What Risk Managers Need to Know About SIG 2025

By Alastair Parr, Executive Director, GRC Services, Mitratech

During geopolitical tensions, supply-chain uncertainties, and fast-moving regulatory changes, organizations accelerate their risk-management programs, especially when mitigating risks inherent in business relationships with other organizations.

With so many challenges and headwinds to face, risk managers are increasingly pressed to use every tool in their toolkits to stay ahead of security threats while remaining within the bounds of the law.

Among their most valuable tools is the Standard Information Gathering (SIG) Questionnaire, a widely used assessment that helps organizations evaluate the security, privacy, and compliance risks of their third-party service providers and vendors. The SIG questionnaire, which Shared Assessments developed, standardizes the process of gathering mission-critical information about vendors and their security protocols, sparing organizations the effort of creating custom questionnaires for each assessment.

Many business leaders have become adept at using the SIG Questionnaire, but this year, it has been updated in ways that every organization should know.

The updates found in SIG 2025 reflect a shift toward stricter regulatory compliance and third-party risk governance.

Organizations that adapt to these changes early will become more resilient, secure, and compliant in an increasingly complex vendor landscape.

The Role of SIG in Third-Party Risk Management

Tailor-making risk profiles for every service provider and vendor on the roster would consume more time and resources than most organizations have. This is why the SIG Questionnaire was developed. Its advantages include:

  • Standardization via a consistent framework for evaluating vendors, making risk assessments comprehensive and comparable.
  • Better efficiency by reducing the workload for both organizations and vendors by eliminating redundancies and streamlining the risk assessment process.
  • Comprehensive analysis, addressing cybersecurity, data privacy, operational resilience, regulatory compliance, and business continuity.
  • Alignment with standards and regulations including ISO 27001, NIST, GDPR, HIPAA, SOC 2, and others, which simplifies complex compliance requirements.

Before onboarding a new vendor, organizations send the SIG questionnaire to them to get a sense of their security posture. Vendors and service providers also enjoy the benefits of standardization, as they can complete the questionnaire once and share it with multiple clients, saving time and effort.

Risk-management teams then analyze the responses to find gaps and determine whether additional controls or audits will be needed before onboarding the provider.

While the system works well, it also changes over time. This year brings important updates to the SIG Questionnaire, and understanding them is crucial to making third-party risk-management programs as effective as they can be.

Understanding the Changes

The 2025 SIG update includes new questions, expanded content mappings, and enhanced regulatory alignment. While no new risk domains have been added, there are other significant changes, including:

  • Five new questions on response requirements and outsourced incident reporting.
  • Four new questions assessing contingency planning, data governance, and resilience strategies.
  • Three new questions that address evolving threats.

Users can also expect improved functionality and expanded compliance mapping. The latter deserves a closer look.

Mapping Compliance

The 2025 SIG directly maps to 31 reference documents, including new standards and regulations. This streamlines regulatory compliance and saves time.

SIG 2025 incorporates three key regulatory frameworks, along with new controls for risk teams, to align with global cybersecurity and risk management trends:

  • E.U. Digital Operational Resilience Act (DORA), which strengthens the financial sector’s ability to withstand cyber threats and operational disruptions. SIG 2025 includes control J.11, which evaluates whether an organization has outsourced its incident reporting responsibilities, aligning with DORA Article 18.
  • E.U. Network and Information Security Directive 2 (NIS2), which mandates stricter security measures for supply chain security, requiring organizations to assess third-party risk exposure. SIG 2025 controls C.11 and C.12 were added to address Article 29, emphasizing information-sharing about cyber threats, vulnerabilities, and security incidents.
  • NIST Cybersecurity Framework (CSF) 2.0, which strengthens governance functions and aligns cybersecurity practices with enterprise risk management. SIG 2025 now incorporates NIST CSF principles to improve third-party cybersecurity governance and risk visibility.

As organizations surely realize, the updates to the SIG Questionnaire are substantial. So, how should risk managers best prepare for them?

Ready for the Future

To effectively integrate the important updates to SIG, which will save organizations time and reduce the risk of falling out of compliance, risk teams should get familiar with the new functionalities and explore the enhanced features of the SIG Manager to streamline the assessment process. They should also update assessment templates to incorporate the latest regulatory mappings and use custom scoping to ensure assessments are comprehensive and compliant.

Risk teams should also attend webinars and other training sessions offered by Shared Assessments to stay current on the latest changes and best practices.

By proactively adapting to these enhancements, risk teams will strengthen their third-party risk management programs and maintain compliance with evolving standards.

The gradual evolution of SIG is a reflection of the world that businesses find themselves in today. Geopolitics continues to affect commerce and supply chains. Regulations safeguarding privacy and security continue to proliferate.

At the same time, organizations find they need to do business with an ever-growing roster of vendors and service providers, all of whom bring their own unique risks to the table.

Broader vendor risk management covering multiple risk domains is crucial as security and business continuity challenges continue to multiply. Risk teams need every possible tool at their disposal, and the updated SIG Questionnaire is among the most valuable.
