Announcing the 2018 Shared Assessments Risk Assessment Program Tools

Pen Chart

Tools That Empower Vendor Risk Management Confidence

Shared Assessments is excited to announce the release of the updated 2018 Shared Assessments Program Tools, which serve organizations for risk management, regardless of size and industry. The Tools help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

The Program Tools are an important component of the Shared Assessments Third Party Risk Management Framework, which helps organizations manage the full lifecycle of a third party relationship, from planning for third party engagement, to due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring and termination. The Tools embody a “Trust, but Verify” approach for conducting third party risk management assessments and use a substantiation-based, standardized, efficient methodology.

The Shared Assessments Program Tools are:

  • 2018 Standardized Information Gathering (SIG) questionnaire for remote assessment;
  • 2018 Shared Assessment Standardized Control Assessment (SCA) procedures for performing onsite assessments;
  • 2018 Vendor Risk Management Maturity Model (VRMMM) for evaluating programs against a comprehensive set of best practices; and
  • The new EU General Data Protection Regulation (GDPR) Tool Kit

Creating Sustainable Standardization in Today’s High Risk, Cyber-Based Environment
Continuous quality improvement evaluation of the Program Tools and our other third party risk management resources is conducted to ensure that:

  • Content updates are in line with modifications in domestic and international regulations, changes in industry standards and guidelines, and the emergence of new risks.
  • Program Tools remain relevant in response to the growing and shifting nature of cyber security threats and vulnerabilities.
  • A standardized process and tools are available that employ a clear, consistent methodology for third party service provider management strategy and risk control verification assessments to reduce duplication of effort for outsourcers and providers.

Updated 2018 Program Tools
These updated Tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns.

The 2018 Standardized Information Gathering (SIG) Questionnaire

  • The SIG employs a holistic set of industry best practices for gathering and assessing information technology, cybersecurity, privacy and data security risks and their corresponding controls. It serves as the “trust” component for outsourcers who wish to obtain succinct, scoped initial assessment information regarding a service provider’s controls. The SIG can also be used proactively by providers, to reduce initial assessment duplication and assessment fatigue.

Enhancements to the 2018 SIG include:

  • SIG Scoping: In response to user feedback, the most significant change you will notice is the addition of a new Scoping Tab, which allows for multiple ways to customize the SIG questions for a company’s individual needs. This tab will be the first stop in starting a new SIG. From this tab, the LITE, CORE, or FULL SIG will be available. The CORE SIG is a new designation and will be used for assessing service providers that run business critical functions, data, and systems. It is meant to meet the needs of most assessments.
  • Industry References: Updates for 2018 that reflect industry and regulatory standards included:
    • New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
    • European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
  • Content Organization and Updates:
    • Tab K. Business Resiliency was updated for current threat environment and recovery planning best practices.
    • Tab P. Privacy was updated to reflect current privacy rules, GDPR & domestic rule updates.
    • Tab U. System Hardening Standards was updated to reflect new industry best practices.
    • Tab V. Cloud Hosting was created to organize cloud security questions into its own separate tab and updated to reflect new industry standards and best practices.
    • The total number of questions has been decreased by removing duplication and redundancy.

    The 2018 Shared Assessments Standardized Control Assessment (SCA) Procedures – Formerly the Agreed Upon Procedures (AUP)

    To better communicate the function of the tool and its alignment with the SIG questionnaire, the Agreed Upon Procedures (AUP) has been renamed the Standardized Control Assessment (SCA) procedures. This name change will also help eliminate any confusion with the formal definition of AUP within the AICPA practice standards, allowing for expansion of general attestation engagements to their client base using the SCA Tool and SCA Report Template.

    Enhancements to the 2018 SCA include:

    Content Re-Organization and Updates:

    • The SCA, and its companion SCA Report Template, have been re-organized to align more closely with the SIG. The updated tool can be utilized for onsite or virtual assessments. All changes to content, including reorganization of section information, contain language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards.((AT § 201.03: Agreed-Upon Procedures Engagements. American Institute of Certified Public Accountants (AICPA). June 1, 2001. Statement on Standards for Attestation Agreements (SSAE) No. 10. SSAE No. 11. AICPA. 2015; and as adopted by the Public Company Accounting Oversight Board (PCAOB), April 2003.))
    • Section A. Risk Assessment and Treatment procedures have been added for brevity and clarity.
    • Section I. Application Security subsections were added to more closely align with the SIG.
    • Section K. Business Resiliency was updated for current threat environment and recovery planning best practices.
    • Section P. Privacy was updated for current privacy rules, GDPR & domestic regulatory updates.
    • Section U. System Hardening Standards were updated to reflect new industry best practices.
    • Section V. Cloud Hosting has been added to align with the new SIG tab and to reflect the changing landscape of hosting options and vulnerabilities.
    • SIG Alignment: The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.

    Industry References: Updates reflect industry standards and regulatory including:

    • New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
    • European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
    • Open Web Application Security Project (OWASP) Top Ten 2017 Vulnerabilities RC2 Project.

    The 2018 Vendor Risk Management Maturity Model (VRMMM)

    • Greater adoption of the VRMMM will improve third party risk management overall by assisting industry members in assessing and benchmarking the maturity of their own third party risk management programs. The VRMMM also allows for better benchmarking within and across industries in the annual benchmarking study.
    • Access to this benchmarking tool is especially important to organizations new to third party risk and is aligned to the goal of Shared Assessments to advance the art of third party risk management.
    • To download the Shared Assessments’ Free VRMMM, go to:

    GDPR Data Processor Privacy Tool Kit:
    This new tool provides guidance for Data Processors who fall under compliance to the of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) 2016/679, stringent new requirements, which go into effect on May 25, 2018. To meet this deadline, organizations are being challenged with the very sizeable task of not only “re-papering” or modifying their vendor arrangements, but also of applying increased vigor in IT and privacy risk assessments to ensure that customer data is being processed according to the controller/processor contractual arrangements, in keeping with the regulation. Direct compliance liability for data protection provisions will now extend to the data processors or vendors.

    The Tool Kit is Free: The bundle provides a narrative introduction and a series of mini-tools to help determine how to meet the new requirements that will be imposed on how Controllers (i.e., outsourcers) may appoint and monitor Data Processors (i.e., third party vendors).

    Some of the insights provided by this Tool Kit – for both Controllers and Processors:

    • Questions to ask your vendors regarding the secure and private handling of your affected customer data.
    • Test steps to ensure controls are in effect and are operating as intended.
    • A scoping checklist designed to help manage or structure the contract provision tool set needed for compliance.
    • Identifying artifacts to support customer data controls and other privacy program efforts.

    Members of the Shared Assessments Program can access the tools in the Member section of the website by clicking here. If you are interested in purchasing the Program Tools please contact

    About the Shared Assessments Program
    The Shared Assessments Program is the trusted leader in third party risk management, with resources to effectively manage the critical components of the third party risk management lifecycle. These resources are creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of Shared Assessments third party risk management resources, including Program Tools, offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security and business resiliency. The Shared Assessments Program ( is managed by The Santa Fe Group (, a strategic advisory company based in Santa Fe, New Mexico.

TESTING – Kelly Wagner

Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.

Sub Topics