What is a self-assessment questionnaire?
A self-assessment questionnaire (SAQ) is an important step towards a successful audit: the results of the SAQ show how far along the organization is towards compliance and where work remains. The goal of the questionnaires is to prepare your organization for what the audit will entail and to make sure you are set up for success. They revolve around five attributes known as the Trust Services Criteria (TSC) as they relate to information security: Security (the common criteria), Availability, Confidentiality, Processing Integrity, and Privacy.
Compliance survey questionnaires are meant to evaluate the compliance program as a whole and give your company an idea of employees’ experience with it.
The SAQ performed by the organization should be relevant and aligned to the framework against which the organization will be audited, i.e. it will not be beneficial to focus on a PCI questionnaire if you plan to undergo a SOC 2 assessment.
Below are two examples of SAQs.
PCI SAQ Assessment:
A PCI self-assessment questionnaire is necessary for a company that processes credit or debit cards. It attests that the company complies with Payment Card Industry (PCI) standards and is therefore capable of processing such payments. An important part of being PCI compliant is complying with the PCI Data Security Standard (DSS). There are different PCI self-assessment questionnaires depending on how a business conducts its transactions. For example, questionnaire A is for “Card not Present” businesses such as e-commerce merchants that may take orders over the phone and outsource the handling of their customer data to a third party. They are not permitted to store any customer card data electronically on their own systems; otherwise they face penalties and fines from the PCI.
SOC 2 SAQ Assessment:
To prepare your company for a self-assessment, you should start by defining the scope of your audit: whether your company needs a Type I or Type II report, and which of the TSCs you need to focus on. When choosing which TSCs to focus on, take into consideration which ones your customers expect you to comply with. If your company decides that it needs a SOC 2 report quickly and urgently, it may seem viable to get a Type I report, which is faster (the audit covers a point in time rather than a period of time) and cheaper than a Type II. However, many companies disregard Type I reports in favor of Type II (which provides assurance that the controls operated effectively over a longer period of time), so the bigger investment of time and money is worth it in the long run (and in the big picture of the organization). Once the scope is determined, take the relevant TSCs, draft the list of controls required by those criteria, and then begin the assessment process. This entails working through the controls one by one to understand what each control requires (in terms of process and implementation) and comparing that to what your organization currently has in place, in order to identify whether you already have a sufficient process and control to address the requirement, or whether it is a gap that requires remediation as part of the readiness phase for the audit.