Successful third-party risk management (TPRM) starts with proactive vendor risk assessment (VRA) cycles that enable you to uncover and mitigate all notable threats. There are quite a few industry-standard questionnaires that help with such assessments—the Shared Assessments Standardized Information Gathering (SIG) questionnaire being one of the most widely used options.

The SIG questionnaire is designed to provide guidance when completing VRAs, with a focus on identifying security risks across domains like cybersecurity, IT operations, privacy, data governance, and business resiliency.

Our in-depth guide includes everything you need to know about the SIG questionnaire:

  • Definition and components of the SIG questionnaire
  • Questionnaire types
  • Main use cases
  • Questionnaire costs
  • Tips for completing the SIG questionnaire efficiently

What is the SIG questionnaire?

The SIG questionnaire is a configurable set of questions designed to help security teams assess and understand third-party risks comprehensively. It’s commonly used to outline a vendor’s risk and compliance landscape and compatibility with the organization’s risk appetite, supporting decision-making during the procurement process.

Like other industry-standard questionnaires, SIG was created due to the ever-increasing security concerns that require a methodical approach to effective risk management. By leveraging the questionnaire, you can standardize your vendor selection process. The questionnaire also sets the tone for security-aware vendor relationships and minimizes the potential attack surface by helping you set up vendor controls.

Risk areas covered in the SIG questionnaire

The structure of the SIG questionnaire allows for a standardized VRA process across the 21 risk areas below:

  1. Access control
  2. Application security
  3. Artificial intelligence (AI)
  4. Asset and information management
  5. Cloud hosting services
  6. Compliance management
  7. Cybersecurity incident management
  8. Endpoint security
  9. Enterprise risk management
  10. Environmental, social, and governance (ESG)
  11. Human resources security
  12. Information assurance
  13. IT operations management
  14. Network security
  15. Nth party management
  16. Operational resilience
  17. Physical and environmental security
  18. Privacy management
  19. Server security
  20. Supply chain risk management (SCRM)
  21. Threat management

Each risk area has a core set of questions that assess an organization's security posture and existing controls. You can also adopt only a portion of the questionnaire to meet specific VRA goals.

2 types of the SIG questionnaire you can choose from

The SIG questionnaire comes in two versions, as outlined below:

  • SIG Core: The complete version with 855 questions spread across all risk areas. It’s primarily used by organizations that handle highly sensitive data or otherwise want a comprehensive overview of a vendor’s security posture.
  • SIG Lite: The condensed version with 126 questions addressing the key risks and security controls. It gives you a high-level overview of the vendor’s security practices. It’s mainly used for brief and preliminary assessments, which are typically followed by the more comprehensive ones. It can also serve as the standalone security questionnaire for low-risk vendors such as the company that prints your letterheads.

A key benefit of the SIG questionnaire is its customizability. If you find SIG Lite insufficient but still don’t need the entire SIG Core questionnaire, you can create a custom SIG and select questions based on the following criteria:

  • Risk domain
  • Mapping reference
  • Control category

The custom SIG questionnaire might be particularly useful for self-assessments, especially those focused on meeting specific regulations, standards, or client expectations.

What is the SIG questionnaire used for?

The primary use case of the SIG questionnaire is the assessment of vendors and other third parties before working with them. You can send out a questionnaire to understand whether you should onboard a vendor or receive one while exploring your sales opportunities.

Other noteworthy use cases of the questionnaire include:

  • Evaluating current third parties’ security controls: You can use the SIG questionnaire to assess the security posture of your current third parties. You can choose to assess them routinely or after a security incident.
  • Internal assessments: The SIG questionnaire can be an excellent tool for internal security reviews and audits, especially the SIG Core version. It lets you assess all the relevant security controls and risk management practices, minimize exposure to threats, and be ready to fill out the security questionnaires you receive.
  • Demonstrating trust (as a vendor): Since a completed SIG questionnaire documents your security controls in a standardized, widely recognized format, it builds transparency and trust with customers, investors, partners, and other stakeholders affected by your security practices.

How is the SIG questionnaire different from other security questionnaires?

The SIG questionnaire is not the only option you can use for well-rounded VRAs. Other popular options include CAIQ and VSAQ.

Here's a breakdown of these questionnaires:

SIG
  • Focal point: Third-party risk management
  • Number of risk/security areas mapped: 21
  • Number of mappings: 35+

CAIQ
  • Focal point: Cloud security transparency
  • Number of risk/security areas mapped: 17
  • Number of mappings: 10+
  • Examples of mapped standards/regulations: ISO 27001, NIST CSF, NIST 800-53

VSAQ
  • Focal point: Vendor security
  • Number of risk/security areas mapped: 8
  • Number of mappings: 2+
  • Examples of mapped standards/regulations: NIST CSF, GDPR, CCPA

The SIG questionnaire is indexed to over 35 standards and regulations, making it among the most comprehensive options when it comes to security and risk coverage. It also comes with the most risk areas covered, so it’s a reliable option for VRAs in any industry.

