**London**: In a world of escalating geopolitical and regulatory challenges, the updated Standard Information Gathering (SIG) Questionnaire emerges as a crucial instrument for organisations. This tool streamlines vendor assessments, ensuring compliance and reinforcing security measures in an increasingly complex business landscape.
In the current landscape marked by geopolitical tensions, supply-chain uncertainties, and rapid regulatory changes, the imperative for organisations to bolster their risk-management programs has never been greater. As these challenges intensify, risk managers must draw on a variety of tools to counter security threats while remaining compliant with evolving legal frameworks.
Key among these tools is the Standard Information Gathering (SIG) Questionnaire, a vital assessment instrument that allows organisations to evaluate the security, privacy, and compliance risks associated with third-party service providers and vendors. Originally developed by Shared Assessments, the SIG Questionnaire standardises the process of gathering critical information about vendors and their security practices. This innovation not only alleviates the workload of crafting custom questionnaires but also establishes a consistent framework for risk evaluation.
Numerous business leaders are already well-versed in leveraging the SIG Questionnaire. However, 2025 has brought significant updates that organisations must assimilate to stay resilient, secure, and in compliance within an increasingly complex vendor ecosystem.
The SIG Questionnaire plays an essential role in third-party risk management, facilitating a streamlined approach to vendor assessments. By using a standardised format, organisations can efficiently gather and analyse information regarding cybersecurity, data privacy, operational resilience, and regulatory compliance. The questionnaire aligns with widely used regulations and standards, including ISO 27001, NIST, GDPR, HIPAA, and SOC 2, thereby simplifying the sometimes cumbersome compliance process.
Organisations typically distribute the SIG Questionnaire to new vendors prior to onboarding, allowing them to assess their prospective partners’ security posture. The standardisation of the questionnaire benefits vendors, as they can complete it once and distribute it to several clients, conserving their resources. Following the collection of responses, risk-management teams can pinpoint gaps in security protocols and determine if additional audits or controls are necessary.
The efficacy of this system relies on its adaptability to changes over time. The 2025 updates to the SIG Questionnaire introduce important modifications aimed at reinforcing regulatory compliance and improving third-party risk governance. Notable enhancements include five new questions focused on response requirements and outsourced incident reporting, four questions addressing contingency planning, data governance, and resilience strategies, and three questions that respond to evolving threats.
Furthermore, users can expect improved functionality and expanded compliance mapping within the SIG 2025. The update maps directly to 31 reference documents, which include contemporary regulatory frameworks and standards. The new SIG integrates significant security frameworks such as:
- The E.U. Digital Operational Resilience Act (DORA), which fortifies the financial sector’s capacity to handle cyber threats. Control J.11 assesses whether an organisation has delegated incident reporting responsibilities, aligning with DORA Article 18.
- The E.U. Network and Information Security Directive 2 (NIS2), which mandates stricter supply-chain security measures and requires organisations to assess their third-party risk exposure. Controls C.11 and C.12 have been added to enhance information-sharing on cyber threats and security incidents.
- The NIST Cybersecurity Framework (CSF) 2.0, which strengthens governance functions and aligns cybersecurity practices with enterprise risk management goals.
Risk managers are advised to prepare for these significant updates by familiarising themselves with the new functionalities and exploring the enhanced features available through the SIG Manager to optimise the assessment process. Additionally, updating assessment templates to reflect the latest regulatory mappings and employing custom scoping will bolster the comprehensiveness and compliance of assessments.
Participation in training sessions and webinars provided by Shared Assessments will further equip risk teams to stay abreast of the changes and refine their best practices.
These updates to the SIG Questionnaire are monumental and highlight the dynamic nature of business risk management amidst a landscape of growing vendor relationships and diverse risks. As the demands placed on organisations evolve, effective vendor risk management covering multiple domains will be indispensable for navigating the complexities of security and business continuity challenges. The updated SIG Questionnaire remains a pivotal tool for organisations striving to meet these demands.
Source: Noah Wire Services