The Trusted Source in
Third Party Risk Assurance

  • Creating efficiencies and cost savings to effectively
    manage the vendor risk management lifecycle
  • Tools follow a "trust, but verify" standardized approach,
    adopted globally across a broad range of industries
  • Kept current with regulations, industry standards
    and guidelines, and the current threat environment
  • Education, resources and tools for outsourcers,
    service providers, assessment firms and solution providers

Membership & Tools

Join our global community of risk management professionals and access our Tools and resources
Learn more about becoming a member of the Shared Assessments Program
Learn More »

Become a member of the Shared Assessments Program

"Integrating the full range of Shared Assessments content into our GRC platform gives our customers streamlined vendor management tools, empowering them to better manage the governance, risk and compliance issues surrounding their third-party relationships."
— Chris Caldwell, CEO, LockPath
  • Participate in a global community of information security, privacy, and third party risk management leaders
  • Gain access to members-only resources and the Shared Assessments Program Tools, including the SIG and AUP
  • Develop and demonstrate knowledge with industry peers on challenging issues in information and data security, privacy and business continuity
  • Gain opportunities to build, shape and refine vendor risk management tools and best practices
  • Network with information security officers, privacy officers, and other subject matter experts

Just the Tools

Purchase our ready-to-use Tools to develop and manage your third party vendor assurance program.
Learn more about purchasing the world’s most comprehensive third party risk management tools
Learn More »

The world’s most comprehensive third party risk management tools

"Shared Assessments Program tools allow enterprise organizations to evaluate and measure the level of IT risk across their vendors in a quantifiable, objective and repeatable process."
— Niall Browne, Shared Assessments Steering Committee Member
  • Obtain efficiencies and cost savings by using just one document to establish and define your risk control environment
  • Reduce FTE costs by using one document to satisfy multiple client requests, rather than responding to multiple proprietary questionnaires
  • Used globally by financial institutions, healthcare organizations, energy/utility, retailers, telecommunications and others
  • Shared Assessments Program Tools kept current with regulatory and industry standards
"Early Warning adheres to a security program that ensures we protect all of our customers’ data, including Personally Identifiable Information (PII). Through active participation and membership in the Shared Assessments program, we leverage the Program’s tools and resources to make our customer audits as efficient as possible."
— Glen Sgambati, CISM, CIPP, CRISC, CTP, CTPRP
Early Warning

Third Party IoT Security: Interpreting Survey Results in the Context of a Shifting Security Paradigm

Published on July 17, 2017 | Posted in: Cyber Attacks, Data Protection, Internet of Things (IoT), News, Third Party Oversight, Third Party Risk, Vendor Risk Management, Vendor Security, Vendor Threat

Shared Assessment’s just published Ponemon research report The Internet of Things (IoT): A new Era of Third Party Risk provides a great snapshot of current

Internet of Things (IoT) and Third-Party Risk

Published on July 9, 2017 | Posted in: Compliance, Internet of Things (IoT), Larry Ponemon, News, Ponemon Institute, Risk Assessment, Risk Management, Third Party Risk

In our digital age, everything is connected. Cars can drive themselves, planes can fly themselves, and your refrigerator can use the internet to tell you

Best Practices in Third Party Risk Governance

Published on July 7, 2017 | Posted in: News

Part 3 in a series with Kenneth Peterson, Chairman and CEO, Churchill & Harriman Q. What does the annual Shared Assessments Summit deliver to its

Using Risk Rating to Optimize Your Third Party Risk Program

Creating a cost effective, objective approach to risk management

Risk rating of third party providers is an essential aspect of a comprehensive risk management program. When based on pre-determined criteria, outsourcers can use risk rating to identify actual versus perceived risk as it relates to specific risk areas, such as financial health, security controls and resiliency.

Learn More and Access the Report »

Enterprise Cloud Risk Guide & Assessment Best Practices White Paper

Guidance for a more agile response to the unique challenges of cloud implementation

The Shared Assessments Program announces the release of two new program resources:

  • Evaluating Cloud Risk for the Enterprise: An Updated Shared Assessments Guide; and
  • The companion Assessment of Public Cloud Computing Vendors best practices white paper.

