The Standardized Information Gathering Questionnaire is a vendor assessment mapping to the requirements of many cyber regulations and frameworks.
The purpose of a SIG security assessment is to help manage operational risks, business resiliency, security policies, cybersecurity risks, and third-party risks as part of a broader Third-Party Risk Management (TPRM) program.
The 19 risk domains evaluated by the SIG include:
- Enterprise Risk Management
- Security Policy
- Organizational Security
- Asset and Information Management
- Human Resources Security
- Environmental, Social, Governance (ESG)
- IT Operations Management
- Access Control
- Application Security
- Cybersecurity Incident Management
- Operational Resilience
- Compliance and Operational Risk
- Endpoint Device Security
- Network Security
- Threat Management
- Server Security
- Cloud Hosting Services
Who Created the SIG Questionnaire?
The SIG questionnaire was created by Shared Assessments. Shared Assessments provides best practices, solutions, and tools for third-party risk management teams to create an environment of assurance for outsourcers and their vendors.
Shared Assessments' foundation is in regulatory and compliance-driven financial services but has grown to include the increasing number of industries that treat good vendor risk management as standard operating practice, such as HIPAA-regulated entities.
Why Was the SIG Questionnaire Created?
As the Santa Fe Group CEO and Chairman Catherine A. Allen said, "it’s increasingly understood that third party IT security risks can cause millions of dollars in loss and damage, and often unmeasurable harm to an organization’s reputation, the best practices for effective third party risk management are certainly less well understood."
When doing business with third-parties, it's not safe to assume that you are solely doing business with the party under contract.
Just as your organization may outsource to a service provider or external provider, your vendors likely do too. So whether you know it or not, you are relying on your vendors, and increasingly on their vendors, to use sound security controls.
This means you should apply the same standardized information gathering process to all parties, not only to the vendor under contract.
The SIG questionnaire aims to provide standardized resources for managing the complete third-party relationship lifecycle.
Standardization is critical for advancing effective, secure third-party controls and risk assessments. The Shared Assessments Program created a suite of third-party risk management tools that aim to create efficiencies and lower costs while maintaining compliance with regulations, industry standards, and guidelines across information technology environments.
What are the Types of SIG Questionnaires?
There are three types of SIG questionnaire:
- SIG Core: The SIG Core questionnaire is a library of 855 questions, including extensive questions about specific controls and definitions. SIG Core covers 19 risk domains that determine how security risks are managed in a vendor environment.
- SIG Lite: The SIG Lite questionnaire is a streamlined version of the SIG with 126 questions for program-level assessment. SIG Lite distills the concepts and questions from SIG Core for lower-risk third parties.
- Custom SIG: A custom SIG questionnaire can be customized from the SIG Lite and Core versions based on your organization’s needs. Custom SIG questionnaires can be tailored according to business needs for due diligence requirements.
The SIG Lite questionnaire is available on the UpGuard platform.
How Can the SIG Questionnaire Be Used?
The SIG questionnaire can be used in a handful of ways, depending on your organization's needs and the type of vendor you are assessing, including:
- To evaluate a service provider's information security controls.
- Completed by third-party vendors and used proactively as part of due diligence or a request for proposal (RFP) response.
- Completed by a service provider and sent to their clients instead of completing one or multiple third-party risk assessments.
- Used by an organization as part of the self-assessment process.
How Often Is the SIG Questionnaire Updated?
The SIG questionnaire is updated on a yearly basis to comply with new industry standards and to account for changes in the cybersecurity landscape.
The 2020 Shared Assessments Third-Party Risk Management Toolkit was released on November 20, 2019, to enable organizations around the world to meet new and evolving regulatory compliance demands and address evolving physical and cyber risks.
New for 2020 are expanded third-party privacy tools for GDPR and the California Consumer Privacy Act (CCPA), and new operational risk content on emerging and expanding third-party risk scenarios such as money laundering, trafficking, anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain.
New usability features and expanded operational content include:
- Expanded operational/enterprise risk: Content for the comprehensive but customizable question library addresses corporate governance functions of anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain. Enterprise risk governance, information security risk, and privacy data protection questions have expanded based on new regulations, including CCPA and GDPR.
- Risk and regulatory compliance content: New content across tools helps risk professionals close regulatory compliance gaps in third-party relationships with strict data security standards such as PCI DSS.
- Data governance: Privacy regulations such as PIPEDA, CCPA, FIPA, the SHIELD Act, and GDPR mandate that organizations diligently track data collected by or disclosed to third parties, how that data is used, and where it is accessed. The enhancements assist with the identification, tracking, and maintenance of personal information that is utilized within specific third-party relationships, including fourth-party management.
