Due Diligence and Ongoing Monitoring

 View Only
  • 1.  SIG Questionnaire

    Posted 07-20-2022 09:14 AM
    Hi Does anyone have a blank SIG questionnaire? I know normally a vendor provides their own but I was curious if anyone had developed their own. Thank you!

  • 2.  RE: SIG Questionnaire

    Posted 08-24-2022 08:29 AM
    The SIG was developed out of BITS many years ago; and it broke out as it's own business called Shared Assessments (its parent being the Santa Fe Group); which was subsequently acquired by One Trust in May 2021. So the Standardized Information Gathering Questionnaire (the SIG) is considered the Intellectual Property of One Trust. And as such, they charge a fee to have a copy of the SIG. It is a Self Assessment of Security Controls. 

    That said, the risk assessment boilerplate in most TPRM platforms is based on the SIG or the SIG Lite. 

    Think about your Risk categories; and work with Subject Matter Experts (SMEs) to develop the questions for the Vendors/ThirdParties.
    In some engagements, the SME may want to see specific Controls; so have some flexibility in our Control Assessment process (tools and work flows don't always work; one size does not fit all).

    The more difficult questionnaire is how you discover risk. The internal Questionnaire is the more difficult. You don't want to ask Business Units to complete an Initial Risk Questionnaire that's 100s of questions... and asking only 10 or 12 won't get you far either. More than 30 and less than 50 is about where we should be.  The challenge is, the TPRM platforms fail us when conditional responses or branching logic isn't available. and when you can't set multiples choices... We are living in a binary world of risk assessments when we only have Yes or No or Low,Med,High.

    Hopefully they will get smarter... :-) 

    Bradley Martin