How to Use SIG Questionnaires for Better Third-Party Risk Management
Since 2021, 82% of organizations have experienced one or more third-party data breaches, costing an average of $7.5 million to remediate. Given this risk, 80% of organizations believe properly assessing third-party vendors is critical. However, 60% of organizations believe they are only somewhat or not effective at vetting third parties.
As organizations become increasingly reliant on external service providers for key processes and operations, ensuring these partners adhere to stringent security and compliance standards is vital. This is where Standardized Information Gathering (SIG) questionnaires come into play.
In this article, you’ll learn everything you need to know to get started with the Standard Information Gathering (SIG) questionnaire, including its types, pros and cons, how to use them to manage third-party risk, and tips for automating these lengthy questionnaires.
What is the Shared Assessments Standardized Information Gathering (SIG) questionnaire?
SIG questionnaire is short for standardized information gathering questionnaire.
The SIG was developed by Shared Assessments, a membership organization dedicated to standardizing and simplifying the vendor risk assessment process across industries. Their goal is to provide tools that organizations can use to more effectively manage the risks associated with outsourcing.
The SIG questionnaire is available to paid subscribers and current Shared Assessments members. It is updated annually to factor in new industry standards and account for changes in the cybersecurity landscape.
SIG questionnaires are commonly used for:
- Vendor assessment: SIG questionnaires are used to evaluate the risk controls of third-party service providers. Using a standardized questionnaire like the SIG helps organizations cover all relevant risk areas.
- Self-assessments: Organizations can use the SIG to evaluate their own internal cybersecurity and risk management controls.
- Baseline for custom questionnaires: Some organizations may use the SIG as a starting point and then customize it to fit their specific needs and security risks.
SIG Core vs SIG Lite questionnaire
There are two versions of the SIG questionnaire based on the level of assessment needed: the SIG Core and the SIG Lite. The primary differences are their length and the depth of information they cover.
SIG Core:
- Depth and Detail: The SIG Core is a comprehensive questionnaire, typically covering a library of 19 risk domains. It is designed for in-depth assessments on topics related to information security, cybersecurity, privacy, business continuity, and other areas of operational risk.
- Use Cases: Ideal for detailed assessments, especially for high-risk vendors or those handling sensitive data or critical operations.
- Length: Because it's more comprehensive, the SIG Core is much longer than the SIG Lite (over 850 questions). It delves into the specifics of the vendor’s internal processes and security controls.
SIG Lite:
- Simplicity and Efficiency: The SIG Lite is a shorter, more streamlined version of the due diligence questionnaire. It focuses on key risk areas and is designed for faster, more high-level assessments.
- Use Cases: Suitable for assessments of lower-risk vendors or for preliminary screenings. It's also used when a full SIG Core assessment is not necessary or practical due to time or resource constraints.
- Length: With around 125 questions, the SIG Lite is shorter and less time-consuming to complete, both for the organization conducting the assessment and the vendor responding to it.
Choosing between the SIG Core and SIG Lite typically depends on the specific risk profile of the vendor being assessed and the depth of information required by the assessing organization. The SIG Core is best for critical or high-risk vendor relationships, while the SIG Lite is more appropriate for initial screenings or lower-risk scenarios.
5 benefits of SIG questionnaires for vendor risk assessments
There are a wide variety of standardized security questionnaires available for third-party risk assessments.
Types of security questionnaires
Type | Purpose |
---|---|
Standard Information Gathering (SIG) Questionnaire | Used to assess the cybersecurity, IT, data security, and privacy risks and controls of third-party service providers and vendors. |
Vendor Security Alliance (VSA) Questionnaire | Created to help organizations understand the potential impact a prospective vendor could have on their security posture. |
Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ) | Part of the CSA's GRC Stack, the CAIQ is used to assess the security capabilities of cloud service providers. |
NIST Cybersecurity Questionnaire | Security questionnaires based on NIST's highly respected standards and guidelines. |
Center for Internet Security (CIS) Controls Questionnaires | Based on the CIS Critical Security Controls, these questionnaires help organizations assess and improve their cybersecurity by focusing on a prioritized set of actions. |
ISO 27001 Questionnaires | Based on the ISO/IEC 27001 standard, these questionnaires are often used to assess whether a vendor's information security management system (ISMS) satisfies ISO standards. |
PCI DSS Questionnaires | For organizations handling cardholder data, these questionnaires are used to evaluate PCI DSS compliance. |
HIPAA Questionnaires | Used to assess compliance with HIPAA requirements for protecting PHI. |
Custom Security Questionnaires | Many organizations develop their own security questionnaires based on their unique needs, specific industry standards, regulatory requirements, and internal security policies. |
Recommended reading
Security Questionnaire: How to Answer and Send Your Own [+ Free Template]
So why would an organization choose the SIG questionnaire over alternatives?