- Service provider configuration and response management: New agility in the Standardized Information Gathering (SIG) Management Tool enables service providers to make it easier to build, configure, and maintain multiple completed questionnaires, reducing the effort and complexity involved in responding to due diligence requests.
- External content automation: Shared Assessments members, outsourcers, and licensees can extract and integrate SIG content into their platforms via JSON.
How is the SIG Questionnaire Different From Other Vendor Risk Assessment Questionnaires?
The SIG Management Tool is a Microsoft Excel workbook that allows assessors to draw from the bank of questions in the SIG Content Library to create customized questionnaire templates based on their needs.
Unlike other security questionnaires, such as HECVAT and the Vendor Security Alliance Questionnaire, the SIG questionnaire evaluates third-party vendors and service providers against its own 18 individual risk control areas.
SIG is a good option for a broad range of vendor risk management use cases because its controls map to a large variety of cybersecurity frameworks and guidelines, including:
- ISO 27002:2013
- ISA 62443
- CSA Cloud Controls Matrix
- 23 NYCRR 500
- FFIEC Appendix J
- FFIEC CAT
- PCI DSS
- FFIEC IT Management Handbook
- EBA Guidelines
- NIST SP 800-53 Rev 4
- NIST CSF
- SOC 2
Because it indexes across multiple security standards, the SIG questionnaire is a good choice for evaluating a vendor's security posture during the prospecting and onboarding phases of Vendor Risk Management.
Other well-known and respected security questionnaires include:
- The National Institute of Standards and Technology (NIST) SP 800-171
- ISO 27001
- CIS Critical Security Controls
- The Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)
- The Vendor Security Alliance Questionnaire (VSAQ)
What is in the Standardized Information Gathering (SIG) Questionnaire Toolkit?
The components of the 2020 Standardized Information Gathering (SIG) Questionnaire Toolkit are:
- Third-party Privacy Tools: This set of tools was built from the demand driven by 2019's GDPR Privacy Tools, with an expanded scope to meet requirements for various privacy regulations and framework updates. These tools provide templates for pre-assessment scoping or readiness assessments that enable privacy-centric assessments, incorporating privacy controls and obligations based on specific jurisdictions.
- Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools: SIG's VRMMM is one of the longest-running third-party risk maturity models. The 2020 VRMMM Benchmark Tools' improved maturity tracking and functionality lets managers set more granular maturity level ratings and deliver greater reporting clarity. VRMMM Benchmark Tools are free to use.
- Standardized information gathering (SIG) Questionnaire Tools: The SIG employs a holistic set of questions based on industry best practices for gathering and assessing 18 critical risk domains and corresponding controls, including information technology, cybersecurity, privacy, resiliency, and data security risk.
- Standardized Control Assessment (SCA) Procedure Tools: The SCA assists risk professionals in performing onsite or virtual assessments of vendors, providing the verification or attestation component of third-party risk programs.
Why You Should Consider Using Security Ratings Alongside the SIG Questionnaire
The benefit of security ratings alongside security questionnaires is they are automatically generated, updated frequently, and they provide a common language for technical and non-technical stakeholders.
Security ratings fill the attack surface gaps left by traditional point-in-time assessment techniques like the SIG questionnaire to provide continuous attack surface awareness.
Security ratings can complement and provide assurance of remediation efforts and the results reported in security questionnaires because they are externally verifiable, always up-to-date, and provided by an independent organization.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships.
UpGuard is one of the most popular security ratings providers. We generate our ratings through proprietary algorithms that analyze trusted commercial and open-source threat feeds, combined with non-intrusive data collection methods, to quantitatively evaluate cyber risk.
UpGuard bases its ratings on the analysis of 70+ vectors, including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Unnecessary open administration, database, app, email, and file-sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
If you are curious about the performance of other security rating services, see our guide on SecurityScorecard vs. BitSight.
How UpGuard Can Help You Automate Security Questionnaires
UpGuard streamlines your security questionnaire workflows with features suited to an efficient Vendor Risk Management program, including the Shared Assessments’ SIG Lite Questionnaire.
In October 2023, UpGuard launched the SIG Lite questionnaire to help customers assess and mitigate vendor risk through the SIG framework, with planning underway for a future release of the SIG Core questionnaire.
With the SIG Lite questionnaire, you can standardize information collection and simplify vendor assessment aligned to the SIG framework. UpGuard helps you save time and resources by automating information gathering in compliance with industry standards. Pair the SIG Lite questionnaire with UpGuard’s robust security ratings and streamlined workflows for an elevated vendor risk management process.