The Standard Information Gathering (SIG) questionnaire is a third-party risk questionnaire created by the Shared Assessments membership organization. SIG is available in Core, Lite, and Detail versions, which equip organizations with industry-standard libraries of curated questions to measure third-party risk across 21 different domains. Each question is mapped to security controls across dozens of frameworks and compliance requirements, enabling third-party risk standardization and improved adherence to core TPRM compliance requirements.
Let’s start with a basic explanation of the difference between SIG Core and SIG Lite. Enterprise organizations use both question repositories extensively based on their needs, the maturity of their third-party risk management programs, and the types of third-party compliance requirements they are expected to meet.
SIG Lite is a third-party risk questionnaire that provides a high-level view of a company’s internal information control systems, including a basic level of assessment due diligence. With 128 questions, SIG Lite can serve as a preliminary evaluation before conducting a more thorough assessment. SIG Lite questions can also be used when a third-party vendor or supplier has a low degree of profiled risk and requires less due diligence than higher-risk vendors.
The SIG Core Questionnaire (SIG) is a comprehensive third-party risk questionnaire designed to assess third parties that store or maintain sensitive, regulated information. It provides a deeper insight into how a third party protects information by including four subjects and 627 questions covering 21 risk topics. SIG Core also allows organizations to select and customize the questions they want answered for each vendor. It also includes extensive coverage of legal requirements and best practices for protecting personal information.
SIG is a comprehensive risk assessment questionnaire that includes defined question sets in the following domain areas:
The Standard Information Gathering Questionnaire provides organizations a one-stop shop for building their third-party risk assessments and mapping them to applicable security frameworks and compliance requirements.
Third-party risk assessments are at the core of an effective third-party risk management program. SIG Lite or SIG Core questionnaires are regularly updated, enabling companies to assess vendors, suppliers, and other third parties against current information security and third-party risk management best practices.
Most enterprise organizations must adhere to numerous compliance and security requirements published by government bodies and required by customers. Following are a few examples of government regulations that are mapped to SIG questions:
Applicable private sector regulations include:
Using SIG Core can enable your organization to standardize a single risk assessment applicable across multiple industries and automatically map answers to several regulations and frameworks to meet your organization's regulatory and customer obligations.
Many organizations use SIG Core and SIG Lite in conjunction with a dedicated third-party risk management solution, which automates and speeds assessment distribution, collection, analysis, and reporting. Using a TPRM solution offers numerous advantages, including:
Many organizations begin their third-party risk management program by building a single vendor risk questionnaire encompassing their current understanding of third-party information security and compliance requirements. However, as organizations mature, many find that building tiered vendor questionnaires based on inherent risk makes far more sense for effectively managing risk while maximizing time efficiency and vendor response rates.
Both SIG Core and SIG Lite contain questions that can be used to build multiple third-party risk questionnaires for vendors and suppliers. Using more extensive questionnaires for high-risk vendors while conducting less-extensive assessments for vendors with a low degree of profiled risk can dramatically streamline the process and enable you to focus on addressing the most significant third-party risks.
Ready to put the SIG into practice? Prevalent can help. We license both the SIG Core and SIG Lite questionnaires in our Third-Party Risk Management solution, helping you to:
Additionally, Mitratech leverages the SIG as standardized content for the Prevalent Exchange Network and Prevalent Legal Vendor Network.
Request a demo to learn more about our solutions for automating your SIG assessments.