So if you are a vendor or a supplier wanting to work with Microsoft, you may have been referred to their SSPA program, or software security and privacy assurance program, for more details on how to work with Microsoft. In this video, we'll talk about whether it's an annual assessment.
Hi, my name is Debbie Zaller. I am the chief operating officer at Schellman. Schellman is one of Microsoft's preferred assessors under their SSPA program. We have performed almost 100 assessments and perform them almost weekly. Microsoft requires a process in order to get to the point that you need an independent assessment:
- It first starts with completing a profile on their portal.
- Once the profile is complete, it will outline the applicable requirements within the self-assessment.
- The supplier would need to complete the self-assessment and then
- Microsoft would review that self-assessment to determine if an independent assessment is required.
An independent assessment is required from one of the preferred assessors that are listed on Microsoft's website.
Microsoft will require the independent assessment to be completed within a certain time frame, and that's usually about 90 days. So from the time the supplier contacts one of the preferred assessors, the full assessment can actually take anywhere from one month to two months. So it's very important to start that process early to make sure that the preferred assessor is chosen, contracted with, and you can actually complete the assessment within that 90-day period. Microsoft does allow a one-time extension to that 90-day period, but that is only if your organization has contracted with a preferred assessor.
So now that you've completed an independent assessment, you might be wondering, do I have to do this every year? And the answer is yes. The SSPA program does require an annual assessment to be completed every year, and we always give our clients tips on looking at the Microsoft portal frequently because they do change their requirements. And when they change the requirements, they may require you to complete another assessment, so it could be annual or more frequent than annual.
For more information, go to our website and complete the contact us form. One of our privacy professionals will reach out to you to provide more details on this process.