SaaSFort Why Enterprise Buyers Send SIG Questionnaires
When an enterprise procurement team evaluates your SaaS product, the Standardized Information Gathering (SIG) questionnaire from Shared Assessments is one of the most common assessments you’ll face. Unlike ad-hoc security questionnaires, the SIG follows a structured format with standardized risk domains — making it both predictable and demanding.
The SIG serves two purposes for buyers:
- Risk classification — Categorize your product’s risk level before onboarding
- Due diligence documentation — Create an auditable record of vendor security posture
For SaaS vendors selling into financial services, healthcare, or Fortune 500 companies, receiving a SIG is not a question of “if” but “when.” If you are new to security questionnaires, the SIG is among the most structured and demanding formats you will encounter.
SIG Core vs SIG Lite: Which One Will You Receive?
The Shared Assessments program offers two primary questionnaire versions. Understanding the difference shapes your preparation strategy.
| Feature | SIG Lite | SIG Core |
|---|---|---|
| Questions | ~126 | ~855 |
| Risk domains | 19 (high-level) | 19 (detailed) |
| Typical use | Low-to-medium risk vendors | High-risk / data-sensitive vendors |
| Time to complete | 2–5 days | 2–4 weeks |
| When you’ll see it | Initial screening, non-sensitive data access | Full onboarding, PII/financial data access |
| Evidence required | Policies and attestations | Policies, procedures, technical evidence, screenshots |
SaaSFort Tip: If a buyer sends you SIG Lite, treat it as a gateway. A strong Lite response can prevent escalation to SIG Core — saving you weeks of effort.
When Buyers Escalate to SIG Core
Escalation triggers include:
- Your product handles PII, PHI, or financial data
- You integrate with the buyer’s internal systems (SSO, APIs, data feeds)
- Your initial SIG Lite responses reveal gaps or inconsistencies
- Regulatory requirements mandate comprehensive assessment (PCI DSS, HIPAA, SOX)
The 19 SIG Risk Domains — What Each Covers
Every SIG questionnaire — Lite or Core — is organized around 19 risk domains. Here’s what each one examines and where SaaS vendors commonly struggle.
Domain-by-Domain Breakdown
| # | Domain | What It Covers | Common SaaS Gaps |
|---|---|---|---|
| 1 | Enterprise Risk Management | Risk governance, risk appetite, board oversight | No documented risk register |
| 2 | Security Policy | Written security policies, review cadence | Policies exist but haven’t been reviewed in 12+ months |
| 3 | Organizational Security | Security team structure, CISO/DPO role | No dedicated security role below 100 employees |
| 4 | Asset Management | Asset inventory, classification, ownership | Shadow IT, untracked cloud services |
| 5 | Human Resources Security | Background checks, security training, termination | No annual security awareness training |
| 6 | Physical & Environmental | Data center security, environmental controls | Relying on cloud provider (AWS/GCP) without documenting shared responsibility |
| 7 | IT Operations Management | Change management, capacity, logging | No formal change management process |
| 8 | Access Control | IAM policies, MFA, privileged access management | No MFA on admin accounts, shared credentials |
| 9 | Application Security | SDLC, code review, vulnerability management | No documented SDLC, no regular pen testing |
| 10 | Cybersecurity Incident Management | IR plan, notification procedures, tabletop exercises | IR plan exists but never tested |
| 11 | Operational Resilience | BCP/DR plans, RTO/RPO, backup testing | RTO/RPO undefined, backups not tested |
| 12 | Compliance & Legal | Regulatory mapping, audit history, certifications | No SOC2 or ISO 27001, no NIS2 compliance mapping |
| 13 | End User Device Management | Endpoint security, MDM, BYOD policy | No MDM solution, BYOD without controls |
| 14 | Network Security | Segmentation, firewall rules, IDS/IPS | Flat network architecture |
| 15 | Privacy | GDPR/CCPA compliance, DPA, data processing records | No ROPA (Record of Processing Activities) |
| 16 | Threat Management | Threat intelligence, vulnerability scanning | No continuous scanning program |
| 17 | Server Security | Hardening standards, patching cadence | No documented hardening baseline |
| 18 | Cloud Hosting & Shared Responsibility | CSP agreements, shared responsibility documentation | Cannot articulate shared responsibility model |
| 19 | Supply Chain Risk Management | Fourth-party risk, subprocessor inventory | No subprocessor inventory or notification process |
5-Step Response Strategy
Step 1: Triage and Scope
Before answering a single question:
- Identify which version you received (Lite vs Core)
- Map which domains are marked as “in scope” — buyers often exclude irrelevant domains
- Note the deadline and contact for clarification questions
- Check if the buyer accepts references to existing certifications (SOC2 report, ISO 27001 certificate) instead of full answers
Step 2: Gather Your Evidence Library
Build a reusable evidence library that maps to SIG domains:
- Policies — Information security policy, acceptable use, data classification, incident response
- Technical evidence — Scan reports (generate a free security report), pen test summaries, architecture diagrams
- Certifications — SOC2 Type II report, ISO 27001 certificate, privacy certifications
- Process documentation — SDLC description, change management process, BCP/DR plans
- Compliance records — GDPR ROPA, DPA template, subprocessor list
SaaSFort Tip: A well-organized evidence library can cut SIG completion time by 60%. Store everything in a shared drive with consistent naming:
[Domain#]-[DocumentType]-[Date].pdf
Step 3: Answer with the STAR Format
For each SIG question, structure your response using STAR:
- Situation — Acknowledge the risk area
- Task — State your policy or control objective
- Action — Describe what you specifically do
- Result — Provide evidence or metrics
Example for Domain 8 (Access Control):
“All production systems require MFA via Okta SSO. Privileged access follows just-in-time provisioning with 4-hour expiry. Access reviews are conducted quarterly — last review completed January 2026 with 100% coverage. Evidence: Okta access report, quarterly review log.”
Step 4: Address Gaps Honestly
Every SaaS vendor has gaps. How you handle them determines whether the buyer proceeds or walks away.
| Gap Response | Buyer Reaction |
|---|---|
| Ignore the question or leave blank | Immediate red flag — often deal-ending |
| Answer “N/A” without explanation | Suggests you don’t understand the risk |
| Acknowledge gap + provide remediation timeline | Professional, shows maturity |
| Acknowledge gap + show compensating control | Strong — demonstrates risk awareness |
Template for gap responses:
“[Control] is not currently implemented. Compensating control: [alternative measure]. Remediation plan: [specific action] by [date]. Risk owner: [name/role].”
Step 5: Internal Review Before Submission
Before sending your SIG response:
- Cross-check answers against your SOC2/ISO 27001 report (if you have one) for consistency
- Have a second person review for accuracy and completeness
- Verify all referenced evidence documents are attached or accessible
- Check that dates, versions, and names are current (not from last year’s response)
- Ensure gap responses include remediation timelines
SIG vs Other Security Questionnaires
SaaS vendors often receive multiple questionnaire formats. Here’s how SIG compares:
| Questionnaire | Owner | Questions | Focus | Best For |
|---|---|---|---|---|
| SIG Core | Shared Assessments | ~855 | Comprehensive risk | Financial services, high-risk vendors |
| SIG Lite | Shared Assessments | ~126 | High-level screening | Initial assessments, low-risk vendors |
| CAIQ v4 | Cloud Security Alliance | ~260 | Cloud-specific controls | Cloud/SaaS vendors, CSA STAR |
| HECVAT | EDUCAUSE | ~200 | Higher education | EdTech vendors |
| VSA/VRAQ | Various | 50–300 | Custom buyer requirements | Ad-hoc enterprise assessments |
| DDQ | Custom | Varies | Due diligence (M&A, partnerships) | Investment and partnership evaluation |
Key insight: A strong SIG response library gives you 70–80% coverage for most other security questionnaires. The SIG’s 19 domains map cleanly to ISO 27001 Annex A, NIST CSF, and SOC2 Trust Services Criteria.
Common Mistakes That Kill SIG Responses
1. Copy-Pasting Generic Answers
Enterprise buyers review hundreds of SIG responses. They recognize generic, templated answers immediately. Tailor each response to your actual environment.
2. Confusing “We Plan To” with “We Do”
SIG questions ask about current state. If you don’t have a control in place, don’t describe it as if you do. Use the gap response template above instead.
3. Ignoring the Shared Responsibility Model
For Domain 18 (Cloud Hosting), many SaaS vendors answer “AWS handles that” without documenting their side of shared responsibility. Buyers need to see that you understand what AWS manages vs what you manage.
4. Not Versioning Your Responses
When a buyer renews their assessment next year, they’ll compare your new SIG response against last year’s. Inconsistencies erode trust. Version your responses and track changes.
5. Treating SIG as a One-Time Exercise
The most successful SaaS vendors maintain a living SIG response document that gets updated quarterly — not rebuilt from scratch every time a buyer asks.
Automating SIG Evidence with SaaSFort
Manual SIG completion is a time sink. Here’s how SaaSFort accelerates the process:
| SIG Domain | Manual Approach | SaaSFort Approach |
|---|---|---|
| Application Security (D9) | Run one-off pen test, wait 4–8 weeks | Continuous OWASP scanning, always-current report |
| Threat Management (D16) | Hire external scanner annually | Automated vulnerability scanning across 13 categories |
| Network Security (D14) | Manual firewall review | SSL/TLS, DNS security, header analysis on every scan |
| Cloud Hosting (D18) | Write shared responsibility narrative | Auto-generated security posture report with evidence |
| Cybersecurity Incident (D10) | Reference outdated pen test | Deal Report with current findings and remediation status |
With SaaSFort, Domains 9, 14, 16, and 18 are covered by continuous scanning data. Your Deal Report serves as always-current evidence that can be attached directly to your SIG response.
