SecurSentry
← All notes
Security questionnaires

What Is a SIG Questionnaire? SIG, CAIQ and DDQs Explained for Small Suppliers

A prospect has just asked you to complete a SIG, a CAIQ or a DDQ — and you've never seen one before. Here is what each one actually is, in plain English.

The short version

If a prospect has just asked you to complete a “SIG”, a “CAIQ” or a “DDQ” and you’ve never met any of them before, the first thing to know is that you have not been handed three different exams. So what is a SIG questionnaire, and how does it differ from the others? They are all the same underlying request, show us how you protect data, dressed in different formats. Once you understand what each acronym means and where it comes from, the panic tends to drain away. This guide explains all three in plain English.

Why standardised questionnaire formats exist

Standardised questionnaire formats exist so that customers and suppliers can use a shared, predictable structure instead of reinventing the same security questions every single time.

Imagine a large company with two hundred suppliers. If it wrote a bespoke questionnaire for each one, it would drown in inconsistent answers with no way to compare suppliers. And every supplier would face a different document, unable to reuse earlier work.

Published formats solve both problems. A customer picks a recognised questionnaire off the shelf, confident it covers the right ground. A supplier who has completed it before recognises the structure and reuses much of their previous effort. That shared language turns a chaotic scramble into something repeatable on both sides.

This matters more than it first appears. The more your security information is organised around these recognised structures, the less each new request costs you. We cover that compounding benefit in our guide to answering a security questionnaire step by step. But first, let’s meet the three formats you’re most likely to see.

SIG (Standardised Information Gathering): what it is

The SIG is a broad third-party risk questionnaire maintained by Shared Assessments, designed to assess a supplier across a wide range of security, privacy and resilience risks in one consistent document.

SIG stands for Standardized Information Gathering. It is produced by Shared Assessments, a membership organisation that has created third-party risk standards since 2005, with hundreds of members helping shape and vet its questions. The SIG is refreshed at least once a year to keep pace with new regulations, emerging threats and updated standards, so the version you see is rarely static.

What makes the SIG distinctive is its breadth. Rather than focusing on one narrow area, it spans a wide set of risk domains: cybersecurity, IT controls, privacy, data governance, supply-chain risk and business resilience, among others. The aim is a rounded picture of how a supplier manages risk overall, not just one slice of it.

It comes in more than one size, which is the practical detail that matters to you:

Check which version you've been sent

Before you start, confirm whether you've received a SIG Lite or a SIG Core. The difference in length is substantial. A Lite assessment is a manageable afternoon's work if your information is organised; a full Core is a bigger undertaking worth planning around. Knowing which you hold changes how you budget your time.

CAIQ (the Cloud Security Alliance questionnaire): what it is

The CAIQ is a cloud-focused security questionnaire from the Cloud Security Alliance, built around its Cloud Controls Matrix and answered largely with yes/no responses about your cloud security controls.

So what is CAIQ? It stands for Consensus Assessments Initiative Questionnaire, published by the Cloud Security Alliance (CSA), a not-for-profit focused specifically on cloud security best practice. With CAIQ explained simply: it is the questionnaire form of the CSA’s Cloud Controls Matrix (CCM), a widely used framework of cloud security controls. The CAIQ turns those controls into a set of questions, mostly answered yes or no, that a customer uses to gauge how a cloud provider handles security.

Its two defining features are its cloud focus and its structured answer format. Because the CAIQ derives directly from the Cloud Controls Matrix, its questions map cleanly to recognised cloud security controls. A strong answer is usually a factual statement about whether a specific control exists, rather than a free-form essay.

The CAIQ is freely available from the CSA, and providers can publish a completed one to CSA’s public STAR Registry, a directory where customers can look up a supplier’s self-assessment. If you offer a cloud-based product, this is the format you’re most likely to be asked for, and a completed CAIQ can double as a reusable asset you point future prospects towards.

The acronym on the email tells you the shape of the questions, not how secure you have to be. The security work underneath is the same whichever format lands in your inbox.

DDQs and bespoke questionnaires

A DDQ — due diligence questionnaire — is a set of vetting questions a customer uses before working with you, and in security terms it’s often a bespoke document written by the customer rather than a published standard.

DDQ stands for due diligence questionnaire. The term is used broadly across business (in finance, procurement and partnerships) for the checks a buyer runs before committing to a supplier. When the subject is information security, a security DDQ overlaps almost entirely with a security questionnaire: it asks how you protect data, systems and people.