Is the SIG questionnaire free?

Unlike CAIQ or VSAQ, the SIG questionnaire isn’t free for public use: it’s only available to Shared Assessments members. If you’re not a member yet, you have two corporate license options to choose from:

  1. One year: $6,500
  2. Two years: $12,300

Alternatively, you can get the SIG as a part of Shared Assessments’ Primary Product Suite for $7,200 per year. Besides the questionnaire, the suite includes two other products—Vendor Risk Management Maturity Model and Standardized Control Assessment Procedure, which can further support your security practices.

There are two additional tiers you can explore if you want to leverage Shared Assessments’ complete offering.

Primary Plus Product Suite
  • What’s included: Everything in Primary Product Suite + Data Governance
  • Cost: $9,000 per year

Comprehensive Product Suite
  • What’s included: Everything in Primary Plus Product Suite + Third Party Service Inherent Risk Rating and ESG SIG
  • Cost: $11,000 per year

You can also buy the products from these suites separately to create a custom ecosystem of solutions specific to your team—although the individual cost of a product might be higher than what you’d pay for as part of a specific suite.

3 tips for completing the SIG questionnaire

As a vendor, completing a SIG questionnaire from a prospect can be a formidable task due to its all-encompassing nature. This is especially true for teams that rely on manual work, such as going through multiple spreadsheets and security documents, to finalize each questionnaire they receive.

Excessive manual work during questionnaire completion slows down security teams and can even impact the success of your deals and sales opportunities. There’s also the risk of providing incomplete responses that fail to present an accurate overview of your security posture.

To ensure a cohesive workflow and complete the questionnaire effortlessly, you can follow these practical tips:

  1. Be proactive and prepare common responses
  2. Continuously review your security posture
  3. Automate questionnaire responses

1. Be proactive and prepare common responses

The best practice for organizations is to be prepared to answer security questionnaires at any time and keep a list of common responses that can be used for similar questions. The goal is to not wait for a prospect to send you a security questionnaire before you initiate the relevant workflows, including internal security assessments and data gathering.

Specifically, you can complete the SIG questionnaire as a part of your internal security reviews. Having a pre-filled questionnaire will ensure you have all the information you need to respond to a prospect’s questionnaire in a timely and efficient way.

2. Continuously review your security posture

The SIG questionnaire aims to verify numerous risk areas and threats, which calls for a more methodical approach to internal security reviews. You need to set up a granular overview of your security posture and third-party network, preferably in real time, and continuously adapt your risk management strategy and security controls to respond to new threats. This approach makes it likely you’ll have favorable responses to security questionnaires at any point in time.

The ideal workflow here is to first inventory all your IT assets and third parties. List all the necessary components to map out the potential attack surface and third-party relationships. You should consider having a robust risk management software solution that can help monitor your attack surface and give you a unified view of your security posture at all times.

3. Automate questionnaire responses

If done manually, security reviews and questionnaire completion can be tedious, repetitive, and time-consuming. Processing the questions and filling out the responses alone can take quite some time, but the main source of inefficiencies is what happens between these two processes—evidence collection.

Sifting through documents and spreadsheets to find proof of effective security controls puts a considerable strain on your workflow and prevents your team from focusing on the tasks on their plate.

To overcome this obstacle, you can leverage questionnaire automation tools that take over mundane work and let your teams shift their time and energy to more high-value tasks. Such tools can significantly tighten your workflow and prevent deals from falling through due to inefficiencies.

Complete SIG questionnaires faster with Vanta

Software-supported questionnaire completion gives you a major advantage over competitors, and Vanta can help you gain that edge. It’s a comprehensive trust management platform that automates compliance and security workflows—including the completion of questionnaires like SIG.

Vanta’s Questionnaire Automation product is a dedicated solution to reduce friction during the completion process. It offers plenty of automation features, most notably:

  • A centralized security knowledge base that unifies all your security data and documents
  • AI-enabled responses based on the information in your knowledge base (acceptance rate: 95 percent)
  • Multi-format questionnaire completion that lets you adapt to a prospect’s preferences
  • 73 percent coverage across security questions

These features enhance your ability to tackle multiple questionnaires at one time—enabling you to complete security reviews up to 5 times faster. You can request a custom demo for your team and see how to integrate the solution into your workflows.

Another key automation solution is the Trust Center. It's your custom portal where you can offer a real-time overview of your key security controls and compliance information to your prospects and build trust without extensive work. Watch this webinar for a hands-on overview of the service.
