Using the Shared Assessments SCA for Added Benefits — Even If You’re Already ISO 27001 Certified

Pivot Point Security
Jan 22, 2020

The Standardized Control Assessment (SCA) tool is provided by the Shared Assessments program. It’s part of their “Trust but Verify” model, where the Standardized Information Gathering (SIG) Questionnaire is the “Trust” portion and the SCA is the “Verify” portion.
The SIG is a self-answered questionnaire. Many of your partners or vendors may ask you to fill one out so they can get a better understanding of your security environment. The weakness in this approach is that they are trusting that your answers are truthful and controls are fully implemented, without verification.
This is where the SCA comes in. Typically performed onsite by an independent, third-party auditor, the SCA provides a deeper level of risk assurance than the SIG can by itself.
Interestingly, a number of our clients that are ISO 27001 certified have encountered situations where their customers, vendors or other stakeholders want more information about their security environment and have required them to fill out a SIG or other security questionnaire. The ISO 27001 certificate by design only provides detail on the scope of the ISMS but not the results of the audit itself. Specific details of an organization’s control environment are not disclosed.
A creative way of addressing this issue is to utilize the SCA framework to conduct the periodic internal audits required by Clause 9.2 of the ISO 27001 standard. The benefit of this approach is that by conducting the internal audit using the widely-accepted SCA framework mapped against the ISO controls, you’ll have a detailed report of your security controls that you can then share with your customers and business partners. Having this detailed report can help address the needs of stakeholders that require more visibility into your organization’s controls than an ISO 27001 certification alone can provide.
To find out more about how our SCA services can help you prove to customers, partners and vendors that your business manages sensitive data securely, contact Pivot Point Security.
For more information:
Standardized Control Assessment — Why the AUP Became the SCA
Shared Assessments — They’re Not Just Vendor Risk Management

Written by Pivot Point Security

We are a trusted source of simple, practical, and actionable information security guidance.
