What Is a SIG Questionnaire? A Complete Guide

Learn what a SIG questionnaire is, how SIG Core differs from SIG Lite, and how to complete 627 security questions faster in April 2026.
Author: Naren Manoharan
Date: April 13, 2026
Reading time: 10 min read

Your sales team just forwarded you the SIG security questionnaire, and everyone wants to know how long it'll take to get back to the buyer. The answer depends on whether it's SIG Core (627 questions) or SIG Lite (128 questions), but more importantly, it depends on how ready your documentation is right now. The SIG security questionnaire pulls from your SOC 2 report, security policies, incident response plans, and vendor management docs, which means you're coordinating across multiple teams to get accurate answers. The trick is knowing what it covers before it arrives, so you're not scrambling when a deal is waiting.

TLDR:

  • SIG questionnaires are 128-627 question vendor risk assessments sent by enterprise buyers
  • Completing SIG Core manually takes weeks due to cross-department coordination across 21 domains
  • 75% of vendors either skip or respond too late, directly stalling deal timelines

What Is a SIG Questionnaire?

The SIG questionnaire, short for Standardized Information Gathering, is a vendor risk assessment tool created by Shared Assessments. When an enterprise buyer wants to understand whether a vendor is secure enough to trust with their data, systems, or operations, they send the vendor a SIG.

It covers cybersecurity controls, data privacy, business continuity, and compliance. The goal is giving buyers a repeatable, structured way to assess third-party risk without reinventing the process from scratch every time.

For vendors, receiving a SIG means one thing: a lot of questions to answer before a deal can move forward.

Who Created the SIG Questionnaire and Why?

Shared Assessments was formed in 2005 by a coalition of five major banks, the Big Four consulting firms, and key industry vendors. The problem they were solving was straightforward: every organization was sending custom security questionnaires to vendors, and vendors were drowning in redundant requests covering the same ground in slightly different formats.

The SIG was their answer. One standardized framework vendors could complete once and share across multiple buyers. That "complete once, share many times" philosophy is what made it stick. Instead of every bank writing their own 200-question security review, they could all pull from the same structure, saving time on both sides of the assessment.

SIG Core vs. SIG Lite: Understanding the Differences

There are two versions, and which one lands in your inbox depends on how risky the buyer thinks you are.

SIG Core has 627 questions spanning all 21 risk domains. Buyers send it to vendors they consider high-risk: those handling sensitive data, running critical infrastructure, or sitting deep in their supply chain. It's the full picture.

SIG Lite cuts that down to 128 questions. It's used for lower-risk vendors or as a preliminary screen before deciding whether a full assessment is even warranted.

                        SIG Core            SIG Lite
Questions               627                 128
Risk domains covered    All 21              Subset
Typical use case        High-risk vendors   Lower-risk or preliminary
Completion time         Days to weeks       Hours to days

If you're a SaaS vendor touching customer data, expect SIG Core. If you're a peripheral tool with limited data access, SIG Lite is more likely.

The 21 Risk Domains Covered in SIG Questionnaires

SIG security questionnaires pull answers from nearly every corner of your organization. That's what makes them hard.

The 21 risk domains span:

  • Access control and identity management across your systems
  • Application security covering your development and deployment practices
  • AI governance policies for any AI-assisted processes
  • Asset and inventory management for hardware and software
  • Business continuity and disaster recovery planning
  • Cloud hosting services and shared responsibility models
  • Compliance management across applicable regulations
  • Cyber incident response procedures and timelines
  • Data privacy and protection controls
  • Encryption and key management practices
  • Environmental controls for physical infrastructure
  • Human resources security from hiring through offboarding
  • Information security policy documentation
  • Network security architecture and monitoring
  • Nth-party management for your vendors' vendors
  • Physical and environmental security at your facilities
  • Privacy compliance with regional and industry requirements
  • Resilience management and recovery objectives
  • Risk management frameworks and assessment cadences
  • Security operations and monitoring capabilities
  • Third-party management for your supplier relationships

No single team owns all of this. Your security team handles network controls. Engineering owns application security. Legal touches compliance and privacy. HR covers personnel policies. Answering SIG Core accurately means coordinating across all of them, tracking down documentation that may not exist in one place.

When Do Vendors Typically Receive SIG Questionnaires?

SIG security questionnaires don't arrive randomly. They show up at predictable points in the buyer-vendor relationship.

  • During vendor onboarding, before granting system access through OneTrust portals
  • As part of a formal RFP process, alongside pricing and technical requirements
  • Before contract signing, when legal and procurement want risk sign-off
  • During annual reassessments, when existing vendors go through regular review cycles
  • When regulatory pressure kicks in, and buyers need documented proof their supply chain is clean

Most of these are deal-gate moments. Your response speed directly affects whether a contract moves forward or stalls. A buyer waiting three weeks for your SIG answers is doing more than getting impatient. They're questioning your security posture before you've even made your case.

