The Standardized Control Assessment (SCA) Procedure Tools are a standardized set of assessment procedures. When scoped, the SCA is an efficient way to assess service providers during onsite or virtual assessments or to audit your own systems.
The Shared Assessments Standardized Control Assessment (SCA) Procedure Tools assists risk professionals in performing onsite or virtual assessments of vendors. This is the “verify” portion of a third party risk program. The SCA mirrors the 18 critical risk domains from the SIG, and can be scoped to an individual organizations’ needs. The SCA package includes the SCA Report Template, which provides a standardized approach to collecting and reporting assessment results.
SCA Procedure Tools
The SCA is a holistic tool for onsite assessments of cybersecurity, IT, privacy, data security and business resiliency in an information technology environment.
Upgrade to the TPRM Toolkit $10,000
Add the SIG Questionnaire Tools for building, analyzing and storing questionnaires, the VRMMM for benchmarking programs and the GDPR Privacy Tools.
Become an Assessment Firm Member
Assessment Firms work with the Shared Assessments onsite assessment tool, the Standardized Control Assessment (SCA, for organizations that need validation of their vendor risk controls.
2019 SCA Features
- Your download of the SCA will include:
SCA Practitioner’s Guide
- – Familiarizes users with the tool, the parties and the assessment process. It contains all the reference material needed to use the SCA Report Template for assessing an organization. A large part of the guide focuses on the details around preparing for, executing and reporting the results of an assessment.
SCA Standards – Standards for Assessment Firms performing distributable SCAs.
SCA Report Template – Standardized and customizable set of testing procedures provided in excel format.
Onsite Assessment Best Practices Checklist – Best practices for planning and executiion of an SCA engagement.
SCA Executive Summary Templates – Instructions and selection of optional sample templates that can be modified to create an executive summary report.
SCA Executive Summary Sample Template – Sample tables you can use to craft your SCA Executive Summary.
SCA Industry Reference Guide – Citations to external standards, regulations and frameworks that inform the SCA Procedures.
The SCA evaluates controls in the following risk domains:
- Risk Assessment and Treatment
- Security Policy
- Organization Security
- Asset and Information Management
- Human Resource Security
- Physical and Environmental Security
- Operations Management
- Access Control
- Application Security
- Incident Event and Communications Management
- Business Resiliency
- End User Device Security
- Network Security
- Treatment Management
- Server Security
- Cloud Hosting
2019 Standardized Control Assessment (SCA) Procedure Tools Enhancements:
The SCA tools are a standardized set of assessment procedures, designed and vetted by hundreds of experienced third party risk professionals from our Membership. When combined with the Standardized Information Gathering (SIG) Questionnaire Tools, it provides an end-to-end vendor assessment system. Scoped properly, the SCA is a cost-efficient and time-efficient way to assess service providers during onsite or virtual assessments or audit your own systems and those of affiliates or potential acquisitions.
Content Reorganization and Updates:
Updated Guidance Documentation: The SCA document includes new reference material that helps users complete assessments faster and with better understanding of the controls being assessed.
SCA Spreadsheet Reporting Template: Due to member and user feedback, the SCA Report Template is now in excel, making it easier to document findings while onsite, copy and paste data and use it on a mobile device.
Executive Summary Template: A new Executive Summary Template is included that will assist in creating a lightweight summary report of the SCA findings for management.
SIG Integration and Automatic SCA Scoping: Using the SIG with its embedded SCA content means that SCA Procedure Tools will match just the questions that were scoped and answered by the Assessee in the SIG. Integrated content brings efficiency to the onsite and virtual assessment process.
SCA Standards: Standards for creating distributable reports from Assessment Firms, means an outsourcer can trust SCAs at a higher level. These standards are new in 2019 (compliance date of 5/31/19) and mandate specific rigorous requirements.
Privacy and Compliance Updates: The SCA content was updated with the most relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
SIG Alignment: The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “Trust, but Verify” model of third party risk management.
GDPR Privacy Tools Alignment: The GDPR Tools align completely with the SCA, ensuring SCA-based assessments address the most current privacy considerations.