Conducting Third Party Vendor Risk Assessments Using the SIG Questionnaire from Shared Assessments

August 10, 2018

As an InfoSec leader, you already know how important (yet often convoluted) the third party vendor risk assessment process can be. When it comes to selecting the right questionnaire to use for each of your vendors, there are many options available. You can create a new questionnaire for each vendor, you can re-use existing questionnaires, or you can take advantage of a top vendor risk questionnaire created by a reputable organization. In a previous post, we shared a few of the top vendor risk assessments available to your organization, including (in alphabetical order):

  1. Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)
  2. Center for Internet Security — CIS Critical Security Controls (CIS First 5 / CIS Top 20)
  3. National Institute of Standards and Technology — NIST (800–171)
  4. Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG Core / SIG-Lite)
  5. Vendor Security Alliance — VSA Questionnaire (VSAQ)

Over the next several weeks, we’ll provide a deep-dive look into several of these questionnaire frameworks so that your organization can confidently choose the right questionnaire for your third party risk management program — whether you decide to build your own or use a one of these pre-built assessments. In case you missed the last overviews, here’s a quick look back at what we’ve already covered:

In this article, we’ll take a look at the SIG Questionnaire and we’ll help you understand what it is, how it can be used, and provide a few tips for creating a seamless experience for both your InfoSec team, as well as your vendors.

What is the SIG Questionnaire and Why Was It Created?

The SIG, developed by Shared Assessments, stands for “Standard Information Gathering”, and is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment. Unlike some of the other assessments we’ve reviewed, the SIG evaluates vendors based on its own 18 individual “risk controls”. The SIG assessment works to gather pertinent information to determine how security risks are managed across a spectrum of those 18 risk control areas, or “domains”, within a vendor’s environment, as it calls them.

Depending on your organization’s needs, paired with the type or category of vendor that you’re assessing, the SIG questionnaire can be used in a handful of ways:

  • Used by an outsourcer to evaluate their service providers’ risk controls.
  • Completed by a service provider and used proactively as part of a request for proposal (RFP) response.
  • Completed by a service provider and sent to their client(s) in lieu of completing one or multiple proprietary questionnaires.
  • Used by an organization for self-assessment.

Each year, Shared Assessments updates the SIG to comply with new industry standards and the changing cybersecurity landscape. For 2018, Shared Assessments released an overview video that details some of the changes and updates that users may notice in this year’s edition. As a part of this 2018 release, Shared Assessments released the new SIG (now called: SIG Core) and transitioned the full SIG to more of a library of questions that can be scoped based on your unique needs. This year’s release also included a specific set of questions specifically tailored to GDPR.

What if a particular vendor offers less risk and doesn’t require the extensive SIG Core questionnaire? That’s where SIG-Lite enters the picture. The SIG-Lite is a compilation of all the higher level questions from the detail tabs of the SIG and is generally used for third party service providers who offer lower risk services. This means that neither your team nor your vendor has to waste time filling out questions that aren’t relevant.

How Whistic Makes Using SIG Questionnaires a Seamless Experience

By using Whistic’s vendor assessment platform, your InfoSec team can save countless hours (or more likely, days) developing questionnaires from scratch. The SIG and SIG-Lite questionnaires are available out-of-the-box and are already held to the highest industry standards. And because so many organizations use this questionnaire on a regular basis, it contains most (if not all) the questions your organization should be asking vendors. Whistic licenses the latest SIG content from Shared Assessments and makes this available to Whistic customers via the platform.

Additionally, your InfoSec team can efficiently and securely respond to any SIG Core or SIG-Lite questionnaires that you receive by using your Whistic Security Profile, which allows teams to intelligently allocate limited resources and assigning questions to specific subject matter experts across the organization and provide due dates and reminders along the way. The ready-to-use SIG Core and SIG-Lite online questionnaires — inherently available in Whistic’s platform — provide the ability to add comments and documentation to substantiate responses.

Whether sending the assessment to cloud vendors or responding to the SIG Core or SIG-Lite as a vendor yourself, Whistic’s process allows your InfoSec team to be confident that no security issue will slip through the cracks.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.


Why Third Party Security is Critically Important

Request a Live Demo with a Whistic Product Specialist

cybersecurity vendor risk management security questionnaires vendor assessment sig

About the author


The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.