The Shared Assessments Program Tools
For the Effective Management of the Third Party Risk Management Lifecycle
The Shared Assessments Program Tools provide rigorous standards for building and enhancing risk management capabilities.
Managing Third Party Risk
The service provider control evaluation process has long been inefficient and costly. Each outsourcing organization produces and distributes its own proprietary questionnaire to each of its service providers. Service providers strain their resources to respond to diverse proprietary client information requests. Inconsistencies from questionnaire to questionnaire cause delays for all parties. Time- and resource-intensive onsite visits further burden both the issuer/outsourcer and the assessee.
Using industry-established best practices, Shared Assessments follows a “trust, but verify” approach to conducting third party assessments, which allows you to fine-tune your third party risk management program to your company’s strategy for managing risk.
Which Tool Is Right For You?
Standardized Information Gathering (SIG) Questionnaire
If the primary focus of your program (or your role in the organization) is obtaining information from your service providers through the use of questionnaires, then the SIG (the trust component of Shared Assessments) is right for you. You may want to start with the SIG Lite to conduct an initial evaluation of your service providers and use the full SIG for more complex services. Or, you can use the full SIG and simply filter the questions presented to the service provider based on the type of services they provide. While each component may be used independently, the use of both tools in tandem provides maximum protection from third party risks.
Agreed Upon Procedures (AUP)
If the driving force of your third party risk program is the evaluation of service providers through onsite assessments, then the AUP is the tool for you. The AUP was created for use by a company’s IT/audit departments and accounting and assessment firms that conduct independent onsite audits of service provider controls. The AUP includes a comprehensive list of the controls a service provider should have in place to properly protect your data and systems. In addition, the AUP specifies the procedures to be used to conduct controls testing and recommends sampling parameters to obtain consistent and cost effective results. If this sounds like your approach to managing third party risk, then check out all of the details on the AUP on the AUP Learn More page. If you are uncertain which approach is right for you, or you believe that executing both components of the trust, but verify model is the way to go, we offer special pricing for a Complete Bundle for companies that want to use all of the Shared Assessments Program Tools.
Vendor Risk Management Maturity Model (VRMMM)
|INCLUDED FEATURES||SIG 2017 BUNDLE||SIG LITE 2017 BUNDLE||AUP 2017 BUNDLE||VENDOR RISK MANAGEMENT MATURITY MODEL 2017||COMPLETE 2017 BUNDLE|
|SIG 2017 LITE||X||X||X|
|SIG 2017 MANAGEMENT TOOL||X||X|
|SIG LITE 2017 MANAGEMENT TOOL||X||X||X|
|SIG HOW TO GUIDE||X||X||X|
|SIG SCOPING COMPANION SAMPLE||X||X|
|AUP 2017 REPORT TEMPLATE||X||X|
|AUP 2017 OVERVIEW||X||X|
|VENDOR RISK MANAGEMENT MATURITY MODEL 2017||X||X|
|VENDOR RISK MANAGEMENT MATURITY MODEL OVERVIEW 2017||X||X|
Select Your Assessment Tools
2017 Complete Bundle
Buy the Complete Bundle, which includes the Tools in both the SIG and AUP bundles, as well as the VRMMM, and save $4,000 off the cost of purchasing the Tools separately.
2017 AUP Bundle
The Shared Assessments Agreed Upon Procedures (AUP) is a holistic tool for performing standardized onsite risk management assessments, including assessments of cybersecurity, IT, privacy, data security and business resiliency controls. Use of this tool facilitates onsite verification of SIG responses.
2017 SIG Bundle
The Standardized Information Gathering (SIG) questionnaire is a holistic tool for risk management assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment.
2017 SIG Lite Bundle
The SIG Lite is a compilation of all the top-level questions from the detail tabs of the full SIG, allowing an initial assessment of a service provider's risk controls.
2017 Vendor Risk Management Maturity Model (VRMMM)
Using governance as the foundational element, the 2017 VRMMM identifies the framework elements critical to a successful program.
"Early Warning adheres to a security program that ensures we protect all of our customers’ data, including Personally Identifiable Information (PII). Through active participation and membership in the Shared Assessments program, we leverage the Program’s tools and resources to make our customer audits as efficient as possible."
— Glen Sgambati, CISM, CIPP, CRISC, CTP, CTPRP
Become a Shared Assessments Program Member
Shared Assessments members are national and international organizations of all sizes that understand the importance of comprehensive standards for managing third party risk. They include financial institutions, healthcare organizations, energy/utility, retailers and telecommunications companies.
They are service providers of all sizes, consulting companies, and assessment firms. They are the best in their class, members of a global community of vendor risk management professionals who understand the value of implementing efficient and effective industry-standard practices.
- Free access to the Shared Assessments Program Tools.
- Work on one of the Program’s Standing Committees (SIG, AUP or VRMMM) to continue to refine the Program’s Tools. Member input is what keeps the Shared Assessments Program Tools on the leading edge of third party risk assurance issues.
- Participate in Special Projects and Interest Groups. Join your peers to identify, discuss and address the issues you (and your management) feel are top priorities for resolution.
- Participants in Shared Assessments committees, projects and special interest groups earn CPE credits while demonstrating risk management and compliance leadership.
- Join the monthly Member Forum and other special interest calls. Listen to key industry and regulatory thought leaders presenting on the latest developments in vendor risk management and regulatory compliance.
- Access to third party risk management training and education, white papers, project documents, and case studies.
- Discounts on registration for Shared Assessments events and educational workshops.
Reminder: If you have already purchased the Shared Assessments Tools, you can become a Shared Assessments Program member and reduce your annual dues by the total amount of your purchase, provided you join within 6 months of your Program Tool purchase.