‍

Successful third-party risk management (TPRM) starts with proactive vendor risk assessment (VRA) cycles that enable you to uncover and mitigate all notable threats. There are quite a few industry-standard questionnaires that help with such assessments—the Shared Assessments Standardized Information Gathering (SIG) questionnaire being one of the most widely used options.

‍

The SIG questionnaire is designed to provide guidance when completing VRAs, with a focus on identifying security risks across domains like cybersecurity, IT operations, privacy, data governance, and business resiliency.

‍

Our in-depth guide includes everything you need to know about the SIG questionnaire:

‍

• Definition and components of the SIG questionnaire
• Questionnaire types
• Main uses cases
• Questionnaire costs
• Tips for completing the SIG questionnaire efficiently

‍

What is the SIG questionnaire?

The SIG questionnaire is a configurable set of questions designed to help security teams assess and understand third-party risks comprehensively. It’s commonly used to outline a vendor’s risk and compliance landscape and compatibility with the organization’s risk appetite, supporting decision-making during the procurement process.

‍

Like other industry-standard questionnaires, SIG was created due to the ever-increasing security concerns that require a methodical approach to effective risk management. By leveraging the questionnaire, you can standardize your vendor selection process. The questionnaire also sets the tone for security-aware vendor relationships and minimizes the potential attack surface by helping you set up vendor controls.

‍

{{cta_withimage10="/cta-modules"}} | Shift Left: How to Turn Security into Revenue

‍

Risk areas covered in the SIG questionnaire

The structure of the SIG questionnaire allows for a standardized VRA process across the 21 risk areas below:

‍

1. Access control
2. Application security
3. Artificial intelligence (AI)
4. Asset and information management
5. Cloud hosting services
6. Compliance management
7. Cybersecurity incident management
8. Endpoint security
9. Enterprise risk management
10. Environmental, social, and governance (ESG)
11. Human resources security
12. Information assurance
13. IT operations management
14. Network security
15. Nth party management
16. Operational resilience
17. Physical and environmental security
18. Privacy management
19. Server security
20. Supply chain risk management (SCRM)
21. Threat management

‍

Each risk area will have a core set of questions to assess an organization's security posture and existing controls. You can also adopt a portion of the questionnaire to meet specific VRA goals.

‍

2 types of the SIG questionnaire you can choose from

‍

The SIG questionnaire comes in two versions, as outlined below:

‍

‍

A key benefit of the SIG questionnaire is its customizability. If you find SIG Lite insufficient but still don’t need the entire SIG Core questionnaire, you can create a custom SIG and select questions based on the following criteria:

‍

• Risk domain
• Mapping reference
• Control category

‍

The custom SIG questionnaire might be particularly useful for self-assessments, especially those focused on meeting specific regulations, standards, or client expectations.

‍

{{cta_webinar5="/cta-modules"}} | Questionnaire automation webinar

‍

What is the SIG questionnaire used for?

The primary use case of the SIG questionnaire is the assessment of vendors and other third parties before working with them. You can send out a questionnaire to understand whether you should onboard a vendor or receive one while exploring your sales opportunities.

‍

Other noteworthy use cases of the questionnaire include:

‍

• Evaluating current third parties’ security controls: You can use the SIG questionnaire to assess the security posture of your current third parties. You can choose to assess them routinely or after a security incident.
• Internal assessments: The SIG questionnaire can be an excellent tool for internal security reviews and audits, especially the SIG Core version. It lets you assess all the relevant security controls and risk management practices, minimize exposure to threats, and be ready to fill out the security questionnaires you receive.
• Demonstrating trust (as a vendor): Since a completed SIG questionnaire is proof of a solid security posture, it builds transparency and trust with customers, investors, partners, and other stakeholders impacted by your security practices.

‍

How is the SIG questionnaire different from other security questionnaires?

The SIG questionnaire is not the only option you can use for well-rounded VRAs. Other popular options include CAIQ and VSAQ.

‍

Here's a breakdown of these questionnaires:

‍

‍

‍

The SIG questionnaire is indexed to over 35 standards and regulations, making it among the most comprehensive options when it comes to security and risk coverage. It also comes with the most risk areas covered, so it’s a reliable option for VRAs in any industry.

‍

Is the SIG questionnaire free?

