What is SIG?

By Dov Goldman, Jul 16, 2019 (3 min read)

The SIG, short for “Standardized Information Gathering (Questionnaire),” is a repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks. The SIG is published by a non-profit called Shared Assessments and has been in existence for about 10 years.

Shared Assessments updates the SIG questionnaire every year to reflect new security and privacy challenges, changes to regulations, and the latest trends and best practices in third-party risk management. Updates to the SIG usually include new questions, rewordings of old questions, deleted questions and reordering of the question sequence.

SIG users “scope” their own questionnaire from the 1,200-question repository. Many licensees use one of the two standard “scopings,” SIG Lite (~330 questions) and SIG Core (~850 questions). Others may add more questions from the repository, or even their own business- or industry-specific questions.

Shared Assessments evolves the SIG each year

What is Shared Assessments?

Shared Assessments is a non-profit, member-driven organization. The members determine how Shared Assessments will evolve the SIG each year by voicing their opinions in committee meetings. These meetings are generally held each month, and the discussions drive how the Shared Assessments team updates the SIG content.

Who has adopted SIG?

The SIG is becoming increasingly common in the US across a number of industries, including many large US banks. Large US vendors are also adopting the SIG, and they in turn are asking customers and prospects to accept their completed SIG in place of proprietary evaluator questionnaires.

Why is SIG useful for an evaluating company?

SIG reflects the combined knowledge and experience of hundreds of member organizations over more than ten years.

Because the SIG is indexed to many standards (ISO 27002:2013, FFIEC Appendix J, FFIEC CAT, PCI, FFIEC IT Management Handbook, NIST SP 800-53 Rev 4, NIST CSF, HIPAA and GDPR), it makes compliance simpler. Choose a given control from any one of these, and you will find the SIG questions that address it.

How can a Panorays customer take advantage of a SIG questionnaire?

Typically, scoping the SIG security questionnaire results in the generation of an Excel spreadsheet, which becomes the supplier questionnaire. With Panorays, however, this part of the process is completely automated.

Users of the Panorays platform benefit from:

  • Rapid supplier vetting. Our typical customer is able to vet a vendor within eight days.
  • Eliminating manual questionnaires
  • Adding business context to the SIG questionnaire, so that suppliers receive only the questions that are relevant to their particular business relationship

Interested in automating your third-party security evaluation using SIG? Watch a video tutorial here.

Dov Goldman

Dov Goldman is Director of Risk & Compliance at Panorays. He’s a serial entrepreneur who’s been involved with third-party programs of all sizes, and is the go-to person for explaining the difference between inherent and residual risk.
