Shared Assessment SIG Questionnaire – What’s New for 2023?

Download the PDF version of this article here.

Do you ever feel the burden of endless third-party questionnaires? 

Do they seem to be slightly different, yet similar at the same time? Do they seem to relate to various other frameworks that you follow and document, but they are not exactly the same? 

If you feel any of these frustrations, some of the changes made to the Shared Assessments 2023 Standardized Information Gathering (SIG) Questionnaire may provide you a little sigh of relief! 

For those that are not familiar, the SIG Questionnaire is a widely accepted tool that is used by many organizations as a part for their third-party risk management process, with the goal of a standardized questionnaire that can be used and relied upon in the industry.

As 2022 is quickly rolling to a close, we are seeing the beginning of releases for new templates and guidance for 2023. One of those new releases is the 2023 Shared Assessment Third-Party Risk Management Product Suite, which includes the updated SIG Questionnaire. 

The various changes and additions to the SIG Questionnaire for 2023 will ensure that organizations have adequate coverage of all key and emerging risks as well as streamline the process and provide enhanced mapping to additional existing frameworks to avoid duplication of efforts, where possible.

The changes to the 2023 SIG fall into three buckets:

  1. Clarity/Organization/Functionality – As the SIG Questionnaire is a very large, comprehensive tool, it requires frequent updates to ensure that it remains relevant, clear, concise, and user friendly.  Shared Assessments updated 1,600 control points, retired legacy questions, assigned “control category” and “control attribute” to all questions, improved visibility to content across domains, expanded content based on mapping reference documents, reorganized questions in each domain by topic and sequence for easier evaluation, as well as made functionality enhancements to the template.
  2. Risk Domain Updates – As emerging topics and trends fluctuate, Shared Assessments re-evaluates the Risk Domains within the SIG Questionnaire to ensure adequate coverage, while maintaining efficiency and alignment. This year, there were four updates to the Risk Domains. First, for greater visibility, a Risk Domain was added to migrate existing Environment, Social, and Governance (ESG) content form the Compliance and Operations Risk Domains into its own Risk Domain. Second, after the ESG questions were migrated to their own Risk Domain, the Compliance Risk Domain was renamed to Compliance Management. hird, the Security Policy and Organization Security Risk Domains were merged together to create Information Assurance. Lastly, the Fourth Party questions were moved into their own Risk Domain for greater visibility as this continues to be an area of focus for organizations and regulators.
  3. New Key Mappings – In efforts to allow the SIG Questionnaire to be widely used and cross-referenced to existing standards/guidelines, Shared Assessments completed four new key mappings and two special initiatives. The SIG Questionnaire was newly mapped to the following four standards: Federal Financial Institutions Examination Council (FFIEC) Outsourcing Technology Services guidance, the Federal Financial Institutions Examination Council (FFIEC) Architecture, Infrastructure, and Operations (AIO) guidance, the Federal Risk and Authorization Management Program (FedRAMP), and the North American Electric Reliability Corporation (NERC) Reliability Standards. Additionally, one of the special initiatives for the year was around ESG and expanding the depth of coverage of this topic. Finally, Shared Assessments has partnered with Secure Controls Framework (SCF) and will now be able to map directly to SCF’s comprehensive controls catalog and mappings using questions in the SIG Questionnaire. This collaboration expands the SIG Questionnaire library related to frameworks, laws, and regulations.

In addition to the SIG Questionnaire, Shared Assessments also offers the Standardized Control Assessment (SCA) Procedure and a Vendor Risk Management Maturity Model (VRMMM) that were also updated for 2023 as well. 

Although these tools are less widely used, they are great resources to help your organization depending on the stage that your third-party risk management program is currently in. 

Additional information regarding these tools can be found at www.sharedassessments.org/products/.

About Schneider Downs Third-Party Risk Management

Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management, and have the credentials necessary (CTPRP, CISA, CISSP, etc.) to achieve meaningful results to help your organization effectively achieve new vendor risk management heights. For more information or to get started contact us or visit us online at www.schneiderdowns.com/third-party-risk-management.

 

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
What are the OCC’s Key Areas of Focus for Fiscal Year 2024?
Dumb Money: An Honest Review of the Film Adaptation of the GameStop Short Squeeze
Deutsche Bank Fined $186 Million For Insufficient Anti-Money Laundering Controls
ESG and Internal Audit: Board and Audit Committee Considerations
ESG and Internal Audit
The Latest on the Department of Defense CMMC Certification Levels and Timeline
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×