Unlike CAIQ or VSAQ, the SIG questionnaire isn’t free for public use—it’s only available to Shared Assessment members. If you’re not a member yet, you have two corporate license options to choose from:

‍

1. One year: $6,500
2. Two years: $12,300

‍

Alternatively, you can get the SIG as a part of Shared Assessments’ Primary Product Suite for $7,200 per year. Besides the questionnaire, the suite includes two other products—Vendor Risk Management Maturity Model and Standardized Control Assessment Procedure, which can further support your security practices.

‍

There are two additional tiers you can explore if you want to leverage Shared Assessments’ complete offering.

‍

‍

‍

You can also buy the products from these suites separately to create a custom ecosystem of solutions specific to your team—although the individual cost of a product might be higher than what you’d pay for as part of a specific suite.

‍

{{cta_withimage17="/cta-modules"}} | State of Trust Report 

‍

3 tips for completing the SIG questionnaire

As a vendor, completing a SIG questionnaire from a prospect can be a formidable task due to its all-encompassing nature. This is especially true for teams that rely on manual work, such as going through multiple spreadsheets and security documents, to finalize each questionnaire they receive.

‍

Excessive manual work during questionnaire completion slows down security teams and can even impact the success of your deals and sales opportunities. There’s also the risk of providing incomplete responses that fail to present an accurate overview of your security posture.

‍

To ensure a cohesive workflow and complete the questionnaire effortlessly, you can follow these practical tips:

‍

1. Be proactive and prepare common responses
2. Continuously review your security posture
3. Automate questionnaire responses

‍

1. Be proactive and prepare common responses

The best practice for organizations is to be prepared to answer security questionnaires at any time and keep a list of common responses that can be used for similar questions. The goal is to not wait for a prospect to send you a security questionnaire before you initiate the relevant workflows, including internal security assessments and data gathering.

‍

Specifically, you can complete the SIG questionnaire as a part of your internal security reviews. Having a pre-filled questionnaire will ensure you have all the information you need to respond to a prospect’s questionnaire in a timely and efficient way.

‍

2. Continuously review your security posture

The SIG questionnaire aims to verify numerous risk areas and threats, which calls for a more methodical approach to internal security reviews. You need to set up a granular overview of your security posture and third-party network, preferably in real time, and continuously adapt your risk management strategy and security controls to respond to new threats. This approach makes it likely you’ll have favorable responses to security questionnaires at any point in time. 

‍

The ideal workflow here is to first inventory all your IT assets and third parties. List all the necessary components to map out the potential attack surface and third-party relationships. You should consider having a robust risk management software solution that can help monitor your attack surface and give you a unified view of your security posture at all times.

‍

3. Automate questionnaire responses

If done manually, security reviews and questionnaire completion can be tedious, repetitive, and time-consuming. Processing the questions and filling out the responses alone can take quite some time, but the main source of inefficiencies is what happens between these two processes—evidence collection.

‍

Sifting through documents and spreadsheets to find proof of effective security controls puts a considerable strain on your workflow and prevents your team from focusing on the tasks on their plate.

‍

To overcome this obstacle, you can leverage questionnaire automation tools that take over mundane work and let your teams shift their time and energy to more high-value tasks. Such tools can significantly tighten your workflow and prevent deals from falling through due to inefficiencies.

‍

{{cta_testimonial16="/cta-modules"}} | ComplyCube customer story

‍

Complete SIG questionnaires faster with Vanta

Software-supported questionnaire completion gives you a major advantage over competitors, and Vanta can help you gain that edge. It’s a comprehensive trust management platform that automates compliance and security workflows—including the completion of questionnaires like SIG.

‍

Vanta’s Questionnaire Automation product is a dedicated solution to reduce friction during the completion process. It offers plenty of automation features, most notably:

‍

• A centralized security knowledge base that unifies all your security data and documents
• AI-enabled responses based on the information in your knowledge base (acceptance rate: 95 percent)
• Multi-format questionnaire completion that lets you adapt to a prospect’s preferences
• 73 percent coverage across security questions

‍

These features enhance your ability to tackle multiple questionnaires at one time—enabling you to complete security reviews up to 5 times faster. You can request a custom demo for your team and see how to integrate the solution into your workflows.

‍

Another key automation solution is the Trust Center. It's your custom portal where you can offer a real-time overview of your key security controls and compliance information to your prospects and build trust without extensive work. Watch this webinar for a hands-on overview of the service.

‍

{{cta_simple13="/cta-modules"}} | Questionnaire automation product page

‍