Key Takeaways
- The SIG (Standardized Information Gathering) questionnaire is maintained by Shared Assessments and is one of the most widely used third-party risk assessment tools in enterprise procurement.
- SIG comes in two versions: SIG Core with 800+ questions across 19 risk domains, and SIG Lite with roughly 200 questions for lower-risk assessments.
- The SIG maps directly to major compliance frameworks including ISO 27001, NIST CSF, SOC 2, PCI DSS, HIPAA, and GDPR - which means a single well-prepared knowledge base can cover most of it.
- Third-party cybersecurity risk is increasingly a deal-gating factor. Buyers are not moving contracts forward until your SIG is returned, reviewed, and approved. Completion speed directly affects deal velocity.
- Most SaaS teams spend 5 - 10 business days completing a SIG Core manually. Teams with a centralised knowledge base of past responses can cut that to hours.
What Is a SIG Questionnaire?
A SIG questionnaire (Standardized Information Gathering questionnaire) is a structured risk assessment tool created and maintained by Shared Assessments, a member-driven organisation focused on third-party risk management. It provides a standardised way for enterprises to evaluate the security, privacy, and operational controls of their vendors before signing a contract. If a prospect has sent you a SIG as part of their security review, it means they are serious about the deal - but need assurance that your security posture meets their requirements before they can move forward.
For most B2B SaaS companies, receiving a SIG is both a buying signal and a time sink. The questionnaire is comprehensive by design. It covers everything from access control and encryption to business continuity and physical security. And because it is standardised, your buyer’s security team expects thorough, accurate, and referenced answers - not vague assurances. The commercial stakes are real: a delayed or poorly completed SIG can stall a deal for weeks, and an incomplete one can disqualify you entirely.
What Does the SIG Cover? The 19 Risk Domains
The SIG organises its questions across 19 risk domains, each targeting a specific area of your organisation’s security and operational posture. Understanding these domains is the first step to building repeatable, reusable answers rather than starting from scratch every time.
Here are the core domains covered in the SIG:
| Domain | What It Assesses |
|---|---|
| Enterprise Risk Management | Governance structure, risk appetite, board oversight |
| Security Policy | Existence and maintenance of information security policies |
| Organisational Security | Roles, responsibilities, and security staffing |
| Asset and Information Management | Asset inventory, classification, handling procedures |
| Human Resource Security | Background checks, security training, termination procedures |
| Physical and Environmental Security | Data centre controls, office security, environmental protections |
| IT Operations Management | Change management, capacity planning, operational procedures |
| Access Control | Authentication, authorisation, privilege management |
| Application Security | SDLC security, code review, vulnerability management |
| Cybersecurity Incident Management | Incident response plans, detection, escalation procedures |
| Operational Resilience | Business continuity, disaster recovery, backup procedures |
| Compliance and Operational Risk | Regulatory compliance, audit practices, legal requirements |
| Endpoint Device Security | Mobile device management, endpoint protection |
| Network Security | Firewalls, segmentation, intrusion detection |
| Privacy | Data subject rights, consent management, data processing agreements |
| Threat Management | Threat intelligence, vulnerability scanning, penetration testing |
| Server Security | Server hardening, patching, configuration management |
| Cloud Hosting Services | Cloud provider assessments, shared responsibility model |
| Artificial Intelligence | AI governance, model risk, data handling in AI systems |
The AI domain is a more recent addition, reflecting the growing scrutiny around how vendors use machine learning and large language models in their products. If your SaaS product uses AI in any capacity, expect detailed questions here.
Why the domain structure matters for your workflow
Each domain maps to specific areas of your security programme. This means you can assign domains to the people who actually own those areas: your infrastructure lead handles Network Security and Cloud Hosting, your people ops lead covers Human Resource Security, and your security lead covers Incident Management and Threat Management. Trying to have one person answer all 19 domains is how teams end up spending two weeks on a single questionnaire - and how CTOs end up answering questions about fire suppression systems at 11pm on a Thursday.
SIG Core vs. SIG Lite: Which One Will You Receive?
Shared Assessments publishes two versions of the SIG, and the version your prospect sends depends on how much risk your engagement represents to them.
| | SIG Core | SIG Lite |
|---|---|---|
| Number of questions | 800+ | ~200 |
| Depth | Detailed, control-level questions with sub-questions | High-level, domain-level questions |
| Typical use case | Vendors handling sensitive data, critical infrastructure, or high-value contracts | Lower-risk vendors, initial screening, or non-critical services |
| Time to complete (manual) | 5 - 10 business days | 1 - 3 business days |
| Time to complete (with knowledge base) | Hours | Under an hour |
| Who sends it | Enterprise security teams, regulated industries (financial services, healthcare) | Mid-market companies, procurement teams doing initial triage |
If you are selling into financial services, healthcare, or any enterprise with a mature third-party risk management (TPRM) programme, expect the SIG Core. These organisations are often required by regulators to conduct thorough vendor assessments, and the SIG Core gives them the granularity they need.
