The Shared Assessments Program Tools provide rigorous standards for building and enhancing third party risk programs. Using industry best practices, the tools follow a “trust, but verify” approach to conducting vendor assessments. The SIG provides its users with a standardized assessment tool: a robust compilation of questions aimed at gathering the information needed to determine how cybersecurity, IT, operating and data security risks are managed across a broad spectrum of 18 risk control areas, or ‘domains’, within a third party’s environment.
It employs a holistic set of industry best practices and was developed to enable an Assessee or service provider to compile complete information about these risk areas in one document. By compiling all this information in one document, a service provider is able to complete one questionnaire, which can then be shared with multiple clients. The SIG can be used in a number of ways by both the Outsourcer and the third party provider (Assessee).
SIG LITE: Designed to provide a broad but high-level understanding about an Assessee’s internal information security controls. This level is for Assessees that need a basic level of due diligence. It can also be used as a preliminary assessment before a more detailed review.
CORE: Designed for assessing service providers that store or manage highly sensitive or regulated information, such as consumer information or trade secrets. This level is meant to provide a deeper level of understanding about how a service provider secures information and services. It is meant to meet the needs of almost all assessments, based on industry standards.
Covered Risk Domains
| Domain | Domain |
|---|---|
| A. Risk Assessment and Treatment | J. Incident Event and Communications Management |
| B. Security Policy | K. Business Resiliency |
| C. Organizational Security | L. Compliance |
| D. Asset and Information Management | M. End User Device Security |
| E. Human Resources Security | N. Network Security |
| F. Physical and Environmental Security | P. Privacy |
| G. Operations Management | T. Threat Management |
| H. Access Control | U. Server Security |
| I. Application Security | V. Cloud Hosting |
For more details, visit