include additions and changes to questions, domains and subject categories based on current operational standards, societal changes, and developments in specific industries and sectors.

What Areas Does the SIG Cover?

The current version of the SIG evaluates risk across the following 19 control areas, also known as “domains”:

  1. Access Control
  2. Application Security
  3. Asset and Information Management
  4. Cloud Hosting Services
  5. Compliance Management
  6. Cybersecurity Incident Management
  7. Endpoint Security
  8. Enterprise Risk Management
  9. Environmental, Social, Governance (ESG)
  10. Human Resources Security
  11. Information Assurance
  12. IT Operations Management
  13. Network Security
  14. Nth-Party Management
  15. Operational Resilience
  16. Physical and Environmental Security
  17. Privacy Management
  18. Server Security
  19. Threat Management

Major additions in SIG 2023 include the new ESG domain and the new Nth-Party Management domain. Also, the Security Policy domain was removed, and its content was relocated to the Nth-Party Management and Information Assurance domains. We’ll go into the details below.

Key Changes in SIG for 2023

New ESG Domain Added in SIG 2023

The most significant change in SIG 2023 is the addition of the Environmental, Social and Governance (ESG) domain. ESG compliance has grown in importance with the emergence of several new regulations, such as the draft EU Corporate Sustainability Due Diligence Directive and the German Supply Chain Due Diligence Law. The SIG Core 2023 update incorporates 131 questions related to environmental, social and governance practices.

Compared to SIG 2022, SIG 2023 dives deeper into specific topics within ESG. For instance, SIG 2022 included high-level questions like “Do you have an ESG program in place?” SIG 2023, on the other hand, addresses several specific ESG topics across the following categories:


Environmental

  • Environmental Policy
  • Environment Management
  • Air Pollution
  • Waste Management
  • Regulatory Compliance
  • Climate Change
  • Natural Resource Management

Social

  • Human Rights: Modern Slavery, Minimum Wage
  • Worker and Health Safety: OHSA Policy
  • Community Involvement
  • Consumer Safety: Regulatory Compliance (FDA)

Governance

  • Board Structure: Performance Monitoring
  • Ethics and Code of Conduct: Diversity and Inclusion, Ethical Sourcing
  • Supply Chain Management: ESG Risk Assessments, Codes of Conduct
  • ESG Management Practices: ESG Risk Register, SLAs and Targets
  • Data Privacy and Security

New Nth-Party Management Domain Addresses 4th-Party Risk

Nth-Party Management is another new SIG 2023 domain. This topic was formerly covered as part of the Enterprise Risk Management domain.

Numerous factors connect increased data risks to fourth parties. For instance, threat actors have been known to target technology vendors as a means to subsequently level ransomware attacks against the vendors’ business partners and their customers. A good example is last year’s Kaseya breach, which targeted a popular platform used by managed service providers to deliver services to their customers.

In addition, as companies become increasingly connected, PII, PHI, intellectual property and other sensitive data can find its way to fourth and Nth parties who are unknown to the original data owner or steward. In this context, distinguishing fourth- and Nth-party risk from the Enterprise Risk Management domain makes a great deal of sense. Categories under the Nth-Party Management domain include:

  • Policies, Standards and Procedures
  • Executive Sponsorship
  • Contracts & Agreements
  • Inventory & Assets
  • Board and Committee Oversight
  • Incident and Breach Management
  • Due Diligence
  • Risk Assessments
  • Background & Screening
  • Notifications and Issue Management

New Categories in SIG 2023

Another major change for SIG 2023 is the addition of several new categories. The SIG breaks each domain into multiple categories to add depth and focus to groups of disparate controls. With the new categories, SIG 2023 dives deeper into specific topics and makes it easier for companies to focus on the types of risk they are most concerned with. For example, rather than reusing the “Incident Management” category from SIG 2022, categories were refined to “Incident Handling” and “Lessons Learned from Incident Handling.”

Increased Emphasis on Management and Governance

The SIG 2023 updates reflect an elevated emphasis on information security management and governance, rather than on specific privacy, security and compliance control categories. At a surface level, consider some of the domain name changes and updates:

  • Security Policy* was replaced with Nth-Party Management
  • Organizational Security was replaced with Information Assurance
  • Compliance & Operational Risk was replaced with Compliance Management
  • Privacy was replaced with Privacy Management

*Most questions under the Security Policy domain were moved to either Nth-Party Management or Information Assurance.

Another obvious example of this shift is the creation of the new ESG domain, which reflects the increasing correlation between an organization’s broader business policies and its exposure to risk. It’s also important to note that the SIG 2023 update includes new questions related to management governance policies across each of the 19 domains. These updates attempt to go beyond simply determining whether a vendor has specific controls in place by including broader lines of questioning, such as how vendors track and manage new legislation.

Next Steps for Conducting SIG Assessments

From evolving cybersecurity risks and geopolitical upheaval, to supply chain disruptions and increased ESG scrutiny, your third parties operate in a constantly shifting risk environment that can have real implications for your business. That’s why the Standard Information Gathering Questionnaire is a critical tool for many third-party risk management programs.

Prevalent offers both the SIG Core and SIG Lite questionnaires as part of our Third-Party Risk Management Platform, along with over 750 other standards-based assessment templates. Our customers automate and speed their third-party assessments, combine assessment results and continuous monitoring intelligence, and gain prescriptive guidance for efficiently remediating risk. Request a demo to discover how Prevalent can power your TPRM program.
