Standardized Information Gathering (SIG) Questionnaire
The SIG is a comprehensive set of questions used to assess the cybersecurity, IT, data security, and privacy risks and controls of third-party service providers and vendors.
What is a SIG questionnaire?
The Standardized Information Gathering (SIG) questionnaire was developed by the Shared Assessments Program, a membership organization dedicated to standardizing and simplifying the vendor risk assessment process across industries. Its goal is to provide tools that organizations can use to manage the risks associated with outsourcing more effectively.
The SIG questionnaire can be used in several ways:
- Self-Assessment: Organizations can use the SIG to evaluate their own internal cybersecurity and risk management controls.
- Vendor Assessment: It's commonly used to evaluate the risk controls of third-party service providers. By using a standardized questionnaire like the SIG, organizations can avoid creating their own custom questionnaires, which can be time-consuming and may not cover all relevant risk areas.
- Baseline for Custom Questionnaires: Some organizations may use the SIG as a starting point and then customize it further to fit their specific needs and risks.