Subscribe
Categories
< Back to Blog
What is SIG?
Glossary

What is SIG?

By Dov Goldman Jul 16, 20194 min read

The SIG, short for “Standardized Information Gathering (Questionnaire)” is a repository of third-party information security and privacy questions, indexed to multiple regulations and control frameworks. SIG is published by a non-profit called Shared Assessments, and has been in existence for about 12 years. The SIG has become such a popular means to assess vendor security risk that more than 15,000 people worldwide are utilizing this security questionnaire.

Get the best third-party security content sent right to your inbox

Thanks for subscribing!

Shared Assessments updates the SIG every year, reflecting new security and privacy challenges, changes to regulations and the latest trends and newest best practices in third-party risk management. Updates to the SIG usually have new questions, rewordings to old questions, deleted questions and reordering of the question sequence.

SIG users will “scope” their own questionnaire from the 1,200 question repository. Many licensees will use one of the two standard “scopings,” SIG Lite (~150 questions) and SIG Core (~825 questions). Others may add more questions from the repository or even their own business- or industry-specific questions.

What is Shared Assessments?

Shared Assessments is a non-profit member-driven organization. The members determine how Shared Assessments will evolve the SIG each year, by voicing their opinions in committee meetings. These meetings are generally held each month, and the discussions drive how the Shared Assessments team will update the SIG content. 

What are the types of SIG questionnaires?

  • SIG Core questionnaire

The Standardized Information Gathering (SIG) Core questionnaire includes approximately 850 questions that target all 18 risk controls. Its purpose is to help give an in-depth understanding about how a third party secures information and services. Based on industry standards, it’s meant to cover nearly all third-party risk assessments.

  • SIG Lite questionnaire

The Standardized Information Gathering (SIG) Lite questionnaire includes about 330 questions. Its purpose is to provide a broad, high level overview about a third party’s internal information security controls. This tool provides a basic level of due diligence and may be used as a starting point, before proceeding with a more detailed security review.

Who has adopted SIG?

The SIG is becoming increasingly common in the UK, EU, the Far East and the US, across a number of industries, including many large US banks. Increasingly, large US vendors are adopting SIG. They in turn are requesting that customers and prospects accept their SIG in place of proprietary evaluator questionnaires.

Why is SIG useful for an evaluating company?

SIG reflects the combined knowledge and experience of hundreds of member organizations over more than ten years. 

Because SIG is indexed to many standards (ISO 27002:2013, ISA 62443, FFIEC Appendix J, FFIEC CAT, PCI DSS, FFIEC IT Management Handbook, EBA Guidelines, NIST SP 800-53 Rev 4/5, NIST CSF, HIPAA, GDPR, NYDFS 23 NYCRR 500 and CSA Cloud Controls Matrix, it makes compliance simpler. Choose a given control from any one of these, and you will find the SIG questions that address it.

The SIG measures security risks across 18 risk control areas within a supplier’s environment including: 

  • Enterprise Risk Management
  • Security Policy
  • Organizational Security
  • Asset and Information Management
  • Human Resources Security
  • Physical and Environmental Security
  • IT Operations Management
  • Access Control
  • Application Security
  • Cybersecurity Incident Management
  • Operational Resilience
  • Compliance and Operational Risk
  • Endpoint Device Security
  • Network Security
  • Privacy
  • Threat Management
  • Server Security
  • Cloud Hosting Services

How can a Panorays customer take advantage of a SIG questionnaire?

Typically, scoping the SIG questionnaire results in generation of an Excel spreadsheet, which becomes a supplier questionnaire. With Panorays, however, this part of the process is completely automated

Users of the Panorays platform benefit from:

  • Rapid supplier vetting. Our typical customer is able to vet a vendor within eight days. 
  • Eliminating manual questionnaires  
  • Adding business context to the SIG questionnaire, so that suppliers receive only the questions that are relevant to their particular business relationship

Interested in automating your third-party security evaluation using SIG? Watch a video tutorial here to see how Panorays can help.

Author Thumbnail
Dov Goldman

Dov Goldman is Director of Risk & Compliance at Panorays. He’s a serial entrepreneur who’s been involved with third-party programs of all sizes, and is the go-to person for explaining the difference between inherent and residual risk.

You may also like...
What is a Third-Party Vendor
Oct 21, 2021 What is a Third-Party Vendor and Why is Third-Party Security… Editorial Team
What is MAS-TRM?
Jun 28, 2021 What is MAS-TRM? Editorial Team
What Is CRISC & How It Improves Third-Party Security
Jun 09, 2021 What Is CRISC Certification and How Can It Improve Third-Party… Editorial Team
Get Started Free

Popular Posts

Top 5 cyber gaps
Feb 10, 2022 1 min read

The Most Common Third-Party Cyber Gaps Revealed

Wouldn’t it be great if you could get a sneak peek at all the upcoming 2022 cyberattacks? Yes, it would be. But, since that’s not going to happen, we’ve done the next best thing.  Panorays used data from our cyber posture evaluations of tens of thousands of third parties from various industries over an extensive period of time to find...
By Aviva Spotts
Security Best Practices & Advice
4 ways to see if you are at risk of a vendor breach
Aug 26, 2021 3 min read

4 Ways to See if You Are at Risk of a Vendor…

Recent supply chain attacks such as Kaseya, Accellion and SolarWinds have illustrated that when it comes to vendor breaches, it’s not if, but when. While it’s impossible to predict cyberattacks, there are key steps that you can take with your vendors to determine if you might be at risk. Here are 4 key strategies: 1. Monitor security posture It’s important...
By Demi Ben-Ari
Security Best Practices & Advice
5 Ways to Reduce Third-Party Cyber Risk in 2022
Jan 03, 2022 3 min read

5 Resolutions for Reducing Third-Party Cyber Risk in 2022

If there’s one thing we’ve all learned, it’s that supply chain attacks are not going away anytime soon. Last year, we saw major cyber incidents involving Accellion, Kaseya, Codecov and others; next year, there will certainly be more.  To help prevent and respond to similar cyber incidents, it’s essential to consider how best to reduce third-party risk. How can this...
By Yaffa Klugerman
Security Best Practices & Advice

Building Trust Between Companies Worldwide

Get Started

Featured Authors

Author Thumbnail
Yaffa Klugerman Director of Content Marketing at Panorays
Author Thumbnail
Elad Shapira Head of Research at Panorays.
Author Thumbnail
Moshe Ferber Cyber and Cloud Computing, entrepreneur, investor, board member and lecturer.
We use cookies to ensure you get the best experience on our website. Visit our Cookie Policy for more information.
Get our latest posts straight to your inbox Subscribe