The SIG Lite is more common in initial vendor screening or when your product handles less sensitive data. Some organisations use it as a first pass: if your SIG Lite answers raise concerns, they escalate to a SIG Core.
The practical impact on your team
A SIG Core with 800+ questions is not something you knock out in an afternoon. Nothing says “welcome to enterprise sales” quite like opening an Excel file with 20 tabs and a README that is longer than your last board deck.
Without a system for managing your responses, each SIG becomes a mini-project: hunting through Google Drive for the right policy, pinging your engineering lead on Slack for a technical detail, copy-pasting answers from the last questionnaire you completed and hoping nothing has changed. It is the kind of work that eats into evenings and weekends, especially when three of them land at the same time - and they always land at the same time.
How the SIG Maps to Compliance Frameworks
One of the SIG’s most useful features is its cross-referencing to major compliance frameworks. Shared Assessments explicitly maps SIG questions to the controls in frameworks your buyers already care about.
Here is how the SIG aligns with the frameworks you are most likely already working with:
| Framework | SIG Mapping |
|---|---|
| ISO 27001 | SIG domains map to Annex A controls, particularly around access control, cryptography, operations security, and supplier relationships |
| SOC 2 | Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) align with multiple SIG domains |
| NIST CSF | The five NIST functions (Identify, Protect, Detect, Respond, Recover) are covered across SIG’s risk management, incident management, and resilience domains |
| PCI DSS | Network security, access control, and encryption domains map directly to PCI DSS requirements |
| HIPAA | Privacy, access control, and incident management domains cover key HIPAA safeguards |
| GDPR | The Privacy domain addresses data subject rights, lawful basis for processing, and cross-border transfer requirements |
What this means for your response strategy
If you have already documented your controls for SOC 2 or ISO 27001, you have already done a significant portion of the work required to answer a SIG. The problem is that most teams do not have those answers in a format that makes them easy to reuse. Your SOC 2 report lives in one place, your ISO 27001 Statement of Applicability in another, and your internal security policies in a wiki that may or may not be up to date.
The teams that complete SIGs quickly are the ones who have built a single source of truth: one centralised knowledge base where policies, control descriptions, and past questionnaire answers are all searchable and referenceable. When a SIG question asks about your encryption practices, you should be able to pull the answer from the same place whether it was originally written for SOC 2, ISO 27001, or a previous SIG.
A Repeatable SIG Response Process in 5 Steps
Completing a SIG does not have to be a scramble. Here is a repeatable process we use at ResponseHub - both internally when completing our own assessments and as the workflow we have built into the product for our customers.
Step 1: Scope and triage (30 minutes)
Before you answer a single question, scan the entire questionnaire and identify which domains are relevant to your product and engagement. Not every domain applies. If you do not operate physical data centres, the Physical and Environmental Security section may only need a brief “N/A - we use [cloud provider]” response with a link to their compliance page.
Step 2: Pull from your knowledge base (1 - 2 hours)
Match each question to existing answers from your centralised repository. If you have completed any previous SIG, SOC 2 questionnaire, or CAIQ (Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance), many answers will carry over directly. This is where having a searchable, structured knowledge base saves you days.
Step 3: Fill gaps with policy owners (2 - 4 hours)
For questions where you do not have an existing answer, route them to the person who owns that domain. Your application security questions go to your engineering lead. Your HR security questions go to your people operations lead. Give them the specific question and the context of what the buyer is looking for - not a link to a 300-row spreadsheet with a message that says “can you check rows 47 through 112?”
Step 4: Review and cite sources (1 - 2 hours)
Every answer should reference the specific policy, control, or document that supports it. Enterprise security teams are not just reading your answers. They are checking whether those answers are backed by documented, implemented controls. An answer like “We encrypt data at rest using AES-256 as documented in our Data Protection Policy, Section 3.2” carries far more weight than “Yes, we encrypt data.”
Step 5: Submit and archive (30 minutes)
Submit the completed SIG and immediately archive it in your knowledge base. Every completed SIG makes the next one faster. The answers you write today become the foundation for every future assessment.
Using this process, a well-prepared team can complete a SIG Lite in under an hour and a SIG Core in a single working day - not the 5 - 10 days it takes when you are starting from scratch every time.
Why SIG Completion Speed Is a Revenue Problem
Security questionnaires sit directly in the critical path of your sales cycle. When a buyer sends you a SIG, the deal does not move forward until you return it completed and your answers pass their review. Every day you spend assembling responses is a day the contract is not signed.
