Vendor risk explainer

What is a SIG, and what to do when one lands in your inbox

A SIG is the Standardized Information Gathering questionnaire from Shared Assessments, a standardized way to assess a third party's security, privacy, and risk controls. Here is what it is, how SIG Core differs from SIG Lite, who fills it out, and how it relates to CAIQ and SOC 2.

The short version

What is a SIG?

A SIG, short for Standardized Information Gathering, is a questionnaire from the Shared Assessments Program used to evaluate a third party's security, privacy, and risk controls. Rather than every company inventing its own vendor questionnaire, the SIG offers a common, library-based set of questions across risk domains. A vendor answers it once and reuses the responses with many customers, and customers can compare vendors on a consistent basis. It comes in different depths, most notably SIG Core for fuller assessments and SIG Lite for a lighter, higher-level review, and it is one of the most widely used questionnaires in third-party and vendor risk management.

Updated . An independent explainer for vendor risk and security teams.

Where the SIG comes from

The SIG is published and maintained by the Shared Assessments Program, a member-driven body that develops standardized tools for third-party risk management. The point of standardizing is simple. Before standard questionnaires, every customer sent its own bespoke spreadsheet, so vendors answered the same questions a hundred different ways and customers had no consistent basis for comparison. The SIG replaces that with a shared question library, organized into risk domains, that the program updates on a regular release cycle to track changing regulations and frameworks.

SIG Core vs SIG Lite

Both draw from the same Shared Assessments question library. The difference is depth, and you choose based on how much risk a given vendor carries.

SIG Core

The deeper assessment

The more comprehensive set of questions, used for a thorough review of vendors that handle sensitive data or are otherwise higher risk. It covers more control domains in more detail, so it takes longer to complete and to review, and it is reserved for the relationships where that depth is worth it.

SIG Lite

The higher-level screen

A shorter, higher-level subset, used for a broad or lower-risk vendor population, or as a first-pass screen before deciding whether a fuller assessment is warranted. It is faster for the vendor to answer and quicker for the customer to review.

Many programs go further and build a scoped or custom SIG, selecting only the question domains relevant to a particular vendor. The right choice follows your risk tiering: a low-risk supplier may only warrant a Lite screen, while a vendor processing regulated data warrants Core.

How the SIG is used, and who fills it out

The SIG is the assessment step in the vendor risk lifecycle. The customer, the organization managing third-party risk, sends the questionnaire. The vendor, the third party being assessed, fills it out. Then the customer reviews the responses, flags gaps, requests evidence or remediation, and uses the result to inform onboarding, contracting, and ongoing monitoring.

Because the questionnaire spans many control domains, the vendor side is usually a team effort across security, compliance, IT, and sometimes legal or privacy. On the customer side, a vendor or third-party risk team decides which SIG to send based on how the vendor is tiered, then evaluates the answers. The standardized format is what makes this scalable: you can compare vendors against each other and reassess them on a recurring cadence without reinventing the questions each time.

Where RiskWatch fits: sending, collecting, scoring, and tracking these questionnaires across a vendor portfolio is exactly the work that breaks down in email and spreadsheets. That assessment, scoring, and evidence workflow is what RiskWatch vendor risk management software is built to run.

How the SIG relates to CAIQ and SOC 2

The SIG is not the only artifact in a vendor assessment, and people often confuse it with two others.

SIG vs CAIQ

The CAIQ, or Consensus Assessments Initiative Questionnaire, comes from the Cloud Security Alliance and is focused on cloud service providers, mapping to the CSA Cloud Controls Matrix. The SIG is broader and covers many third-party risk domains beyond cloud. Both are self-reported questionnaires that standardize how a vendor discloses its controls; a vendor may be asked for one, the other, or both depending on the service and the customer.

SIG vs SOC 2

A SOC 2 report is not a questionnaire at all. It is an independent attestation produced by a licensed CPA firm that examines a service organization's controls against the Trust Services Criteria. The SIG asks the vendor what it does; a SOC 2 report provides third-party assurance about what an auditor actually observed. Customers commonly review a vendor's completed SIG alongside its SOC 2 report, so they get both the breadth of the questionnaire and the independent assurance of the audit.

Free checklist

Vendor Risk Assessment Checklist

If a SIG just landed in your inbox, or you are about to send one, this free checklist gives you a structured starting point for assessing a third party's security and risk controls without licensing a full questionnaire to get going.

  • Structured control areas to assess across a vendor relationship
  • A practical way to tier vendors by risk before you assess them
  • Maps cleanly to how SIG-style questionnaires are organized
  • Built to plug into ongoing vendor monitoring, not a one-off review
  • Free, no credit card, instant access

Stop running vendor reviews in spreadsheets

Send, score, and track SIG-style assessments in one place

RiskWatch helps you tier vendors, send standardized assessments, score the responses, collect evidence like SOC 2 reports, and reassess on a schedule, so third-party risk becomes a managed program instead of an inbox full of spreadsheets. Start a free trial or book a demo.
