Skip to content
Glossary

SIG (Standardized Information Gathering)

The SIG (Standardized Information Gathering) questionnaire is a standardized third-party risk assessment maintained by Shared Assessments. It provides a common library of questions across security, privacy, and resilience domains, and ships in scoped variants (such as SIG Core and SIG Lite) so assessors can right-size the depth of a vendor review.

Synonyms: SIG questionnaire, Standardized Information Gathering questionnaire, Shared Assessments SIG

The SIG (Standardized Information Gathering) questionnaire is a widely adopted, standardized way for organizations to assess a vendor’s controls across domains such as access management, data protection, privacy, incident response, and operational resilience. Because it draws on a shared question library maintained by Shared Assessments, it reduces the variation between one customer’s questionnaire and the next.

For the vendor answering it, the SIG’s standardization is the opportunity: answers to SIG questions can be maintained once, cited to source evidence, and reused across variants (SIG Lite for a lighter pass, SIG Core for depth) and across customers — provided each answer is kept current and reviewed by an owner rather than copy-pasted from a stale file.

Frequently asked questions

What is the difference between SIG Core and SIG Lite?
SIG Lite is a shorter, higher-level set for lower-risk vendors or a first pass; SIG Core is the deeper, more comprehensive set for higher-risk or in-depth reviews. Both draw from the same Shared Assessments question library, so answers map across variants.
Who maintains the SIG?
The SIG is maintained by Shared Assessments, an industry member organization, and is updated periodically to track regulations and control frameworks. It is widely used so vendors can reuse consistent answers across many customers.