Member Projects and Activities

Shared Assessments members are national and international organizations of all sizes that understand the value of leveraging the knowledge of their risk management peers in the development and management of best-in-class third party risk management programs. They are leaders in their industries and members of a global community of risk management professionals working together to keep the Shared Assessments Program Tools at the forefront of third party risk management practices.

One of the primary reasons the Shared Assessments Program Tools have been able to maintain their status as the industry standard for third party risk assurance is that they are maintained by the very risk professionals who specialize in third party risk management issues. Shared Assessments offers opportunities for members to address global risk management challenges through its committees, Awareness Groups and special projects/interest groups.

Development Committee

All of the Shared Assessments Development Committees are conducted under the direction and oversight of the Shared Assessments Steering Committee. The Steering Committee, with input from each Development Committee Chair, establishes the annual initiatives and helps prioritize their efforts. The primary mission of the Development Committees is to ensure that the Shared Assessments Program standardized tools (SIG, AUP, and VRMMM) are relevant, thorough and responsive to a range of new and emerging US and international guidelines for privacy, information and data security and business resiliency.

Who Serves on the Development Committee?

All Shared Assessments members are eligible to serve on a development committee or awareness group. Development committee members are risk management leaders from a range of industries. They are information security officers, privacy officers and other subject matter experts who are motivated to help build and sustain Shared Assessments’ rigorous standards. Participants include experts from the Big 4 accounting firms, which serve as technical advisors to the Shared Assessments Program.

Development committee members play an important leadership role in the Shared Assessments Program. Development committee membership offers:

  • Participation in a global community of risk management and information technology professionals.
  • Professional development opportunities.
  • Collaboration with industry peers on challenging issues in information and data security, privacy and business resiliency.

SIG Committee

The SIG Committee is responsible for the content of the SIG Tool. Its goal is to ensure the SIG content is always relevant and current with the latest industry regulations, standards and best practices as they relate to information security. In 2017 the SIG Committee will further work on reducing the number of questions as well as work to create a mechanism within the tool to assist users with scoping the completion process. The Committee will also begin to review any gaps identified during the mapping process of the most critical regulations and standards that have been included in the 2017 SIG.

Privacy Committee

The Privacy Committee provides input on privacy issues to the SIG and AUP Committees based on new regulations, standards and guidance. Privacy professionals meet monthly to evaluate the need to update the privacy content included in the SIG and AUP, identify and track changes in domestic and international privacy regulations, and then consider the development of briefing papers on privacy topics of interest. For the 2017 work year, the Privacy Committee will expand thought leadership on Privacy/Third Party Assurance to educate/inform on key privacy topics based on new regulations, as well as update and enhance Privacy Tools for the Shared Assessments Program.

The industry standards, regulations and guidance the Program Tools currently align to include:

  • US financial services and healthcare regulations and standards and guidance, including: FFIEC Appendix J and OCC-2013-29; Merchant Processing Handbook; and Healthcare Regulatory Guidance and Standards: HIPAA Incident Response Reporting Procedures.
  • Other pertinent US governmental guidance and standards in all industries for federal and/or state agencies, including: NIST Cybersecurity Framework (CSF); Computer Security Incident Handling Guide (NIST.SP.800-61r2); Title 21 of the Code of Federal Regulations (CFR) Part 11 Section 11.1 (a); DOJ Breach Procedures; and US CERT – Federal Incident Notification Guidelines.
  • US-based national and international standards: AICPA Incident Response Procedures; COBIT; Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM); ISO 27001, 27002; and PCI-DSS.
  • International standards, including UK Cyber Essentials Scheme and EU Data Protection Directive.

Mapping is underway to ensure we further align to:

  • Asia – Pacific – Japan (APJ): Asia-Pacific Economic Cooperation (APEC); Association of Banks in Singapore Outsourced Service Provider (OSP) Standardized Guidelines; Australian Prudential Regulatory Authority (APRA); Hong Kong Monetary Authority (HKMA); and Monetary Authority of Singapore (MAS).
  • Europe: EU – European Central Bank (ECB); Germany – Bundesbank/Central Bank of Germany (BuBA), German Federal Financial Supervisory Authority (BaFIN); Luxembourg – Commission de Surveillance du Secteur Financier (CSSF); Switzerland – Financial Market Supervision Act (FINMA); UK – Financial Conduct Authority (FCA); Financial Services Authority (FSA); and Prudential Regulation Authority (PRA) Rulebook.

