Standardized Control Assessment Procedure
The SCA is a standardized set of assessment procedures used to assess high-risk service providers during onsite or virtual assessments as part of your Third Party Risk Management program. It is part of Shared Assessment’s Third-Party Risk Management (TPRM) Product Suite, which is used by over 15,000 organizations worldwide to simplify managing third party risk
How would an organization use the SCA?
There are two predominant use cases for the SCA:
- The SCA is used to plan, scope, and perform comprehensive third-party risk/control assessments on critical vendors/partners. Think of it as the “verify” portion of a third-party risk program. Typically, your third-party risk management team, or a trusted third party (like Pivot Point Security), will execute the program.
- It can be used as a standardized form of third-party attestation like ISO 27001 or SOC 2 . This approach is effective if key customers use the Shared Assessment Program as the basis of their vendor risk management programs, as the SCA is effectively third-party validation of the SIG questionnaire they typically send. We also have customers that use the SCA as an addendum to or a replacement for an ISO 27001/SOC 2 certification. In this scenario, they usually hire a third party to conduct the SCA.
What does an SCA include?
The SCA mirrors the 19 critical risk domains from the SIG and can be scoped to the organization being assessed.
- Access Control
- Application Security
- Asset and Information Management
- Cloud Hosting Services
- Compliance Management
- Cybersecurity Incident Management
- Endpoint Security
- Enterprise Risk Management
- Environmental, Social, and Governance (ESG)
- Human Resources Security
- Information Assurance
- IT Operations Management
- Network Security
- Nth Party Management
- Operational Resilience
- Physical and Environmental Security
- Privacy Management
- Server Security
- Threat Management
What role does PPS play with the SCA?
PPS holds the necessary certification (e.g., CTPRP, CTPRA) to help organizations develop and operate their third-party risk management program. Many of our clients outsource vendor due diligence reviews, including SCAs for high-risk vendors, to PPS.