Will the Idea of a Trust Services Self Assessment Questionnaire Fly?

In the Payment Card Industry (PCI), there is something called a Self Assessment Questionnaire (SAQ).  The SAQ is a very useful tool for small businesses who need to provide their customers and credit card transaction processors a basic level of comfort that they are compliant with the requirements set forth in the PCI Data Security Standards (PCI-DSS).  The SAQ includes a form that is signed by management called an Attestation of Compliance (AOC).

Granted, those who understand risk assurance know that an AOC from management is really no assurance at all, but for some, it is enough to satisfy their need to transfer risk back to management. Should a breach occur and credit card information be stolen, the recipients of an AOC can say, "Well, you told us you were compliant with PCI-DSS."

This is where I got to thinking... wouldn't it be great if the Trust Services Principles & Criteria (TSPC) had a similar mechanism!

Here's a situation where a TSPC SAQ and AOC would be perfect.  I received an inquiry recently from a small business owner who had received a contract award for $50,000, and was looking for a quote on a SOC 2 report to satisfy the client's request.  When I told him what the report was likely to cost, he concluded that it was not economically feasible to go forward with even a Type 1 SOC 2 report.

What this company needs is an entry-level assurance mechanism sanctioned by the AICPA and CICA that they can use to satisfy their customer's requirement for management assurance. If the customer needs to see backup evidence, the small business can provide it.

There is one problem, though. The TSPC are a list of principles and criteria (or control objectives, as I know them from my Sarbanes-Oxley days), and it's not as easy as checking "In Place" or "Not in Place," as it is with the PCI SAQ. Management has to spell out the specific controls (or control activities, as I know them) that they have implemented in response to the TSPC.

The problem can be solved by listing the Illustrative Controls from the TSPC with a check box next to each one, as well as a check box that says "Other." If management chooses "Other," they can write in a custom control, or reference a control number from COBIT 5, NIST 800-53, ISO 27001, or the CSA's Cloud Controls Matrix (CCM). If another standard is referenced in response to a TSPC criterion, that standard can be attached so the customer can view the detail.

The responsibility for determining the suitability of the control design can be placed squarely on management and the user organization in the fine print, so that it is understood that the AICPA and CICA do not have any liability whatsoever.

I realize that there are many complications and issues that will undoubtedly be raised, but let's see if this idea will fly! If not, we can say we tried, but if it does, we might change the risk assurance industry together.


  1. Every deliberate risk is connected with the possibility of success. I made a virtual data rooms comparison in order to understand which is more risky. The result was - none of them. The risks depend on the type and value of secured information.