Controls are your cybersecurity & data privacy program ---- A control is the power to influence or direct behaviors and the course of events.

SCF CAP - SCF Third Party Assessment Organizations (3PAOs)

Within the SCF CAP, the role of the Third-Party Assessment Organization (3PAO) is to:

  • Hire and train its personnel that are:
    • Technically competent; and
    • Capable of performing quality 3PAAC services;
  • Manage the assignment of SCF Assessor roles:
    • Formally documented roles & responsibilities; and
    • Designating assigned personnel as a SCF Assessor within the SCF Connect tool;
  • Operate an internal process management system to align with the following:
    • ISO 9001:2015 - Quality management systems — Requirements; and/or
    • ISO/IEC 17020:2012 - Conformity assessment — Requirements for the operation of various types of bodies performing inspection;
  • Market its 3PAO services to Organizations Seeking Assessment (OSA); and
  • Develop and implement contract management practices for engaging in 3PAAC services with OSA.

SCF 3PAO Code of Conduct (2023.1)

SCF 3PAOs have an influential and privileged role in representing the SCF CAP. These organizations must be able to account for the decisions and behaviors exhibited. Therefore, the focus of the SCF CAP’s Code of Conduct on ethics and professional conduct is twofold:

  1. Establish clear, precise, ethical and professional guidelines for the assessment team; and
  2. Provide minimum standards by which to judge the conduct of SCF 3PAOs.

3PAOs Assessors must abide by the following conduct requirements:

  1. Treat all information gained about any OSA confidentially and sensitively.
  2. Ensure personnel assigned to the role of SCF Assessor are:
    • Qualified and competent for the role; and
    • Capable of fulfilling the role’s responsibilities.
  3. Preface any public statements by clearly indicating on whose behalf they are made.
  4. Inform the OSC of any business connections, interests, or affiliations which might influence SCF Assessor judgment or which could be perceived to influence SCF Assessor objectivity.
  5. Not accept gifts or hospitality for any reason or purpose, nor show favor or disfavor to anyone.
  6. Not disclose any details of assessment findings to unauthorized parties, neither during nor after the assessment process.
  7. Not disclose information concerning the confidential business affairs or technical processes of the SCF-AB, SCF Council, or OSA without proper consent.
  8. Not accept compensation from more than one party for the same service without the consent of all parties.
  9. Ensure peer opinions are respected and conduct governed to demonstrate honesty and openness within a 3PAO’s assessment team.
  10. React openly, professionally and swiftly in the event of non-ethical behavior.
  11. Upon terminating employment, contract, or other business relationship with a SCF Assessor, the 3PAO must:
    • Ensure the SCF Assessor deletes material concerning SCF assessments from non-3PAO assets; and
    • Attest to the 3PAO that all SCF assessment information is deleted from the SCF Assessor’s possession.