Standards and Frameworks

Shared Assessments SIG

The Standardized Information Gathering (SIG) questionnaire is a questionnaire management tool that helps organizations build, analyze and store vendor questionnaires for third party risk assessments. The SIG is developed by Shared Assessments, an organization specializing in third party risk management that provides its services to clients through membership.

Last Updated: July 24, 2019

Shared Assessments SIG
The SIG questionnaire gathers the information needed to determine how a service provider manages its security risks. The evaluation covers a spectrum of 18 risk control areas, or “domains”. Users of the SIG can build questionnaires in four classes: Lite, Core, Full, and Master; the level of detail and the number of questions increase from Lite to Master. Users can build questionnaires matched to the criticality of the functions a service provider performs.
The SIG 2019 update now includes two files in the package: the SIG Management Tool and the SIG How to Guide.
The SIG Management Tool has the following key features:
- Personalized questionnaire build-up. The SIG Management Tool contains a Microsoft Excel workbook in which users build their SIG questionnaire, using the Content Library as a bank of questions to draw from
- Response comparison. Users can use the SIG Management Tool to compare a service provider’s SIG responses to a Master SIG and create a report listing the discrepancies between the SIGs for further analysis and follow-up
- Portability. The SIG Management Tool can transfer responses from one SIG file version to another, which makes it easy to update responses to a newer SIG version without starting from scratch
- Storage. Users can store the SIGs they have created in the SIG Management Tool and draw from that stock as they develop new SIG questionnaires for new vendors
The SIG How to Guide provides step-by-step instructions for using the SIG Management Tool to create, analyze and store SIGs. The Guide also contains best-practice guidance on administering the SIG as part of a third party risk management program.
The SIG can be used in various ways:
- Used by an outsourcer to evaluate its service providers’ risk controls
- Completed by a service provider and used proactively as part of a request for proposal (RFP) response
- Completed by a service provider and sent to its client(s) instead of completing one or more proprietary questionnaires
- Used by an organization for self-assessment

Shared Assessments Third Party Risk Management Toolkit
The SIG is one of four tools promoted by Shared Assessments for third party risk management. The whole toolkit includes:
- The Standardized Information Gathering (SIG) questionnaire collects the information necessary to conduct an initial assessment of a service provider’s controls
- The Standardized Control Assessment (SCA) procedures verify a service provider’s answers to the SIG through onsite and other validation assessments
- The Vendor Risk Management Maturity Model (VRMMM) is a free tool for benchmarking third party risk management programs
- The GDPR Privacy Tools help organizations manage their privacy programs beyond the scope of the GDPR and assess data processor controls