Standardized Control Assessment
Pivot Point Security (PPS) offers the SCA as part of our cybersecurity suite. We hold the necessary certification to help organizations develop and operate their third-party risk management program. Many organizations outsource vendor due diligence reviews, including SCAs, to PPS for high-risk vendors. The SCA can also be used as a standardized form of third-party attestation, such as ISO 27001 or SOC 2, or as a replacement for those certifications. In these scenarios, organizations may hire a third party, such as PPS, to conduct the SCA.
The SCA is a standardized set of assessment procedures used to assess high-risk service providers during onsite or virtual assessments as part of your third-party risk management program. It is part of Shared Assessments' Third-Party Risk Management (TPRM) Product Suite, which is used by over 15,000 organizations worldwide to simplify managing third-party risk.
There are two predominant use cases for the SCA:
- The SCA is used to plan, scope, and perform comprehensive third-party risk/control assessments on critical vendors/partners. Think of it as the “verify” portion of a third-party risk program. Typically, your third-party risk management team, or a trusted third party (like Pivot Point Security), will execute the program.
- It can be used as a standardized form of third-party attestation like ISO 27001 or SOC 2. This approach is effective if key customers use the Shared Assessments Program as the basis of their vendor risk management programs, as the SCA is effectively third-party validation of the SIG questionnaire they typically send. We also have customers that use the SCA as an addendum to or a replacement for an ISO 27001/SOC 2 certification. In this scenario, they usually hire a third party to conduct the SCA.
What does an SCA include?
The SCA mirrors the 19 critical risk domains from the SIG and can be scoped to the organization being assessed.
- Access Control
- Application Security
- Asset and Information Management
- Cloud Hosting Services
- Compliance Management
- Cybersecurity Incident Management
- Endpoint Security
- Enterprise Risk Management
- Environmental, Social, and Governance (ESG)
- Human Resources Security
- Information Assurance
- IT Operations Management
- Network Security
- Nth Party Management
- Operational Resilience
- Physical and Environmental Security
- Privacy Management
- Server Security
- Threat Management
PPS holds the necessary certification (e.g., CTPRP, CTPRA) to help organizations develop and operate their third-party risk management program. Many of our clients outsource vendor due diligence reviews, including SCAs for high-risk vendors, to PPS.