Critical vendors like cloud service providers and payroll processors can expose a business to massive cybersecurity risk. Understanding the risk that critical vendors present and how best to address it—including finding a more secure vendor, renegotiating a contract, etc.—may require more due diligence than just a self-report vendor questionnaire.
To help businesses assess third-party cybersecurity risk in-depth, Shared Assessments offers the Standardized Control Assessment (SCA) tools. Useful in both virtual and onsite vendor assessments, the SCA enables you to verify a critical vendor’s controls using a proven, standardized approach, and its 18 “risk domains” can be scoped/adapted to fit your needs. \
Another benefit of the SCA is that it works equally well as part of an in-house vendor due diligence program, or when conducted by third-party experts.
How much does an SCA cost?
In our experience, 90% of SCA engagements fall into a cost range of $15,000-$20,000 (on the low end) to $40,000-$50,000 (on the high end.)
Per-vendor costs under $25,000 are far more typical of SCA reports, while higher costs are rare.
SCA cost drivers
The actual cost for a specific SCA report depends mainly on the scope of the evaluation or audit, and what specifically you choose to include or leave out (e.g., privacy, application development) from among the SCA’s 18 risk domains.
Besides scope, other major cost factors include the number of vendor locations included in the assessment, and whether the assessment is done onsite or remotely. Remote SCA’s are only a recent phenomenon due to COVID-19. The assessment is meant to be performed onsite.