Whistic Upgrades to SIG 2022 Toolkit

September 29, 2021

Whistic leverages the Shared Assessments Standardized Information Gathering Questionnaire (SIG). The 2022 SIG is updated to align with the evolving regulatory and threat environment. Built on vetted questions mapped to controls and regulatory guidance, the SIG provides standardized efficiency in performing third party risk assessments.

More than 80% of the SIG was enhanced for 2022, making this a significant and important update. Shared Assessments keeps abreast of regulations, guidelines and standards for a wide range of industries and has integrated 1,600 Control Points into the 2022 Toolkit from new guidelines, regulations, and frameworks including: 

  • NIST 800-53 (Rev.5) Security and Privacy Controls for Information Systems and Organizations
  • DOJ June 2020 Guidance on Evaluation of Corporate Compliance Programs for publicly held U.S. Companies
  • Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 (April 2020) 
  • CSA Cloud Controls Matrix (CCM) Version 4
  • Industrial Automation and Control Systems Guidance IEC 62443 (2018)
  • GDPR Guidance on Standard Contractual Clauses (SCCs) June 2021
  • State Privacy Laws (CA, CO, Virginia)
  • Environmental, Social, Governance (ESG): Third party risk programs must increasingly gauge the ESG compliance of critical suppliers and vendors. In response, new features of the 2022 Toolkit include ESG updates among all Shared Assessments TPRM tools.

Designed to provide a broad and high-level understanding about a third party’s internal information security controls, the SIG Lite questionnaire gives a basic level of assessment due diligence. With 150 questions, the SIG Lite can be used as a preliminary assessment before a more detailed assessment. 

Designed to assess third parties or vendors that store or manage sensitive, regulated data, the SIG Core questionnaire provides a deep level of understanding about how a third party secures information. With 825 questions targeting 18 risk domains, the SIG Core is based on industry standards and meets the needs of almost all third-party risk assessments. 

Shared Assessments has become the trusted source in third party risk assurance. Shared Assessments offers opportunities for members to address global risk management challenges through committees, awareness groups, interest groups and special projects. For more information, visit https://sharedassessments.org/

See your full security picture with Whistic. Automate your program, assess vendors easily, and start using security to your advantage.
