What are the SIG Core and SIG Lite Assessments?
The Shared Assessments Program, managed by The Santa Fe Group, is a global membership organization focused on developing best practices, education and tools to drive third-party risk assurance. The Program helps organizations effectively manage third-party risk, using controls for cybersecurity, IT, privacy, data, security and business resiliency. Specifically, the Program produces and maintains tools and methods that standardize member organizations’ approach to assessing third-party service providers’ controls for people, processes and procedures. Program operations are kept up to date with industry need, regulations and the threat environment.
What are the SIG Lite and SIG Core Assessments?
The two assessments central to the Shared Assessments Program are:
- SIG Core: The Standardized Information Gathering (SIG) Core questionnaire is designed to assess third parties that store or manage highly sensitive or regulated information, such as payment card information or genetic data. This tool is meant to provide a deeper level of understanding about how a third party secures information and services. It is meant to meet the needs of almost all third-party risk assessments, based on industry standards.
- SIG Lite: The SIG Lite questionnaire is designed to provide a broad, but high-level understanding about a third party’s internal information security controls. This level is for organizations that need a basic level of assessment due diligence. It can also be used as a preliminary assessment before a more detailed review.
How Are the Assessments Used?
SIG assessments can be used in various ways, including:
- Used by an outsourcer to evaluate their service providers’ risk controls.
- Completed by a service provider and used proactively as part of a request for proposal (RFP) response.
- Completed by a service provider and sent to their client(s) in lieu of completing one or multiple proprietary questionnaires.
- Used by an organization for self-assessment.
Who Uses the Assessments?
Membership has grown drastically as companies across the globe and across industries have adopted the Shared Assessments SIG Core and SIG Lite assessments. The current membership ecosystem consists of cross-industry organizations, from outsourcers to vendors to regulators to technology providers.
What Questions Do the Assessments Ask?
Shared Assessments houses a comprehensive set of 1200 total questions, referred to as a content library. The content library contains mappings from each question to the most applicable standard controls, frameworks and regulations like NIST, ISO, GDPR, and more.
- SIG Core: The more comprehensive questionnaire, the SIG Core, asks approximately 850 questions targeting 18 individual risk controls.
- SIG Lite: The shorter of the two questionnaires, the SIG Lite, asks approximately 330 questions.
Companies can use either questionnaire, but they cannot change the wording of the questions, so that the assessments remain standardized. However, companies can add their own versions of questions to a separate library. The questions included on each SIG will vary depending on the business’s needs. Therefore, it’s important for responders to pay close attention to the wording of the questions.
How Can I Use the Assessments?
Organizations can use spreadsheets or third-party risk management tools like OneTrust Vendorpedia™ to conduct the assessments. The Vendorpedia platform empowers organizations around the world to leverage the 2020 SIG Core and SIG Lite questionnaires and scale third-party risk management operations with purpose-built software to send, receive, and review the 2020 SIG using assessment automation workflows.