Complete a SIG questionnaire online — SIG Core & SIG Lite in minutes
Need to complete a SIG questionnaire online? Upload your SOC 2, submit the SIG Core or SIG Lite, and get source-cited answers for 800+ questions in under 30 minutes.

A prospect just sent you a SIG Core. 800+ questions across 19 risk domains. Your deadline is Friday. Doing this manually will take 20–40 hours — a full work week of copy-pasting between your SOC 2, policies, and spreadsheet cells.
Here's how to complete a SIG questionnaire online without losing your week.
SIG Core vs. SIG Lite: What you're dealing with
| | SIG Core | SIG Lite |
|---|---|---|
| Questions | 800+ | ~200 |
| Domains | 19 (full risk assessment) | 19 (key questions only) |
| Manual completion time | 20–40 hours | 4–8 hours |
| With FillBase | ~30 minutes review | ~15 minutes review |
| When you get it | High-risk vendor classification | Initial assessment or low-to-medium risk |
If you're not sure which one you have, check the filename — it usually says "SIG Core" or "SIG Lite" in the title. SIG Core has 19 tabs in Excel (one per domain); SIG Lite typically has fewer.
The 19 SIG domains (and why AI handles most of them)
The SIG is organized into domains A through S:
- A–C: Enterprise Risk, Security Policy, Organizational Security — covered by your InfoSec policy
- D–F: Asset Management, HR Security, Physical Security — covered by your SOC 2 and HR policies
- G–I: IT Operations, Access Control, Application Security — covered by your SOC 2 and SDLC documentation
- J–L: Incident Management, Operational Resilience, Compliance — covered by your IR plan and BCP
- M–Q: Endpoint, Network, Privacy, Threat Management, Server Security — covered by your SOC 2 technical controls
- R: Cloud Hosting — covered by your cloud security documentation
- S: Artificial Intelligence — newer domain, may need manual answers if you don't have an AI policy
With a SOC 2 report and 4–5 security policies uploaded to your knowledge base, AI can source-cite answers for 80–90% of these domains automatically.
How to complete a SIG online: Step by step
1. Upload your knowledge base (10 minutes, one-time)
The SIG pulls from these documents — upload them to FillBase:
- SOC 2 Type II report (covers domains A–C, G–I, J–K, M–R)
- Information Security Policy (domains B, C, H)
- Incident Response Plan (domain J)
- Business Continuity Plan (domain K)
- Data Retention / Privacy Policy (domains D, O)
- Access Control Policy (domain H)
- HR Security Policy (domain E) — if you have one
- Any previously completed SIG responses
The more documents you upload, the fewer questions you'll need to answer manually. But start with your SOC 2 and 3–4 core policies — you can add more after your first pass.
2. Submit the SIG spreadsheet (1 minute)
Upload the SIG Excel file. FillBase parses all 19 tabs, extracts every question, and maps the domain structure automatically. It understands the SIG's standardized layout — question IDs, response columns, evidence reference fields.
3. Review auto-generated answers (20–30 minutes for Core, 10–15 for Lite)
For each question, you'll see:
- The AI-generated answer, written in the expected SIG response format
- A source citation referencing the specific document and section
- A confidence score
For a SIG Core with a well-built knowledge base:
- ~650 questions will have high-confidence, source-cited answers — approve in batch
- ~100 questions will need a quick review or minor tweak
- ~50 questions will be flagged for your input — these are company-specific questions not covered by your documents
For SIG Lite, those numbers roughly quarter: ~150 auto-approved, ~30 review, ~20 manual.
4. Export the completed SIG (1 minute)
Export as Excel in the original SIG format — same tabs, same columns, same structure. Attach and send.
SIG-specific tips that save time
Use the SIG scoping worksheet first. Most SIG Core questionnaires come with a scoping section. If your prospect marks certain domains as "Not Applicable," those entire tabs get skipped. FillBase respects scoping — it won't generate answers for out-of-scope domains.
Domain S (AI) is new — prepare for it. The AI governance domain was added in recent SIG versions. If your company uses AI in its product, prepare a brief AI policy document and upload it. Questions cover training data handling, model monitoring, bias testing, and AI-specific incident response.
Evidence references matter. The SIG has a dedicated column for evidence references (document name, section, page). FillBase fills these automatically from source citations. This is the difference between a response that gets follow-up questions and one that doesn't.
Reuse across prospects. Once you've completed one SIG Core, your knowledge base covers 80–90% of the next one. The SIG is standardized — the same 50 questions appear everywhere. A second SIG completion takes half the time.
Why not just use the template approach?
We have a free DDQ response template that works for simple questionnaires. But for a SIG Core, templates break down:
- 800+ questions is too many for Ctrl+F
- 19 domains means answers are scattered across 6–8 different source documents
- The SIG's structured format (domain/subdomain/question ID) requires precise mapping
- Evidence references need to match actual documents, not generic placeholders
Templates work for your first DDQ. For a SIG Core, you need automation.
Frequently asked questions
How long does it take to complete a SIG Core online? With FillBase and a well-built knowledge base: about 30 minutes of review time. First-time setup (uploading documents) adds 10 minutes. Without automation, expect 20–40 hours.
Does FillBase handle the SIG scoping worksheet? Yes. If domains are marked out of scope, those questions are skipped in the auto-fill process.
Can I complete a SIG Lite online for free? FillBase's free tier covers 200 requirements per month. A SIG Lite (~200 questions) fits within the free tier. SIG Core exceeds it — you'd need the Starter plan ($149/mo).
What about SIG questionnaires received through portals? Export the SIG from the portal as Excel, complete it in FillBase, and re-import. Most assessment portals (OneTrust, ProcessUnity, Prevalent) support Excel export/import.
My prospect sent a modified SIG with custom questions added. Will that work? Yes. FillBase handles the standard SIG questions automatically and treats custom additions as regular DDQ questions matched against your knowledge base.
Complete your SIG without losing a week
The SIG is the longest standard questionnaire you'll encounter. It doesn't have to take 40 hours. Upload your SOC 2 to FillBase and complete it in a single sitting.
For a deeper look at SIG-specific answer strategies, see our guide on how to answer a SIG questionnaire fast.

