Risk Management | 15 min read

SIG Questionnaire Explained: The Complete Vendor Risk Assessment Guide

TrustFill AI Team
March 18, 2026

What Is the SIG Questionnaire?

The Standardized Information Gathering (SIG) questionnaire is a comprehensive third-party risk assessment tool developed by Shared Assessments, a member-driven organization focused on third-party risk management best practices.

The SIG is widely regarded as the gold standard for vendor risk assessments, particularly in heavily regulated industries like financial services, healthcare, and insurance. It provides a standardized framework for evaluating a vendor's security, privacy, and operational controls.

SIG Lite vs SIG Core

The SIG comes in two versions:

Feature                        SIG Lite                   SIG Core
Questions                      ~180                       ~800+
Depth                          High-level assessment      Comprehensive deep-dive
Use case                       Lower-risk vendors         Critical/high-risk vendors
Completion time (manual)       1-2 weeks                  4-8 weeks
Completion time (automated)    1-2 days                   3-5 days

Most enterprise assessors will send you SIG Lite for initial evaluation and SIG Core for vendors handling sensitive data or critical operations.

The 18 SIG Risk Domains

Shared Assessments revises the SIG annually, and domains are added, renamed, or merged between releases. The list below describes the domains as they are commonly organized; check the version of the template your assessor sent before mapping your evidence to it.

1. Enterprise Risk Management

Focus: Organizational risk governance, risk appetite, risk assessment methodology

Assessors want to see: A formal risk management program with board oversight, documented risk appetite statements, and regular risk assessments.

2. Security Policy

Focus: Information security policy framework, policy review cadence

Assessors want to see: Comprehensive security policies reviewed at least annually, with clear ownership and enforcement mechanisms.

3. Organizational Security

Focus: Security team structure, CISO role, security responsibilities

Assessors want to see: Dedicated security leadership (CISO or equivalent), clear security responsibilities across the organization, and adequate security staffing.

4. Asset & Information Management

Focus: Asset inventory, data classification, data lifecycle management

Assessors want to see: Complete asset inventory, data classification scheme (public/internal/confidential/restricted), and defined data retention and disposal procedures.

5. Human Resource Security

Focus: Background checks, security training, termination procedures

Assessors want to see: Pre-employment screening, annual security awareness training with completion tracking, and documented offboarding procedures.

6. Physical & Environmental Security

Focus: Facility access, environmental controls, equipment security

Assessors want to see: Physical access controls (badge, biometric), environmental monitoring (temperature, humidity, fire suppression), and secure equipment disposal.

7. IT Operations Management

Focus: Change management, capacity planning, system administration

Assessors want to see: Formal change management process, documented operational procedures, and capacity monitoring with defined thresholds.

8. Access Control

Focus: Authentication, authorization, privileged access, access reviews

Assessors want to see: Multi-factor authentication, role-based access control, privileged access management, and quarterly access reviews.

9. Application Security

Focus: SDLC, code review, vulnerability management, API security

Assessors want to see: A secure SDLC with defined security gates (threat modeling, dependency checks, pre-release scanning), mandatory code review, developer training that covers the OWASP Top 10 categories, and recurring application security testing with documented remediation of findings.

10. Cybersecurity Incident Management

Focus: Incident response plan, detection capabilities, notification procedures

Assessors want to see: Documented incident response plan tested at least annually, 24/7 monitoring capabilities, and defined notification timelines.

11. Operational Resilience

Focus: Business continuity, disaster recovery, testing

Assessors want to see: Business impact analysis, documented BCP/DR plans, defined RTO/RPO, and annual testing with documented results.

12. Compliance & Legal

Focus: Regulatory compliance, contractual obligations, legal requirements

Assessors want to see: Compliance monitoring program, regulatory tracking, and evidence of meeting applicable legal requirements (GDPR, CCPA, HIPAA, etc.).

13. Endpoint Device Security

Focus: Workstation security, mobile device management, BYOD

Assessors want to see: Endpoint protection (EDR), device encryption, mobile device management, and BYOD policies.

14. Network Security

Focus: Network architecture, segmentation, monitoring, wireless security

Assessors want to see: Network segmentation, firewall management, intrusion detection/prevention, and wireless security controls.

