The Shared Assessments Program Tools

For the Effective Management of the Third Party Risk Management Lifecycle

The Shared Assessments Program Tools provide rigorous standards for building and enhancing risk management capabilities.

Managing Third Party Risk

The service provider control evaluation process has long been inefficient and costly. Each outsourcing organization produces and distributes its own proprietary questionnaire to each of its service providers. Service providers strain their resources to respond to diverse proprietary client information requests. Inconsistencies from questionnaire to questionnaire cause delays for all parties. Time and resource intensive onsite visits further burden both the issuer/outsourcer and the assessee.

Using industry-established best practices, Shared Assessments follows a “trust, but verify” approach to conducting third party assessments, which allows you to fine tune your third party risk management program to your company’s strategy for managing risk.

Which Tool Is Right For You?

Standardized Information Gathering (SIG) Questionnaire

The trust component of the Program is the Standardized Information Gathering (SIG) questionnaire. By using the SIG, an issuer/outsourcer can obtain all of the information necessary to conduct an initial assessment of a service provider’s cybersecurity, IT, privacy, data security and business resiliency controls. Questions within the SIG are filtered by the user to apply to the specific type of service outsourced to the third party. A How To Guide provided with each SIG assists in developing a SIG tailored to a specific service type.

If the primary focus of your program (or your role in the organization) is obtaining information from your service providers through the use of questionnaires, then the SIG (the trust component of Shared Assessments) is right for you. You may want to start with the SIG Lite to conduct an initial evaluation of your service providers and use the full SIG for more complex services. Or, you can use the full SIG and simply filter the questions presented to the service provider based on the type of services they provide. While each component may be used independently, the use of both tools in tandem provides maximum protection from third party risks.

Agreed Upon Procedures (AUP)

The verify portion of the Program is facilitated by the Shared Assessments Agreed Upon Procedures (AUP), a holistic tool for performing standardized onsite risk management assessments, including assessments of cybersecurity, IT, privacy, data security, and business resiliency. The AUP provides several vital functions. First, it allows an outsourcer to validate the answers provided by a third party using the SIG questionnaire. Second, it sets forth the risk control areas to be assessed as part of an onsite assessment, as well as the procedures to be followed while conducting the assessment and the sampling procedures to be used. The companion document to the AUP, the AUP Report Template, provides a standardized approach to collecting and reporting onsite assessment results, further enhancing the efficiency of the onsite assessment process. While each component may be used independently, the use of both tools in tandem provides maximum protection from third party risks.

If the driving force of your third party risk program is the evaluation of service providers through onsite assessments, then the AUP is the tool for you. The AUP was created for use by a company’s IT/audit departments and by accounting and assessment firms that conduct independent onsite audits of service provider controls. The AUP includes a comprehensive list of the controls a service provider should have in place to properly protect your data and systems. In addition, the AUP specifies the procedures to be used to conduct controls testing and recommends sampling parameters to obtain consistent and cost effective results. If this sounds like your approach to managing third party risk, then check out all of the details on the AUP Learn More page. If you are uncertain which approach is right for you, or you believe that executing both components of the “trust, but verify” model is the way to go, we offer special pricing for a Complete Bundle for companies that want to use all of the Shared Assessments Program Tools.

Vendor Risk Management Maturity Model (VRMMM)

Perhaps your focus at this time is on the development or refinement of your third party risk management program. If that’s the case, the Vendor Risk Management Maturity Model (VRMMM) was designed with your needs in mind. The VRMMM incorporates vendor risk management best practices into a practical model that assesses the current and desired future state of a vendor risk management program and helps companies make well-informed decisions on how to spend limited resources to manage vendor-related risks effectively. With a scoring dashboard for reporting, the VRMMM will help you assess the current status of your program and plan for the future. This Tool is included when you purchase the SIG Bundle, AUP Bundle or our Complete Bundle, or you can receive the VRMMM tool on its own at no cost.

