What is a SIG: Your Guide to the Standardized Information Gathering Questionnaire

If you work in cybersecurity, compliance, or vendor management, you have probably heard of the SIG. But what is a SIG, exactly? In short, it’s a standardized questionnaire used to assess the security posture of third-party vendors. Think of it as a common language for security due diligence.

Instead of every company sending its own unique, time-consuming security questionnaire, the SIG provides a consistent, widely accepted format. This saves everyone time, reduces redundant work, and helps organizations make faster, better-informed risk decisions. Let’s dive into the details.

What is the Standardized Information Gathering Questionnaire (SIG)?

So, what is a SIG? The SIG (Standardized Information Gathering questionnaire) is a tool used to collect consistent and comparable information about a vendor’s security controls. It standardizes the initial assessment of third parties across numerous risk areas. Created and updated annually by the member-driven organization Shared Assessments, the SIG is a cornerstone of many third-party risk management (TPRM) programs. Its goal is to establish trust through a detailed questionnaire, whose answers can then be verified with evidence.

The Purpose of the SIG in Vendor Risk

The main purpose of the SIG is to consistently evaluate a vendor’s security, privacy, and resilience controls. This helps organizations accelerate their due diligence process and reduce the burden of custom questionnaires on their vendors. Understanding what a SIG is is the first step toward capturing this efficiency.

Key uses include:

  • Evaluating a vendor’s security controls to understand their risk posture.

  • Documenting due diligence efforts for auditors and regulators.

  • Standardizing security evaluations during the Request for Proposal (RFP) process. Tip: To keep RFPs moving, give buyers self‑serve access to your security docs via a Trust Center.

  • Allowing vendors to complete one assessment proactively to share with multiple customers.

  • Enabling organizations to perform self-assessments to benchmark their own security posture.

Who Creates the SIG? Shared Assessments

The SIG is authored and maintained by Shared Assessments, a cross-industry, member-driven organization. Since 2005, Shared Assessments has provided best practices, certifications, and tools for third-party risk professionals. The SIG is one of its core offerings, with updates vetted and informed by a diverse community of practitioners who track emerging risks and regulatory changes. This member-driven approach is fundamental to what the SIG is today.

SIG Types: Core and Lite

The answer to “what is a SIG?” is not one-size-fits-all. It comes in two primary pre-built versions, SIG Lite and SIG Core, to match different risk levels. Organizations can also create a “Scoped SIG” for highly tailored assessments or use the full “Detail” version. There is even a standalone ESG SIG for environmental, social, and governance due diligence. The choice between Lite and Core typically depends on the vendor’s criticality and the sensitivity of the data it handles.

A Closer Look at SIG Core

So, what is a SIG Core questionnaire? It’s the more comprehensive version designed for vendors with higher inherent risk. This includes third parties that manage highly sensitive or regulated data, such as personal information (PII), health information (PHI), or payment card data. The 2025 SIG Core includes 627 questions, though this number can be customized based on the specific risk domains being assessed.

A Quick View of SIG Lite

SIG Lite is the shorter, more streamlined version of the questionnaire. It’s intended for lower-risk vendors or as a preliminary review before a deeper assessment. The 2025 SIG Lite contains 128 questions that provide a high-level overview of a vendor’s key controls. Many organizations use SIG Lite as the standard assessment for their low- or medium-low-risk third parties. If you’re standardizing how you share SIG responses, this overview of what a Trust Center is can help.

How the SIG Compares to the CAIQ

When discussing what a SIG is, it’s helpful to compare it to other common questionnaires such as the Consensus Assessments Initiative Questionnaire (CAIQ) from the Cloud Security Alliance (CSA). While both are valuable, they serve different purposes.

The SIG is broad, covering 21 risk domains relevant to almost any type of third party. The CAIQ, on the other hand, is specifically focused on cloud security and aligns directly with the CSA Cloud Controls Matrix (CCM). While cloud controls are a subset of what the SIG covers, the CAIQ is the go-to tool for assessing cloud service providers and is tied to the CSA STAR Registry for transparency.

Manually answering any of these questionnaires can drain resources. Teams looking to automate their responses to SIGs and CAIQs often turn to Targhee’s AI Questionnaire Tool to streamline the process. If you’re evaluating tooling to support either approach, start with these vendor questionnaire tools.

What Risk Domains Does the SIG Cover?

The 2025 SIG covers 21 distinct risk domains, which are focus areas for assessing third-party controls. These are organized under four major categories:

  1. Governance & Risk Management

  2. Information Protection

  3. IT Operations & Business Resilience

  4. Security Incident & Threat Management

Examples of specific domains include Access Control, Application Security, Artificial Intelligence (AI), Nth Party Management, and ESG. This comprehensive coverage is a key reason so many organizations ask, “what is a SIG?” when building their TPRM program.