15. Privacy

Focus: Privacy program, data subject rights, privacy impact assessments

Assessors want to see: Formal privacy program, privacy impact assessments for new products, data subject rights handling procedures, and privacy training.

16. Threat Management

Focus: Vulnerability management, penetration testing, threat intelligence

Assessors want to see: Regular vulnerability scanning, annual penetration testing by qualified third parties, and threat intelligence integration.

17. Server Security

Focus: Server hardening, patch management, configuration management

Assessors want to see: Server hardening standards (CIS benchmarks), patch management SLAs, and configuration management with drift detection.

18. Cloud Hosting Services

Focus: Cloud security, shared responsibility, cloud-specific controls

Assessors want to see: Understanding of shared responsibility model, cloud security posture management, and cloud-specific access controls.

How to Complete the SIG Efficiently

Preparation Phase (Before You Start)

  1. Gather your documentation — SOC 2 report, ISO 27001 certificate, security policies, network diagrams, BCP/DR plans
  2. Identify subject matter experts — Assign owners for each domain (IT, Security, Legal, HR, Compliance)
  3. Review the SIG template — Understand the question format and response expectations
  4. Check for reusable content — If you've completed the SIG before, start with your previous responses

Response Phase (Completing the Questionnaire)

For each question, follow this structure:

  1. Answer the question directly — Yes, No, N/A, or the specific control
  2. Provide implementation details — How the control works, what tools you use
  3. Reference evidence — Policy name, SOC 2 section, certification number
  4. Note any exceptions — If a control is partially implemented, explain the gap and remediation timeline

Never answer "Yes" to a control you have only partially implemented or plan to implement. A completed SIG is a written attestation your customer will rely on, often by reference in the contract, and an overstated answer becomes a misrepresentation the next time the control is audited or an incident exposes the gap.

Review Phase (Quality Assurance)

  1. Cross-reference with SOC 2 — Ensure consistency between your SIG responses and the audit report, including any exceptions or qualified opinions the auditor noted; an assessor who reads both will flag a SIG answer that is stronger than the SOC 2 evidence
  2. Check for completeness — No blank answers; use N/A with justification where appropriate
  3. Verify accuracy — Have SMEs validate responses in their domain
  4. Update the date — Ensure the assessment reflects your current security posture

Automating SIG Responses with AI

Manually completing a SIG Core questionnaire takes 4-8 weeks of effort across multiple teams. With TrustFill AI, you can reduce this to 3-5 days:

  1. Upload your security documentation — SOC 2 reports, policies, procedures, past SIG responses
  2. Import the SIG spreadsheet — Our AI recognizes the SIG format automatically
  3. AI generates draft responses — Mapped to your knowledge base with confidence scores
  4. Route for review — High-confidence answers get spot-checked; low-confidence answers go to SMEs. Whatever the confidence score, a named human reviewer signs off on every response before it leaves your organization, because the completed SIG is an attestation you are accountable for, not the model
  5. Export the completed SIG — In the standard Shared Assessments format

SIG vs Other Assessment Frameworks

Framework   Questions   Focus                    Best for
SIG Core    800+        Comprehensive risk       Critical vendors, regulated industries
SIG Lite    ~180        High-level risk          Initial vendor screening
CAIQ        261         Cloud security           Cloud service providers
HECVAT      200+        Higher education         EdTech vendors
Custom      Varies      Organization-specific    Enterprise-specific requirements

Best Practices for SIG Success

  1. Maintain a living knowledge base — Update your security documentation continuously, not just before assessments
  2. Build a response library — Organize approved responses by SIG domain for quick reuse
  3. Track question patterns — Many SIG questions repeat across assessments; identify your "top 50" most common questions
  4. Invest in automation — The ROI on SIG automation is significant for companies receiving 10+ assessments per year
  5. Proactive sharing — Consider publishing a security whitepaper or trust center that preemptively answers common SIG questions

Get Started

TrustFill AI helps you complete SIG questionnaires in days instead of weeks. Our AI understands the SIG format, maps questions to your documentation, and generates accurate responses with source citations.

Start your free 14-day trial and tackle your next SIG with confidence.