AUP Committee

The AUP Committee is responsible for ensuring the content of the AUP is relevant and accurate by examining and discussing federal regulations, industry standards and guidelines and updating AUP content as needed. For the 2017 work year, the AUP Committee will work to further enhance the AUP by aligning the Practitioner Notes within the body of the AUP versus them being in an appendix at the end of the document. They will also work to ensure 100% alignment with the SIG Tool. Additionally, the Committee will review any gaps identified during the mapping efforts performed in 2016 to determine if new sections/procedures are needed to address them.

Vendor Risk Management Maturity Model (VRMMM) Committee

The Vendor Risk Management Maturity Model (VRMMM) incorporates vendor risk management best practices into a usable model, which can be used to assess the current and desired future state of a vendor risk management program while helping companies make well-informed decisions on how to spend limited resources to most effectively manage vendor-related risks. In 2017, the VRMMM Committee will consider developing a detailed How To Guide for utilizing the VRMMM as well as discuss and review the concept of incorporating Cybersecurity into the VRMMM.

Certified Third Party Risk Professional (CTPRP) Committee


Doing business in an outsourced economy requires special strategies, processes, and practices when evaluating and managing vendor risk and overseeing the security of sensitive data once it’s in the hands of third parties. Risk management professionals with the specialized skills and training required to manage third party risk have a significant advantage in the workplace. The Certified Third Party Risk Professional (CTPRP) designation from the Shared Assessments Program validates that expertise, providing professional credibility, recognition, and marketability. Join other CTPRP holders in the ongoing development and improvement of the CTPRP program, including improving existing workshops, testing and developing additional distribution methodologies, and study materials. In return you will earn CPE credits for your participation, which can be used to maintain your certification.

Awareness Groups

Best Practices for Third Party Risk Management & Assurance Awareness Group

The focus of this awareness group is to discuss challenges organizations face in managing third party risk, and to identify existing best practices in use today for implementation and effective execution of their third party risk management programs, or to develop new best practices to address those challenges. Examples of topics include internal and external implementation issues, procurement/sourcing processes and procedures, and assessment scoping. This Group coordinates with the Shared Assessments Development Committees when changes to the Program Tools are identified through research and discussion. Examples of deliverables developed by the Awareness Group include checklists, briefing papers, and other suggestions to enhance the Program Tools.

Regulatory Compliance Audits Awareness Group

A steady stream of new third party risk related regulations during the last few years has required both organizations and their service providers to regularly update third party oversight programs. With a new administration in place, the 2017 regulatory climate may change in ways that are hard to predict. In times of regulatory uncertainty, it is more important than ever for Shared Assessments Program members to come together to assess changes in the regulatory landscape and communicate their compliance consequences. As thought leaders, the group publishes white papers on specific topics, and on occasion may create content designed to identify pain points and address specific needs in focus areas determined by the group. The group regularly reviews and discusses draft and final third party regulatory guidance and rules, and – on occasion and when appropriate – has responded to regulatory requests for comments and feedback.

The Regulatory Compliance Audit Awareness Group will identify emerging trends and needs for third party assessment tools for consumer protection, operational risk and regulatory compliance monitoring to identify recommendations for enhancements to Shared Assessments Program content, and suggest other needed deliverables. This year, the group is creating a financial services subcommittee to focus on possible changes to regulation in that sector.

In 2017, the group will complete work that expands upon the previously released It Takes In-Tune Tone at the Top to Shape an Effective Risk Management Culture white paper with a follow-up tool designed to enable Boards of Directors to measure and improve the risk culture both on the Board and at the most senior management levels of an organization.

In this period of regulatory uncertainty please join the dialog with peer companies and help to build a better understanding of how you can optimize your compliance programs. Understand what it takes to create and maintain a more risk sensitive environment during a period when regulations may change in unexpected ways.

To participate in any of these committees or awareness groups, please send us an email at
