June 8, 2020
Improving Your Vendor Risk Program: Should I Use The SIG Questionnaire?
I talk to a lot of people about their vendor risk programs, and since the process is so maddeningly difficult, people usually want to know what simple things they can do to improve. There are a number of things you can do, but I believe adopting the SIG is generally the single most important step a team can take to improve its program.
What Is The SIG?
The SIG stands for Standardized Information Gathering. It is an information security questionnaire created with the intent of moving away from the individually customized questionnaires that exist across various organizations and companies. The SIG questionnaire is maintained by the organization Shared Assessments.
The value of the SIG is apparent, whether you are assessing your vendors or responding to customers.
1. Maintaining The Right Question Set: When you want to create your own security question set, it can be extremely difficult to know where to start, much less which questions to include. The SIG uses a question set that is deliberated over by many individuals across various industry sectors, and they try to map the questions to all the leading cybersecurity frameworks. In addition, the question set is updated annually, which is a further challenge for someone maintaining a questionnaire at their own organization.
2. Increased Vendor Response: Many vendors will rank customer security assessments as the number one cause of pain in their ENTIRE business. Is it because they don't have good security? On the contrary: the sheer variation in the questionnaires they receive is a huge part of the problem. Many vendors, however, have at one point filled out a SIG and are more than happy to reuse that questionnaire to speed up their sales process. In fact, they can use the SIG repeatedly and improve their answers over time. Vendors should love the SIG and offer to share it with their customers whenever they undergo an information security review.
3. The SIG Is Recognized By Regulators And Auditors: When a company has its vendor risk program reviewed by a regulator or auditor, it will want as many markers of a well-run program as possible. The SIG questionnaire is recognized as a leading, authoritative questionnaire that meets the requirements of many leading security frameworks.
4. The SIG Ecosystem: With any modern product or tool, a strong ecosystem adds enormous value to how you use that tool. Around the SIG there is a very healthy number of technology applications, service firms, online content, and education offerings, all centered on the SIG questionnaire. Once you have chosen to adopt the SIG, you can take advantage of this ecosystem.