The Standardized Information Gathering (SIG) questionnaire is used to perform an initial assessment of vendors, gathering information to determine how security risks are managed across 18 different risk domains. It was created to manage cybersecurity risk, particularly third-party and fourth-party risk.
The questionnaire is common in the United States, especially in industries that are highly regulated or handle sensitive information, such as banking, pharmaceutical, insurance and technology.
There are three types of SIG questionnaire:
SIG questionnaire: The SIG assessment evaluates vendors based on 18 individual risk controls, which together determine how security risks are managed across the vendor's environment.
SIG LITE: The SIG questionnaire is extensive, targeting multiple risk areas across multiple disciplines.
SIG CORE: SIG CORE is a library of questions that security teams can pick and choose from.
The SIG questionnaire can be used in a number of ways:
To evaluate a service provider's information security controls.
Completed by third-party vendors and used proactively as part of due diligence or a request for proposal (RFP) response.
Completed by a service provider and sent to their clients instead of completing one or multiple third-party risk assessments.
Used by an organization as part of its self-assessment process.
Because SIG is indexed to many standards (ISO 27002:2013, FFIEC Appendix J, FFIEC CAT, PCI, FFIEC IT Management Handbook, NIST SP 800-53 Rev 4, NIST CSF, HIPAA and GDPR), it makes compliance simpler.
In addition, as the security needs of organizations continue to change, many security teams have found that picking and choosing different questions from different assessments works best for their vendors.