RSystems

The SIG Lite Questionnaire

What enterprise customers are asking and how to respond accurately.

What the SIG Lite Is

The Standardized Information Gathering (SIG) questionnaire is a security assessment tool developed by the Shared Assessments Program. The SIG Lite is the abbreviated version — typically 140–200 questions — used by enterprise customers, financial institutions, and regulated organizations to assess the security posture of vendors and service providers.

If you serve enterprise clients, you will receive a SIG Lite.

The 17 Sections

The questionnaire is organized into content areas labeled A through U (not all letters are used):

A — Risk Assessment and Treatment: Risk management program, vendor oversight, subcontractor access, privacy risk assessments, compliance risk management.

B — Security Policy: Information security policy existence, management approval, review cadence.

C — Organizational Security: Information security function and ownership.

D — Asset and Information Management: Asset management policy, data classification, removable media, encryption, data segmentation, retention programs.

E — Human Resource Security: HR policy, background screening, employment agreements, security awareness training, termination process.

F — Physical and Environmental Security: Physical security program, data center and office controls, visitor management.

G — Operations Management: Change management, backup procedures, cloud service models provided, maintenance windows, incident status communication.

H — Access Control: Individual user IDs, password policy, remote access, MFA, federated identity (SAML/OIDC), access to client data.

I — Application Security: Web application controls, HTTPS enforcement, patch management, log protection, software development lifecycle.

J — Incident Event and Communications Management: Incident response program, breach notification procedures, communication methods.

K — Business Resiliency: Business continuity and disaster recovery planning, RTO/RPO, testing cadence.

L — Compliance: Regulatory compliance frameworks, audit history, certifications (SOC 2, ISO 27001, PCI, HIPAA).

M — End User Device Security: Endpoint protection, MDM/device management, encryption on endpoints.

N — Network Security: Network segmentation, perimeter controls, wireless security, monitoring.

P — Privacy: Privacy program, data subject rights, consent management, cross-border transfer controls.

T — Threat Management: Threat intelligence, vulnerability scanning, penetration testing, red team exercises.

U — Server Security: OS hardening, patch management on servers, privileged access controls.

How to Approach It

The SIG Lite is not a test you pass or fail. It's a baseline assessment that helps the requesting organization understand your risk profile. Overstating controls creates liability — if you represent controls you don't have and subsequently experience a breach, that representation becomes part of the incident.

Honest answers, with context where it helps, are better than inflated answers. "No, we don't have a formal written risk management program, but our risk discussions happen at the leadership level quarterly and are documented in board minutes" is a better answer than "Yes" when the honest answer is "No."

Common Problem Areas

Areas where organizations most often struggle:

Written security policies: controls that exist informally but aren't documented.

Formal risk management: many SMBs manage risk through experience and judgment rather than structured programs.

Vendor management: how do you assess the security posture of your own vendors?

DR/BCP documentation: backup procedures that haven't been formally documented or tested.

Encryption specifics: what algorithm, what key length, for what data — questions that require knowing the technical details of your own implementations.

Preparing Before You Receive One

Organizations that respond efficiently have already built their documentation library:

  1. Information Security Policy
  2. Access Control Policy
  3. Data Classification and Handling Policy
  4. Incident Response Plan
  5. Business Continuity / DR documentation
  6. Vendor Management Policy
  7. Patch Management Policy

If you don't have these, the SIG Lite is a forcing function to build them — which is actually the right outcome.