SIG (Standardised Information Gathering)
Definition
A vendor security questionnaire published by Shared Assessments. The SIG Core covers eighteen risk domains, including access control, data security, and business continuity. The SIG Lite is a condensed subset of the same questions intended for lower-risk suppliers or for initial screening. Both versions are mapped to frameworks such as ISO 27001, the NIST CSF, and PCI DSS, and because every vendor answers the same standardised question set, responses can be compared across vendors and reused across assessments.
Related terms
- Audit rights clause
- A contractual provision giving the buying organisation the right to assess, inspect, or commission a third-party audit of the vendor's security controls....
- CAIQ (Consensus Assessments Initiative Questionnaire)
- A questionnaire published by the Cloud Security Alliance, designed specifically for cloud service providers. It maps to the CSA Cloud Controls Matrix...
- Fourth-party risk
- The risk arising from a vendor's own subcontractors and suppliers. If a critical vendor outsources key processes to a subcontractor, the organisation's...
- Inherent risk
- The level of risk a vendor relationship carries before any controls are applied. Inherent risk determines how deep an assessment must be:...
- SOC 2 Type II report
- An independent audit report on a service organisation's controls related to security, availability, processing integrity, confidentiality, and privacy. Type II reports cover...
Explained in
- Vendor Security Questionnaires and Assessments