Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

The Standard Information Gathering (SIG) Questionnaire Explained

Learn about the SIG Core and SIG Lite assessments and how you can use them to streamline your third-party risk management program.
Thomas Humphreys
Prevalent Compliance Expert
October 05, 2022
Blog sig explained 1022

The Standard Information Gathering (SIG) questionnaire is a third-party risk questionnaire created by the Shared Assessments membership organization. SIG is available in two versions, Core and Lite, which equip organizations with industry-standard libraries of curated questions to measure third-party risk across 19 different domains. Each question is mapped to security controls across dozens of frameworks and compliance requirements, enabling third-party risk standardization and improvement in adherence with core TPRM compliance requirements.

SIG Core vs SIG Lite, what’s the difference?

Let’s start with a basic explanation of the difference between SIG Core and SIG Lite. Both question repositories are used extensively by enterprise organizations based on their needs, the maturity of their third-party risk management programs, and the types of third-party compliance requirements they are expected to meet.

What is SIG Lite?

SIG Lite provides a high-level view of a company’s internal information control systems, providing a basic level of assessment due diligence. With 126 questions, SIG Lite can serve as a preliminary evaluation before conducting a more thorough assessment. SIG Lite questions can also be used when a third-party vendor or supplier has a low degree of profiled risk and requires less due diligence than higher-risk vendors.

What is SIG Core?

The SIG Core Questionnaire (SIG) is more detailed and is designed to assess third parties that store or maintain sensitive, regulated information. It provides a deeper level of insight into how a third party protects information by including eight different risk domains and 855 questions covering 19 risk topics. SIG Core also allows organizations to select and customize the questions they want answered for each vendor. It also includes extensive coverage of legal requirements and best practices related to protecting personal information.

What are SIG’s 19 domains?

SIG is a comprehensive risk assessment questionnaire that includes defined question sets in the following domain areas:

  1. Access Control
  2. Application Security
  3. Asset and Information Management
  4. Cloud Hosting Services
  5. Compliance Management
  6. Cybersecurity Incident Management
  7. Endpoint Security
  8. Enterprise Risk Management
  9. Environmental, Social, Governance (ESG)
  10. Human Resources Security
  11. Information Assurance
  12. IT Operations Management
  13. Network Security
  14. Nth-Party Management
  15. Operational Resilience
  16. Physical and Environmental Security
  17. Privacy Management
  18. Server Security
  19. Threat Management

SIG Questionnaire Use Cases

The Standard Information Gathering Questionnaire provides organizations with a one-stop shop for building their third-party risk assessments and mapping them to applicable security frameworks and compliance requirements.

Enhance Third-Party Risk Assessments

Third-party risk assessments are at the core of an effective third-party risk management program. SIG Lite or SIG Core questionnaires are regularly updated, enabling companies to assess vendors, suppliers and other third parties against current information security and third-party risk management best practices. Be sure to check out our article on the SIG 2023 update.

Map Vendor Security Controls to Compliance Requirements

Most enterprise organizations must adhere to numerous compliance and security requirements published by government bodies and required by customers. Following are a few examples of government regulations that are mapped to SIG questions:

  • NIST SP 800-53
  • GDPR
  • CMMC
  • CCPA
  • EBA Outsourcing Guidelines

Applicable private sector regulations include:

  • ISO 27001
  • SOC 2

Using SIG Core can enable your organization to standardize on a single risk assessment that is applicable across multiple industries and automatically map answers to a several regulations and frameworks to meet your organizations regulatory and customer obligations.

Automate Third-Party Risk Data Collection

Many organizations use SIG Core and SIG Lite in conjunction with a dedicated third-party risk management solution, which automate and speed assessment distribution, collection, analysis and reporting. Using a TPRM platform offers numerous advantages, including:

  • Enriching SIG Questionnaire answers with findings from continuous cybersecurity, business, reputational and financial monitoring
  • Mapping SIG Core and SIG Lite questionnaire answers to additional compliance requirements, standards and frameworks
  • Automating questionnaire gathering and vendor reminders to streamline the vendor risk questionnaire process
  • Simplifying remediations with built-in guidance, workflow and vendor communications
  • Customizing reporting based on stakeholder or regulatory framework
  • Offering a central document repository for storing and analyzing supporting evidence
  • Integrating into broader enterprise risk management platforms or other business applications

Create Tiered Vendor Risk Questionnaires

Many organizations begin their third-party risk management program by building a single vendor risk questionnaire that encompasses their current understanding of third-party information security and compliance requirements. However, as organizations mature, many find that building tiered vendor questionnaires based on inherent risk makes far more sense for effectively managing risk while also maximizing time efficiency and vendor response rates.

Both SIG Core and SIG Lite contain questions that can be used to build multiple third party risk questionnaires for different third-party vendors and suppliers. Using more-extensive questionnaires for high-risk vendors, while conducting less-extensive assessments for vendors with low profiled risk, can dramatically streamline the process and enable you to focus on addressing the most third-party risks.

SIG 2023: What’s New & How It Will Impact Your TPRM Program

Join compliance expert Thomas Humphreys as he reviews the SIG 2023 questionnaire and how to leverage available mappings to standards and regulations such as NIST, ISO, FFIEC, NERC, and more.

How Prevalent Helps

Ready to put the SIG into practice? Prevalent can help. We license both the SIG Core and SIG Lite questionnaires in our Third-Party Risk Management Platform, helping you to:

  • Automate the collection and analysis of SIG questionnaire answers and supporting evidence with a single platform
  • Simplify regulatory and security framework reporting with additional, built-in control mappings
  • Gain improved visibility into vendor risks with machine learning analytics and reporting
  • Proactively mitigate risk with access to centralized remediation guidance
  • Provide your team with reliable access to the latest version of the SIG questionnaire
  • Complement and validate SIG questionnaire responses with continuous cyber, business, reputational, and financial risk monitoring

Additionally, Prevalent leverages the SIG as standardized content for the Prevalent Exchange Network and Prevalent Legal Vendor Network.

Request a demo to learn more about our solutions for automating your SIG assessments.

Thomas humphreys
Thomas Humphreys
Prevalent Compliance Expert
  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo