Standardized Control Assessment

Assess and simplify high-risk third-party management with the trusted Standardized Control Assessment (SCA) from Shared Assessment’s TPRM Product Suite.

Pivot Point Security (PPS) offers the SCA as part of our cybersecurity suite. We hold the necessary certification to help organizations develop and operate their third-party risk management program. Many organizations outsource vendor due diligence reviews, including SCAs, to PPS for high-risk vendors. The SCA can also be used as a standardized form of third-party attestation, such as ISO 27001 or SOC 2, or as a replacement for those certifications. In these scenarios, organizations may hire a third party, such as PPS, to conduct the SCA.

Standardized Control Assessment Procedure

The SCA is a standardized set of assessment procedures used to assess high-risk service providers during onsite or virtual assessments as part of your Third Party Risk Management program. It is part of Shared Assessment’s Third-Party Risk Management (TPRM) Product Suite, which is used by over 15,000 organizations worldwide to simplify managing third party risk

How would an organization use the SCA?

There are two predominant use cases for the SCA:

The SCA is used to plan, scope, and perform comprehensive third-party risk/control assessments on critical vendors/partners. Think of it as the “verify” portion of a third-party risk program. Typically, your third-party risk management team, or a trusted third party (like Pivot Point Security), will execute the program.
It can be used as a standardized form of third-party attestation like ISO 27001 or SOC 2 . This approach is effective if key customers use the Shared Assessment Program as the basis of their vendor risk management programs, as the SCA is effectively third-party validation of the SIG questionnaire they typically send. We also have customers that use the SCA as an addendum to or a replacement for an ISO 27001/SOC 2 certification. In this scenario, they usually hire a third party to conduct the SCA.

What does an SCA include?

The SCA mirrors the 19 critical risk domains from the SIG and can be scoped to the organization being assessed.

Access Control
Application Security
Asset and Information Management
Cloud Hosting Services
Compliance Management
Cybersecurity Incident Management
Endpoint Security
Enterprise Risk Management
Environmental, Social, and Governance (ESG)
Human Resources Security
Information Assurance
IT Operations Management
Network Security
Nth Party Management
Operational Resilience
Physical and Environmental Security
Privacy Management
Server Security
Threat Management

What role does PPS play with the SCA?

PPS holds the necessary certification (e.g., CTPRP, CTPRA) to help organizations develop and operate their third-party risk management program. Many of our clients outsource vendor due diligence reviews, including SCAs for high-risk vendors, to PPS.

Where can I find additional information on the SCA?

https://sharedassessments.org/sca/

Pivot Point is now part of CBIZ. Click Here for more information.

Standardized Control Assessment

Standardized Control Assessment Procedure