What Is a SIG Questionnaire?
A SIG questionnaire (Standardized Information Gathering questionnaire) is one of the most common documents a SaaS vendor will encounter during enterprise due diligence. If a buyer's procurement or security team has sent you a sprawling Excel file with hundreds of questions about your controls, policies, and compliance posture, there is a good chance it is a SIG. Understanding what the SIG is, how it is structured, and how to respond to it efficiently can meaningfully reduce friction in your enterprise sales cycles.
What Is a SIG Questionnaire?
A SIG questionnaire — short for Standardized Information Gathering questionnaire — is a comprehensive vendor risk assessment tool developed and maintained by Shared Assessments, a nonprofit membership organization founded in 2005 by five large banks, the big four consulting firms, and several major vendors. Its purpose is to standardize how enterprises gather and evaluate information about their third-party vendors' security controls, replacing the fragmented, bespoke questionnaires that each organization previously built from scratch.
The SIG questionnaire covers 19 risk domains and maps every question to a wide set of regulatory frameworks and industry standards. This dual function — assessing vendor risk and demonstrating compliance simultaneously — is what makes it the preferred tool for third-party risk management programs in financial services, healthcare, technology, and other regulated industries. When a buyer sends you a SIG, they are not just asking about your security practices: they are using your answers to satisfy their own auditors and regulators.
The SIG is closely related to the broader category of security questionnaires, but it is a specific, standardized framework rather than a generic term. Knowing the difference matters when you are preparing your response team and answer library.
Who Created the SIG Questionnaire and Why?
Shared Assessments created the SIG in 2005 to solve a problem that was costing enterprises significant time and money: every organization was building its own vendor questionnaire, and every vendor was answering dozens of slightly different versions of the same questions. The duplication was wasteful on both sides. Buyers spent time designing questionnaires. Vendors spent time answering them. Neither side benefited from the inconsistency.
The founding insight was that most third-party risk questions draw from the same set of underlying controls and regulatory requirements. By creating a single, comprehensive, industry-vetted question set — updated annually to reflect emerging threats, new regulations, and evolving standards — Shared Assessments made it possible for vendors to complete one rigorous assessment and reuse those answers across multiple buyer relationships.
Today the SIG is updated every year and maps to dozens of frameworks including SOC 2, ISO 27001, NIST CSF, HIPAA, PCI DSS, GDPR, and CCPA. Google Cloud, Zoom, and thousands of other enterprises use the SIG as the basis for their vendor risk programs, which is why a vendor who has completed a SIG once can respond to future assessments much faster by drawing on prior answers.
What Are the Different Versions of the SIG Questionnaire?
The SIG questionnaire comes in three main versions, each calibrated to a different level of vendor risk and assessment depth. Buyers choose the version that matches the sensitivity of the data the vendor will access and the maturity of their third-party risk management program.
The SIG Core is the full version, containing 855 questions across 19 risk domains. It is designed for vendors that store or process sensitive or regulated information — payment card data, protected health information, personal financial records, or other high-sensitivity data. The SIG Core is the standard tool for comprehensive vendor due diligence and is the version most commonly encountered by SaaS vendors selling into large enterprise accounts in regulated industries.
The SIG Lite is a condensed version with 126 questions focused on the core aspects of cybersecurity, compliance, and privacy. It is designed for lower-risk vendor relationships where a high-level overview of the vendor's security posture is sufficient — for example, a productivity tool with limited data access. Some buyers also use the SIG Lite as a preliminary screening before deciding whether to proceed to a full SIG Core assessment.
Custom SIG versions are also common. Buyers can add, remove, or modify questions to match their specific industry requirements, regulatory obligations, or internal risk standards. This flexibility is one of the SIG's defining strengths: a financial services firm can tailor the questionnaire to PCI DSS requirements, while a healthcare organization can weight it toward HIPAA controls, all within the same standardized framework.
What Domains Does the SIG Questionnaire Cover?
The SIG questionnaire's 19 risk domains give it comprehensive coverage of a vendor's security and operational posture. Each domain corresponds to a distinct area of risk that enterprise buyers need to understand before granting a vendor access to their systems or data. For vendors preparing responses, understanding these domains is the first step toward building an effective answer library.
The domains include information security policy, organizational security, asset and information management, human resources security, physical and environmental security, IT operations management, access control, application security, change management, business resiliency, compliance, endpoint security, network security, privacy, threat and vulnerability management, server security, cloud hosting services, cybersecurity incident management, and — added in recent versions — Nth party risk, which addresses the security practices of your vendors' vendors.
The breadth of these domains reflects a core principle of the SIG: third-party risk is not just a technology question. It encompasses how a vendor hires and trains people, how they manage physical access, how they handle changes to their systems, and how they would respond if a breach occurred. Vendors who approach the SIG as purely a technical exercise often find themselves unprepared for the organizational security and human resources sections, which require input from HR, legal, and facilities teams in addition to engineering and security.
How Does the SIG Questionnaire Map to Compliance Frameworks?
One of the SIG's most valuable features — both for buyers and vendors — is its cross-mapping to regulatory frameworks and industry standards. Every question in the SIG is tagged to one or more external controls, which means a vendor's answers can simultaneously demonstrate compliance with multiple frameworks without requiring separate assessments for each one.
The SIG currently maps to frameworks including SOC 2 Trust Service Criteria, ISO 27001, NIST Cybersecurity Framework, NIST SP 800-53, HIPAA Security Rule, PCI DSS, GDPR, CCPA, and several others. For buyers, this means a completed SIG can serve as evidence across multiple compliance programs simultaneously. For vendors, it means that strong existing compliance certifications — particularly a current SOC 2 Type II report or ISO 27001 certificate — can be directly referenced to answer a significant portion of SIG questions, rather than drafting new answers from scratch.
This framework alignment also makes the SIG particularly useful in due diligence contexts. A vendor completing a DDQ alongside a SIG can cross-reference many answers, reducing duplication of effort across what would otherwise be two entirely separate workstreams.
What Is the Difference Between SIG Core and SIG Lite?
The choice between SIG Core and SIG Lite comes down to the sensitivity of the data the vendor handles and the depth of due diligence the buyer requires. SIG Core, with its 855 questions across 19 domains, is the standard for high-risk vendor relationships — vendors with access to sensitive personal data, financial records, or critical infrastructure. SIG Lite, at 126 questions, is appropriate for lower-risk vendors where a high-level security overview is sufficient.
From a vendor's perspective, receiving a SIG Core versus a SIG Lite signals something important about how the buyer categorizes your risk profile. A SIG Core request means the buyer considers your product or integration to be high-risk and will scrutinize your answers carefully. A SIG Lite request suggests a lower-risk classification, though buyers frequently escalate to SIG Core if the Lite responses reveal gaps or ambiguities.
Vendors who have completed a SIG Core previously are well-positioned to respond to SIG Lite requests quickly: the Lite questions are a subset of the Core. Running this in reverse — using SIG Lite answers to populate a SIG Core response — is not sufficient, since the Core covers substantially more ground. Building your answer library around SIG Core questions is the more durable investment for vendors expecting to sell into enterprise accounts regularly.
How Should Vendors Prepare to Respond to a SIG Questionnaire?
Preparing for a SIG questionnaire follows the same core principles as preparing for any security questionnaire, but the SIG's scale and structure create specific preparation priorities. With up to 855 questions across 19 domains, a SIG Core response requires coordinated input from multiple teams — security, IT, HR, legal, facilities, and operations — and cannot realistically be completed by a single person in a short timeframe without prior preparation.
The most effective preparation is building a domain-by-domain answer library from previous SIG responses. Because the SIG is updated annually but retains significant continuity between versions, answers from a previous year's SIG remain largely applicable. A vendor who completed a SIG Core eighteen months ago and maintained their answer library can respond to a new SIG Core in a fraction of the time it took the first time.
Compliance certifications are the second most important preparation. A current SOC 2 Type II report directly addresses a large portion of SIG questions in the information security, access control, and incident management domains. ISO 27001 certification covers significant ground in the organizational security and policy domains. Attaching these as supporting evidence alongside your questionnaire answers both accelerates the buyer's review and reduces the number of questions requiring detailed written responses.
Assigning domain ownership before a questionnaire arrives is equally important. The Nth party risk domain requires input from your vendor management team. The physical and environmental security domain requires input from whoever manages your office or data center access. The human resources security domain requires input from HR or people operations. Mapping these owners in advance — and giving each one a pre-populated template of prior answers to review rather than a blank form — is the single most effective way to hit a tight deadline without errors.
How Does the SIG Questionnaire Compare to Other Security Frameworks?
The SIG is one of several standardized frameworks enterprises use for vendor risk assessment, and understanding how it compares to the alternatives helps vendors prioritize their preparation and understand which assessment they are actually dealing with.
The CAIQ (Consensus Assessments Initiative Questionnaire), published by the Cloud Security Alliance, is the most direct comparison. The CAIQ maps to the CSA Cloud Controls Matrix and is specifically designed for cloud service providers. It is shorter than the SIG Core and more focused on cloud architecture and infrastructure controls. Buyers in technology-heavy industries sometimes use the CAIQ in place of or alongside the SIG. Google Cloud's compliance program, for example, maintains both a CAIQ self-assessment and SIG alignment.
The VSA (Vendor Security Alliance) questionnaire, published by a coalition including Airbnb, Atlassian, and Uber, is a free alternative that covers eight domains in its full version. It is widely used among technology companies but is generally less comprehensive than the SIG Core. The SIG's advantage is its framework cross-mapping: a completed SIG simultaneously satisfies multiple regulatory requirements in a way that neither the CAIQ nor the VSA does as broadly.
For vendors receiving an RFP or a DDQ alongside a SIG, many of the underlying questions overlap. A unified answer library that spans these document types prevents duplicated effort and ensures consistency across the different responses a buyer's various teams will review.
What Are the Most Common Challenges When Responding to a SIG?
Responding to a SIG questionnaire, particularly a SIG Core, is one of the most demanding exercises a vendor's security and operations teams will face. The challenges are predictable enough that vendors who know what to expect can plan around them effectively.
Volume is the first challenge. A body of 855 questions is a significant amount of work, and the temptation to reuse answers without reviewing them — or to leave questions blank where the answer is unclear — is strong under deadline pressure. Both shortcuts create risk: reused stale answers may no longer be accurate, and blank answers signal to experienced reviewers that the vendor either does not understand the question or does not have the relevant control in place.
Cross-functional coordination is the second challenge. A SIG Core requires input from teams that do not normally work together on sales-related tasks. Getting timely, accurate input from HR on security training policies, from legal on data processing agreements, and from IT on network architecture requires a coordination process that most vendors do not have fully built out the first time they encounter a SIG. The answer library and domain ownership map are the two tools that solve this problem over time.
The Nth party domain is a newer challenge that catches many vendors unprepared. Buyers increasingly want to understand not just your security practices but those of your key subprocessors and technology vendors. Having a current list of your critical third-party providers, along with their relevant certifications or completed questionnaires, is now a standard expectation in a thorough SIG response.
What Role Does Automation Play in Completing SIG Questionnaires?
Automation has become a practical necessity for vendors who receive SIG questionnaires regularly. A SIG Core response completed manually — reading each question, finding the relevant prior answer or writing a new one, routing it to the appropriate SME, consolidating inputs, and reviewing for consistency — can consume dozens of hours of senior staff time per questionnaire. At higher deal volumes, this becomes a bottleneck that delays revenue and exhausts the teams involved.
Purpose-built automation tools address this by ingesting a vendor's existing documentation — prior SIG responses, security policies, compliance certifications, audit reports — and using AI to match incoming questions to relevant approved answers. The team's role shifts from drafting to reviewing: they confirm, edit, or flag AI-generated answers rather than writing from a blank page. This shift is faster, less error-prone, and substantially more scalable as deal volume increases.
For teams that handle SIG questionnaires, RFPs, and DDQs alongside each other, a unified platform that maintains a single answer library across all document types is significantly more efficient than managing separate tools for each. The cross-framework mapping built into the SIG means that answers prepared for one buyer can often be adapted for another with minimal editing — which is exactly the workflow that automation enables at scale.
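The preparation workflow above (a domain-by-domain answer library, a domain ownership map, and pre-populated templates for each owner) and the automation workflow (matching incoming questions to approved prior answers so the team reviews rather than drafts) both reduce to the same small piece of logic. The following is an added, self-contained Python example written for this page; it is not code from Shared Assessments, Steerlab.ai, or any SIG product. The question texts, answers, domain owner addresses, review dates, and the 50% token-overlap match threshold are all constructed for illustration, and the domain names are used only as labels, not as real SIG question identifiers. It matches each incoming question against the library within its domain, reuses a current answer, flags an answer whose last review is older than a year as stale, and routes anything unmatched to the domain owner, so the two shortcuts the page warns about (stale reuse and blank answers) are surfaced before the questionnaire goes back to the buyer.

```python
"""Toy SIG answer-library triage (added example; not any vendor's or Shared Assessments' code)."""
from dataclasses import dataclass
from datetime import date
import re

# Constructed stopword list; real tooling would use a proper text-matching library.
STOPWORDS = {"a", "an", "the", "is", "are", "do", "does", "you", "your", "of", "to",
             "and", "or", "for", "in", "on", "at", "with", "that", "have", "has", "be"}

MATCH_THRESHOLD = 0.5   # assumed: minimum Jaccard overlap to treat a prior answer as a match
MAX_AGE_DAYS = 365      # assumed: answers reviewed more than a year ago must be re-reviewed


def tokens(text: str) -> frozenset:
    """Lowercase, alphanumeric tokens with stopwords removed."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return frozenset(w for w in words if w not in STOPWORDS)


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of the two questions' token sets (0.0 when either is empty)."""
    ta, tb = tokens(a), tokens(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


@dataclass(frozen=True)
class LibraryAnswer:
    domain: str
    question: str
    answer: str
    last_reviewed: date
    evidence: tuple = ()   # e.g. ("SOC 2 Type II",) attached as supporting evidence


# Constructed domain ownership map: who must supply or re-review answers per domain.
DOMAIN_OWNERS = {
    "Access Control": "security@example",
    "Human Resources Security": "people-ops@example",
    "Nth Party Risk": "vendor-mgmt@example",
    "Physical and Environmental Security": "facilities@example",
}

# Constructed answer library from a previous SIG response.
LIBRARY = [
    LibraryAnswer("Access Control",
                  "Is multi-factor authentication required for all administrative access to production systems?",
                  "Yes. MFA is enforced for all privileged accounts via our identity provider.",
                  date(2024, 11, 2), ("SOC 2 Type II",)),
    LibraryAnswer("Human Resources Security",
                  "Do all employees complete security awareness training on hire and annually?",
                  "Yes. Training is completed within 30 days of hire and annually thereafter.",
                  date(2023, 1, 15)),
]

# Constructed incoming questionnaire: one exact repeat, one reworded, one in a new domain.
INCOMING = [
    ("Access Control",
     "Is multi-factor authentication required for all administrative access to production systems?"),
    ("Human Resources Security",
     "Do employees complete security awareness training at hire and on an annual basis?"),
    ("Nth Party Risk",
     "Do you maintain an inventory of subprocessors with access to client data?"),
]


def find_match(domain: str, question: str, library):
    """Best prior answer in the same domain, or (None, score) if none clears the threshold."""
    best, best_score = None, 0.0
    for entry in library:
        if entry.domain != domain:
            continue
        score = similarity(question, entry.question)
        if score > best_score:
            best, best_score = entry, score
    if best_score < MATCH_THRESHOLD:
        return None, best_score
    return best, best_score


def triage(incoming, library, owners, today: date):
    """Classify each incoming question as reuse, stale-review-required, or needs-owner-input."""
    rows = []
    for domain, question in incoming:
        match, score = find_match(domain, question, library)
        owner = owners.get(domain, "UNASSIGNED")
        if match is None:
            status, draft = "needs-owner-input", ""
        elif (today - match.last_reviewed).days > MAX_AGE_DAYS:
            status, draft = "stale-review-required", match.answer
        else:
            status, draft = "reuse", match.answer
        rows.append({"domain": domain, "question": question, "status": status,
                     "owner": owner, "draft": draft, "score": round(score, 2),
                     "evidence": list(match.evidence) if match else []})
    return rows


def owner_worklist(rows):
    """Questions each domain owner must write or re-review (everything not a clean reuse)."""
    work = {}
    for r in rows:
        if r["status"] != "reuse":
            work.setdefault(r["owner"], []).append(r["question"])
    return work


if __name__ == "__main__":
    rows = triage(INCOMING, LIBRARY, DOMAIN_OWNERS, date(2025, 6, 1))
    for r in rows:
        print(f"[{r['status']}] {r['domain']} -> {r['owner']} (score {r['score']})")
    print(owner_worklist(rows))
```

The point of the stale check is that a matched answer is never auto-approved on similarity alone; the owner still confirms it, which is the "confirm, edit, or flag" review step the page describes. A real deployment would key on the SIG's own question identifiers where the buyer preserved them and fall back to text matching only for customized or reworded questions.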
For teams responding to SIG questionnaires, RFPs, and security reviews at volume, Steerlab.ai automates the answer generation process by pulling from your existing documentation and past SIG response history — so your team focuses on reviewing and approving rather than writing from scratch each time a new assessment arrives.
Frequently Asked Questions
What does SIG stand for in security?
SIG stands for Standardized Information Gathering. It refers to the third-party risk assessment questionnaire developed and maintained by Shared Assessments, a nonprofit organization founded in 2005. The SIG is used by enterprises across industries to evaluate vendor security controls in a consistent, framework-mapped format updated annually.
How many questions are in a SIG questionnaire?
The SIG Core contains 855 questions covering 19 risk domains. The SIG Lite contains 126 questions focused on core cybersecurity, compliance, and privacy controls. Buyers can also create custom versions by adding, removing, or modifying questions to match their specific regulatory requirements and risk appetite, so the exact number of questions you receive may vary.
Is the SIG questionnaire free?
No. The SIG is a paid product sold by Shared Assessments. Buyers must purchase a license to access and distribute the SIG questionnaire. Vendors who receive a SIG from a buyer do not need to purchase a license to respond — the cost is borne by the organization sending the questionnaire. This is different from frameworks like the VSA, which are free to download.
How long does it take to complete a SIG Core questionnaire?
Without an existing answer library, a SIG Core response typically takes two to four weeks for a vendor responding for the first time, depending on internal coordination speed and the availability of subject matter experts across 19 domains. Vendors with a maintained answer library and current compliance certifications can often complete a SIG Core in under a week. Tools like Steerlab.ai can reduce initial drafting time by 60–80%.
What compliance frameworks does the SIG map to?
The SIG maps to a wide range of frameworks including SOC 2 Trust Service Criteria, ISO 27001, NIST Cybersecurity Framework, NIST SP 800-53, HIPAA Security Rule, PCI DSS, GDPR, and CCPA, among others. This cross-mapping means a completed SIG can simultaneously serve as evidence for multiple compliance programs, which is one of its primary advantages over bespoke questionnaires.
What is the difference between a SIG and a CAIQ?
The SIG (Standardized Information Gathering) is a broad vendor risk assessment tool covering 19 domains across all types of vendors. The CAIQ (Consensus Assessments Initiative Questionnaire) is published by the Cloud Security Alliance and is specifically designed for cloud service providers, mapping to the CSA Cloud Controls Matrix. The SIG is generally more comprehensive and cross-maps to more regulatory frameworks, while the CAIQ is more targeted to cloud architecture controls.
Can you reuse SIG answers across multiple buyers?
Yes — and this is one of the SIG's core design intentions. Because buyers use the same standardized framework, a vendor's answers to one buyer's SIG are largely applicable to another buyer's SIG. Tools like Steerlab.ai make this reuse systematic by storing approved answers and automatically matching them to incoming SIG questions, so each new questionnaire requires only incremental effort rather than a full response from scratch.
What is the Nth party domain in the SIG?
The Nth party domain, added to the SIG in recent versions, addresses supply chain risk by asking vendors about the security practices of their own key subprocessors and technology providers. Buyers want to understand not just your security controls but the controls of the vendors you depend on. Preparing for this domain requires maintaining a current list of your critical third-party providers along with their relevant security certifications or completed assessments.