The key difference from the SIG and CAIQ is that a DDQ is frequently bespoke. Rather than adopting a published standard, the customer writes their own questions, shaped by their concerns, their regulator, their insurer or their own contracts. So no two DDQs look quite the same, and you can’t rely on having seen the exact wording before.

The reassuring part: a bespoke questionnaire still asks the same underlying things. Access controls, encryption, backups, staff training, incident response, supplier management. The core concerns are remarkably consistent whatever the format. If you’ve built honest, evidenced answers to those themes once, a new DDQ is a matter of mapping its questions onto answers you already hold, not starting from a blank page.

How a small supplier should approach any of them

Approach every format the same way: identify what each question is really asking, answer from your actual controls, mark genuine gaps honestly, and reuse your answers next time. The acronym changes far less than it seems.

Here’s the liberating truth once you’ve met all three: the format is the smallest part of the job. Whether it’s a SIG, a CAIQ or a bespoke DDQ, your task is the same.

  1. Read it through once before answering anything. Get the full picture first — which sections are mandatory, what the customer cares most about, and how heavy the document really is.
  2. Translate each question into plain English. Standard formats use precise, sometimes technical wording. Work out what’s actually being asked (“do you control who can access this data, and can you prove it?”) then answer from what you genuinely do.
  3. Answer from your real controls, not your aspirations. The most credible answers describe controls that truly exist. There’s a meaningful difference between saying you’re secure and being secure, and only the second protects you when a customer audits the claim or an incident tests it.
  4. Mark genuine gaps honestly. Where the honest answer is “not yet”, say so, ideally with a plan and a date. A gap framed as work-in-progress builds far more trust than an overstatement that unravels later. (If a customer is asking for a SOC 2 report you don’t have, our guide on what to do when you have no SOC 2 covers that exact situation.)
  5. Keep your answers — they’re an asset. Every question you answer properly becomes reusable. The work on your first SIG makes your first CAIQ faster, and a bespoke DDQ faster still, because the evidence already exists. Treating your security posture as a reusable sales asset rather than a recurring chore is what separates suppliers who dread these requests from those who answer them in an afternoon.

The one principle that covers all three

SIG, CAIQ and DDQ are different doors into the same room. The customer wants evidence that you take security seriously and can prove it. Know your own controls, answer honestly, close the gaps you can, and you can walk through any of those doors with the same preparation.

The acronyms feel like a wall when you first meet them, but they’re just labels for how a familiar set of questions is arranged. Understand your own security well enough to answer truthfully, organise your evidence so you can find it, and the format becomes a detail rather than an obstacle.

SecurSentry is being built to walk UK SMEs through a security questionnaire of any format: recognising the structure, mapping each question to the controls your business needs, guiding you as you put them in place, and helping you draft accurate, evidence-backed answers you can reuse next time. It is launching soon. Join the waitlist to be first to know.


This article is general information, not legal or compliance advice. If you have specific contractual, regulatory or legal obligations, please seek qualified professional guidance.

Frequently asked questions

What is a SIG questionnaire?

SIG stands for Standardized Information Gathering. It is a security and risk questionnaire maintained by Shared Assessments, an organisation that has produced third-party risk standards since 2005. It covers a broad set of risk areas — cybersecurity, IT controls, privacy, data governance and business resilience among them — and comes in a shorter 'Lite' version for lighter-touch checks and a much longer 'Core' version for higher-risk suppliers.

What is CAIQ and how is it different from SIG?

CAIQ stands for Consensus Assessments Initiative Questionnaire, published by the Cloud Security Alliance (CSA). It is built specifically around cloud security and derived from the CSA's Cloud Controls Matrix, mostly using yes/no answers. The SIG is broader and risk-management-focused across many domains; the CAIQ is narrower and cloud-specific. Customers choose whichever fits what they are assessing.

What is a due diligence questionnaire (DDQ)?

A due diligence questionnaire, or DDQ, is a set of questions a customer uses to vet a supplier before working with them. In a security context it overlaps heavily with a security questionnaire. DDQs are often bespoke — written by the customer for their own needs — so they vary more than a published standard, but they ask broadly the same things.

Do I need to be certified to complete a SIG or CAIQ?

No. Certification is not required to fill in any of these questionnaires. That said, holding a recognised certification such as Cyber Essentials means you already have documented evidence for many of the questions, which makes your answers faster to produce and more credible to the customer reading them.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.