It seems that when most people hear “Shared Assessments” they immediately think of Vendor Risk Management. While that thought process is valid and makes a lot of sense, I think that it is limiting. For example, at Pivot Point Security we use the Shared Assessments Program extensively for “proactive attestation,” most commonly during ISO 27001 consulting engagements.
Vendor Risk Management and third-party attestation are two sides of the same coin.
- The organization looking to manage the risk associated with a vendor processing sensitive data on their behalf manages that risk via a Vendor Risk Management program.
- The organization processing the sensitive data responds to the vendor risk management request with “attestation” of their security posture, with third-party attestation (coming from an independent/objective party) being a strong and preferred form of attestation.
Because the Shared Assessments Program is the leading standard for running a Vendor Risk Management program, it makes a lot of sense for service providers to leverage the Shared Assessments Program as the basis of their attestation. Where it gets interesting is if you’re a client that also has a requirement to provide even more formal levels of Information Security attestation (e.g., SOC 2 or ISO 27001).
In most cases you would think that using something like ISO 27001 obviates the need for using the Shared Assessments Program, but we have found just the opposite: in heavily attestation-oriented industries, the two forms of attestation complement each other.
Here are the three ways that Pivot Point Security uses the Shared Assessments Program during the Gap Assessment phase of our ISO 27001 consulting services (i.e., preparing our client for ISO 27001 certification):
- Use the AUP: Along with the Shared Assessments Standardized Information Gathering Questionnaire (SIG), the Shared Assessments Agreed Upon Procedures (AUP) lets outsourcers evaluate service provider controls. We look at the AUP as a “mini ISO certificate.” It’s a great approach if our client needs a well-recognized form of third-party attestation while they are working towards ISO 27001 certification. The design/compliance approach gives the party receiving the report a high degree of assurance that the information security program is aligned with good practice. One of the main reasons that the AUP dovetails so nicely with ISO 27001 is that the Shared Assessments Program is largely based on ISO 27002.
- Use the SIG: If our client is getting “beat up” by numerous spreadsheet-based security questionnaires, we usually find that most of these are based on the Shared Assessments SIG. In these cases it may be preferable to conduct the gap assessment using the SIG, so that at the end of the process our client has a completed SIG to use in response to future questionnaires.
- Use the AUP and SIG Lite together: For those clients that are subject to extensive Vendor Risk Management scrutiny, we will sometimes use both the AUP and the SIG Lite (or even the full SIG) questionnaire. This approach has the advantage of providing interim attestation (via both the SIG and the AUP) prior to receiving an ISO 27001 certificate. We also find that our clients with very risk-averse customers get a very good response by handing over both their ISO 27001 certificate and a SIG Lite (or SIG) as security attestation.
The post Shared Assessments – They’re Not Just Vendor Risk Management appeared first on Pivot Point Security.