What You Need to Know about SIG, SIG CORE, and SIG LITE in 2019

September 19, 2019

The information security landscape is constantly changing and evolving. As new threats and risk emerge — and as the technology available to these risks continues to become more complex — the importance of having a secure infrastructure is growing. Organizations are constantly having to update their processes and adopt new solutions to ensure that their security is on par or ahead of the threats.

One way that many organizations test to ensure there are no gaps or holes in their security processes is through security risk assessments. Because a majority of threats emerge through third-party vendor partnerships, InfoSec thought leaders started building vendor risk assessments to proactively identify these gaps before vendor relationships are signed. One of these groups, Shared Assessments, created the SIG (Standard Information Gathering) assessment as a holistic way to address multiple areas of risk. Over the years, the SIG assessment has been modified and updated to address the different needs of organizations. These modifications have resulted in the creation of the SIG CORE and SIG LITE assessments.

So how should you choose which SIG assessment is right for your organization? Here are the main benefits and differences of the three options:

SIG — The SIG assessment evaluates vendors based on 18 individual risk controls, which together determine how security risks are managed across this broader spectrum. SIG is a good assessment for outsourcers to evaluate provider risk controls, as a way for organizations to complete RFPs, or for security teams to conduct self-assessments because it is broader in scope than other SIG assessments.

SIG LITE — Understandably, the SIG assessment is a pretty extensive questionnaire that targets multiple areas of risk across multiple disciplines. For vendors with less inherent risk that don’t require the entire SIG catalog of assessment, SIG LITE is the answer. It takes the high-level concepts and questions from the larger SIG questionnaire and distills it down to just a few questions. SIG LITE ensures that both sides are doing due diligence without having either side wasting time answering questions that don’t have any relevance or value to the end results. Many security teams use SIG LITE as a jumping off point to see which other more in-depth assessments are required down the road.

SIG CORE — Released in 2018, SIG CORE is an update of the original SIG assessment that allows for a deeper scope and more personalized assessment. Instead of a standard questionnaire, SIG CORE is a library of questions that security teams can pick and choose from with their vendors. The CORE update also includes extensive language on GDPR and other specific compliance regulations. Ideally, the updated SIG CORE assessment can be used as a way to gather the answers to multiple questionnaires or assessments, if a security team has the tools to sort and manage the answers efficiently.

Taking Advantage of SIG

As the security needs of organizations continue to change, many security teams have found that picking and choosing different questions from different assessments works best for their vendors. This is why risk assessment tools like Whistic are so beneficial. With SIG, SIG LITE, and SIG CORE all accessible in the Whistic platform, alongside other leading assessments and questionnaires, security teams have access to the right questions to ensure complete security compliance when working with vendors.

Additionally, security teams can use the answers from SIG, SIG LITE, or SIG CORE to amend and/or inform other questionnaires within the system, making it easier to respond to incoming questionnaires or determine the compliance of vendors.

security sig sig lite security assessments sig core

About the author


The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.