Let’s dissect the pros and cons of the SIG.
1. SIG questionnaires map to compliance requirements
The Shared Assessments organization updates the SIG questionnaire annually to reflect updated compliance requirements for a wide variety of regulatory, security, and industry standards. These include:
- ISO 27001 and ISO 27002
- ISO/IEC 27701
- NIST 800-53
- NIST Cyber Security Framework
- NIST Privacy Framework
- EU GDPR
- Federal Risk and Authorization Management Program (FedRAMP)
- CSA CAIQ
- CSA Cloud Controls Matrix
- ISA 62443-4-1 and 4-2
- NERC Critical Infrastructure Protection (CIP)
- PCI DSS
(You can find a full list of mapped frameworks on the Shared Assessments website.)
By mapping to compliance frameworks, the SIG questionnaire allows organizations to assess compliance with multiple standards and regulations using a single tool. This eliminates the need for multiple, separate assessments, saving time and resources for both the assessing organization and the vendors or third parties being evaluated. Similarly, third-party vendors who complete the SIG questionnaire can demonstrate their compliance with multiple frameworks through a single security assessment.
As regulations and industry standards evolve, a tool like the SIG assessment that’s regularly updated and aligns with multiple frameworks can ensure that an organization’s vendor risk management program stays relevant with current compliance and security best practices.
2. SIG questionnaires offer comprehensive vendor risk assessment
The detailed nature of the SIG allows organizations to conduct an in-depth evaluation of their vendors’ security, privacy, and compliance practices. This helps in identifying potential vulnerabilities and gaps that might not be evident with a less comprehensive assessment tool.
The SIG Core questionnaire covers 19 risk domains:
- Access Control
- Application Security
- Asset and Information Management
- Cloud Hosting Services
- Compliance Management
- Cybersecurity Incident Management
- Endpoint Security
- Enterprise Risk Management
- Environmental, Social, Governance (ESG)
- Human Resources Security
- Information Assurance
- IT Operations Management
- Network Security
- Nth Party Management
- Operational Resilience
- Physical and Environmental Security
- Privacy Management
- Server Security
- Threat Management
The detailed insights gained from a comprehensive questionnaire like the SIG allow organizations to better manage their vendor relationships. By understanding the vendor's practices in-depth, organizations can have more informed discussions and lead collaborative risk management efforts. And because organizations are increasingly held accountable for their third-party vendors’ practices — especially regarding data security and privacy — a thorough SIG assessment can demonstrate due diligence, potentially reducing liability in the event of a vendor security breach or compliance issue.
3. SIG questionnaires are standardized
Standardization means that all vendors are assessed using the same criteria, leading to fairer and more consistent evaluations. It saves time for both the assessing organizations and vendors, since organizations don’t need to develop unique questionnaires for each vendor or industry. Similarly, vendors become familiar with the questionnaire format, which means they can use the same responses for multiple clients and streamline their response process.
The adoption of a standardized questionnaire also promotes the implementation of best practices across different industries, encouraging vendors to elevate their standards to meet a widely recognized benchmark. And for smaller vendors or those new to certain markets, the SIG can help them understand and implement a range of security and compliance best practices.
4. SIG questionnaires are frequently updated
Cybersecurity threats and technology landscapes are constantly evolving, and with them the regulations and security standards organizations must adhere to. Annual updates ensure that the questionnaire stays relevant and effective in assessing current and emerging risks.
In addition, regular updates allow for feedback to be incorporated into the questionnaire (both the organizations using the SIG and the vendors completing it), making it more effective and user-friendly.
As best practices in risk management, cybersecurity, and data protection evolve, the SIG can be updated to reflect these industry best practices, ensuring that organizations are always assessing their vendors against the highest standards.
5. SIG questionnaires are customizable
The SIG questionnaire is structured in a modular format, allowing organizations to select relevant sections or risk domains based on the services provided by the vendor. This makes it easy for organizations to tailor the assessment based on the vendor risk profile and industry, making the assessment process more focused and efficient.
Customization also allows organizations to align the questionnaire with their own security priorities and policies, ensuring the assessment directly addresses the organization’s critical risk areas.
Challenges of SIG questionnaires
While the SIG allows organizations to conduct targeted, relevant, and efficient assessments, it may not be the right choice for every company. Here are a few potential drawbacks to consider:
- Expense: Access to SIG questionnaires requires a paid annual subscription, which is currently $6,000/year for a corporate license. This includes access to the questionnaire, a SIG Manager, SIG User Procedure Guide, SIG Implementation Workbook, SIG Documentation Artifacts Request List, and SIG Fundamentals Training.
- Slower response times: The comprehensive nature of the SIG, especially the SIG Core, means that it can be quite lengthy and complex. This can be overwhelming for vendors, particularly smaller ones with limited resources, leading to delays in response or incomplete information.
