SIG Lite and CAIQ look different in the portal. Underneath, they ask the same operational questions: who can access production, how you encrypt data, how you respond to incidents, which subprocessors touch customer content. Teams burn weeks rewriting those answers because the “source of truth” is a folder of stale exports — not a living answer bank.
Why portals feel unique (but aren’t)
Buyers map their risk language onto your controls. Wording shifts (“MFA enforced” vs “phishing-resistant MFA for privileged access”), but themes stay stable. If you answer at the wording layer, every sheet is new work. If you answer at the theme layer with citations, most rows reuse.
The answer-bank shape
- Theme ID — access, encryption, SDLC, IR, backups, vendors, privacy, AI/data-use.
- Canonical claim — one or two sentences you are willing to stand behind today.
- Evidence pointer — policy section, architecture note, SOC excerpt, runbook, screenshot ID.
- Owner + last-verified date — who refreshes it and when it was last checked.
- Do-not-claim note — what you will not say (legacy admin panel, regional exceptions).
Export that row into SIG Lite / CAIQ / custom Excel. The portal format is packaging; the bank is the product.
SIG Lite vs CAIQ (practical differences)
SIG Lite
Often shorter and buyer-customized. Expect more free-text and “attach evidence” follow-ups. Keep claims short; lead with the citation buyers can request.
CAIQ / CCM-style packs
More structured control IDs. Map your theme rows to CCM domains once, then reuse. Don’t invent maturity scores you haven’t measured — mark gaps UNVERIFIED and assign an owner.
Refresh rules that prevent drift
- High-churn themes quarterly: subprocessors, encryption details, headcount-tied training stats.
- After architecture changes: update the cited source first, then re-export questionnaire rows.
- Never paste secrets into the sheet — cite the vault location instead.
- Reject AI-only drafts without citations; confident prose fails the first evidence request.
Where Trustfill fits
Trustfill drafts SIG / CAIQ / Excel answers from your evidence vault with citations and UNVERIFIED flags. You approve and export — self-serve at gettrustfill.com. It does not replace your auditor or your accountability for what you submit.
Related: evidence vault for vendor reviews · questionnaire automation.