SIG Questionnaire Guide: SIG Lite vs SIG Full

The Standardized Information Gathering (SIG) questionnaire is the industry standard for third-party risk assessments. Learn the 18 risk domains, how to prepare, and how to map your CDA scan data to SIG responses.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Understanding SIG: the industry standard for vendor risk assessment

The Standardized Information Gathering (SIG) questionnaire, published by Shared Assessments, is one of the most widely adopted tools for third-party risk assessment. It provides a standardized framework for organizations to evaluate the cybersecurity, privacy, and operational resilience of their vendors and service providers. If you do business with financial services firms, healthcare organizations, or large enterprises, you will almost certainly encounter a SIG questionnaire.

SIG comes in two versions: SIG Lite and SIG Full. SIG Lite is a streamlined assessment containing approximately 200 questions designed for lower-risk vendor relationships or as an initial screening tool. It covers the same 18 risk domains as SIG Full but at a higher level, focusing on whether controls exist rather than how they are implemented. SIG Full is the comprehensive assessment, containing over 800 questions with deep-dive inquiries into control implementation details, evidence requirements, and maturity levels. SIG Full is typically reserved for vendors classified as high-risk — those with access to sensitive data, critical system integrations, or significant operational dependencies.

The SIG questionnaire is updated annually to reflect the evolving threat landscape and regulatory requirements. The current version aligns with major compliance frameworks including NIST CSF, ISO 27001, SOC 2 Trust Services Criteria, PCI DSS, HIPAA, and GDPR. This cross-framework mapping is one of SIG's greatest strengths — a single SIG completion can satisfy multiple client assessments because assessors can map your SIG responses to their preferred framework. Understanding which version you are expected to complete and preparing your documentation accordingly is critical to a successful assessment.

The 18 SIG risk domains explained

The SIG questionnaire organizes its questions across 18 risk domains, each covering a distinct area of organizational risk. Familiarity with these domains is essential for preparation.

Enterprise Risk Management: your overall risk governance, risk appetite statements, and risk assessment methodologies.
Security Policy: your written information security policies, review cadence, and executive sponsorship.
Organizational Security: roles and responsibilities, including whether you have a designated CISO or security leader.
Asset and Information Management: data classification, asset inventory, and data lifecycle management.
Human Resource Security: background checks, security awareness training, and employee onboarding/offboarding procedures.
Physical and Environmental Security: facility access controls, visitor management, and environmental protections.
IT Operations Management: change management, capacity planning, and operational procedures.
Access Control: one of the most scrutinized domains, covering authentication mechanisms, MFA enforcement, privileged access management, and access review processes.
Application Security: your software development lifecycle (SDLC), code review practices, and application vulnerability management.
Cybersecurity Incident Management: your incident response plan, breach notification procedures, and forensic capabilities.
Operational Resilience: business continuity planning, disaster recovery, and backup procedures.
Compliance and Operational Risk: regulatory compliance, audit programs, and legal requirements.

The remaining domains cover Endpoint Device Security, Network Security, Privacy, Threat Management, Server Security, and Cloud Hosting Services.

For each domain, Cyber Defense Agent's scan data provides verifiable evidence. Your DNS security, email authentication, TLS configuration, and vulnerability scan results map directly to multiple SIG domains, giving you concrete technical evidence to support your written responses. CDA's framework mapping feature shows exactly which SIG domains your scan data supports.

Common SIG failures and how to avoid them

Organizations fail SIG assessments for predictable, avoidable reasons. Understanding these common pitfalls lets you prepare proactively and present a strong security posture.

The most common failure is incomplete or vague responses. SIG assessors are trained professionals who can immediately spot generic, copy-pasted answers that do not address the specific question. Every response should directly answer what is asked, reference your specific policies or controls, and provide evidence where requested. If a question asks about your access review process, do not write "we review access regularly." Instead, write "we conduct quarterly access reviews using Azure AD access reviews, with manager attestation required for all privileged accounts, last completed March 2026."

Lack of supporting documentation is the second major failure. SIG questions frequently require evidence attachments — your information security policy, network diagram, incident response plan, penetration test summary, or compliance certifications. Have these documents prepared, current, and in shareable format before you begin. Expired documents, missing policies, and draft-status documents signal immaturity.

Control gaps without compensating controls are the third failure mode. Assessors understand that not every organization has enterprise-grade controls. What they look for is awareness of gaps and credible compensating measures. If you do not have a dedicated SOC, explain your managed detection and response arrangement. If you lack formal penetration testing, reference your continuous vulnerability scanning through Cyber Defense Agent and your remediation tracking process.

Failing to demonstrate continuous improvement is increasingly a fourth failure area. Modern SIG assessments evaluate maturity, not just existence of controls. Maintain a record of security investments, control improvements, and remediation efforts over time. Cyber Defense Agent's historical scan data provides a verifiable timeline of your security posture improvements, which is powerful evidence of a maturing security program.

Key Takeaways

SIG is the industry standard for third-party risk assessment, covering 18 risk domains across cybersecurity, privacy, and operational resilience.

SIG Lite (~200 questions) is for lower-risk assessments; SIG Full (~800+ questions) is for vendors with access to sensitive data or critical systems.

Cross-framework mapping means a single SIG completion can satisfy assessments based on NIST CSF, ISO 27001, SOC 2, and other frameworks.

Specific, evidence-backed responses are essential — generic answers are the top reason for SIG failures.

CDA scan data maps directly to multiple SIG domains, providing verifiable technical evidence for access control, network security, and compliance.

Frequently asked questions

How do I know whether to prepare for SIG Lite or SIG Full?

Your client will specify which version they require, typically based on their vendor tiering process. Vendors classified as high-risk (access to sensitive data, system integrations, or critical dependencies) receive SIG Full. Lower-risk vendors receive SIG Lite. If you are unsure, ask your client contact or their third-party risk management team. Preparing for SIG Full ensures you are ready for either version, since the SIG Lite questions are a subset of SIG Full and both cover the same 18 domains.

How often do we need to complete SIG questionnaires?

Most organizations require annual SIG reassessment for active vendors. Some high-risk relationships require semi-annual updates or event-triggered reassessments after significant security incidents or organizational changes. The SIG questionnaire itself is updated annually by Shared Assessments, so expect some questions to change year over year. Maintaining a current response library significantly reduces the effort for annual renewals.

Can CDA scan data replace parts of the SIG assessment?

CDA scan data does not replace the SIG assessment, but it provides verifiable technical evidence that strengthens your responses across multiple domains including Network Security, Access Control, Cybersecurity Incident Management, and Compliance. Attaching your CDA report demonstrates that your security posture claims are backed by independent, continuous scanning rather than self-attestation alone. Many assessors view third-party scan evidence as more reliable than self-reported answers.