Deep Dive into the SIG Questionnaire

Kevin Qiu
January 12, 2022

In a previous blog post, we went through an overview of various standardized security questionnaires such as the CAIQ, CSA, HECVAT, and SIG. As a refresher, these security questionnaire standards were created to benefit both buyers and sellers:

  1. To provider buyers with a set of industry standard questions that they could use to evaluate the risk of third party vendors
  2. To provide sellers with a structured set of questions that can be provided proactively to prospects and customers to reduce the need for time consuming, custom questionnaires

After about a year of helping SaaS vendors build trust with their customers, we’ve come to see that the Shared Assessments SIG (Standard Information Gathering Questionnaire) has been by far the most popular and downloaded item out of the four we mentioned last time. Let’s take a deep dive to understand why this is the case!

Shared Assessments is responsible for maintaining and updating the SIG on an annual basis. 

The SIG is comprehensive

Perhaps the biggest reason that the SIG has become so popular is the quality and breadth of questions that are included in the Content Library. Vendors who choose to answer all questions available in the SIG have 1654 to choose from with the latest 2022 update. These 1654 questions cover the following 18 risk domains:

  • Enterprise Risk Management
  • Security Policy
  • Organizational Security
  • Asset and Information Management
  • Human Resources Security
  • Physical and Environmental Security
  • IT Operations Management
  • Access Control
  • Application Security
  • Cybersecurity Incident Management
  • Operational Resilience
  • Compliance and Operational Risk
  • Endpoint Device Security
  • Network Security
  • Privacy
  • Threat Management
  • Server Security
  • Cloud Hosting Services

As you can see, this list is quite exhaustive. From our observations, these questions usually cover at least 85-90% of those found in custom questionnaires, meaning security teams who have this asset available are able to save tens, if not hundreds, of hours a year during the vendor due diligence process. The other 3 standards also generally cover these topics, but do not goto the same level of depth, which typically results in less overlap with customer requests.

The SIG is customizable

In addition to being comprehensive, one of the best features of the SIG is that itwas designed to be customizable. Out of the box, the SIG comes with 2 predetermined templates created by the Shared Assessments members, SIG Core with 825questions, and an abbreviated SIG Lite with 150 questions. Many vendors choose to share both of these with prospects. For lower risk vendors, customers typically find the SIG Lite to be sufficient.

In addition to these formats, the SIG Manager allows you to specify your own scope and build a custom prefilled questionnaire using the responses in your Content Library. This allows you to put as many of the 1654 questions as you would like in your own format. For example, companies that use AWS/Azure/GPC etc. often end up with a bunch of N/A’s for questions about physical security. With a custom SIG, you can simply have one question regarding data center physical security and point the reader to the security page of the cloud infrastructure provider. In all, you can use custom SIG formats to go into as little or as much detail about a certain risk domain as you would like.

The SIG is updated frequently

The final benefit of using the SIG over some of the other formats is the frequency with which the questions are updated. Trends, technology, regulations and standards in the security world change at a rapid pace, and as a result ways in which companies evaluate risk evolve quickly as well. As the industry leading organization the SIG’s Content Library is updated on an annual basis through a collaboration between the Shared Assessments team and industry thought leaders that are in constant communication and discussion. We understand that some security professionals may hesitate at using a standard questionnaire that requires a paid license, but membership fees allow for Shared Assessments to produce one of the most high quality, up-to-date security assets that vendors can leverage to build trust with their customers.

Interested in purchasing a SIG license for your organization? SafeBase is an official reseller of the SIG and can bundle this along with a SafeBase plan. Contact us today for more details!

Discover SafeBase

Learn how SafeBase has helped companies speed through security assessments and expedite deals.