The Mergers, Acquisitions & Divestitures Security Standards (MADSS) provide a standardized approach to MA&D cybersecurity and data privacy due diligence. Built on the Cybersecurity & Data Protection Assessment Standards (CDPAS) assessment framework, MADSS normalizes MA&D-related Third-Party Internal Control Assessment (3PICA) Services, which are in turn built on the Common Controls Framework™.
The SCF took on an ambitious project to “build a better mousetrap” and fix the common complaints associated with MA&D due diligence. The result is a cohesive, consistent set of standards for evaluating cybersecurity and data protection controls as part of MA&D activities.
The MADSS is not one-size-fits-all. The guidance is meant to be adopted and tailored to the size, resources and risk circumstances of each organization, and it can be modified or augmented with organization-specific requirements. Following this methodology gives cybersecurity and data privacy practitioners a way to replace the currently disjointed approaches used to assess cybersecurity and/or data privacy controls.
The MADSS is based on the SCF’s Cybersecurity & Data Protection Assessment Standards (CDPAS). Per NIST, a standard is “a document, established by consensus and approved by a recognized body, which provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.”
Assessment vs. Audit
The MADSS focuses on third-party assessments, not audits. An assessment determines whether controls are implemented correctly, operating as intended, and producing the desired outcome. An audit is an independent examination of records and activities to verify compliance with established controls and procedures. The terms are not interchangeable.
The intended audience is the “assessment ecosystem,” meaning every party involved in MA&D cybersecurity due diligence activities:
The organization (seller/target company) seeking to be acquired by another entity is the EBA. EBAs must demonstrate proactive governance and maintain evidence of their cybersecurity and data privacy posture for assessment.
The organization (buyer/acquirer/suitor) seeking to acquire another entity is the AE. AEs define the risk tolerances, maturity levels and materiality thresholds that form the assessment criteria.
A company or individual that performs MA&D-related cybersecurity and/or data protection control assessment services is the TPA. TPAs must demonstrate subject matter competency, independence and ethical conduct.
Independent third-party organizations providing services, technologies, facilities and/or people, including consultants, Cloud Service Providers (CSPs), Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs).
From an MA&D perspective, the goal of threat identification and risk analysis is to determine whether identified risks fall within acceptable or unacceptable parameters. That requires understanding the relationship between risk appetite, risk tolerance and risk thresholds:
Risk appetite: the types and amount of risk, at a broad level, that an organization is willing to accept in pursuit of value. It is defined at the corporate level, where strategic actions and decisions are made, and can be organization-wide or compartmentalized.
Risk tolerance: the level of risk an entity is willing to assume in order to achieve a desired result. It is put into practice at the Line of Business (LOB) level, where operational actions and decisions are made, and is bounded by the established risk appetite.
Risk thresholds: the values used to establish concrete decision points and operational control limits that trigger management action and response escalation. They are applied at the department/team level to assess whether operational risk remains within tolerance.
Risks vs. Threats
As the MADSS uses the terms, a risk exists because a control is absent or deficient, while a threat is something that affects a control's ability to exist or operate properly. Both tie back to cybersecurity and data protection controls, but keeping the distinction clear is critical for MA&D due diligence.
The MADSS defines eight standard categories covering the complete lifecycle of MA&D cybersecurity due diligence, from professional duty of care through conformity designation.
The MADSS uses the People, Processes, Technologies, Data and Facilities (PPTDF) framework to categorize where controls apply across the assessment boundary:
People: human resources, roles, responsibilities, training, awareness and personnel security controls applicable to the assessment boundary.
Processes: administrative and operational procedures, policies, standards and governance activities that define how controls are managed and executed.
Technologies: technical controls, including systems, applications, services and infrastructure components within the assessment boundary.
Data: data classification, handling, protection, privacy, retention and disposal controls for information within the scope of the assessment.
Facilities: physical security controls for buildings, offices, data centers and other physical locations within the assessment boundary.
The MADSS recognizes three levels of rigor for assessing a control; each adds depth and coverage and provides a correspondingly higher level of assurance:
Minimum assurance: determines whether applicable controls are implemented and free of obvious errors, providing a baseline understanding of administrative, technical and physical measures.
Moderate assurance: determines whether controls are implemented and free of obvious or apparent errors, and provides increased grounds for confidence that they are implemented correctly and operating as intended.
High assurance: provides further increased confidence that controls are implemented correctly and operating as intended on an ongoing, consistent basis, and supports continuous improvement in their effectiveness.
Assessment Methods: Examine, Interview & Test
Assessors independently verify conformity using three methods: Examine (checking, inspecting or reviewing assessment objects), Interview (holding discussions with relevant personnel to facilitate understanding), and Test (exercising assessment objects under specified conditions and comparing actual with expected behavior).
Cybersecurity posture directly affects MA&D valuation. The MADSS appendices address how security practices can move deal value in either direction.
Factors that can reduce deal value:
Material control deficiencies or material weaknesses
Undisclosed material incidents or breaches
Non-compliance with regulatory obligations
Absence of governance documentation
No defined risk tolerance or maturity targets
Factors that can support deal value:
Demonstrated maturity at L2 or higher across material controls
Third-party assessment evidence and attestations
Documented risk management and treatment plans
Proactive governance and compliance programs
Post-Close Integration Security Plan (PCISP) readiness
The MADSS is designed to operate within a continuous Plan-Do-Check-Act (PDCA) improvement cycle, so organizations can systematically improve their MA&D due diligence practices over time:
Plan: define the MA&D assessment scope and boundaries; identify stakeholders; agree on the control set; define risk tolerances and maturity levels; and establish the assessment plan together with the Evidence Request List (ERL).
Do: conduct the assessment using the three methods (Examine, Interview, Test); evaluate controls against PPTDF applicability; document findings and control designations; and gather evidence through the Virtual Data Room (VDR).
Check: perform an objective peer review of the assessment findings; validate conformity designations; calculate projected remediation costs; and compare findings against the defined materiality thresholds and risk tolerances.
Act: issue the Report on Conformity (ROC); address challenges to findings; develop the Post-Close Integration Security Plan (PCISP); and incorporate lessons learned into future MA&D due diligence.
The MADSS is built on the CDPAS assessment framework and integrates with SCF-CMM maturity levels, creating a comprehensive ecosystem for MA&D cybersecurity due diligence:
MADSS: MA&D-specific assessment standards that set performance standards for cybersecurity and data protection-related 3PICA Services in mergers, acquisitions and divestitures (8 standards, 50+ sub-standards).
CDPAS: the general-purpose cybersecurity and data protection assessment standards on which MADSS is built; CDPAS provides the foundational assessment methodology.
SCF-CMM: provides the L0–L5 maturity scoring system used within MADSS to define and evaluate maturity level expectations for MA&D due diligence.