Learn More and Access the Report »

The Internet of Things (IoT): A New Era of Third-Party Risk

“Ready or not, IoT third party risk is here. Given the proliferation of connected devices, today’s cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever,” said Charlie Miller, Senior Vice President with the Shared Assessments Program. “In order to avoid becoming the next big headline, our security tactics have to evolve along with the threats.”

Learn More and Access the Report »

Fourth Party Risk Management White Paper

Examining Fourth Party Risk Management Issues

Emerging Best Practices within the Supply Chain

Risk from downstream parties is increasing as outsourcing organizations engage more and more third parties who themselves have their own outside provider relationships. The proliferation of fourth party relationships provides the undesired opportunity for the existence of significant risk management gaps.

Learn More and Access the Report »

Continuous Monitoring of Third Party Vendors: Building Best Practices


Moving the Needle on Longitudinal Tracking for More Effective Processes

Continuous monitoring, a subset of ongoing monitoring, moves the risk posture of systems to a level that allows tracking over time, often in real-time, to raise awareness of changing vulnerabilities and processes for more effective decision-making and achieve discernable gains in risk management.

Learn More and Access the Report »

2016 Shared Assessments Benchmark Study

The 2016 Vendor Risk Management Benchmark Study by Shared Assessments in collaboration with global consulting firm Protiviti examines the maturity of vendor risk management.

Learn More and Access the Report »

Building Best Practices in Third Party Risk Management: Involving Procurement White Paper


Establishing a strong standard for risk management means including all stakeholders before a third party is brought on board. With the right tools and framework, the Procurement function can work closely, efficiently and effectively with all areas of an organization to help provide partners and regulators with a level of assurance that third parties are appropriately vetted and monitored throughout the life of the relationship. Procurement can also help facilitate a centralized process that is designed to mitigate many of the risks associated with these relationships and should therefore be seen as a critical function that organizations can leverage for more than just achieving cost savings.
The paper focuses on ways to effectively integrate Procurement into the third party oversight function.

Learn More and Access the Paper. »

2016 Tone at the Top and Third Party Risk Survey


Tone at the Top and Third Party Risk examines the role of executives in third party risk management in a broad range of industries and the effect of tone at the top on minimizing business risks within organizations. This study is sponsored by Shared Assessments and conducted by the Ponemon Institute.

Key findings indicate that third party vendor risk is not being effectively implemented:

  • Only 26% of respondents believe that their organization’s third party risk assessment of controls is effective.
  • 50% of respondents do not believe the risk management process is aligned with their organization’s business goals.
  • Just 11% say their organizations are very effective at communicating values throughout the enterprise or to business partners, vendors and other third parties.

Learn More and Access the Paper. »

Financial Services Industry Call to Action


The increased connectivity and complexity of critical infrastructure systems both nationally and globally puts economic and public security squarely at the forefront of risk management in every sector and industry vertical. A proactive stance is clearly required to establish best practices for more mature risk management programs industry-wide.

The financial services industry is in position to continue its leadership role in third party risk management, in order to improve the quality and efficiency of risk management programs at both the outsourcer and provider levels to collectively raise the bar and establish effective industry-wide risk management solutions.

Learn More and Access the Paper »

Onsite Assessments Best Practices White Paper


In 2015, a Shared Assessments awareness committee was established to create a best practice assessment and scoping guideline practical for all outsourcing organizations, onsite assessment teams, managers and service providers, regardless of industry or assessment scope. The guideline will work in concert with existing onsite assessment tools and processes. It provides a clear, consistent methodology to keep the assessment process on target and therefore reduce duplication of effort and assessment fatigue.

