Due diligence is a critical component of third-party risk management (TPRM). Doing it well requires gathering a diverse range of information from third-party vendors so that their risk management practices and controls can be assessed accurately. The Standardized Information Gathering (SIG) questionnaire is a commonly used tool for this purpose.
In this blog, we will explore what a SIG questionnaire includes, the different types that are available, the benefits of using them, and tips for integrating them into your due diligence process.
What Is a Vendor SIG Questionnaire?
The SIG questionnaire is a widely adopted resource for collecting essential information from third-party vendors and service providers. Developed by Shared Assessments, a non-profit organization focused on TPRM, it is used to gather details about a vendor's security controls, data privacy practices, and compliance with regulatory requirements. SIG questionnaire licenses are available for purchase through Shared Assessments.
SIG questionnaires cover 21 risk domains, including cybersecurity incident management, cloud services, privacy management, and network security. They’re aligned with current standards and regulations, such as PCI DSS, ISO, NIST, and the Interagency Guidance on Third-Party Relationships.
Shared Assessments regularly updates SIG questionnaires to incorporate the latest regulatory changes, including the EU's Digital Operational Resilience Act (DORA).
Types of SIG Questionnaires to Assess Vendors
There are three main types of SIG questionnaires your organization can use during third-party due diligence, each serving a different assessment need:
- SIG Core – The SIG Core is the most comprehensive questionnaire, containing about 855 questions across the 21 risk domains. It's designed to assess vendors that handle highly sensitive or regulated information. Key features of SIG Core:
  - Offers a comprehensive overview of a vendor's security measures
  - Suitable for assessing high-risk vendors
  - Covers a wide range of compliance requirements
- SIG Lite – The SIG Lite is a shorter questionnaire, containing approximately 126 questions. This version is intended to offer a high-level overview of a vendor's security practices. Key features of SIG Lite:
  - Offers a broad but less detailed assessment
  - Ideal for preliminary evaluations or low-risk vendors
  - Can be used as a starting point before a more comprehensive review
- Custom SIG – Organizations can build a custom SIG questionnaire by choosing questions from the SIG content library, which contains over 1,800 questions. This lets a business tailor the assessment to its specific needs and risk profile. Key features of Custom SIG:
  - Flexibility to add or remove questions based on business requirements
  - Can be adapted to specific industries or compliance needs
  - Allows for a more targeted assessment approach
Choosing the Right SIG Questionnaire for Your Third-Party Risk Management Needs
To effectively select a SIG questionnaire, consider the following factors:
- Vendor risk profile: The SIG Core questionnaire is better suited for high-risk vendors, while the SIG Lite is better for low-risk vendors or initial risk assessments.
- Resource availability: Keep in mind that SIG Core will require more time and resources to complete and review than SIG Lite, so plan accordingly.
- Compliance requirements: The questionnaire should align with all regulatory frameworks your organization must follow to ensure comprehensive coverage.
- Depth of assessment: Determine whether you need a comprehensive evaluation or a general overview and choose the questionnaire that best fits your assessment goals.
Benefits of Using SIG Questionnaires in Third-Party Risk Management
For organizations weighing the costs and benefits of integrating SIG questionnaires into their due diligence process, the following advantages are worth considering:
- Standardization: SIG provides a consistent approach to vendor assessments across industries.
- Efficiency: Pre-defined questions save time in creating and distributing assessments.
- Comprehensive coverage: SIG questionnaires are mapped to multiple regulations and control frameworks.
- Flexibility: The ability to customize questionnaires allows for tailored assessments.
- Regular updates: Shared Assessments updates the SIG annually to reflect new regulations and best practices.
SIG questionnaires also benefit vendors. Once a vendor has purchased a license and completed a SIG questionnaire, it can share that same completed questionnaire with every customer that requests it, which is far more efficient than filling out a new bespoke questionnaire for each organization.
How To Use SIG Questionnaires in Third-Party Due Diligence
While SIG questionnaires are a valuable tool for standardizing and gathering third-party vendor information, a completed questionnaire is a self-attestation: it records what the vendor says about its controls, not what has been verified. Organizations should always use SIG questionnaires in combination with vendor-provided documentation and other evidence as part of a comprehensive due diligence process.
Here are six steps to take when using a SIG questionnaire during due diligence:
- Initial screening – Use SIG Lite (126 questions) for preliminary evaluations of vendors or low-risk third parties. This version provides a high-level view of their security. A SIG Lite can be a useful tool in narrowing down vendors during a formal RFP or RFI process.
- In-depth assessment – Use the SIG Core framework (855 questions) to evaluate 21 risk domains for high-risk or critical vendors. This version provides deeper insights into the vendor's security posture.
- Customization – Remember, one size doesn't fit all in TPRM. Tailor the SIG questionnaire by selecting relevant sections or risk domains based on the specific vendor relationship and services provided. If you select questions that aren’t applicable to the vendor’s product or service, the vendor may become frustrated, or you may have a difficult time getting a response.
- Gather documentation – Due diligence documentation should accompany the SIG as evidence of risk management practices and controls and be relevant to identified risks. Examples include:
- Subject matter expert (SME) risk assessment – Have qualified SMEs analyze the combined information from the SIG questionnaire and the due diligence documentation, give an opinion on the sufficiency of the vendor's control environment, and establish a risk profile for each vendor.
- Ongoing monitoring – Re-assess vendors periodically with an updated SIG questionnaire and refreshed documentation to track changes in their risk posture over time.
By leveraging SIG questionnaires, organizations can strengthen their TPRM processes, support compliance with industry standards, and make better-informed decisions about their vendor relationships. Whether you opt for the comprehensive SIG Core, the streamlined SIG Lite, or a custom version, these standardized assessments can significantly improve your organization's ability to manage third-party risk.