- Resource intensive: The SIG questionnaire process can be resource-intensive for both the organization issuing the questionnaire and the vendors responding to it. Vendors often require significant time and effort to gather and provide detailed information, which pulls team focus away from other priorities. For assessing organizations, evaluating, comparing, and following up on multiple completed questionnaires can be similarly time-consuming.
- Potential for ‘checkbox security’: Some organizations might use the SIG primarily as a compliance checklist rather than a tool to facilitate strategic risk management and information security practices. This can lead to a box-checking approach, where the focus is more on meeting the questionnaire's requirements rather than improving security postures.
Recommended reading
What is a Request for Proposal? + Template
How to use a SIG questionnaire for third-party risk management
Curious how to get started with the SIG questionnaire? Here’s a step-by-step process for using the SIG to enhance your organization’s third-party risk management (TPRM).
Step 1: Determine scope. Decide which parts of the SIG are relevant to the vendor being assessed based on the services they provide and the potential risks they pose.
Step 2: Customize the questionnaire. This might involve selecting relevant modules or sections of the questionnaire, and possibly adding industry-specific or company-specific questions.
Step 3: Distribute to vendors. Questionnaires are often accompanied by a cover letter explaining the purpose of the assessment and providing instructions and deadlines for completion.
Step 4: Vendor completes the questionnaire. The vendor fills out the questionnaire, providing detailed responses to the queries about their security and compliance controls, policies, and procedures.
Step 5: Review. Once the completed questionnaire is received, review and analyze the responses to assess the adequacy of the vendor’s controls and practices. This step often involves a team of experts across cybersecurity, compliance, and risk management to identify any areas of concern or potential risks.
Step 6: Follow up, if necessary. If there are unclear or incomplete answers, or if additional information is needed, follow up with the vendor. This might involve asking for additional documentation or specific examples.
Step 7: Make the decision. Decide if the vendor meets the organization’s risk tolerance and compliance requirements. Determine if any risk mitigation strategies are needed, such as additional controls, contract terms, or ongoing monitoring. Create a report on the assessment’s findings for audit trails and future reference.
Based on the assessment, either proceed with the vendor relationship, require certain risk mitigation measures, conduct further assessments, or decide not to engage with the vendor.
Step 8: Monitor. Continuously monitor the vendor’s compliance and risk posture. You may reissue the SIG questionnaire periodically, or if there are significant changes in the vendor’s services or regulatory environment.
Tips for responding to a SIG questionnaire
Responding to a SIG questionnaire is an opportunity to demonstrate your organization’s commitment to security and compliance. A thoughtful and well-prepared response can strengthen your relationship with the client and enhance your reputation in the market.
Follow this process for answering any SIG questionnaires you receive:
Step 1: Review the entire questionnaire first. This will help you understand the scope of the questionnaire and how it relates to your product and services, as well as get an overview of what information is required. If any questions are unclear, contact the issuing organization for clarification.
Step 2: Assemble your team. With a better understanding of requirements, you can now involve key personnel from different departments like IT, security, compliance, legal, and operations. Their expertise is crucial for providing accurate and complete answers.
Step 3: Answer questions. Ensure that responses are accurate and reflect your current practices and policies. If there are areas where your security posture is not up to the mark or out of date, acknowledge them and detail any plans for improvement or updates. Be clear and concise, and avoid overly technical jargon.
While answers should be complete, it’s also important to be mindful of the confidentiality of the information you share. Ensure that answers do not violate any internal policies or data protection regulations.
Step 4: Include supporting documents. Wherever possible, support your answers with relevant documents like policies, certifications, audit reports, or compliance statements to add credibility to your responses.
Step 5: Review and validate responses. Internal stakeholders should review the completed questionnaire to ensure accuracy and maintain a consistent message about your security and compliance practices.
Step 6: Submit the completed questionnaire. Make sure you keep a copy of your completed questionnaire and any supporting documents. This can be useful for future reference and in maintaining consistency across multiple questionnaire responses.
Automate SIG and security questionnaires
SIG questionnaires are a powerful tool for both assessing third-party risk and winning customer trust. But they can be incredibly cumbersome and resource-intensive to both answer and review.
Secureframe’s Questionnaire Automation can streamline the tedious and time-consuming process of answering lengthy security questionnaires and RFPs, with built-in AI functionality that pulls responses from a Knowledge Base with hundreds to thousands of answers and 90%+ accuracy. Simply upload a completed SIG questionnaire, verify and store answers in your Knowledge Base, and Secureframe will pull answers to automatically complete future SIG questionnaires.
Pair SIG questionnaires with the Secureframe Trust Center to demonstrate the strength of your security posture, highlight your key security metrics and certifications, and win customer trust. Learn more about Secureframe Trust and our questionnaire automation capabilities, or schedule a demo with a product expert to see it in action.