Last Updated on January 22, 2020
The Standardized Control Assessment (SCA) tool is provided by the Shared Assessments program. It’s part of their “Trust but Verify” model, where the Standardized Information Gathering (SIG) Questionnaire is the “Trust” portion and the SCA is the “Verify” portion.
The SIG is a self-answered questionnaire. Many of your partners or vendors may ask you to fill one out so they can get a better understanding of your security environment. The weakness in this approach is that they are trusting that your answers are truthful and controls are fully implemented, without verification.
This is where the SCA comes in. Typically performed onsite by an independent, third-party auditor, the SCA provides a deeper level of risk assurance than the SIG can by itself.
Interestingly, a number of our clients that are ISO 27001 certified have encountered situations where their customers, vendors or other stakeholders want more information about their security environment and have required them to fill out a SIG or another security questionnaire. By design, the ISO 27001 certificate only states the scope of the ISMS; it does not disclose the results of the audit itself, so the specific details of an organization’s control environment are not revealed.
A creative way of addressing this issue is to use the SCA framework to conduct the periodic internal audits required by Clause 9.2 of the ISO 27001 standard. The benefit of this approach is that by conducting the internal audit using the widely accepted SCA framework, mapped against the ISO controls, you’ll have a detailed report of your security controls that you can then share with your customers and business partners. Having this detailed report can help address the needs of stakeholders that require more visibility into your organization’s controls than an ISO 27001 certificate alone can provide.
For more information:
- Standardized Control Assessment—Why the AUP Became the SCA
- Shared Assessments—They’re Not Just Vendor Risk Management