From Weeks to Hours
A typical SIG completion timeline:
- Without automation: 2–4 weeks (SIG Core), 2–5 days (SIG Lite)
- With SaaSFort + evidence library: 3–5 days (SIG Core), 4–8 hours (SIG Lite)
For a broader look at how questionnaire automation reduces response times across all assessment formats, see our automation guide. Teams with ISO 27001 certification find that their existing evidence maps directly to most SIG domains.
30-Day SIG Readiness Plan
| Week | Actions |
|---|---|
| Week 1 | Inventory existing policies and documentation. Run initial SaaSFort scan to establish security baseline. Identify which of the 19 domains you can answer today. |
| Week 2 | Draft missing policies (IR plan, access control, data classification). Set up continuous scanning schedule. Create evidence library folder structure. |
| Week 3 | Complete gap analysis across all 19 domains. Write gap responses with remediation timelines. Conduct internal tabletop exercise for incident response. |
| Week 4 | Build reusable SIG Lite response template. Pre-populate answers for all 19 domains. Conduct dry-run review with a colleague acting as the buyer. |
Key Takeaways
- The SIG questionnaire covers 19 risk domains — prepare evidence for each before a buyer asks
- SIG Lite (~126 questions) is your gateway; a strong response prevents escalation to SIG Core (~855 questions)
- Build a reusable evidence library that cuts completion time by 60%
- Address gaps honestly with compensating controls and remediation timelines
- Automate application security evidence with continuous scanning to keep Domains 9, 14, 16, and 18 always current
- A single well-maintained SIG response covers 70–80% of other security questionnaires
Frequently Asked Questions
Q: What is the SIG questionnaire?
The Standardized Information Gathering (SIG) questionnaire is a vendor risk assessment tool from Shared Assessments. It covers 19 risk domains including security policy, access control, application security, incident management, and supply chain risk. It comes in two versions: SIG Lite (~126 questions) for initial screening and SIG Core (~855 questions) for comprehensive assessment of high-risk vendors.
Q: How long does it take to complete a SIG questionnaire?
Without automation or a pre-built evidence library, SIG Lite takes 2-5 days and SIG Core takes 2-4 weeks. With automated scanning tools and a reusable evidence library, completion times drop to 4-8 hours for SIG Lite and 3-5 days for SIG Core. The key is maintaining a living response document that gets updated quarterly rather than rebuilt from scratch each time.
Q: Which SIG domains are most important for SaaS vendors?
Application Security (Domain 9), Access Control (Domain 8), and Cybersecurity Incident Management (Domain 10) receive the most scrutiny for SaaS vendors. Cloud Hosting and Shared Responsibility (Domain 18) is also critical — many vendors fail by answering “our cloud provider handles that” without documenting their side of the shared responsibility model. Threat Management (Domain 16) is increasingly important as buyers expect continuous scanning evidence.
Q: Can my SIG response cover other security questionnaires too?
Yes. A well-maintained SIG response library provides 70-80% coverage for most other security questionnaires. The SIG’s 19 domains map cleanly to ISO 27001 Annex A, NIST CSF, and SOC2 Trust Services Criteria. Investing in a strong SIG response pays dividends across CAIQ, HECVAT, and custom DDQ formats.
Q: What evidence should I attach to my SIG response?
Attach policies (information security, incident response, data classification), technical evidence (scan reports, pen test summaries, architecture diagrams), certifications (SOC2 Type II, ISO 27001), process documentation (SDLC, change management, BCP/DR plans), and compliance records (GDPR ROPA, DPA template, subprocessor list). Use consistent naming conventions like [Domain#]-[DocumentType]-[Date].pdf for easy reference.
Your SIG response is not just compliance paperwork — it’s a sales tool. A fast, thorough, and honest response demonstrates security maturity that enterprise buyers reward with faster procurement cycles and larger contracts. See how to build your complete vendor security assessment checklist and package security evidence that closes enterprise deals. For NIS2-regulated vendors, our NIS2 compliance checklist maps directly to SIG Domains 9-11.
Run a free security scan to see your security grade in under 60 seconds. For a complete compliance framework, download our free SaaS Security Playbook 2026.
Von der Theorie zur Praxis
Scannen Sie Ihre Domain kostenlos. Erste Ergebnisse in unter 10 Sekunden — ohne Registrierung.