May 12, 2020

Last Updated on January 18, 2024


If you’re familiar with the Standardized Control Assessment (SCA) from the Shared Assessments Program, you know it’s a valuable tool to assess information security risk, especially for third-party risk management (TPRM); e.g., evaluating the security postures of your critical SaaS providers.
The SCA works for both on-site and self-report assessments—but did you know it can even be used to audit your own controls?
A recent episode of The Virtual CISO Podcast featured Tom Garrubba, VP and CISO for the Shared Assessments Program, talking with host John Verry, CISO and Managing Partner at Pivot Point Security about “all things SCA.”

One of the most interesting facets of their wide-ranging discussion was a point John brought up from his extensive experience with clients’ ISO 27001 certification programs:

“So you know that we do a lot of work with the ISO 27001 standard. And I’m a huge fan of ISO 27001. I think it’s a great framework for effectively managing information-related risk.
“One potential negative of the ISO program is that you get a certificate. Basically it’s a single page and I hand it to you and there’s not a lot of meat to it. And there are some [vendor risk management] auditors who like a little bit more meat on whatever they’re getting. So they prefer a SOC 2 [report] for that reason.
“So the vendor risk manager will say, ‘Hey, I’d like to see a little bit more. Do you have a SOC 2 report?’ What we’ve been doing now during some of the ISO 27001 internal audits is using the SCA program. So now what happens when you get in a handoff is an ISO certificate and an SCA report. So you kind of have the best of both worlds,” John explains.
In other words, SMB’s can leverage their ISO 27001 certification process to get a value-added deliverable—a detailed SCA report—to share with clients that want additional specifics on their information security controls. The additional time, effort and cost involved are minimal, even in comparison to an ISO 27001/SOC 2 dual certification.
Part of a suite of user-friendly tools from Shared Assessments, the SCA is gaining traction with SMEs because of its flexibility for scoping purposes, as well as its support for a range of use cases. Another benefit of the SCA is that it is regularly updated to reflect emerging risks and regulations that TPRM auditors will be asking about.
To listen to the full podcast episode with Tom Garrubba (and many other awesome podcasts), click here. If you don’t use Apple Podcasts, you can access all our episodes from The Virtual CISO Podcast here.