Files
Thank you for registering to download Version 5 of the Standardized Information Gathering (SIG) Questionnaire and the Agreed Upon Procedures (AUP).
In addition to the full SIG and AUP, several standalone portions of the SIG are available for organizations whose evaluations do not require the full SIG Questionnaire. All SIG downloads include the SIG Management Tool to help users get maximum value from all of the SIG documents.
For more information about using the SIG and AUP, including FAQs and spreadsheets that map the Shared Assessments tools to PCI, ISO, HIPAA and other standards, please visit our Resources page.
To download, click on the appropriate link below.
Agreed Upon Procedures (AUP v. 5.0)
PDF document
Assessment firms use the AUP to perform objective and consistent service provider evaluations. Service providers use AUP reports to provide consistent information to a range of clients and reduce or eliminate the need for on-site audits. Service providers may also use the AUP to perform self-assessments on their procedural controls for security, privacy and business continuity.
Standardized Information Gathering Questionnaire (SIG v. 5.0)
Zipped file: The full SIG and the SIG Management Tool
Outsourcers use the SIG as a default questionnaire to streamline vendor assessments. For vendors, the SIG provides a repeatable response to proprietary questionnaires from clients.
Level I Questions Only
Zipped file: SIG Level I Questions and Information Tabs and the SIG Management Tool
Use the SIG Level I Questions for new service providers and other appropriate relationships (typically low to moderate risk) as indicated by your risk model.
Level II Questions Only
Zipped file: SIG Level II Questions and Information Tabs and the SIG Management Tool
Use the SIG Level II Questions for appropriate service provider relationships according to your risk model (typically medium to high risk).
Business Continuity Questions Only
Zipped file: SIG Business Continuity Tab (Tab "K") and Information Tabs and the SIG Management Tool
Use the SIG Business Continuity Questions to assess the adequacy of a vendor's recovery capabilities.
Privacy Questions Only
Zipped file: SIG Privacy Tab (Tab "P") and Information Tabs and the SIG Management Tool
Use the SIG Privacy questionnaire for service providers where you need to understand the service provider's adherence to certain privacy frameworks and controls. Note: this privacy questionnaire does not cover Information Security. This information, if needed, should be obtained from the full SIG.
For developers and administrators of applications that support an XML version of SIG 5.0, this version of the SIG facilitates automation and concurrency among question responders. Outsourcers may use the XML SIG to import service provider responses directly into their global risk and compliance systems.
This document contains three critical questions that clients should ask their service providers prior to evaluating their controls for information security, business continuity, and privacy.
