The Shared Assessments Standard Information Gathering (SIG) questionnaire is a unified standard for assessing vendor risk across multiple domains. Mitratech is a licensee of the SIG questionnaire and includes it in the Mitratech Third-Party Risk Management solution.
The 2026 Shared Assessments SIG Questionnaire has evolved to address the two biggest elephants in the risk room: the rapid deployment of third-party AI and the challenges of complex supply chain resilience.
Below, we’ll discuss the key 2026 SIG updates, the new question breakdown, and what they mean for your program.
What’s New in SIG 2026?
The 2026 SIG update expands its scope to match the reality of a digitally interconnected supply chain. Although no new risk domains were added, the 2026 version explicitly codifies AI governance and operational resilience as standard requirements, adds critical mappings to relevant industry standards, and introduces new questions that target specific, high-stakes domains.
New SIG Questionnaire Content & Standards Mappings
The 2026 SIG update directly answers the market’s need for standardized checks on AI and resilience.
ISO 42001 Mapping: Standardizing AI Governance
The most significant addition is the comprehensive mapping to ISO 42001, the international standard for AI Management Systems.
Previous assessments often relied on ad-hoc questions about AI usage. The 2026 SIG standardizes this, allowing you to assess vendors on the whole AI lifecycle — from data collection and model training to deployment and bias monitoring.
This effectively turns “Shadow AI” risk into a visible, assessable metric. You can now systematically query vendors on their internal AI governance controls using recognized industry standards.
Operational Resilience Framework (ORF) Alignment
Building on the momentum of introducing DORA and NIS2 in 2025, the 2026 SIG integrates the Business Resilience Council (BRC) Operational Resilience Framework.
The questioning moves from verifying the existence of a disaster recovery plan to validating a vendor’s ability to sustain critical operations during disruptions.
New questions probe interdependency mapping, requiring vendors to demonstrate awareness of their own downstream critical dependencies. This is essential to comply with new EU regulations that require visibility into the entire supply chain, not just direct suppliers.
Enhanced NIST SP 800-171 Mapping
With increasing scrutiny on the Defense Industrial Base (DIB) and Controlled Unclassified Information (CUI), the mapping to NIST 800-171 has been significantly deepened.
This update provides more granular visibility into data privacy controls and specific reporting timelines required by emerging regulations like CIRCIA.
Scoping, Usability & SIG EV
Additionally, the 2026 release introduces “Hover Helpers” — embedded guidance for controls to reduce back-and-forth clarification with vendors. It also formalizes Scoping Presets (Lite, Core, Detail) to help teams quickly match the questionnaire depth to the vendor’s risk profile without manual editing.
In early 2026, Shared Assessments also plans to release SIG EV (Evolution), a cloud-based SaaS platform designed to replace the traditional Excel-heavy workflow. While the Excel “Workbook” format remains available, the move to a browser-based interface promises to eliminate the macro-heavy headaches of the past, offering real-time collaboration, dashboarding, and easier validation.
What Do The SIG 2026 Updates Mean for TPRM?
For risk professionals, the 2026 SIG update signals that AI risk and operational resilience are no longer emerging topics — they are standard due diligence.
- AI Due Diligence is Now Mandatory: With ISO 42001 questions available, failure to screen vendors for AI governance may be viewed as a gap in oversight.
- Resilience Requires Evidence: Compliance with DORA and similar mandates requires moving beyond “check-the-box” continuity planning to evidence-based resilience testing.
- Efficiency Through Integration: The depth of the new content emphasizes the need for automated platforms that can ingest, map, and score these complex datasets, freeing your team to focus on remediation rather than data gathering.
Seamless SIG Integration: The Mitratech Advantage
While Shared Assessments is launching its own cloud-based platform (SIG EV) to move away from Excel, Mitratech clients are already positioned to leverage these updates immediately.
Our TPRM platform is designed to absorb this complexity. The Mitratech TPRM solution embeds the updated 2026 SIG content directly into your existing workflow. This means you can deploy the new ISO 42001 and resilience-focused questions without needing to navigate a separate portal or manage manual spreadsheets.
With Mitratech TPRM, you get:
- Automated Mapping: Vendor responses to the new 2026 questions are automatically mapped to your internal risk frameworks (including ISO and NIST).
- Dynamic Scoping: Leveraging the SIG’s “Lite,” “Core,” and “Detail” scoping presets, our platform helps you right-size assessments instantly, ensuring low-risk vendors aren’t burdened with high-risk AI questionnaires.
- Unified View: Data from these new SIG domains flows directly into your risk register, giving you an immediate, defensible view of your AI and resilience posture across the extended enterprise.
Download the latest SIG Definitive Guide to learn how to apply the SIG questionnaire in your TPRM program, or request a demo today to discover how the Mitratech TPRM solution can power your vendor risk program.