Everyone is familiar with the utility of the famous Swiss army knife: a penknife housing several blades and other tools such as files, scissors, and screwdrivers. The Shared Assessments’ Standardised Controls Assessment (previously known as the Shared Assessments’ Agreed Upon Procedures, or “AUP”) is acquiring a similar reputation in assurance circles, as it is reported to be used not just in countless third party risk assessments to help verify that a particular control exists, but also for attesting to an outsourcer’s “in-house” controls.
Pivot Point Security’s CISO and Managing Partner John Verry recently asked me, on the Virtual CISO Podcast, about ways to use the SCA beyond third party risk assessments. In the same way that do-it-yourself handymen use Coca-Cola as an agent to clean chrome and other metals, many organisations are beginning to see the value of using the SCA in their self-assessment process to review their own internal controls and processes.
The reason for this is simple: your organisation is very likely a vendor to someone else, and therefore the SCA is incredibly useful in helping to identify and test the effectiveness of key internal controls. The value proposition lies in the fact that, as many organisations labour to adopt frameworks or to ensure adherence to certain regulations or guidance, they find that the SCA’s controls are already mapped or aligned to the most readily referenced frameworks, regulations and guidance: frameworks such as ISO, NIST, and COBIT; regulations and laws from around the globe such as FFIEC, EBA, HIPAA, GDPR, and the CCPA; and industry standards such as PCI-DSS.
Additionally, the SCA provides not only these test steps but additional features such as reporting templates, which adds to the value of the tool. Lastly, an organisation can have its respective internal teams, such as auditors, IT security, Human Resources, etc., execute the provided test steps. If the organisation would prefer an outside entity to perform this on its behalf, then an external assessment or security firm experienced in adhering to SCA Standards must perform the engagement.
The results of following the SCA are unequivocal: it reports control gaps and allows management to make risk-based decisions on mitigating those gaps. By design, no “opinion” is offered.
This article was originally written by Tom Garrubba and published by Shared Assessments and is shared with their kind permission.
For advice and information
DVV Solutions are here to help. We have developed a suite of managed services and automation tools based upon the Shared Assessments Program industry standard frameworks and protocols that improve your ability to manage the increasing volumes and complexity of Third Party supplier risk and regulatory compliance programs.
About The Author
Tom Garrubba is Senior Director and CISO of Shared Assessments Program / The Santa Fe Group. Tom is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on Third Party Risk Management (TPRM) programs for Fortune 100 companies. He is an internationally recognised subject matter expert and top-rated speaker on Third Party risk.