SIG Questionnaire
The SIG (Standardized Information Gathering) questionnaire is a standardized vendor risk assessment tool created by Shared Assessments covering 18 risk domains.
Definition
The SIG (Standardized Information Gathering) questionnaire is an industry-standard tool developed by Shared Assessments for evaluating third-party vendor risk. It comes in two versions: SIG Lite (a shorter subset of the questions, intended for lower-risk vendors) and SIG Core (the comprehensive assessment covering 18 risk domains).
Context
The SIG questionnaire covers domains including access control, application security, business continuity, change management, cloud hosting, compliance, data privacy, encryption, governance, HR security, incident management, information assurance, IT operations, network security, physical security, risk management, server security, and threat management. Many enterprise buyers mandate the SIG format because it provides standardized coverage and enables consistent risk scoring across vendors.
Why it matters
The SIG, developed by Shared Assessments, is an industry-standard questionnaire for evaluating third-party vendor risk across eighteen control domains. These domains span information security, privacy, business resiliency, application security, and operational resilience, among others. SIG comes in two variants: SIG Core (sometimes called the full SIG), which contains over eight hundred questions and is intended for high-risk vendors, and SIG Lite, a scoped-down subset for lower-risk assessments. It is widely used in financial services, healthcare, and other enterprise sectors as the baseline vendor assessment framework.
A frequent mistake buyers make is sending SIG Core to every vendor regardless of risk tier. This creates respondent fatigue and delays procurement cycles unnecessarily. Effective programs tier their vendors by data sensitivity and business criticality, then scope the questionnaire accordingly (for example, SIG Lite for a vendor that never touches regulated data). On the vendor side, many teams fail to refresh their SIG responses annually, so buyers receive answers that reference controls or certifications that have since changed or expired. Treating SIG completion as a living process, with each answer tied to dated evidence, rather than a one-time exercise is essential.
The SIG questionnaire maps to multiple regulatory requirements and control frameworks, including NIST publications, ISO/IEC 27001, PCI DSS, and HIPAA, making it a practical bridge between them. Organizations that map their SIG answers to underlying control evidence (audit reports, test results, policies) can repurpose those mappings for other assessments, reducing redundant work. Shared Assessments updates the SIG annually to reflect evolving threats and regulatory changes, so teams should monitor version releases and update their response libraries to match the current year's question set.
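The two operational points above (answers going stale when their evidence expires, and reusing evidence mappings for other frameworks) are easy to enforce with a small response library. The following is an added example, not Shared Assessments tooling and not part of the original page. The question IDs (Q-ENC-01 and so on), domain names, evidence records and framework control references are constructed placeholders; the ISO/IEC 27001 and PCI DSS references are illustrative mappings chosen for the example, not an official SIG crosswalk.

```python
"""Staleness and crosswalk checks over a SIG-style response library.

Added example, not Shared Assessments code. All question IDs, evidence
records and framework references are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Evidence:
    evidence_id: str
    description: str
    expires: date | None                      # None: does not expire (e.g. a policy)
    frameworks: dict[str, str] = field(default_factory=dict)  # framework -> control ref


@dataclass(frozen=True)
class Answer:
    question_id: str                          # hypothetical SIG question identifier
    domain: str
    response: str
    evidence_ids: tuple[str, ...] = ()        # evidence backing this answer


# Constructed sample library: three evidence records, four answers.
EVIDENCE = {
    "EV-SOC2": Evidence("EV-SOC2", "SOC 2 Type II report", date(2023, 12, 31),
                        {"ISO27001": "A.5.35", "NIST_CSF": "GV.OV"}),
    "EV-ENC": Evidence("EV-ENC", "Encryption standard v3", None,
                       {"ISO27001": "A.8.24", "PCI_DSS": "3.5"}),
    "EV-PEN": Evidence("EV-PEN", "Annual penetration test report", date(2025, 6, 30),
                       {"ISO27001": "A.8.8", "PCI_DSS": "11.4"}),
}

ANSWERS = [
    Answer("Q-ENC-01", "Encryption", "Data at rest is encrypted with AES-256.", ("EV-ENC",)),
    Answer("Q-GOV-01", "Governance", "An independent audit is performed annually.", ("EV-SOC2",)),
    Answer("Q-APP-01", "Application Security", "Applications are pen tested yearly.", ("EV-PEN",)),
    Answer("Q-NET-01", "Network Security", "Network segmentation is enforced.", ()),
]


def stale_answers(answers: list[Answer], evidence: dict[str, Evidence],
                  today: date) -> dict[str, list[str]]:
    """Answers whose cited evidence has expired, or is missing from the library, as of today."""
    stale: dict[str, list[str]] = {}
    for a in answers:
        for eid in a.evidence_ids:
            ev = evidence.get(eid)
            if ev is None:
                stale.setdefault(a.question_id, []).append(f"{eid}: not in evidence library")
            elif ev.expires is not None and ev.expires < today:
                stale.setdefault(a.question_id, []).append(f"{eid}: expired {ev.expires.isoformat()}")
    return stale


def unsupported_answers(answers: list[Answer]) -> list[str]:
    """Answers that cite no evidence at all; a buyer will normally ask for proof of these."""
    return [a.question_id for a in answers if not a.evidence_ids]


def crosswalk(answers: list[Answer], evidence: dict[str, Evidence],
              framework: str) -> dict[str, list[str]]:
    """Reuse SIG answers for another framework: control ref -> SIG questions whose
    evidence is mapped to that control. Answers with no mapped evidence are omitted."""
    out: dict[str, list[str]] = {}
    for a in answers:
        for eid in a.evidence_ids:
            ev = evidence.get(eid)
            ref = ev.frameworks.get(framework) if ev else None
            if ref:
                out.setdefault(ref, []).append(a.question_id)
    return out


if __name__ == "__main__":
    today = date(2024, 1, 15)  # constructed reference date
    print("stale:", stale_answers(ANSWERS, EVIDENCE, today))
    print("unsupported:", unsupported_answers(ANSWERS))
    print("ISO27001 crosswalk:", crosswalk(ANSWERS, EVIDENCE, "ISO27001"))
```

Run this before each annual refresh (or in CI on the response library): anything returned by `stale_answers` needs new evidence before the answer is sent, anything in `unsupported_answers` needs evidence attached, and `crosswalk` gives you the starting point for an ISO 27001 or PCI DSS response without re-collecting the same artefacts.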