As digital transformation continues to change how the world connects and does business, organizations must be vigilant when it comes to vendor risk management and compliance. With the number of factors to consider, it’s a daunting task to undertake. However, a popular option for managing the process is the SIG questionnaire.
This blog will explore everything you need to know about the SIG questionnaire. Below you’ll find answers to what it is, who uses it and what variations are available. In addition, we’ll offer a pair of proactive approaches that will save you time.
SIG questionnaire background and basics
SIG questionnaires are becoming more common for businesses of all sizes. Therefore, it’s important for those responding to them to understand what they are, their purpose and the different types available.
What is a SIG questionnaire?
SIG stands for standardized information gathering. Appropriately, a SIG questionnaire is a single document that enables businesses to collect information from third parties and vendors. Generally, the questions cover a wide array of information from data security and privacy to risk management and regulatory compliance. The SIG questionnaire is a popular option when a business needs to issue a security questionnaire.
Within the SIG assessment, there are 18 different areas covered. For example, the questions explore information technology, resiliency, cyber security, data security and privacy. All of the information gathered paints a picture of whether or not a business is trustworthy when it comes to security and data. Often establishing this trust is a part of the due diligence process.
Shared Assessments created the SIG questionnaire. They are an organization that develops best practices, resources and tools that enable risk management. They describe the questionnaire, saying:
“The Standardized Information Gathering (SIG) Questionnaire Tools allow organizations to build, customize, analyze and store vendor questionnaires. Built on best practices by our member community, the SIG provides standardization and efficiency in performing third party risk assessments.”
Within the SIG Questionnaire Tools kit is a sophisticated multi-tab spreadsheet where SIG security questionnaires are built. It offers several options for customizing the questionnaire to the business’s needs. Luckily, Shared Assessments updates the tool each year. The changes reflect customer feedback, updated regulations, new best practices and improved security measures.
Who uses SIG questionnaires?
The questionnaire is growing in popularity, particularly in the United States. It’s common to industries that are highly regulated or handle sensitive information. For example banking, pharmaceutical, insurance and technology often use the standardized information gathering questionnaire. Businesses require vendors to update the questionnaire annually to ensure continued compliance.
Additional SIG questionnaire uses:
- Assessing security of outsourced services
- Self-assessment of the business
Two types of questionnaires: SIG core vs SIG lite
As you might expect, one security questionnaire doesn’t fit every business and every vendor or third party. Accordingly, Shared Assessments provides two main types of SIG questionnaires for businesses to scope.
SIG Core questionnaire
The standard SIG Core questionnaire includes around 850 questions targeting all 18 individual risk controls. According to Shared Assessments’ FAW, the SIG core questionniare is:
“Designed for assessing service providers that store or manage highly sensitive or regulated information, such as consumer information or trade secrets. This level is meant to provide a deeper level of understanding about how a service provider secures information and services. It is meant to meet the needs of almost all assessments, based on industry standards.”
SIG Lite questionnaire
On the other hand, as you might expect, the SIG Lite questionnaire is the shorter of the two assessment options. At about 330 questions, it’s less than half the length of the SIG Core. It’s defined by Shared Assessments as:
“Designed to provide a broad but high-level understanding about an Assessee’s internal information security controls. This level is for Assessees that need a basic level of due diligence. It can also be used as a preliminary assessment before a more detailed review.”
Businesses may use either or both questionnaires. Within the tool from Shared Assessments, users can’t change the specific wording of the questions. So, the questions remain standardized. However, businesses can add their own versions of the questions to a separate library.
In addition to the standard questions in the Core and Lite questionnaires, the SIG Questionnaire Tool offers 1200 total questions in a questionnaire content library. So, the questions included on each SIG will vary depending on the business’s needs. Therefore, it’s important for responders to pay close attention to the wording of the questions.
A pair of proactive approaches to completing SIG questionnaires
Certainly the need for security and risk assessments is clear. However, for teams that respond to SIG questionnaires, they can be daunting. Often there’s pressure to complete them quickly so that a contract or sale can be finalized. Not only that, but because of the ever-evolving security landscape, many clients require an updated SIG questionnaire before renewing a contract.
In this ongoing cycle of questionnaires, accuracy is vital to protect your business. At the same time, it’s important to be as efficient as possible when responding to security questionnaires like the SIG questionnaire. So, here’s what you can do.
1. Provide a completed SIG questionnaire before anyone asks for it
A growing number of vendors and third-party suppliers opt to complete the SIG questionnaire before their clients request it. So, instead of waiting for the client to create a security assessment, they provide the SIG questionnaire with all the information that’s widely considered standard.
This approach can save time when you’re trying to complete a deal if the client agrees to accept the SIG security questionnaire rather than having your team complete a new and potentially highly-customized security questionnaire. Beyond simply saving you time, this upfront approach can help continue to build trust between your business. and the client.
2. Build a knowledge library of SIG security questions and responses
While some of the information in the SIG questionnaire changes, the majority of the questions will stay the same from year to year. Typically, the various businesses that are using the SIG core or SIG lite questionnaire will ask many of the same questions. So, it makes sense to create a security assessment content library to centralize all of your data and security information. This centralized knowledge library empowers the security team to proactively update information. In addition, it allows the sales team to complete the majority of questionnaires without assistance. Armed with this updated information, much of the questionnaire is already completed by the time it gets to IT team.
There’s no doubt that third-party risk assessments and SIG questionnaires are here to stay. Now it’s up to each business to make the process as efficient and effective as possible.