SIG-Lite security questionnaire — pre-filled scaffold
Procurement teams know the SIG. Here is ours, pre-filled, ungated, hash-verifiable. Read it before the call, not during it.
Download the SIG-Lite scaffold PDF →
What is the SIG-Lite?
The Shared Assessments Standardized Information Gathering (SIG) questionnaire is the de facto vendor-risk assessment used by financial-services, healthcare, and increasingly government / multilateral procurement. The Lite tier is the most common starting point — roughly 280 questions across security, privacy, business continuity, and compliance. Most vendors hand a SIG back filled in; we are doing it differently:
What's different about ours
- Pre-filled before you ask. 80% of the questionnaire is answered against IMS architecture as it exists today. You don't have to spend three weeks of email back-and-forth to learn what we do and don't have.
- Honest status tags on every row. ANSWERED · PARTIAL · PLANNED · ORG-SPEC · N/A. We do not mark a row "ANSWERED" unless the control is actually in place and verifiable.
- SHA-256 in the footer. Same chain-of-custody discipline as our incident briefs. A reader who alters the PDF breaks the hash.
- Free and ungated. No NDA required to read it. No "request access" form.
How to read the status tags
| Status | What it means |
|---|---|
| ANSWERED | Control is in place today, grounded in IMS architecture, defensible in an audit. |
| PARTIAL | Architectural / operational basis is in place but documentation or formalisation is on the roadmap. Evidence available; not yet packaged for audit. |
| PLANNED | On the roadmap. Honest "no" today. Usually attached to a milestone (most often the SOC 2 Type I engagement). |
| ORG-SPEC | Requires a Quintessentia officer to complete (HR, finance, legal, contract specifics). Will be filled before final delivery to a procurement counterparty. |
| N/A | Not applicable to IMS at this stage (e.g. physical office security — we have none). |
Roadmap to a final SIG-Lite
- v1 (today): Scaffold published. ORG-SPEC rows marked clearly.
- v2 (with first founding partner): ORG-SPEC rows completed by Quintessentia officers and reviewed by external counsel.
- v3 (Q3 2026, SOC 2 Type I scoping): All PLANNED items moved to ANSWERED with auditor-verifiable evidence.
Companion documents
- Methodology — the engineering basis for the ANSWERED rows
- Privacy Policy — backs the Privacy domain
- DPA template — backs the Compliance and Privacy domains
- Source registry — backs the Asset Management domain
- Live status — backs the Operations Management domain
- What we don't have yet — the prose version of the PARTIAL and PLANNED rows
- Audit-trail walkthrough PDF — operational evidence for several Application Security and Incident Management rows
Send corrections, questions, or requests for evidence on any specific row to trust@quintarthai.com. We respond within one business day.