Companies and organizations increasingly rely on suppliers, vendors, and outsourcing partners to do business. But if you choose the wrong partner, you expose your company to very real financial, regulatory, legal, and reputational risks.
In the current climate, customers, investors, and other stakeholders want ever-stronger environmental, social, and governance (ESG) policies. Governments want absolute compliance with difficult-to-implement know your customer (KYC), anti-money laundering (AML), and sanctions policies.
The Standardized Information Gathering questionnaire (or SIG questionnaire) was created to mitigate these third-party risks. Many procurement and risk management professionals use the SIG questionnaire prior to onboarding new trading partners.
In this article, we cover:
- What a SIG questionnaire is
- How companies use SIG questionnaires as part of their assessment process
- How SIGs differ from other vendor risk assessment questionnaires
- How procurement and risk management professionals can benefit from SIG
What Is a SIG Questionnaire?
The SIG questionnaire is a type of Standardized Control Assessment (SCA). SCAs are used by procurement and risk managers to assess levels of exposure to third-party risks.
Developed by the Shared Assessments Program (SAP), the SIG assessment questionnaire was designed solely for use as a vendor risk management tool.
SIG questionnaires help businesses and organizations evaluate how effective a prospective third-party partner’s security controls are. Requiring potential suppliers to complete a SIG questionnaire can form part of a company’s enhanced due diligence process.
SIG questionnaires assess vulnerability in the following 19 areas:
- Access control: Who can access data and systems
- Application security: Protections in place to stop unauthorized access or modification
- Asset and information management: Management and protection of assets and information
- Cloud hosting services: Level of security employed by cloud hosting services, including protection of data at rest and of data in transit to and from the cloud
- Compliance management: Level of compliance with regulations, applicable laws, and general industry standards
- Cybersecurity incident management: Detection of, response to, and recovery from cybersecurity attacks
- Endpoint security: Security designed to detect cybersecurity attacks on endpoints (e.g., devices that can connect to company data and systems, like laptops and mobile devices)
- Enterprise risk management: Identification, assessment, and management of organizational risks
- ESG: Approach to operational environmental, social, and governance issues
- Human resources security: Controls that prevent breaches of employee data and unauthorized access to systems
- Information assurance: Measures taken to defend the availability, integrity, and confidentiality of information assets
- IT operations management: How reliability and security are managed in IT operations
- Network security: Protection of networks against cybersecurity threats
- Nth-party management: Risk management of subcontractors and third parties involved in service delivery
- Operational resilience: How operational continuity is ensured during disasters or disruptions
- Physical and environmental security: Protections in place to secure physical facilities (e.g., data centers) against unauthorized access or damage (e.g., from environmental factors like fire)
- Privacy management: Compliance of personal data management with relevant privacy laws
- Server security: Protections in place to secure servers that hold sensitive data
- Business continuity and resiliency: Ability to carry on business during disasters and disruptions
How Do Companies Use SIG Questionnaires?
Popular use cases for SIG are:
- Third-party security control and risk posture evaluations: When a potential vendor or supplier sends back their completed questionnaire, you can quickly identify any weaknesses or gaps in a third party’s security profile.
- Proof of adequate security controls: Some vendors and suppliers choose to complete a SIG questionnaire instead of a client’s proprietary third-party security assessment questionnaire to save time. Given SIG’s popularity, many procurement and risk managers are happy to accept it.
- Sales aids: SIGs are often sent with replies to client RFPs to indicate clearly a company’s commitment to meeting industry standards on security issues.
- Self-assessments: Some businesses and financial service providers take the SIG test to identify gaps in their own security controls.
Many firms now use software to automate sending out and collecting third-party vendor questionnaires like SIG. Such platforms can also analyze the responses and output metrics showing how well a supplier or vendor’s security profile aligns.
How Does SIG Compare to Other Vendor Risk Assessment Questionnaires?
The two most commonly used security questionnaires are NIST SP 800-53 and ISO 27001. Below, we provide a short summary of how these two differ from SIG with regard to scope, areas of focus, and level of detail.
Scope refers to the range of risks each questionnaire attempts to measure. The scope of each of the three questionnaires is as follows:
- SIG was specifically created to measure vulnerabilities across the 19 risk domains identified by SAP. It was only ever designed for vendor risk management exercises, although, as we’ve seen, some companies also use it to assess their own security posture.
- NIST SP 800-53 is specific security control guidance for federal agencies covering National Security Systems (NSS), non-National Security Systems (non-NSS), and mixed systems. Private businesses that work with the U.S. government also use NIST SP 800-53.
- ISO 27001 is a widely recognized standard used to set up, execute, maintain, and improve organizational information security management practices.
Area of focus refers to specific threats within the overall range of risks. The areas of focus for each questionnaire are:
- SIG covers a broad range of third-party security risks including business continuity, incident response, data protection, physical security, personnel security, and governance.
- NIST SP 800-53 focuses on business continuity planning, incident response, auditing and accountability, access controls, identification and authorization, risk assessment, and other factors. It’s designed as a framework from which individual federal agencies can develop privacy and security procedures and policies.
- ISO 27001 focuses on many of the same areas as NIST SP 800-53 but with a focus on putting in place specifically identified security controls. It shares some of the other areas of focus with SIG and NIST SP 800-53, including human resource security and business continuity.
Level of detail refers to how deeply each questionnaire investigates specific threats and the overall range of risks. For the three questionnaires, the level of detail is as follows:
- SIG allows you to choose the questions you include in your questionnaire, so the level of detail is up to you. The standard SIG questionnaire has around 800 questions. The SIG Core questionnaire has over 1,200 questions, while the SIG Lite questionnaire has 330 questions. Alternatively, you can choose which of the 1,200 questions you want for your assessment to match your exact needs. You can even add your own questions if you want.
- NIST SP 800-53 is a framework around which individual federal agencies can identify and achieve specific security objectives across 18 areas (“families”) — ranging from systems and communication protection to configuration management.
- ISO 27001 is both prescriptive and exhaustive, providing in-depth guidance on how to reach the standards it sets out. Its annex is over 100 pages long and split into 14 sections — detailing requirements in areas like incident management, asset management, and access control.
NIST SP 800-53 and ISO 27001 can, to a large extent, be mapped to each other for alignment.
In summary, SIG only focuses on measuring third-party risk across a set of 19 defined areas of vulnerability. In comparison, ISO 27001 and NIST SP 800-53 are much more rigid frameworks focused primarily on information security management.
How Procurement and Risk Management Professionals Can Benefit From SIG
Procurement and risk managers use SIG in their vendor selection processes for the following reasons:
- It’s comprehensive: You can identify both specific and general areas of concern in a third party’s security profile. Choosing suppliers and vendors that have the correct security procedures in place results in greater supply chain resilience.
- It maps to other risk frameworks: Suppliers’ and vendors’ answers to the SIG questionnaire make it possible to gauge their current compliance with other frameworks like GDPR, PCI DSS, and HIPAA.
- It’s updated annually: SIG is updated once a year, so it stays current with most regulatory changes and guidelines. SAP’s revisions to the questions also reflect changing customer expectations and the overall risk landscape.
- It’s customizable: SIG gives greater flexibility in third-party risk discovery because, although it’s a defined framework, it can be customized to a business’s specific needs.
How SIG Questionnaire Responses Improve TPRM
Procurement and risk control professionals use the SIG framework to:
- Identify high-risk vendors and speed up remediation: Prioritize your efforts on working with vendors with security gaps that need immediate attention to mitigate the most severe risks.
- Strengthen relationships: By working with third parties to improve their security posture, you improve collaboration, which leads to mutually favorable outcomes for you and your supplier.
- Streamline assessment workflows: When integrated with risk management or GRC software, you can automate the dispatch, collection, and analysis of questionnaires. This accelerates the process of vendor/supplier selection.
- Stay compliant: SIG’s annual updates ensure that your third-party risk assessments are current with best practices, regulations, and threats.
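The response analysis mentioned above (the software that scores returned questionnaires and the "identify high-risk vendors" and "streamline assessment workflows" points) is the part of the SIG workflow that can be scripted. The Python below is an added example, not code from the Shared Assessments Program or from any GRC product, and it assumes a completed questionnaire has already been exported as (question ID, domain, answer) triples. The domain subset, domain weights, question IDs and answers are all constructed for the example; the IDs are not real SIG question numbers. It shows the two decisions a scoring model has to make that the prose leaves implicit: how to treat "N/A" answers (excluded from the denominator, but a domain with no applicable answer at all counts as unverified rather than satisfied) and how to order the gaps so the list reads as a remediation priority.

```python
"""Gap scoring over SIG-style questionnaire responses (added example)."""
from collections import defaultdict

# Constructed subset of the 19 SIG risk domains named in the article, with
# constructed weights for how much a gap in each domain matters to this engagement.
DOMAIN_WEIGHT = {
    "Access control": 3.0,
    "Cybersecurity incident management": 3.0,
    "Nth-party management": 2.0,
    "Privacy management": 2.0,
    "Endpoint security": 1.0,
}

# Constructed (question_id, domain, answer) triples standing in for a completed
# questionnaire; the IDs are placeholders, not real SIG question numbers.
SAMPLE_RESPONSES = {
    "vendor-alpha": [
        ("Q-AC-1", "Access control", "Yes"),
        ("Q-AC-2", "Access control", "Yes"),
        ("Q-AC-3", "Access control", "No"),
        ("Q-AC-4", "Access control", "Yes"),
        ("Q-IM-1", "Cybersecurity incident management", "Yes"),
        ("Q-IM-2", "Cybersecurity incident management", "Yes"),
        ("Q-IM-3", "Cybersecurity incident management", "Yes"),
        ("Q-NP-1", "Nth-party management", "No"),
        ("Q-NP-2", "Nth-party management", "No"),
        ("Q-NP-3", "Nth-party management", "N/A"),
        ("Q-PM-1", "Privacy management", "Yes"),
        ("Q-PM-2", "Privacy management", "Yes"),
        ("Q-ES-1", "Endpoint security", "Yes"),
        ("Q-ES-2", "Endpoint security", "No"),
    ],
}
# vendor-beta (also constructed) answers "Yes" to everything except one incident-management control.
SAMPLE_RESPONSES["vendor-beta"] = [
    (qid, domain, "No" if qid == "Q-IM-2" else "Yes")
    for qid, domain, _ in SAMPLE_RESPONSES["vendor-alpha"]
]


def domain_ratios(responses):
    """Fraction of applicable controls answered "Yes" in each weighted domain.

    "N/A" answers are dropped from the denominator so a vendor is not penalised
    for controls that do not apply. A domain with no applicable answer at all
    scores 0.0: an unanswered control is unverified, not satisfied.
    """
    yes, applicable = defaultdict(int), defaultdict(int)
    for _qid, domain, answer in responses:
        if domain not in DOMAIN_WEIGHT or answer == "N/A":
            continue
        applicable[domain] += 1
        if answer == "Yes":
            yes[domain] += 1
    return {d: (yes[d] / applicable[d] if applicable[d] else 0.0) for d in DOMAIN_WEIGHT}


def weighted_score(ratios):
    """Alignment score in [0, 1]: weighted mean of the per-domain ratios."""
    return sum(DOMAIN_WEIGHT[d] * ratios[d] for d in DOMAIN_WEIGHT) / sum(DOMAIN_WEIGHT.values())


def gap_report(responses, threshold=0.8):
    """Domains below the threshold as (domain, ratio, failed_question_ids).

    Sorted highest-weight domain first, then lowest ratio, so the list reads
    as a remediation priority order.
    """
    ratios = domain_ratios(responses)
    failed = defaultdict(list)
    for qid, domain, answer in responses:
        if domain in DOMAIN_WEIGHT and answer == "No":
            failed[domain].append(qid)
    gaps = [(d, ratios[d], failed[d]) for d in DOMAIN_WEIGHT if ratios[d] < threshold]
    return sorted(gaps, key=lambda g: (-DOMAIN_WEIGHT[g[0]], g[1]))


def rank_vendors(all_responses, threshold=0.8):
    """(vendor, score, gap_count) rows, riskiest vendor first."""
    rows = [(v, weighted_score(domain_ratios(r)), len(gap_report(r, threshold)))
            for v, r in all_responses.items()]
    return sorted(rows, key=lambda row: (row[1], -row[2]))


if __name__ == "__main__":
    for vendor, score, n_gaps in rank_vendors(SAMPLE_RESPONSES):
        print(f"{vendor}: alignment {score:.0%}, {n_gaps} domain(s) below threshold")
        for domain, ratio, failed in gap_report(SAMPLE_RESPONSES[vendor]):
            print(f"  {domain}: {ratio:.0%} in place; remediate {', '.join(failed)}")
```

Run as a script it prints vendor-alpha first (three domains below the 80% threshold, with Nth-party management at 0% ranked above the lighter-weight endpoint gap) and vendor-beta second with a single incident-management gap. The weights are the part a risk manager would tune per engagement: a supplier that handles personal data warrants a heavier privacy weight than one that does not.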