Cybersecurity & Data Protection Assessment Standards (CDPAS)
The Cybersecurity & Data Protection Assessment Standards (CDPAS) is a cohesive, consistent set of standards to govern cybersecurity- and data protection-related Third Party Assessment, Attestation and Certification Services (3PAAC Services). The CDPAS provides performance standards to normalize 3PAAC Services. By following the CDPAS methodology, cybersecurity and data privacy practitioners can improve the currently disjointed approach used to perform assessments of cybersecurity and/or data privacy controls.
The SCF took on an ambitious project to “build a better mousetrap” to fix the common complaints associated with audits/assessments. The release of the CDPAS empowers organizations to develop cybersecurity and data protection assessment strategies tailored to their specific mission and business needs, threats and operational environments.
The CDPAS is not “one-size-fits-all.” Instead, the guidance throughout this document should be adopted and tailored to the unique size, resources and risk circumstances of each organization. It can be modified, or augmented, with specific requirements. By following this methodology, cybersecurity and data privacy practitioners can improve the currently disjointed approach used to perform assessments of cybersecurity and/or data privacy controls.
CDPAS Standards
The following are the names of each CDPAS standard. The associated standard, justification and guidance can be found in the CDPAS document:
1. Professional Duty of Care
1.1. Ethical Conduct
1.2. Independence
1.3. Subject Matter Competency
1.4. Conflict of Interest (COI) Avoidance
2. Secure Practices
2.1. Security & Privacy By Design
2.2. Statement of Work (SOW)
2.3. Assessment-Specific Data Protection Impact Assessment (DPIA)
2.4. Intellectual Property (IP) Protections
2.5. Protection of Assessment Information
2.6. Use of Assessment Information
2.7. Disposal of Assessment Information
3. Due Diligence
3.1. Adherence To Data Protection CDPAS Requirements
3.2. Assessment Boundary Demarcation
3.3. Graphical Representation of Assessment Boundary
3.4. Stakeholder Identification
3.5. Control Reciprocity
3.6. Control Inheritance
3.7. Defined Cybersecurity and/or Data Privacy Controls
3.8. Defined Risk Tolerance
3.9. Defined Maturity Level
3.10. Defined Materiality Threshold
3.11. Material Risk Designation
3.12. Material Threat Designation
3.13. Material Incident Designation
3.14. Internal Assessment
4. Due Diligence – Assessors & 3PAOs
4.1. Formalized Assessment Plan
4.2. Defined Assessment Boundaries
4.3. Validate Control Applicability
4.4. Defined Evidence Request List (ERL)
4.5. Explicit Authorization For Testing
4.6. First-Party Declarations (1PD) - Control Inheritance
4.7. Third-Party Attestations (3PA) - Control Inheritance & Reciprocity
4.8. Stakeholder Validation
5. Due Care - OSAs
5.1. Proactive Governance
5.2. Non-Conformity Oversight
5.3. Annual Affirmation
6. Due Care – Assessors & 3PAOs
6.1. Assessment Methods
6.2. Assessment Rigor
6.3. Assessing Based On Control CDPAS Applicability
6.4. Assessment Objectives (AOs)
6.5. Control Designation
6.6. Objectivity Through Reasonable Interpretation
6.7. Adequate Sampling
6.8. Assessment Tools & Automation
7. Quality Control
7.1. Assessment Findings
7.2. Objective Peer Review
8. Conformity Designation
8.1. Report On Conformity (ROC)
8.2. Assessment Finding Challenges
9. Maintaining Conformity
9.1. Plan of Action & Milestones (POA&M)
9.2. Changes Affecting The Assessment Boundary
9.3. Reassessments Due To Material Change