SIG · Standard Information Gathering
What is the SIG questionnaire? A 2026 guide for the vendor who just received one.
A customer — probably your biggest prospect this quarter — has sent you a spreadsheet called a SIG, and the deal is paused until it comes back. This guide explains what the SIG questionnaire is, why you received it, and how to answer it without burning weeks or signing up for commitments you can't keep.
What the SIG actually is
The SIG — Standard Information Gathering questionnaire — is a standardized third-party risk assessment maintained by Shared Assessments. Instead of every enterprise writing its own security questions, the SIG gives buyers a common question bank organized into risk domains: information security policy, access control, incident response, business continuity, cloud security, privacy, third-party management, and more.
When procurement says "please complete the attached SIG," they are asking you to document, in writing, how your company actually runs security. Your answers usually become part of the vendor file and are often incorporated into the contract's representations, so have someone with the authority to stand behind each claim read the final set before it goes back.
SIG Core vs SIG Lite
There are two main editions, and which one lands on your desk tells you how the buyer has classified you:
- SIG Lite — the condensed screening version. Used for lower-risk vendors, smaller engagements, or as a first pass. Still substantial, but answerable in days.
- SIG Core — the full assessment, several times longer, with deeper questions per domain. Typically reserved for vendors that touch sensitive data or critical processes.
Some buyers also cherry-pick SIG content into their own spreadsheet. If the row IDs look like SIG numbering but the file has your customer's logo on it, treat it as a SIG: your answer library (more on that below) will still apply. Keep the buyer's row IDs in your response so their reviewer can map your answers back to their question bank.
Why you received it
Someone on the buying side — security, procurement, or a GRC platform acting for them — flagged your product as a third-party risk. That is not an accusation; it's a process. The questionnaire is a gate in their purchase workflow, which means the deal does not move until it's returned. That asymmetry is why a document nobody budgeted time for becomes the most urgent thing on your desk.
What reviewers actually check
The person reading your answers is rarely impressed by volume. Experienced reviewers look for three things:
- Internal consistency. If you claim quarterly access reviews in one domain and mark identity governance "not applicable" in another, you have told them you didn't read your own answers.
- Evidence behind claims. Answers that cite a named policy, a tool, or a dated report read as real. Bare "Yes" answers read as hopeful.
- Honest gaps. A "No — compensating control X, roadmap Y" earns more trust than a "Yes" that collapses in the follow-up call. Reviewers expect gaps; they're testing whether you know yours.
How to answer it yourself
If you're doing it in-house, this sequence saves the most time:
- Triage before answering. Read every question once and tag it: know-it, need-to-ask, genuine-gap. The tag distribution tells you the real effort and who you need.
- Answer to what you do, not what you intend. Aspirations belong in a roadmap note, not in the answer cell.
- Cite as you go. Every "Yes" should name the policy, tool, or process behind it. This is also what makes answers reusable.
- Keep the library. Most of the next questionnaire — from any prospect — repeats this one. Teams that keep a cited answer library reuse 70–90% of the work next time.
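As an added illustration (not part of this guide, and not a Shared Assessments artifact), here is a small Python tool that applies the checklist above to a cited answer library: it flags bare "Yes" answers without evidence, aspirational wording sitting in the answer cell, and "No" answers with no compensating-control note, then estimates how much of a new questionnaire the library already covers. The Answer fields, the aspirational-wording pattern, the Jaccard matching and the 0.75 threshold are assumptions chosen for this example, and both the library and the incoming questions are constructed sample data, not real SIG content.

```python
"""Lint a cited answer library and estimate reuse against a new questionnaire.

Added example, not part of the guide or of any Shared Assessments material.
Assumed (hypothetical) schema: one Answer per question, with the answer cell,
the evidence behind it, and a gap note. Sample data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Answer:
    question: str
    answer: str         # the answer cell: "Yes", "No", "N/A" or short text
    evidence: str = ""  # named policy, tool or dated report behind the answer
    note: str = ""      # compensating control and roadmap, for a "No"


# Wording that signals an intention rather than a control that exists today
# (heuristic chosen for this example, not a SIG rule).
ASPIRATIONAL = re.compile(r"\b(will|plan(?:ning)? to|intend|roadmap|by q[1-4])\b", re.I)


def normalize(text: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace for matching."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())


def lint(library: list) -> dict:
    """Return {question: [problems]} for answers a reviewer would push back on."""
    issues = {}
    for a in library:
        problems = []
        cell = a.answer.strip().lower()
        if cell == "yes" and not a.evidence.strip():
            problems.append("bare Yes: cite the policy, tool or dated report")
        if ASPIRATIONAL.search(a.answer):
            problems.append("aspirational wording in the answer cell: move it to the note")
        if cell == "no" and not a.note.strip():
            problems.append("No without a compensating-control and roadmap note")
        if problems:
            issues[a.question] = problems
    return issues


def similarity(a: str, b: str) -> float:
    """Jaccard overlap of normalized token sets (crude, but buyers reword questions)."""
    ta, tb = set(normalize(a).split()), set(normalize(b).split())
    return len(ta & tb) / len(ta | tb) if (ta or tb) else 0.0


def triage(new_questions: list, library: list, threshold: float = 0.75) -> list:
    """Tag each incoming question 'know-it' with the reusable Answer, else 'need-to-ask'."""
    tagged = []
    for q in new_questions:
        best = max(library, key=lambda a: similarity(q, a.question), default=None)
        if best is not None and similarity(q, best.question) >= threshold:
            tagged.append((q, "know-it", best))
        else:
            tagged.append((q, "need-to-ask", None))
    return tagged


def reuse_rate(tagged: list) -> float:
    """Fraction of the new questionnaire already answerable from the library."""
    return sum(1 for _, tag, _ in tagged if tag == "know-it") / len(tagged)


# Constructed sample library from a previous questionnaire.
LIBRARY = [
    Answer("Is there a documented information security policy approved by management?",
           "Yes", "Information Security Policy v3.2, approved 2025-01-15"),
    Answer("Are user access rights reviewed periodically?",
           "Yes", "Quarterly access review, tickets in the IAM review queue"),
    Answer("Is multi-factor authentication enforced for all remote access?", "Yes"),
    Answer("Is there a tested business continuity plan?", "No"),
    Answer("Are production databases encrypted at rest?", "We will enable encryption by Q3"),
]

# Constructed questions from a new prospect: one exact repeat, two reworded, one new.
NEW_QUESTIONS = [
    "Is there a documented information security policy approved by management?",
    "Are user access rights reviewed periodically by management?",
    "Is multi-factor authentication enforced for remote access?",
    "Does the organization maintain a vulnerability management program?",
]

if __name__ == "__main__":
    for q, problems in lint(LIBRARY).items():
        print(f"FIX  {q}\n     - " + "\n     - ".join(problems))
    tagged = triage(NEW_QUESTIONS, LIBRARY)
    for q, tag, prior in tagged:
        print(f"{tag:12} {q}" + (f"  <- {prior.evidence or prior.answer}" if prior else ""))
    print(f"reuse: {reuse_rate(tagged):.0%}")
```

On the sample data the lint flags three of five library entries (the uncited MFA "Yes", the "No" with no note, and the "we will" answer), and three of four incoming questions match a prior cited answer, a 75% reuse estimate. Token overlap is deliberately simple; the point is that a library keyed on question text, with evidence stored beside every answer, is what makes the next questionnaire mostly a lookup rather than a rewrite. Tune the threshold to your own question bank, and treat every "know-it" match as a draft to re-read, not an answer to paste.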
When to hand it off
The honest math: a SIG consumes days of your most senior engineering attention at exactly the moment a deal needs it. If the questions are landing on someone who didn't build the controls — or if the deadline is measured in days — a specialist who answers questionnaires all week is faster and usually more defensible. ThinSky's Questionnaire Rescue reads your SIG and your actual posture in parallel, drafts truthful cited answers in about 3 days, and hands back the answer library you keep.
Common questions
What is the SIG questionnaire?
The SIG (Standard Information Gathering) questionnaire is a standardized vendor risk assessment published by Shared Assessments. Your customer's procurement or security team sends it to evaluate your security posture before — or while — signing a contract.
What is the difference between SIG Core and SIG Lite?
SIG Lite is the condensed version used for lower-risk vendors or early-stage screening. SIG Core is the full assessment, several times longer, covering domains like access control, incident response, business continuity, and third-party management in depth. Which one you receive depends on how much risk the buyer assigns to your service.
How long does it take to complete a SIG questionnaire?
Teams answering their first SIG typically spend days of focused senior-engineer time spread over several weeks, because the answers live in many heads. A specialist working from your documentation and a structured interview can return a defensible draft in about 3 days.
Can I outsource the SIG questionnaire?
Yes. A done-for-you service reads the questionnaire and your actual security posture in parallel, drafts truthful answers that cite your real controls, and flags gaps before you commit them to a contract. ThinSky does this for an introductory fixed price of $750.