The Standard Information Gathering (SIG) questionnaire is a third-party risk questionnaire created by the Shared Assessments membership organization. SIG is available in two versions, Core and Lite, which equip organizations with industry-standard libraries of curated questions to measure third-party risk across 19 different domains. Each question is mapped to security controls across dozens of frameworks and compliance requirements, enabling third-party risk standardization and improvement in adherence with core TPRM compliance requirements.
Let’s start with a basic explanation of the difference between SIG Core and SIG Lite. Both question repositories are used extensively by enterprise organizations based on their needs, the maturity of their third-party risk management programs, and the types of third-party compliance requirements they are expected to meet.
SIG Lite provides a high-level view of a company’s internal information control systems, providing a basic level of assessment due diligence. With 126 questions, SIG Lite can serve as a preliminary evaluation before conducting a more thorough assessment. SIG Lite questions can also be used when a third-party vendor or supplier has a low degree of profiled risk and requires less due diligence than higher-risk vendors.
The SIG Core Questionnaire (SIG) is more detailed and is designed to assess third parties that store or maintain sensitive, regulated information. It provides a deeper level of insight into how a third party protects information by including eight different risk domains and 855 questions covering 19 risk topics. SIG Core also allows organizations to select and customize the questions they want answered for each vendor. It also includes extensive coverage of legal requirements and best practices related to protecting personal information.
SIG is a comprehensive risk assessment questionnaire that includes defined question sets in the following domain areas:
The Standard Information Gathering Questionnaire provides organizations with a one-stop shop for building their third-party risk assessments and mapping them to applicable security frameworks and compliance requirements.
Third-party risk assessments are at the core of an effective third-party risk management program. SIG Lite or SIG Core questionnaires are regularly updated, enabling companies to assess vendors, suppliers and other third parties against current information security and third-party risk management best practices. Be sure to check out our article on the SIG 2023 update.
Most enterprise organizations must adhere to numerous compliance and security requirements published by government bodies and required by customers. Following are a few examples of government regulations that are mapped to SIG questions:
Applicable private sector regulations include:
Using SIG Core can enable your organization to standardize on a single risk assessment that is applicable across multiple industries and automatically map answers to a several regulations and frameworks to meet your organizations regulatory and customer obligations.
Many organizations use SIG Core and SIG Lite in conjunction with a dedicated third-party risk management solution, which automate and speed assessment distribution, collection, analysis and reporting. Using a TPRM platform offers numerous advantages, including:
Many organizations begin their third-party risk management program by building a single vendor risk questionnaire that encompasses their current understanding of third-party information security and compliance requirements. However, as organizations mature, many find that building tiered vendor questionnaires based on inherent risk makes far more sense for effectively managing risk while also maximizing time efficiency and vendor response rates.
Both SIG Core and SIG Lite contain questions that can be used to build multiple third party risk questionnaires for different third-party vendors and suppliers. Using more-extensive questionnaires for high-risk vendors, while conducting less-extensive assessments for vendors with low profiled risk, can dramatically streamline the process and enable you to focus on addressing the most third-party risks.
SIG 2023: What’s New & How It Will Impact Your TPRM Program
Join compliance expert Thomas Humphreys as he reviews the SIG 2023 questionnaire and how to leverage available mappings to standards and regulations such as NIST, ISO, FFIEC, NERC, and more.
Ready to put the SIG into practice? Prevalent can help. We license both the SIG Core and SIG Lite questionnaires in our Third-Party Risk Management Platform, helping you to:
Request a demo to learn more about our solutions for automating your SIG assessments.