Skip to main content

Glossary

SIG Questionnaire (Standardized Information Gathering)

The Standardized Information Gathering (SIG) questionnaire is a third-party risk assessment question set published by Shared Assessments. Organizations use it to evaluate the security, privacy, and operational controls of vendors and service providers with one consistent industry questionnaire instead of drafting their own custom question lists for every assessment.

In practice

Third-party risk management teams at banks, insurers, healthcare organizations, and other regulated companies send the SIG to prospective and existing vendors as part of onboarding and periodic review. Because the question set is standardized, a vendor can complete it once, keep it current, and reuse the answers across many customer requests.

The SIG comes in scoped versions. The full question library, commonly issued as SIG Core, covers a broad range of risk domains such as information security, privacy, resilience, and compliance. SIG Lite is a condensed subset used for lower-risk vendors or early screening, with the fuller version reserved for critical relationships.

For example, a regional bank might send SIG Lite to a marketing software vendor that handles limited data, while sending the full SIG to a payment processor that touches customer accounts. Shared Assessments updates the questionnaire regularly, so recipients should confirm which version a request is based on.

Keep reading

Related terms

For how vendors answer SIG requests efficiently, see the RocketDocs security questionnaire solution.

FAQ

Frequently asked questions

What does SIG stand for?

SIG stands for Standardized Information Gathering. The name reflects its purpose: giving outsourcers and their vendors a standardized way to collect the information needed to assess third-party risk, rather than every company inventing its own questionnaire from scratch.

What is the difference between the SIG and SIG Lite?

SIG Lite is a shortened version of the full SIG question library. It covers the highest-level questions across the same risk domains and is typically used for lower-risk vendors or initial screening, while the full SIG supports deeper assessments of critical vendors.

Who maintains the SIG questionnaire?

Shared Assessments, a member-driven organization focused on third-party risk management, develops and maintains the SIG. It releases updated versions on a regular cycle to reflect new regulations, threats, and industry practices, so organizations usually adopt the current release.

From definition to response

See how RocketDocs turns these concepts into a working response process: approved content, private AI drafting, and audit trails your compliance team can trust.