Best Practices

Third Party Onsite Assessment Best Practices: Practitioner Guide

Shared Assessments is providing this updated onsite assessment guide in response to the call from CISOs and other practitioners to remedy the lack of standardization across assessments within sectors, as well as cross-industry (RSAC-ESAF, 2023; Shared Assessments, 2023). Assessors and third parties contributing to this paper indicate that when participants do not share a common understanding of the assessment purpose and mechanics, assessments may take longer to complete, resulting in inefficient use of resources and potential deterioration of relationships between the parties involved. A lack of common understanding can also yield inconsistent results, and the overall objective of the assessment may not be met.

The Third Party Assessment Process

The information security, privacy and third party risk management communities—regardless of industry—can use this guidance to improve assessment and auditing processes.

  • Step-by-step guidance for assessment planning and scoping, executing (processes and procedures), and reporting and issue resolution in a manner consistent with the organization’s internal control framework and risk appetite.
  • The guidance can be tailored to each relationship and used alongside industry best practice assessor tools in alignment with the outsourcing company’s risk management strategy.
  • A standalone Executive Summary is also available.

This deep dive provides the foundation for planning and executing assessments in a consistent, documented, logical, and transparent manner to carry out an efficient onsite engagement. It includes detailed discussion of the drivers for onsite assessments and ways to optimize them.

The guide is complementary to existing practices in third-party risk assessment and management. Once tailored, the guide and the accompanying TPRM Practitioner Onsite Assessment Plan can be incorporated into governance modeling for successful management and monitoring programs to meet demands for appropriate and effective controls.

This paper represents the work of the Shared Assessments Global TPRM Best Practices Committee and project team of SMEs who stepped forward to update this guide. The best practice solutions that have evolved over the past two decades are brought together and refined by this group, which this year has chosen to focus on ransomware preparedness, reputational risk, and onsite assessment best practices.


The Global TPRM Best Practices Committee, open to members and non-members, currently has more than 260 registered individuals from 185 organizations spanning 15 time zones. If you would like to join, we’d love to have you. You can learn about our other committees at

The Onsite Assessment Best Practice Executive Summary is available here.
The full paper and Practitioner Guide are available for download here.