Vendor Tips for the SIG Questionnaire
Michael Soohoo, Compliance Analyst, HYPR
3 Min. Read | March 10, 2023
Many companies understand the pain of constantly filling out extremely arduous customer-requested security questionnaires. Most of the time, the same common questions get asked over and over again. For some companies, the effort to go through a questionnaire requires a substantial company-wide commitment, which can impact other projects and priorities.
What is Shared Assessments/SIG?
In 2005, Shared Assessments was created to help solve this issue. Formed by the top banks, consulting firms, and vendors, they standardized and created an industry-wide approved risk assessment questionnaire, which eventually became the Standardized Information Gathering (SIG) Questionnaire.
The Shared Assessments SIG vendor risk questionnaire is a standardized questionnaire typically used for initial assessments of vendors/third parties.
Aligned with industry standards, the questionnaire is updated on an annual basis to comply with new standards and regulations and to account for changes in the cybersecurity landscape. It is an effective way to test a vendor's risk posture against 19 different risk domains, ranging from Access Control to Threat Management. This is also beneficial and efficient for the vendor, as it only has to fill the questionnaire out once. As a security vendor, HYPR responds to numerous requests from customers to complete both custom and standardized assessment questionnaires. In order to make the process more efficient for both us and our customers, we decided to formalize the system using a third-party service. The SIG questionnaire is one that we encounter frequently and is one of the most rigorous; most of the questions we get asked are covered within the SIG. With that decision made, how does a company like HYPR obtain and officially use the SIG questionnaire?
Tips for Completing the SIG
Any organization can obtain access to the SIG questionnaire by paying an annual subscription on the Shared Assessments website. The questionnaire should be completed by experts in the company with knowledge of the specific risk domains covered. As the SIG is an extensive questionnaire, this can sometimes take several weeks. However, there are a few tips and tricks that can help a company accelerate the process:
- Use RFP response software such as Loopio. Loopio allows companies to store previously completed questionnaires. Magic (their AI) will look through the library (maintained by someone in the company) and pick the answer it judges best matches the question. If Magic's answer doesn't answer the question, one can search through the database of answers from previously completed questionnaires or through the library.
- Has the company filled out a different comprehensive, industry-wide accepted standardized questionnaire such as the CAIQ? If so, many of the questions are similar and can be used as a reference when filling out the SIG.
- If an organization went through an external audit such as a SOC or ISO audit, the evidence collected through those audits can serve as a good reference when filling out the SIG as well.
- Lastly, there are two types of SIG: SIG Core (the more comprehensive SIG) and SIG Lite (the basic-level SIG). One could fill out the SIG Lite (126 questions) as a starting point before filling out the more comprehensive SIG Core.
Once completed and reviewed, this questionnaire can be shared with customers.
As a security company, HYPR's customers routinely ask us for responses to various assessment questions, many of which are covered within the SIG. As seen below, HYPR is proud to announce the completion of our SIG questionnaire. If your organization is interested in obtaining a copy, feel free to request it from your account manager or sales contact.
Any company seeking a more efficient way to respond to customer vendor risk assessments should consider filling out the SIG questionnaire.