How to ace your external Microsoft SSPA assessment

Have you been asked to independently verify your SSPA compliance? Are you a small, agile company that does not really have a lot of documented processes and procedures?

If so, please read on; we have some useful advice for you.

Our assessors (myself included) have a long history of auditing to standards and statutes: ISO 9000, Investors in People, GDPR, SSPA and so on. We understand that you may not always have the evidence to support your claim of compliance, even when you have taken appropriate action.

But here is the problem: we need sight of those documents, those log files and those training records if we are going to issue the required letter of attestation.

So, how do you ‘ace’ your assessment? Think like me! Here is what an SSPA assessor must do, quoting the programme guide (the important phrases are ‘reasonable assurance’ and ‘design of these controls’):

‘Examine the design of a company’s controls over Microsoft Personal Data and/or Microsoft Confidential Data as defined in and in connection with the applicable sections and requirements of the Microsoft Supplier Data Protection Requirements (DPR), to provide reasonable assurance that the controls were designed in conformity with the DPR and that the design of these controls complies with the DPR.’ Supplier Security & Privacy Assurance Program Guide, version 6.

So you see, the assessor provides Microsoft with ‘reasonable assurance’ by examining the design of your controls against the DPRs applicable to your Supplier Profile and confirming that they conform and comply.

Stating ‘we are compliant’ is not the same as demonstrating that you are compliant. Your task is therefore to furnish documentary evidence sufficient for the assessor to provide that reasonable assurance to Microsoft.

Wondering what the difference is between ‘conform’ and ‘comply’? It is a fine distinction, but try this: to conform is to act in accordance with the general principles and expectations of SSPA; to comply is to meet its specific requirements.

So, what are the specific pieces of evidence we must have sight of? We have gone through all fifty-six DPRs and identified every place where a document to support compliance is explicitly ‘called out’.

Having all of these ready BEFORE your audit is the way to ‘ace’ your assessment. Do not forget to gather evidence to support any additional assurance requirements that apply to your Supplier Profile. See the bullets below.

  • PCI DSS certificate
  • ISO 27001 certificate
  • ISO 27701 certificate
  • SOC 2 report covering security
  • Successful ‘penetration test’ report (no older than 12 months), with key findings and proposed remedial actions

Download our evidence requirement checklist and get a head start!