Learn More and Access the Paper »

Tone at the Top White Paper



Consensus is quickly growing that an effective risk culture cannot be developed without a “Tone at the Top” that demonstrates, beyond doubt, that the Board and C-Suite are active in building and maintaining an effective enterprise risk management culture and program, inclusive of third party risk issues. The right Tone at the Top and risk culture can become important drivers of improved organizational performance – companies that incorporate risk management into their strategic planning process and operating model gain clear competitive advantage.

Learn More and Access the Paper »

Incident Response Briefing Paper

The Shared Assessments Program is pleased to announce our briefing paper, Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program.

To help organizations be better prepared against increasingly inevitable incidents, the Shared Assessments Program SIG Committee has released Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program. The paper outlines a newly developed best practices model of incident event management program creation.

Learn More and Access the Paper. »

Collaborative Onsite Assessments Case Study

The Shared Assessments Program is pleased to present a case study based on our first in a series of pilots for our Collaborative Onsite Assessment program.

The goal of this pilot program is to create the opportunity for multiple industry outsourcers to perform a collaborative onsite assessment of a single service provider, performed by an independent assessment firm, leveraging the Shared Assessments Agreed Upon Procedures (AUP), the standardized testing procedures of the Shared Assessments Program, as a common onsite assessment vehicle. The case study outlines the methodology used and the results of this first pilot.

Access the Report »

Early Registration Discount: 2018 Shared Assessments Summit

2018 Shared Assessments Summit Dates
April 11-12, 2018
Ritz Carlton Pentagon City
Arlington, VA

Sign up now to lock in 2017 prices before 2018 prices are released.

April 9:

  • Pre-Summit Workshops

April 10:

  • Pre-Summit Workshops

April 11:

  • Shared Assessments Summit (full day session)

April 12:

  • Shared Assessments Summit (full day session)

April 13:

  • CTPRP Certification Workshop & Exam

Register Now »

2017 Program Tools

Our 2017 Shared Assessment Program Tools deliver comprehensive assessment of IT, privacy and data security controls to manage threats.

Learn which Program Tool is right for you »

Newsletter Archive

August 2017
5 Steps to Take Now to Protect Against Emerging IoT Threats
July 2017
Evaluating Cloud Use Enterprise-Wide
June 2017
10th Annual Shared Assessments Summit
May 2017
Examining Fourth Party Risk Management Issues
April 2017
New York State Cybersecurity Requirements and Third Party Risk Management
March 2017
Including Risk Rating in Due Diligence
February 2017
Lines of Defense
January 2017
2016 Year in Review
December 2016
2017 Program Tools Released
November 2016
2016 Vendor Risk Management Benchmark Study
October 2016
Achieving a Robust Third Party Risk Program
September 2016
Best Practices for Building Third Party Risk Programs
August 2016
New Opportunities, New Obligations
July 2016
UK Brexit Vote
June 2016
Shared Assessments Summit 2016
May 2016
EU's GDPR and the EU-US Privacy Shield
April 2016
2016 Tone at the Top and Third Party Risk Study
February 2016
2016 Program Tool Updates
January 2016
FFIEC Examination Handbook
December 2015
Incident Event Management
November 2015
2015 - A Year in Review
October 2015
Tone at the Top
September 2015
International Standards
August 2015
Privacy Defense
July 2015
2015 Vendor Risk Management Benchmark Study
June 2015
May 2015
2015 Shared Assessments Summit
April 2015
Payments Security: Will PCI Play a Role in Our Future?
March 2015
Voice Privacy: An Issue that Needs to be Heard
February 2015
The Board's Role in Third Party Risk
January 2015
2015 Third Party Risk Resolutions
December 2014
2014 A Year in Review
November 2014
Third Party Risk Certification
October 2014
The Emerging Mobile Payments Battle
September 2014
Obligations of HIPAA Business Associates
August 2014
Vendor Classification
July 2014
Third Party Software Security
June 2014
Experts Weigh In On Third Party Risk
May 2014
2014 Vendor Risk Management Benchmark Study
April 2014
The Board's Role in Risk Management
March 2014
Third Party Data Breach Incidences
February 2014
Shared Assessments Launches New 2014 Program Tools
