Third Party Risk Assessment – Shared Assessment Methodology and the challenges during Assessment

The vendor risk assessment is considered important in this world considering the increase of cybersecurity threats. Vendor Risk Management (VRM) is the process in order to ensure that their vendors does not create any loss to the business in any form (like financial loss, reputation loss, data loss etc.). This article will throw some light on challenges faced while conducting assessment using Shared Assessment Methodology and their phases along with references to ISO 27001:2013.

What is Shared Assessment Methodology?

  1. This is considered one of the trusted source for any third party risk assurance.
  2. This methodology creates efficiency and costs savings to effectively manage the vendor risk management lifecycle.
  3. This methodology follows “Trust, But Verify” approach which is globally adopted by many industries.
  4. Currently, 2017 version is used to assess vendors.
  5. Assessment is basically conducted on 16 domains considering the criticality of services provided by a vendor. Whereas 2017 version covers 17 domains which exhaustively focuses on all areas.
  6. This methodology is also in line with ISO 27001:2013 standard.

Trust, But Verify Approach

  1. Trust – This phase is called as “Standard Information Gathering phase (SIG)”. This basically ensures that vendors have provided correct and accurate details when Assessment questionnaire is responded along with evidence documents.
  2. But Verify – This phase is called as “Agreed Upon Procedures (AUP)”. This basically allows the assessor to verify all the evidence documents shared by the vendor at an attribute level to ensure the document adheres to the required guideline.
The above approach will help the assessor to come to a conclusion whether the vendor completely adheres to the information security management system.

References to ISO 27001:2013 standard and Shared Assessment Methodology with regards to Supplier Relationship Management


Challenges faced while conducting assessment using Shared Assessment Methodology

  1. Conducting risk assessment on supplier will conclude that whether they are compliant or non-compliant to the standards based on ISMS.
  2. Suppliers range from high risk to low-risk service providers.
  3. Trust, But Verify approach was used for all Medium and High-Risk vendors.
  4. The assessor was having difficulty during AUP phase since the entire review had to be conducted again as a part of “Verify” Approach which was already completed during “Trust” phase.
  5. When the vendor risk assessor performs the third party vendor risk assessment remotely, in certain cases, the vendors were reluctant to share their policy documents as an evidence and the assessor need to ensure that documents are verified through any other medium such as video conference or facility visits (this may not be feasible all time, considering assessments done remotely).
  6. There were few scenarios that vendor's at enterprise level have documents related to information security policies and procedures and not at the service level.
  7. Enterprise level documents maintained by vendor most of the times will not have the current version and not reviewed periodically.
  8. Assessor had to spend a long time with vendor's to make them understand the assessment process, especially their knowledge on information security and make them aware of current threats. Mostly Low-Risk vendor's fall in this category.


Vendor Risk Assessment is a process to identify the gaps in the existing process at the document level and operational level and ensure that vendor provides remediation plan for all the non-compliance items and bring in controls to reduce the risk as part of the information security management system. The challenges mentioned above delay our completion of risk assessment.
Authored By- Anitha Raju
TCS Cyber Security Practice


Rate this article: 
No votes yet
Article category: