New vendor risk assessment with SIG questionnaire in 2022


The Standard Information Gathering (SIG) questionnaire is a configurable tool for scoping vendor risk assessments of varying depth, using a comprehensive set of questions to assess third-party or vendor risk. It is updated every year to keep pace with the changing risk environment and priorities.

Developed by Shared Assessments, the SIG questionnaire allows organisations to build, customise, analyse, and store vendor assessments for managing third-party risk. Its standard third-party risk toolkit is currently used by over 15,000 organisations worldwide. 

Available in Lite and Core versions, SIG allows organisations to leverage an industry-standard library of vetted questions that measure risk across 18 different risk domains. By mapping each question to regulatory requirements and multiple controls, this vendor risk assessment allows businesses to standardise and simplify their third-party risk management and compliance initiatives. 

Let’s take a closer look at the SIG questionnaire 2022 updates and how you can incorporate this industry-leading assessment within your organisation.

SIG questionnaire 2022 updates

The 2022 SIG questionnaire updates are arranged into three categories: 

  1. Re-ordered, reduced, and updated SIG Lite and SIG Core question sets.
  2. Updated and new regulatory mappings and standards, including 13 updated and four new mappings.
  3. Over 30 new domain and category updates.

SIG Core vs. SIG Lite 

Shared Assessments provides two versions of its SIG assessment: SIG Core and SIG Lite. 

SIG Core 

The SIG Core questionnaire is the more detailed of the two versions. It is designed to assess third parties or vendors that manage or store sensitive, regulated data, providing a very deep level of understanding of how those third parties secure information. SIG Core contains 825 questions that target 18 risk domains. It also includes a question library from which security teams can pick and choose the questions to send to their vendors, along with information on privacy and compliance regulations.

SIG Core 2022 updates: 

  • Groups questions by topic which makes it easier for users to understand controls 
  • Number of questions reduced by 25% 
  • More control-focused questions added 
  • Enhanced tiering by making questionnaires available for practitioners 

SIG Lite 

The SIG Lite questionnaire provides a broad, high-level understanding of a third party's internal information security controls. It offers a more basic level of assessment due diligence. SIG Lite includes 150 questions, which can be used as a preliminary vendor risk assessment before a more detailed questionnaire is undertaken.

SIG Lite 2022 updates: 

  • Groups questions by topic which makes it easier for users to understand controls 
  • Number of questions reduced by 50% 
  • More control-focused questions added 
  • Enhanced tiering by making questionnaires available for practitioners 

SIG Lite questionnaire example

Here are just some of the SIG Lite questions you can expect to see in a questionnaire:

  1. Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?
  2. Is there a vendor management program?
  3. Is there an asset management policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review?
  4. Is there a physical security program?
  5. Is there an Incident Management program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?

Updated and new regulatory control mappings for vendor risk assessment 

SIG updates also address regulatory control mappings. Shared Assessments keeps on top of standards, guidelines, and regulations for a variety of industries, and has integrated 1,600 Control Points from: 

  • DOJ June 2020 Guidance on Evaluation of Corporate Compliance Programs for publicly held U.S. Companies 
  • Industrial Automation and Control Systems Guidance IEC 62443 
  • Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 and Cloud Controls Matrix (CCM) Version 4 
  • GDPR Guidance on Standard Contractual Clauses (SCCs) 
  • State Privacy Laws (California, Colorado, Virginia) 
  • NIST 800-53 (Rev.5) Security and Privacy Controls for Information Systems and Organisations. The SIG questionnaires include Supply Chain Risk Management questions on system development (outsourcing), asset management, resilience and continuity, and threat and vulnerability management. 

Domain and category updates 

SIG 2022 has renamed some of the risk domains to add scope and to highlight that risk is not tied to specific roles or functions. Risk Management, for example, has been renamed Enterprise Risk Management to encapsulate risk across the whole organisation. Business Resiliency has been changed to Operational Resilience, and Physical Security is now Physical and Environmental Security. 

The SIG questionnaire has also added new and adjusted categories that should improve assurance on relevant and timely topics such as environmental, social and governance (ESG) and incident management best practices across the entire supply chain. 

  • ESG updates include codes of conduct and ethical sourcing, modern slavery, and environmental risk management. 
  • Incident management features expand documentation and detection. 
  • Fourth-party management expands the requirements for managing third parties to include the wider supply chain. Areas include vendor risk assessments, contractual requirements, personal data management, and operational resilience. 

Get in touch with RiskXchange to find out more about assessing third-party risk with the SIG questionnaire in 2022. 

How RiskXchange can help

RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers. 

With full visibility over your ecosystem's entire attack surface in near real time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks.

About RiskXchange 

RiskXchange provides a powerful AI-assisted, yet simple automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company’s cyber security risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world.  

RiskXchange is an information security technology company that helps companies of all sizes fight cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security.
