
Understanding the SIG Questionnaire and The Importance of Vendor Risk Management

February 21, 2024

In today’s interconnected business ecosystem, organizations increasingly rely on third-party vendors for essential services, from cloud computing and data processing to customer service and supply chain management. The proliferation of these vendor relationships has introduced a complex web of vendor risks that can impact information security, privacy, and operational resilience. As part of onboarding vendors and managing existing vendor relationships, it is critical to identify, mitigate, and remediate the risks associated with the vendors your organization works with. One component of a comprehensive vendor risk management program is conducting thorough risk assessments. This blog provides an overview of the Standardized Information Gathering (SIG) questionnaire, a risk assessment developed by Shared Assessments.

What is the SIG?

The SIG is a questionnaire that helps organizations manage supply chain-related risk. It is particularly useful because its controls are mapped to several other cybersecurity frameworks and guidelines, making it extensible across a number of use cases. The SIG questionnaire is available in 3 forms.

  1. SIG Core: The SIG Core questionnaire is a comprehensive assessment with over 700 questions that cover 21 risk domains. The SIG Core is typically used to assess organizations that store or manage highly sensitive or regulated information.
  2. SIG Lite: This preconfigured SIG template is designed to provide broad, but high-level information related to a vendor’s internal information security controls. This SIG Lite is typically used for lower-risk third parties.
  3. SIG Custom: The SIG Core or SIG Lite can be customized to meet an organization’s specific requirements. This can be helpful as certain risk domains may be more relevant for certain companies based on the nature of the services being outsourced.

The SIG covers the 21 risk domains listed below, which are grouped into 4 subject areas.

Governance & Risk Management

  1. Compliance Management
  2. Enterprise Risk Management
  3. Environmental, Social, and Governance (ESG)
  4. Human Resources Security
  5. Information Assurance
  6. Nth Party Management
  7. Privacy Management
  8. Supply Chain Risk Management

Information Protection

  1. Access Control
  2. Application Management
  3. Cloud Services
  4. Endpoint Security
  5. Network Security
  6. Physical & Environmental Security
  7. Server Security
  8. Artificial Intelligence

IT Operations & Business Resilience

  1. Asset & Information Management
  2. IT Operations Management
  3. Operational Resilience

Security Incident & Threat Management

  1. Cybersecurity Incident Management
  2. Threat Management

New SIG Domains Indicate Increased Focus on Vendor Risk Management

The SIG is updated annually, and the risk domains are modified to reflect changes in the dynamic risk environment. Notably, Nth Party Management was introduced as a domain in 2023, and Supply Chain Risk Management and Artificial Intelligence (AI) domains were added for the 2024 edition. Below is a brief description of these risk domains.

  • Nth Party Management: Organizations should implement and maintain a formalized Fourth-Nth Party risk governance plan and a continuous risk assessment process that will enable the organization to identify, quantify and prioritize Fourth-Nth Party risks based on the risk acceptance levels relevant to the organization. Nth party risks refer to those posed to your organization through the relationships a third-party vendor has with its own suppliers.
  • Supply Chain Risk Management: Organizations should establish Cybersecurity Supply Chain Risk Management (C-SCRM) program standards that encompass the entire life cycle, from development to maintenance. These program standards can be achieved through research, resource provision, and stakeholder collaboration and will help organizations effectively manage cybersecurity risks in their supply chains.
  • Artificial Intelligence (AI): The practice of understanding AI’s impacts, limitations, and enhancements to its performance, reliability, trustworthiness, and effectiveness. The organization should set goals and implement standards to assist AI developers, users, and evaluator systems in reducing AI-related risks to individuals, organizations, society, and the environment.

The addition of the Nth Party Management and Supply Chain Risk Management domains reflects the heightened focus on risk related to an organization’s vendor network or supply chain. Utilizing the SIG not only serves as an effective method for assessing the maturity of your vendors’ vendor risk management programs, but it also demonstrates to customers and partners that your organization maintains robust controls for managing vendor-related risks.

How ProcessBolt Can Help

ProcessBolt offers the SIG questionnaire as part of our comprehensive, AI-driven vendor risk management platform. Organizations can leverage the SIG Core or SIG Lite, or we can work with your team to customize the SIG questionnaire based on your specific business objectives.

In addition to gaining access to the SIG questionnaire via ProcessBolt, organizations can leverage ProcessBolt AI to auto-populate responses to the SIG questionnaire based on vendor corporate documentation and attack surface data. This novel application of AI frees up internal resources to focus on other strategic priorities, provides instant verification of assessment responses with AI-generated citations, and accelerates the time to complete risk assessments.

Get in touch today to learn how we can help you leverage SIG as part of your vendor risk management program.
