Last Updated on April 15, 2019
Editor’s Note: This post was originally published in June 2013. It has been updated to reflect the name change from AUP to SCA.
It seems that when most people hear “Shared Assessments” they immediately think of Vendor Risk Management. While that thought process is valid and makes a lot of sense, I think that it is limiting. For example, at Pivot Point Security we use the Shared Assessments Program extensively for “proactive attestation,” most commonly during ISO 27001 consulting engagements.
Vendor Risk Management and third-party attestation are two sides of the same coin.
- The organization looking to manage the risk associated with a vendor processing sensitive data on their behalf manages that risk via a Vendor Risk Management program.
- The organization processing the sensitive data responds to the vendor risk management request with “attestation” of their security posture, with third-party attestation (coming from an independent/objective party) being a strong and preferred form of attestation.
Because the Shared Assessments Program is the leading standard for running a Vendor Risk Management program, it makes a lot of sense for service providers to leverage the Shared Assessments Program as the basis of their attestation. Where it gets interesting is if you’re a client that also has a requirement to provide even more formal levels of Information Security attestation (e.g., SOC 2 or ISO 27001).
In most cases you would think that using something like ISO 27001 obviates the need for using the Shared Assessments Program, but we have found just the opposite: in heavily attestation-oriented industries, the two forms of attestation complement each other.
Here are the three ways that Pivot Point Security uses the Shared Assessment program during the Gap Assessment phase of our ISO 27001 consulting services (i.e., preparing our client for ISO 27001 certification):
- Use the SCA: Along with the Shared Assessments Standardized Information Gathering Questionnaire (SIG), the Shared Assessments Standardized Control Assessment or SCA (formerly known as Agreed Upon Procedure, or AUP) lets outsourcers evaluate service provider controls. We look at the SCA as a “mini ISO certificate.” It’s a great approach if our client needs a well-recognized form of third-party attestation while they are working towards ISO 27001 certification. The design/compliance approach gives the party receiving the report a high degree of assurance that the information security programming is aligned with good practice. One of the main reasons that the SCA dovetails so nicely with ISO 27001 is that the Shared Assessments Program is largely based on ISO 27002.
- Use the SIG: If our client is getting “beat up” by numerous spreadsheet-based security questionnaires, we usually find that most of these are Shared Assessments SIG based. In these cases it may be preferable to conduct the gap assessment using the SIG so that at the end of the process our client has a filled-out SIG to use in response to future questionnaires.
- Use the SCA and SIG Lite together: For those clients that are subject to an extensive amount of Vendor Risk Management we will sometimes use both the SCA and the SIG Lite (or even SIG) questionnaire. This approach has the advantage of providing interim attestation (via both the SIG and SCA) prior to receiving an ISO 27001 certificate. We also find that our clients that have very risk-averse customers get a very good response by handing over both their ISO 27001 certificate and a SIG Lite (or SIG) as security attestation.