May 6, 2020

Last Updated on January 15, 2024


Escalating third-party risk is among the top information security challenges from COVID-19. If your business entrusts sensitive data to third parties, or handles sensitive data on behalf of customers, you need to know how remote working and other recent changes to your IT environment may have impacted your information security posture.
Further, if you’re a service provider, you also need a concrete way give clients and prospects peace of mind and answer their information security questions quickly and efficiently.

“The purpose [of the SCA] is to have it in black and white and for you to be able to present … what you have done and the results of your analysis.”


If you’re faced with one or more of these challenges, one of the most interesting alternatives out there is the Standardized Control Assessment (SCA) Procedure Tools from the Shared Assessments Program. Offering high flexibility, low cost and quick time-to-value, the increasingly popular SCA solves a wide range of problems for SMBs.
For a top-to-bottom dialog on the SCA and its use cases and business value, the latest episode of The Virtual CISO Podcast features Tom Garrubba, VP and CISO for the Shared Assessments Program, speaking with host John Verry, CISO and Managing Partner at Pivot Point Security, a longstanding Shared Assessments Program member.

  1. According to Tom, the SCA’s top 3 use cases are:
    For organizations that don’t have a vendor risk management (VRM) or third-party risk management (TPRM) program in place, Shared Assessments and the SCA can form the basis (the “verify” portion) of your program and/or support it in multiple ways. The SCA is comprehensive, includes multiple reporting templates, and can be “scoped” to a wide range of environments and scenarios. Used this way, it can be used when you need to conduct vendor assessments for critical vendors.
  2. For companies like SaaS vendors that need to respond to a lot of VRM inquiries and due diligence questionnaires, the SCA can be an ideal tool for internal self-assessment. It’s an excellent “gut check” or “test script” for how your security controls will look to customers and other stakeholders—including where you need to improve. If your security and privacy controls can “self-pass” an SCA assessment, you stand a much better chance of looking good when customers and other stakeholders assess your environment. You can also use the results to self-attest to your security posture.
  3. Organizations that need to prove they are secure and/or compliant can leverage the SCA as an alternative to a SOC 2 report or ISO 27001 certification as the basis for a third-party information security audit/attestation. Customizable as to scope and highly detailed, the SCA can potentially offer much of the value and information of a SOC 2 report or similar third-party attestation but at a significantly lower cost and possibly in a shorter time period.

But as Tom emphasizes, one thing the SCA does not offer, strictly speaking, is an auditor’s subjective opinion regarding your security. “The purpose [of the SCA] is to have it in black and white and for you to be able to present … what you have done and the results of your analysis.” Although, as John points out, “The results in and of themselves to some extent are an opinion.”
To evaluate whether the SCA right for your organization, check out the full episode (and a lot more where that came from) here. If you don’t use Apple Podcasts, you can find all our episodes here.