Bundle Features

Bundles compared: SIG 2017 Bundle, SIG Lite 2017 Bundle, AUP 2017 Bundle, Vendor Risk Management Maturity Model 2017, Complete 2017 Bundle. The column positions of the inclusion marks did not survive extraction; each feature is listed below with the number of bundles that include it.

Included features:
  • SIG 2017 (included in 2 of the 5 bundles)
  • SIG 2017 Lite (included in 3 of the 5 bundles)
  • SIG 2017 Management Tool (included in 2 of the 5 bundles)
  • SIG Lite 2017 Management Tool (included in 3 of the 5 bundles)
  • SIG Overview (included in 3 of the 5 bundles)
  • SIG How To Guide (included in 3 of the 5 bundles)
  • SIG Scoping Companion Sample (included in 2 of the 5 bundles)
  • AUP 2017 (included in 2 of the 5 bundles)
  • AUP 2017 Report Template (included in 2 of the 5 bundles)
  • AUP 2017 Overview (included in 2 of the 5 bundles)
  • Vendor Risk Management Maturity Model 2017 (included in 2 of the 5 bundles)
  • Vendor Risk Management Maturity Model Overview 2017 (included in 2 of the 5 bundles)

Select Your Assessment Tools

2017 Complete Bundle

Buy the Complete Bundle, which includes the Tools in both the SIG and AUP bundles, as well as the VRMMM, and save $4,000 off the cost of purchasing the Tools separately.

2017 AUP Bundle

The Shared Assessments Agreed Upon Procedures (AUP) is a holistic tool for performing standardized onsite risk management assessments, including assessments of cybersecurity, IT, privacy, data security and business resiliency controls. Use of this tool facilitates onsite verification of SIG responses.

2017 SIG Bundle

The Standardized Information Gathering (SIG) questionnaire is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment.

2017 SIG Lite Bundle

The SIG Lite is a compilation of all the top-level questions from the detail tabs of the full SIG, allowing an initial assessment of a service provider’s risk controls.

2017 Vendor Risk Management Maturity Model (VRMMM)

Using governance as the foundational element, the 2017 VRMMM identifies the framework elements critical to a successful program.

"Implemented correctly, the Shared Assessments Program serves two critical purposes: satisfying requisite regulatory requirements, and honoring one's fiduciary responsibility to maximize the overall cost efficiency of their third-party vendor risk management program."
— Ken Peterson, President and CEO, Churchill & Harriman, Inc., Shared Assessments Program Advisory Board Member

Become a Shared Assessments Program Member

Shared Assessments members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third party risk. They include financial institutions, healthcare organizations, energy/utility, retailers and telecommunications companies.

They are service providers of all sizes, consulting companies, and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.

Member benefits include:
  • Free access to the Shared Assessments Program Tools.
  • A seat on one of the Program’s Standing Committees (SIG, AUP or VRMMM) to continue to refine the Program’s Tools. Member input is what keeps the Shared Assessments Program Tools on the leading edge of third party risk assurance issues.
  • Participation in Special Projects and Interest Groups. Join your peers to identify, discuss and address the issues you (and your management) feel are top priorities for resolution.
  • CPE credits for participating in Shared Assessments committees, projects and special interest groups, while demonstrating risk management and compliance leadership.
  • The monthly Member Forum and other special interest calls. Listen to key industry and regulatory thought leaders presenting on the latest developments in vendor risk management and regulatory compliance.
  • Access to third party risk management training and education, white papers, project documents, and case studies.
  • Discounts on registration for Shared Assessments events and educational workshops.

Reminder: If you have already purchased the Shared Assessments Tools, become a Shared Assessments Program member and reduce your annual dues by the total amount of your purchase, provided you join within 6 months of your Program Tool purchase.


[Image gallery: logos of Shared Assessments Program licensees and members, including ControlCase, White Hat, Deluxe Corp, Bank of the West, Protiviti, Deloitte, PwC, KPMG, Ernst & Young, Churchill & Harriman, Bank of New York Mellon, U.S. Bank, TD Ameritrade and others.]