What is the Difference Between SIG vs. SIG Lite Questionnaires?

Blog post Team CENTRL 2022-01-28

If you want to enhance your business resiliency, you must include the security of your partners and third parties in your overall vendor risk management (VRM) strategy.

Today, businesses exist in such a state that interconnection is necessary, if not required. But don’t forget – your business is only as safe as the least secure of all of your vendors.

If you’re not yet using VRM to better manage your relationship with your vendors, you’re operating at a significant risk disadvantage. And even if you’re already using VRM, you still need to ensure its proper implementation for optimum results.

The best way to start doing this is to conduct due diligence, implement comprehensive vendor risk management, and use a standardized information-gathering questionnaire (SIG) for your vendor evaluation and onboarding.

What is a SIG questionnaire?

SIG questionnaires are security assessments created according to industry standards, designed to populate your VRM with self-assessed data from your third parties.

The SIG questionnaire, created by Shared Assessments, allows you to create, modify, analyze, and gather input from your vendor, which you will use to assess your levels of third-party risk.

This standardized questionnaire is used by over 15,000 organizations worldwide because it is both convenient and comprehensive.

You can configure the breadth of information that the questionnaire gathers depending on the level of risk of your service providers.

What Are The Different Types of SIG Questionnaires?

The SIG process is optimized for inclusion and ease of use. You can find three different variations of the questionnaire used for vendor assessment: the standard SIG questionnaire, SIG LITE, and SIG CORE.

SIG Questionnaire

The first variation is the standard SIG questionnaire. It was designed to be a comprehensive vendor assessment. It covers 18 industry-accepted essential risk controls that make up the vendor’s cybersecurity environment.

A comprehensive SIG questionnaire will be enough to tell you the overall security risks of your vendors regardless of their industry.

This is useful for companies that heavily outsource many of their tasks because it allows them to properly assess provider risk without extensive modification.

In addition to this, the standard SIG questionnaire is excellent for companies with self-assessing security teams to enhance protection.


Although the standard SIG questionnaire is an extensive process that covers all of the relevant risks that any third party might face, not all of those risks are going to apply to all of your third parties.

If you want to streamline your SIG questionnaire to ask fewer questions and still hit the mark, you should opt for SIG LITE.

SIG LITE is a type of SIG questionnaire suitable for less risky vendors. After all, third parties with fewer inherent risks don’t require the comprehensive coverage that the standard SIG includes.

Instead, the LITE version consolidates the main concepts of SIG into fewer questions and categories without sacrificing the level of detail in the self-assessments.

This way, you and your third parties won’t waste time answering questions that don’t apply to your specific situation while still managing to properly assess all the risks that need to be determined.


This modification to the standardized SIG assessment is made for personalized and detailed third-party risk assessment.

Released in 2018, the SIG CORE is a database of questions that security teams and decision-makers can choose from. Instead of a standardized questionnaire or a pared-down version of it, the SIG CORE is made to be customizable from the get-go.

By picking the relevant questions themselves, the appropriate parties can better assess and tailor them to their unique circumstances. This is useful for unique third-party relationships where no standardized versions can capture the details necessary for a proper assessment.

These questions include compliance regulations, such as GPDR and NIST-related topics.

The Differences Between SIG and SIG LITE

In comparing both assessment methods, let’s first settle on some common grounds and begin with their similarities. Both are standardized questionnaires that aim to determine the risks within a third-party relationship.

The SIG and SIG Lite have in-depth questions that produce detailed and actionable results.

However, despite having a similar end goal, SIG and SIG LITE differs in the purpose and method of assessment.

On the one hand, the SIG questionnaire is designed for detail. It covers broad and multidisciplinary topics regarding third-party risk management (TPRM). This is useful for high-level and complex third-party relationships.

On the other hand, the SIG LITE is made for vendors with less inherent risk.

It’s a pared-down version of the SIG questionnaire with much fewer questions; it still offers a decent level of detail, but vendors won’t have to spend time answering questions that might not apply to them.

Why Are SIG Questionnaires Important?

You can’t assess all the risks your third-party partnerships face, especially if you’re a large and complex organization.

The SIG questionnaire exists as an efficient way to understand the risks you face in your everyday operations. With the proper questionnaires, you can glean clear and actionable insights that you can use to implement security changes.

More than that, the SIG questionnaire also makes regulatory compliance much simpler because it is indexed to many international standards, such as:

  • ISO 27002:2013
  • ISA 62443
  • FFIEC Appendix J
  • FFIEC IT Management Handbook
  • EBA Guidelines, and many more.

While there are other data security questionnaires that you can use, such as the CSA CAIQ and ISO 27001, the SIG questionnaire remains one of the most-used questionnaires.

What Are Some Topics That Can Be Found SIG Questionnaires?

Here are some of the control areas SIG questionnaires can tackle to help you improve data security and better manage vendor risk:

  • Risk management practices
  • Information security controls
  • Security policy creation and implementation
  • Organizational security
  • Asset management policies and operations
  • Human resources security, and many more.

How CENTRL’s Vendor360 Can Help You Streamline Vendor Risk Management

SIG questionnaires can be a powerful tool for improving your third-party risk management practices, but they should only act as one part of a more extensive vendor risk management program.

Vendor360 also includes the SIG questionnaire and customizable templates, so you can forgo the added cost of purchasing the questionnaire separately. This way, you can optimize your vendor assessments to best fit your third-party risk profile.

With Vendor360, you can manage assessment progress, set due dates, and automate status updates of questionnaires throughout your third-party portfolio. The platform also provides a simple user interface with extensive automation and analytics.

Learn more about Vendor360 can help you scale your vendor risk management program by booking a demo today!

Similar resources

More resources