# How to answer a SIG questionnaire fast (with examples)
Step-by-step guide to answering a SIG (Standardized Information Gathering) questionnaire quickly. Includes example answers, common sections, and automation tips.

The SIG (Standardized Information Gathering) questionnaire is one of the most common security assessments you'll encounter when selling to enterprise. Created by Shared Assessments, the SIG comes in two flavors:
- SIG Core — The full version. 800+ questions across 19 domains. Takes 20–40 hours to complete manually.
- SIG Lite — The lighter version. ~200 questions. Still takes 4–8 hours.
If you just received a SIG and your deadline is this week, this guide will get you through it efficiently.
## Understanding the SIG structure
The SIG questionnaire is organized into 19 risk domains:
| Domain | Code | What It Covers |
|---|---|---|
| Enterprise Risk Management | A | Risk governance, strategy |
| Security Policy | B | Written policies, reviews |
| Organizational Security | C | Roles, responsibilities |
| Asset and Info Management | D | Data classification, handling |
| Human Resource Security | E | Background checks, training |
| Physical Security | F | Facility access, environmental |
| IT Operations Management | G | Change management, capacity |
| Access Control | H | Authentication, authorization |
| Application Security | I | SDLC, code review, testing |
| Cybersecurity Incident Mgmt | J | Detection, response, recovery |
| Operational Resilience | K | BCP, DR, backups |
| Compliance and Ops Risk | L | Regulatory, legal, audit |
| Endpoint Device Security | M | MDM, encryption, patching |
| Network Security | N | Firewall, segmentation, monitoring |
| Privacy | O | Data subject rights, GDPR |
| Threat Management | P | Vulnerability mgmt, pen testing |
| Server Security | Q | Hardening, patching, monitoring |
| Cloud Hosting Services | R | Cloud security, shared responsibility |
| Artificial Intelligence | S | AI governance (new in recent versions) |
## The fast-track method (4 steps)
### Step 1: Start with your SOC 2 report
80% of SIG questions map directly to SOC 2 trust service criteria. If you have a SOC 2 Type II report, you already have most of the answers — they're just in a different format.
Quick mapping:
- SIG Domain H (Access Control) → SOC 2 CC6.1–CC6.3
- SIG Domain J (Incident Mgmt) → SOC 2 CC7.2–CC7.5
- SIG Domain K (Resilience) → SOC 2 A1.1–A1.3
- SIG Domain N (Network Security) → SOC 2 CC6.6–CC6.7
### Step 2: Identify the "easy 60%"
These questions have standard answers for most modern SaaS companies:
#### Example: Domain H — Access Control
**H.1: Does the organization enforce multi-factor authentication (MFA) for all remote access?**
Yes. All remote access to production systems requires multi-factor authentication (MFA) via [Okta/Google Workspace/etc.]. MFA is enforced at the identity provider level and cannot be bypassed. This is documented in our Access Control Policy (v2.1, Section 4.3) and verified in our SOC 2 Type II report (CC6.1).
#### Example: Domain I — Application Security
**I.3: Does the organization perform static and/or dynamic application security testing?**
Yes. We perform both static application security testing (SAST) via [Snyk/SonarQube/etc.] integrated into our CI/CD pipeline, and annual dynamic application security testing (DAST) via third-party penetration testing conducted by [vendor name]. Results are reviewed by the engineering team and remediated per our Vulnerability Management Policy (Section 3.2). Most recent pen test: [date].
### Step 3: Handle the "hard 20%"
These are company-specific questions that require input from other teams:
- Physical security (Domain F) → Facilities or office manager
- HR security (Domain E) → HR lead
- Privacy (Domain O) → Legal counsel
- Insurance / compliance (Domain L) → Finance or ops
Don't spend 3 hours guessing. Slack the right person with the specific question and a deadline.
### Step 4: Quality check the critical sections
Before submitting, double-check:
- Consistency — Did you say "90 days" for data retention in one answer and "180 days" in another?
- Dates — Are your pen test dates, SOC 2 report dates, and policy review dates current?
- Placeholders — Has every bracketed template value (such as "[vendor name]" or "[date]") been replaced with your actual tool, vendor, or date?
- N/A answers — Mark questions as "Not Applicable" with a brief reason; never leave them blank.
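The checks above are mechanical enough to script. The following is an added example, not code from the original article or from any questionnaire tool it mentions: a small lint pass over SIG answers exported to CSV. It assumes a constructed three-column layout (`Question ID`, `Question`, `Response`); a real SIG is an Excel workbook with several tabs, so the loader is the part you would swap for your own export. The sample rows are made up for the example and flag exactly the problems the checklist names: template brackets left in an answer, a stale pen test date, a bare "N/A", a blank cell, and two answers that state different retention periods.

```python
import csv
import io
import re
from datetime import date

# Constructed sample rows (not real SIG content). IDs follow the domain-letter
# convention only loosely; the wording is invented to exercise each check.
SAMPLE_CSV = """\
Question ID,Question,Response
H.1,Does the organization enforce MFA for all remote access?,"Yes. All remote access requires MFA via [Okta/Google Workspace/etc.], enforced at the identity provider."
D.4,How long is customer data retained after contract termination?,"Customer data is retained for 90 days after contract termination, then deleted."
D.7,Describe backup retention.,"Backups are retained for 180 days, then purged. Customer data retention is 180 days after termination."
P.2,When was the most recent third-party penetration test?,"Annual penetration test by an independent firm. Most recent pen test: 2023-02-14."
F.1,Describe physical access controls for data centers.,N/A
F.2,Are visitor logs maintained at office locations?,
E.3,Is security awareness training required annually?,"Yes. Training is completed at onboarding and annually; phishing simulations run quarterly."
"""

PLACEHOLDER_RE = re.compile(r"\[[^\]]+\]")                      # leftover [template] text
DURATION_RE = re.compile(r"\b(\d+)\s*(hour|day|week|month|year)s?\b")
ISO_DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
BARE_NA = {"n/a", "na", "not applicable"}
RETENTION_WORDS = ("retention", "retained", "retain")


def load_responses(csv_text):
    """Parse the CSV export into (question_id, question, response) tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        (row["Question ID"].strip(), row["Question"].strip(), (row["Response"] or "").strip())
        for row in reader
    ]


def lint_responses(rows, today=None, max_age_days=365):
    """Return (question_id, check, detail) findings in sheet order.

    `today` may be a date or an ISO string; it is a parameter so results are
    reproducible. Dates older than `max_age_days` are reported as stale.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)

    findings = []
    retention_values = {}  # normalized duration -> set of question ids stating it

    for qid, _question, response in rows:
        if not response:
            findings.append((qid, "blank", "no response; answer it or mark N/A with a reason"))
            continue
        if response.lower() in BARE_NA:
            findings.append((qid, "na_without_reason", "N/A needs a one-line justification"))
            continue

        # Template brackets such as [vendor name] that were never filled in.
        for m in PLACEHOLDER_RE.finditer(response):
            findings.append((qid, "placeholder", f"template text left in answer: {m.group(0)}"))

        # Collect every "N days/months/..." stated in retention-related answers
        # so mismatches across the whole sheet can be reported once at the end.
        lowered = response.lower()
        if any(word in lowered for word in RETENTION_WORDS):
            for m in DURATION_RE.finditer(lowered):
                key = f"{int(m.group(1))} {m.group(2)}s"
                retention_values.setdefault(key, set()).add(qid)

        # Any ISO date in the answer (pen test, report, policy review) older than
        # the allowed age is flagged for refresh.
        for m in ISO_DATE_RE.finditer(response):
            try:
                found = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
            except ValueError:
                continue  # e.g. 2023-13-40 is not a date; leave it for a human
            if (today - found).days > max_age_days:
                findings.append((qid, "stale_date", f"{found.isoformat()} is older than {max_age_days} days"))

    if len(retention_values) > 1:
        summary = "; ".join(
            f"{value} in {', '.join(sorted(qids))}" for value, qids in sorted(retention_values.items())
        )
        findings.append(("*", "retention_mismatch", "differing retention periods, review for consistency: " + summary))
    return findings


if __name__ == "__main__":
    for qid, check, detail in lint_responses(load_responses(SAMPLE_CSV), today="2024-06-01"):
        print(f"{qid:<4} {check:<19} {detail}")
```

Run it on your own export before sending the workbook back; anything it prints is a question a reviewer on the buyer's side would likely catch, and the retention mismatch in particular is the kind of inconsistency that gets a questionnaire returned for clarification.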
## Example answers for the most common SIG questions
**"Describe your data encryption practices (at rest and in transit)."**
All data at rest is encrypted using AES-256 encryption. Database encryption is managed by [AWS RDS/Google Cloud SQL/etc.] with keys managed through [AWS KMS/Google KMS]. All data in transit is encrypted using TLS 1.2 or higher. HTTPS is enforced on all endpoints with HSTS headers. Certificate management is automated through [Let's Encrypt/AWS Certificate Manager]. Reference: Information Security Policy v2.1, Section 5.2; SOC 2 Type II Report, CC6.7.
**"How does the organization handle security incidents?"**
We maintain a formal Incident Response Plan (IRP) reviewed annually. The plan defines severity classification (P1–P4), escalation procedures, communication protocols, and post-incident review requirements. Incidents are tracked in [Jira/PagerDuty/etc.]. Mean time to detect (MTTD) target: <1 hour for P1 incidents. Mean time to respond (MTTR) target: <4 hours. All P1/P2 incidents require a post-mortem within 5 business days. Reference: Incident Response Policy v1.3; SOC 2 Type II Report, CC7.2–CC7.5.
**"Describe your employee security awareness training program."**
All employees complete security awareness training during onboarding and annually thereafter. Training covers phishing recognition, password hygiene, data handling, social engineering, and incident reporting. Training is delivered through [KnowBe4/Curricula/etc.] with completion tracked and reported. Phishing simulations are conducted quarterly. Completion rate: >95% annually. Reference: Human Resource Security Policy v1.2, Section 3.1.
## Automating SIG responses
If you're filling out SIGs regularly (2+/month), manual completion doesn't scale. Tools like FillBase can:
- Parse the SIG Excel format automatically
- Map questions to your SOC 2 and policy documents
- Generate source-cited answers for 80%+ of questions
- Flag the remaining questions for human review
- Export back to the original SIG Excel format
The first SIG takes 30 minutes with setup. Subsequent SIGs take ~10 minutes of review time.