Mapping to Frameworks and Regulations

One of the SIG’s most powerful features is its direct mapping to major regulations and security frameworks. The 2025 SIG Content Library contains mappings to 31 different reference documents. This allows vendors to reuse evidence and helps assessors align vendor controls with their own compliance obligations.

Key mappings include:

  • ISO/IEC 27001:2022 and ISO/IEC 27002:2022

  • NIST SP 800-53 Rev. 5

  • NIST Cybersecurity Framework (CSF 2.0)

  • DORA and NIS2

This built-in alignment saves significant time and effort for both vendors and assessors. For a broader view of platforms that help operationalize these mappings, see our guide to compliance management software.

SIG Content Library and Question Count

The SIG is built from a central Content Library of questions. The total number of questions can be quite large, but it’s always scoped down for practical use.

  • SIG Detail (Full): 1,936 questions

  • SIG Core: 627 questions

  • SIG Lite: 128 questions

Users can also append up to 100 custom questions to tailor an assessment to their specific needs. The question counts evolve with each annual update as new risks and regulations emerge.

If your team is struggling to keep up with hundreds of questions across multiple assessments, a centralized platform can make all the difference. Learn how Targhee’s Trust Center centralizes security artifacts.

Real World Use Cases and Applications

Beyond defining what a SIG is, it’s important to see how it’s actually used in practice.

  • Vendor Due Diligence: Assessors use it to evaluate the security posture of potential and existing vendors.

  • Proactive Compliance: Vendors complete a SIG ahead of time and publish key artifacts in a Trust Center, speeding up sales cycles.

  • Procurement: SIGs are often included in RFPs to standardize the security evaluation of bidders.

  • Scaling TPRM: The SIG is integrated into over 30 GRC and TPRM platforms, enabling teams to manage assessments at scale.

SIG Adoption and User Base

The SIG is widely adopted across industries. More than 500 organizations and partners license the SIG for their security due diligence. Each year, over 100,000 SIG questionnaires are exchanged between companies, highlighting its role as an industry standard.

How to Access and Download the SIG

After learning what a SIG is, many teams want to know how to get it. The SIG is not a free tool. Access requires either a membership with Shared Assessments or a standalone subscription. As of 2025, a corporate license is listed at $6,500 for one year. The license includes the SIG product itself, the SIG Manager tool, a user guide, and other supporting documentation.

The Components of the SIG Framework

When you license the SIG, you get more than just a list of questions. The toolset includes:

  • SIG Manager: An Excel-based engine used to scope questionnaires, apply framework mappings, and generate templates for vendors.

  • Content Library: The full bank of questions and mappings.

  • Response Template: A standardized format for vendors to provide their answers and comments.

  • User Guides: Documentation to help you get the most out of the tools.

How Often is the SIG Updated?

The SIG is updated annually to keep pace with the ever-changing risk landscape. For example, the 2025 release added or updated mappings for DORA, NIS2, and NIST CSF 2.0. The 2024 update expanded the number of risk domains from 19 to 21. This regular cadence ensures the questionnaire remains relevant and aligned with current best practices.

Frequently Asked Questions about the SIG

What is a SIG in cybersecurity?

In cybersecurity, a SIG is a Standardized Information Gathering questionnaire. It is a tool used by organizations to assess the security and risk posture of their third-party vendors in a consistent and efficient manner.

Is the SIG questionnaire free?

No, the SIG is not free. It requires a license from the organization Shared Assessments. A corporate license provides access to the questionnaire templates, the SIG Manager tool, and all supporting documentation.

What are the main types of SIGs?

The two primary types are SIG Lite and SIG Core. SIG Lite is a shorter version for lower-risk vendors, while SIG Core is a more detailed questionnaire for vendors with higher risk or access to sensitive data.

How is the SIG different from SOC 2?

The SIG is a questionnaire used to gather information about a vendor’s controls. A SOC 2 report is an attestation from an independent auditor that verifies the effectiveness of those controls over a period of time. A completed SIG can help a company prepare for a SOC 2 audit, but the two are not the same thing; completing a SIG is often a prelude to providing a SOC 2 report.

Why do companies use the SIG?

Companies use the SIG to streamline their third-party risk management process. It provides a standardized, comprehensive, and customizable way to conduct due diligence, saving time for both the assessor and the vendor. Automating SIG responses with Targhee’s AI Questionnaire Tool can reduce completion time by up to 80%.