How to Prepare for a SIG Questionnaire

Preparation beats reaction. When a SIG arrives mid-deal, scrambling for documentation slows everything down. Get these in order before the questionnaire lands.

Here are the documents you should have ready:

  • SOC 2 Type II report, since it's your most-cited artifact and will be referenced across multiple SIG domains
  • ISO 27001 or similar certifications if applicable to your organization
  • Information security policy and acceptable use policy
  • Incident response plan with defined timelines
  • Business continuity and disaster recovery documentation
  • Data processing agreements and privacy notices
  • Vendor and third-party management policies
  • Penetration test results from the past 12 months

Beyond documents, map your internal owners early. Security covers controls and monitoring. Engineering owns application and cloud security. Legal handles compliance and privacy. HR owns personnel policies. Knowing who answers what before questions arrive is half the battle. A SIG left waiting on four different people to coordinate will stall every time.

Common Challenges When Completing SIG Questionnaires

SIG Core can take weeks to complete manually, and the bottlenecks are predictable.

The core problems:

  • Cross-department coordination stalls responses. Security, engineering, legal, and HR all own different domains, and no single person can answer the full questionnaire alone.
  • Answers drift over time. Policies change, but saved responses don't always keep pace, leaving teams to fix outdated language under deadline pressure.
  • Consistency breaks down across multiple SIGs sent by different buyers asking the same things in different formats, making it hard to reuse prior work cleanly.

The stakes are real. 84% of organizations use security questionnaires as their primary third-party risk method, yet up to 75% of vendors either skip them or respond too late. That gap costs deals.

How AI Questionnaire Automation Reduces SIG Completion Time

AI changes the math on SIG completion by flipping the workflow entirely. Instead of writing answers from scratch, it pulls from your existing documentation and auto-fills responses across every relevant question.

A few things that shift when AI handles the heavy lifting:

  • Answers get generated from your actual policies, reports, and prior responses, with source citations attached so reviewers can verify every claim
  • A self-updating knowledge base means your documentation stays current, so stale answers stop making it into new questionnaires
  • Repeated questions across different buyers get answered consistently, since the AI draws from the same source material every time

The time difference is real. What takes a security team two to three weeks of cross-department coordination can compress into hours of review work instead of drafting.

How Leading Companies Handle SIG Questionnaires at Scale

Companies processing hundreds of security questionnaires per year don't wing it. Amplitude manages over 550 questionnaires annually. That volume only works with systems behind it.

The patterns that scale:

  • A centralized knowledge base for all policies and answers, accessible to whoever needs it
  • Reusable answer libraries mapped to recurring question patterns across SIG, CAIQ, and custom formats
  • Clear domain ownership so questions route to the right person without back-and-forth
  • Automation handling the first draft, leaving humans to review instead of write

The shift from reactive to systematic is what separates teams that close deals on schedule from those chasing approvals for weeks.

Automating SIG Questionnaires with Wolfia

Wolfia auto-fills SIG questionnaires across formats by pulling directly from your existing documentation: Notion, Google Drive, Confluence, SOC 2 reports, and prior responses. Every generated answer includes a source citation, so your team reviews with confidence instead of guessing.

When source documents change, Wolfia updates accordingly. No manual reconciliation. No stale answers slipping through.

For portal-based submissions in OneTrust or ServiceNow, the Portal Agent fills those end-to-end too.

Final Thoughts on SIG Questionnaire Completion

The difference between teams that close deals on schedule and teams that don't often comes down to how they handle SIG questionnaires. You can keep coordinating manually across security, legal, engineering, and HR for every submission, or you can automate the first draft and save your team for the review work that actually matters. Book a quick demo to see how automation changes the timeline.

FAQ

What is a SIG questionnaire?

A SIG questionnaire is a standardized vendor risk assessment created by Shared Assessments that assesses your cybersecurity controls, data privacy, business continuity, and compliance across 21 risk domains. Enterprise buyers send it to verify you're secure enough to trust with their data before signing contracts.

SIG Core vs SIG Lite questionnaire: which one will I receive?

You'll get SIG Core (627 questions) if the buyer considers you high-risk because you handle sensitive data or run critical infrastructure. SIG Lite (128 questions) goes to lower-risk vendors or serves as a preliminary screen before the buyer decides whether a full assessment is needed.

Can I complete a SIG questionnaire without coordinating across multiple teams?

No, and that's the main bottleneck. Security owns controls and monitoring, engineering handles application security, legal covers compliance and privacy, and HR manages personnel policies. SIG Core spans all 21 risk domains, so no single person can answer the full questionnaire accurately alone.

How long does it take to complete a SIG questionnaire manually?

Two to three weeks for SIG Core when coordinating across departments and drafting answers from scratch. With AI automation pulling from your existing documentation, that compresses to hours of review work instead of weeks of writing.

Where can I download the SIG questionnaire template for free?

Shared Assessments members can access the official SIG questionnaire Excel and PDF templates through their portal. If you're a vendor receiving a SIG, the buyer typically sends you the questionnaire directly instead of expecting you to download it yourself.