I know this because I lived it. When I was CTO of a VC-backed SaaS startup, we hit a stretch where SIGs and security questionnaires were arriving faster than we could turn them around. We had live deals waiting on completed assessments, and I was the one pulling answers together between sprint planning, investor updates, and actually building the product. That experience - the late nights, the frantic Slack messages, the copy-paste archaeology through old Google Docs - is exactly why I built ResponseHub.
In competitive deals where your prospect is evaluating multiple vendors simultaneously, the team that returns a thorough, well-cited SIG first has a material advantage. Procurement teams have timelines. If your competitor returns their SIG in three days and yours takes three weeks, you have handed them a head start that no demo or pricing discount can claw back.
The maths is straightforward. If your average contract value is £50,000 and a delayed SIG pushes the close date back by three weeks, that is three weeks of revenue you are not recognising. Multiply that across 10 - 15 SIGs per quarter and the impact on your annual numbers is not trivial.
This is particularly painful for smaller SaaS teams. You do not have a dedicated GRC team or a compliance analyst whose only job is answering questionnaires. It is your CTO, your head of engineering, or your VP of Sales pulling answers together between their actual responsibilities. The opportunity cost is enormous. Every hour spent on a SIG is an hour not spent closing deals, shipping product, or building your team.
Stop Treating SIGs as Fire Drills
The SIG questionnaire is not going away. As TPRM programmes mature and regulatory requirements tighten, the volume and complexity of these assessments will only increase. If anything, the trend is accelerating - more buyers are formalising their vendor risk processes, and the bar for what counts as an acceptable response keeps rising.
The good news is that the SIG’s standardised structure is actually an advantage if you build the right system around it. Because the domains are consistent and the questions map to known frameworks, every SIG you complete well makes the next one faster. Your knowledge base compounds. Your response times shrink. Your team stops losing weekends to spreadsheets.
The teams that treat SIG responses as a one-off fire drill will keep spending 5 - 10 days per questionnaire, every time. The teams that build a centralised, searchable knowledge base and a repeatable process will complete them in hours. Over a year, that gap adds up to weeks of recovered time and deals that close faster.
Start by centralising your existing policies and past questionnaire responses into a single source of truth. Map your answers to the SIG’s 19 domains. Build the muscle now, because the next SIG is already on its way.
Frequently Asked Questions
What is the difference between SIG Core and SIG Lite?
SIG Core contains 800+ detailed questions across 19 risk domains and is used for high-risk vendor assessments, particularly in regulated industries like financial services and healthcare. SIG Lite contains approximately 200 higher-level questions and is used for initial vendor screening or lower-risk engagements. Many organisations use SIG Lite as a first pass and escalate to SIG Core if the vendor’s responses warrant deeper scrutiny.
Who creates and maintains the SIG questionnaire?
The SIG is created and maintained by Shared Assessments, a member-driven organisation focused on third-party risk management. They update the SIG annually to reflect evolving threats, regulatory changes, and industry standards. The most recent versions include questions about AI governance and cloud-native architectures.
How long does it take to complete a SIG questionnaire?
Manually completing a SIG Core typically takes 5 - 10 business days for a team without a centralised knowledge base. SIG Lite takes 1 - 3 business days. Teams that maintain a structured repository of past responses, policies, and control documentation can complete a SIG Core in a single working day and a SIG Lite in under an hour.
Can I reuse answers from SOC 2 or ISO 27001 for a SIG?
Yes. The SIG explicitly maps to major compliance frameworks including SOC 2, ISO 27001, NIST CSF, PCI DSS, HIPAA, and GDPR. If you have already documented your controls for any of these frameworks, much of that work directly applies to SIG responses. The key is having those answers centralised and searchable so you can match them to SIG questions efficiently.
Is the SIG questionnaire free?
Access to the SIG questionnaire requires a Shared Assessments membership. Membership fees vary based on organisation size and type. However, as a vendor, you will typically receive the SIG directly from your prospect or customer as part of their procurement process, so you do not necessarily need your own membership to complete one.
How often is the SIG updated?
Shared Assessments updates the SIG annually. Each new version reflects changes in the threat landscape, regulatory environment, and industry best practices. The addition of the AI governance domain in recent versions is one example. If you are reusing answers from a previous SIG, check that your responses still align with the current year’s version and that no new domains or questions have been added that apply to your product.
Stop Losing Weeks to SIG Questionnaires
ResponseHub is built from the ground up to solve the exact problem this article describes: getting SIGs and security questionnaires done in hours, not days, with answers grounded in your actual policies and cited to the exact page and section.
Upload your policies, import your past questionnaire responses, and let AI draft accurate, referenced answers that your team reviews and approves. No more hunting through Google Drive. No more copy-paste archaeology. No more late nights before a deadline.
Get started in under 5 minutes - completely self-serve, free trial, no sales call needed.