Third Party Risk Management - Consultancy, Assessment & Advisory

Shared Assessments Program & Tools

Driving global standards in Third Party risk

DVV Solutions are proud members and contributors to the Shared Assessments Program.

The Shared Assessments Program is a member-driven community that advances industry-standard tools and best practices for consistent, efficient and cost-effective Third Party management. The Program has been setting the standard in Third Party risk management since 2005, when the Big Four and six global banks collaborated to form Shared Assessments to address the inefficiencies surrounding Third Party risk management.

A Shared Assessments Membership gives organisations not only access to the Program Tools and thought leadership, but also the opportunity to work alongside industry peers to influence and create them.

The Shared Assessments Program Tools provide rigorous standards for building and enhancing Third Party risk programs. Using industry best practices, the tools follow a “trust, but verify” approach to conducting supplier risk assessments.

SIG - Standardised Information Gathering Questionnaire

The SIG questionnaire is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment.

Using a robust compilation of questions, the SIG gathers pertinent information to determine how security risks are managed across a spectrum of 18 risk control areas, or “domains”, within a service provider’s environment. It was developed to enable a service provider to compile complete information about these risk domains in one document. The SIG can be used in various ways:

  • Used by an outsourcer to evaluate their service providers’ risk controls.
  • Completed by a service provider and used proactively as part of a request for proposal (RFP) response.
  • Completed by a service provider and sent to their client(s) in lieu of completing one or multiple proprietary questionnaires.
  • Used by an organisation for self-assessment.

SCA - Standardised Control Assessment

The Standardised Control Assessment (SCA) is customisable to an individual organisation’s needs and defines 18 critical risk control areas, procedures and an onsite assessment reporting template.

The Shared Assessments Standardised Control Assessment (SCA), formerly the Agreed Upon Procedures (AUP), is a holistic tool for performing standardised verified or onsite risk management assessments, including assessments of cybersecurity, IT, privacy, data security and business resiliency controls. Use of this tool validates SIG responses.

The SCA content aligns to the SIG questionnaire to ensure a consistent and comprehensive assessment is achieved.

The Shared Assessments Program tools evaluate controls across these 18 key risk domains:

  • Risk assessment and treatment
  • Security policy
  • Organisation security
  • Asset and information management
  • Human resources security
  • Physical and environmental security
  • Operations management
  • Access control
  • Application security
  • Incident event and communications management
  • Business resiliency
  • Compliance
  • Network security
  • Privacy
  • Threat management
  • System hardening standards
  • Server security
  • Cloud hosting

CTPRP - Certified Third Party Risk Professional

The CTPRP designation from the Shared Assessments Program validates expertise, providing professional credibility, recognition, and marketability in Third Party risk.

CTPRP holders demonstrate a thorough working knowledge of Third Party risk management concepts and principles, including:

  • Managing the vendor lifecycle.
  • Vendor risk identification and rating.
  • Knowledge of the fundamentals of vendor risk assessment, monitoring and management.

The CTPRP is designed for Third Party risk, procurement and compliance professionals, including business vendor managers, risk (vendor or operational) managers, vendor IT security managers, IT auditors / assessors and IS auditors / professionals.

VRMMM - Vendor Risk Management Maturity Model

The focus of the VRMMM is to provide Third Party risk managers with a tool they can use to evaluate their program against a comprehensive set of best practices.

The Vendor Risk Management Maturity Model (VRMMM) is a holistic tool for evaluating maturity of Third Party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls.

The resulting assessment allows organisations at any stage of development or implementation of a Third Party risk program to better understand the critical areas for improvement and development, whether they are just starting the program or have been running a Third Party risk program for years.

Program Membership

As a Shared Assessments program member and registered Assessment Firm, DVV Solutions have adopted these industry-standard practices as the foundation for our Third Party risk assessments.

All our IT Security Assurance Consultants are accredited to CTPRP standards and fully conversant in the execution and adaptation of the Program tools to deliver a world-class Third Party risk assessment service to our clients.

You can learn more about Program membership and its benefits on the Shared Assessments website.


Why choose us?

  • We are specialists in Third Party Risk Management with over 20 years of experience in Cyber Security and Governance, Risk & Compliance, and a dedicated team of experienced IT Security Assurance Consultants.
  • We are a vendor-agnostic managed service provider, able to focus on delivering a TPRM program built around your specific risk-based, organisational and regulatory requirements.
  • We are a Shared Assessments Program member and recognised Assessment Firm with certified IT Security Assurance Consultants, able to deliver a comprehensive service based on industry standards and best practice.