SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Privacy Assessments

Microsoft’s Supplier Security and Privacy Assurance (SSPA)

Microsoft’s SSPA program requires vendors that process Microsoft personal and/or confidential information to comply with Microsoft’s Data Protection Requirements (DPR) on an annual basis.

Contact a Specialist Understanding the Cost of MSDPR

Why MS DPR?

If your organization is a current or aspiring Microsoft vendor, you’re probably familiar with the Microsoft Supplier Security and Privacy Assurance (SSPA) program (previously called the Vendor Privacy Assurance Program). You might be wondering what this requirement means for your business and what to expect during a Microsoft Data Protection Requirements (MS DPR) assessment.

Completing the Attestation Process

Completing the Attestation Process

Before the attestation, check the Data Protection Requirements (DPR) and make any necessary changes to meet the criteria. Your auditor will ask for some evidence to show that you’ve met these requirements, so be sure to keep some documentation of your work and controls. When the assessment is complete, you’ll be given a letter of attestation which you can submit to Microsoft. If you choose Schellman as an assessor, your auditor can point out areas for improvement and help you identify weaknesses in your current practice to avoid jeopardizing your Microsoft contract. If your organization is subject to other types of IT audits, discuss the option of combining the Microsoft DPR attestation with other audits or assessments to determine if there is an overlap in testing efforts or documentation to ease the burden of multiple audits.

Completing the Attestation Process
Considering a Readiness Assessment

Considering a Readiness Assessment

If you’re anticipating a requirement to provide a letter of attestation for the Microsoft DPR but aren’t yet prepared, Schellman can help you identify control gaps where your organization doesn’t meet the criteria with a readiness assessment. You’ll have an opportunity to identify potential issues before committing to a formal attestation. When you’ve remediated the gaps, your auditor can return to complete the formal attestation. A readiness assessment could also be a benefit if you’re currently bidding on a Microsoft contract and want to show your competitive, proactive approach to privacy compliance.

Wherever you are in compliance with the Microsoft Supplier Security and Privacy Assurance Program requirements, Schellman can help. Speak with an SSPA specialist about your organization’s Microsoft Supplier needs today.

Considering a Readiness Assessment

How much will your MS DPR assessment cost?

In this video, Debbie Zaller explains the cost for an MS DPR assessment as well as the two primary factors that could influence the price:

  1. The first factor is the requirements that are mandated by Microsoft.
  2. The other factor is the scope of services that are provided to Microsoft.

What to expect for your MS DPR Assessment

We begin each project with your end goals in mind and a thorough understanding of all key project activities. Effective communication and timely coordination throughout the engagement are central to our methodology with all clients.

Image

Planning and Kickoff

The first phase of any engagement is planning. This ensures that we’re aligned on the who, what, where, when, why, before we kick off any actual testing.

Proper planning is imperative to the success of the project and Schellman has standard frameworks and processes that clearly outline the “how” and help us accelerate the work for the collective team. Once we’ve aligned on planning and finalized any outstanding items, we’re ready to kick-off the engagement in earnest.

This upfront work helps minimize the likelihood of any last-minute changes to the project or team and gives you a reliable plan prior to the testing and on-site visit (if applicable).

Image

Testing and Gathering

Testing and gathering are core components of any compliance engagement. Based on our aligned agreement during the planning and kickoff phase, we’ll gather the evidence required to meet the objectives.

Schellman has a “no surprise” policy and has daily contact with the stakeholders during the testing and gathering activities. What’s more, Schellman documents everything in real time and even starts to draft the final deliverable as findings become evident. This allows us to provide you with the draft report as efficiently as possible at the conclusion of this phase.

Image

Reporting

The final phase of the engagement is reporting. But again, we focus our entire assessment process on the timely delivery of a final report that’s clear, concise, and accurate.

We consider the entire process and customize our final reports for each Client. You can expect your final report within 30 days of the conclusion of the Testing and Gathering phase.

SSPA (MS DPR) Specialist

Chris Lippert

Chris is a Director and Privacy Technical Lead at Schellman based out of Atlanta, GA. With more than five years of experience in information assurance, Chris has a concentration in privacy-related engagements.

Meet Chris Contact Us

Don't see a service you're interested in? 

Talk to a Practice Leader