What is a SIG and How is it Different Than CAIQ?

According to the Cloud Security Alliance’s report “Cloud and Web Security Challenges in 2022“, 58% of cloud breaches originate from third parties, contractors and partners. Since 43% of organizations across all industries view protecting customer data as their top concern, it is imperative that businesses are able to accurately assess their third-party risk.

One commonly used method to assess third parties is with a security questionnaire, but the challenge is knowing which questions to include in the questionnaire. Fortunately, there are existing security questionnaire templates available to make this process easier.  Two of the most widely used questionnaires on the market today are the SIG and the CAIQ. While a SIG can be used for vendors across industries, it is particularly beneficial for those in industries that are highly regulated or focused on data privacy. 

What is a SIG?

The SIG, short for “Standardized Information Gathering (Questionnaire)” is a repository of third-party information security and privacy questions indexed to multiple regulations and control frameworks. SIG is published by a non-profit called Shared Assessments and has been in existence for about 18 years. The SIG has become such a popular means of assessment of vendor security risk that more than 15,000 people worldwide are using this security questionnaire.

What are Shared Assessments?

Shared Assessments is a non-profit member-driven organization. The members determine how Shared Assessments will evolve the SIG each year by voicing their opinions in committee meetings. These meetings are generally held monthly, and the discussions drive how the Shared Assessments team will update the SIG content. 

Shared Assessments updates the SIG annually, reflecting new security and privacy challenges, changes to regulations, and the latest trends and newest best practices in third-party risk management. Updates to the SIG usually have new questions, rewordings to old questions, deleted questions and reordering of the question sequence.

What are the types of SIG questionnaires?

Since a SIG is especially helpful for organizations in heavily regulated industries or dealing with private data, SIG users will “scope” their own questionnaire from the ~1,800-question repository according to their own regulatory or privacy requirements. Many licensees will use one of the two standards “scopings,” SIG Lite (~126 questions) and SIG Core (~855 questions). Others may add more questions from the repository or even their own business or industry-specific questions.

The SIG Core questionnaire

The Standardized Information Gathering (SIG) Core questionnaire includes approximately 855 questions that encompass all 19 risk controls. Its purpose is to help give an in-depth understanding of how a third party secures information and services. Based on industry standards, it’s meant to cover nearly all third-party risk assessments.

The SIG Lite questionnaire

The Standardized Information Gathering (SIG) Lite questionnaire includes ~126 questions. Its purpose is to provide a broad, high-level overview of a third party’s internal information security controls. This tool provides a basic level of due diligence for risk professionals and may be used as a starting point, before proceeding with a more detailed security review.

Who has adopted SIG?

The SIG is becoming increasingly common in the UK, EU, the Far East and the US across a number of industries, including many large US banks and financial services companies. Increasingly, large US vendors are adopting SIG. They in turn are requesting that customers and prospects accept their own SIG questionnaires in place of proprietary evaluator questionnaires.

Why is SIG useful for an evaluating company?

SIG reflects the combined knowledge and experience of hundreds of member organizations over more than twenty years. 

Because SIG is indexed to many standards (ISO 27002:2013, ISA 62443, FFIEC Appendix J, FFIEC CAT, PCI DSS, FFIEC IT Management Handbook, EBA Guidelines, NIST SP 800-53 Rev 4/5, NIST CSF, HIPAA, GDPR, NYDFS 23 NYCRR 500 and CSA Cloud Controls Matrix, it makes compliance simpler. Choose a given control from any one of these, and you will find the SIG questions that address it.

The SIG measures security risks across 19 risk control areas within a supplier’s environment including: 

• Enterprise Risk Management
• Security Policy
• Organizational Security
• Asset and Information Management
• Human Resources Security
• Physical and Environmental Security
• IT Operations Management
• Access Control
• Application Security
• Cybersecurity Incident Management
• Operational Resilience
• Compliance and Operational Risk
• Endpoint Device Security
• Network Security
• Privacy
• Threat Management
• Server Security
• Cloud Hosting Services

What is the CAIQ?

The CAIQ (Consensus Assessment Initiative Questionnaire) is a security questionnaire designed by the Cloud Security Alliance that assesses 197 control objectives outlined by the Cloud Controls Matrix (CCM). With questions covering over 17 domains of cloud technology, it focuses on evaluating controls for cloud service providers and is specific to each industry. Since the CCM is aligned with over 40 leading standards and regulations, it provides for an accurate assessment of the security posture of these higher-risk cloud service providers. As a result, it eliminates the need for these organizations to complete another security questionnaire.

When is it preferable to use CAIQ and not SIG?

When regulation and privacy are not primary concerns for an organization, CAIQ is a shorter questionnaire that allows organizations to easily assess their third-party providers and has become very accepted in the SaaS community. 

For example, a CISO working at an event planning company’s primary concern is the security of the large collection of SaaS tools her company uses to manage its business. Since the company doesn’t collect the identities of attendees, there are no real privacy concerns. In this case, a CAIQ provides a shorter, yet robust set of questions for assessing the security of those SaaS applications. 

When is it preferable to use SIG and not CAIQ?

With over 1800 questions from which to scope, your custom SIG questionnaire is most useful for heavily regulated businesses that handle sensitive information, such as financial, medical and insurance organizations. SIG questions are updated annually by Shared Assessments according to the latest international regulations and standards across many different industries.

How can a Panorays customer take advantage of a SIG questionnaire?

Typically, scoping the SIG content results in the generation of an Excel spreadsheet, which you’ll send to your supplier as a security supplier questionnaire. With Panorays, however, this part of the process is completely automated. 

Users of the Panorays platform benefit from:

• Rapid supplier vetting. Customers are able to vet a vendor within eight/nine days. 
• Eliminating manual questionnaires.
• Adding business context to the SIG questionnaire, so that suppliers receive only the questions that are relevant to their particular business relationship.

FAQs