The Shared Assessments Program Tools

The Shared Assessments Program promotes voluntary control standards for security, privacy and business continuity for outsourcers and service providers through two tools: the Agreed Upon Procedures (AUP) and the Standardized Information Gathering Questionnaire (SIG).

The AUP and SIG documents are aligned with existing standards including ISO 27002:2005, PCI DSS, NIST, and COBIT, as well as current FFIEC Guidance. Together, the AUP and SIG provide comprehensive control standards in a repeatable format, introducing unprecedented efficiencies into the service provider evaluation process.

To promote adoption of the Shared Assessments standards, the AUP and SIG are available for free download.

Standardized Information Gathering Questionnaire

The Standardized Information Gathering Questionnaire (the "SIG") addresses the control areas covered in ISO 27002:2005 as well as those of other global privacy frameworks and legal requirements.

The SIG may be used by an outsourcer to gain documentation from a service provider on its controls, establish a profile for each control area, and obtain verifiable information for each.

Used as a standalone document, the SIG helps outsourcers evaluate service provider controls.


Agreed Upon Procedures

Service providers use the Agreed Upon Procedures (the "AUP") to examine their procedural controls for security, privacy and business continuity based on the location and/or services they provide to their clients.

Once an AUP assessment is completed, the service provider may share its AUP report with an unlimited number of client organizations. This streamlined, repeatable process reduces — and in some cases even eliminates — the need for costly on-site assessments, without sacrificing rigor.

The AUP was developed by Shared Assessments Program members and is updated at least once annually.
