Contact Us

Services

Suite of Services

Schellman began as a SOC audit firm 20+ years ago. While we still issue more than 2,000 SOC reports each year, our clients’ trust has propelled our expansion. Today, we offer nearly 60 types of audits and assessments.

Download a PDF of All Services

Learning Center

Our Technology

About Us

About Us

Schellman is the only Top 50 CPA firm focused exclusively on IT Compliance and Cybersecurity, and we’re the #1 service provider for FedRAMP Assessments.Our industry-leading NPS scores, client retention, and employee retention (low-to-no team churn = less audit fatigue) mean our clients experience greater continuity and quality.We also understand how distracting unplanned work can be, so we focus on client-centric KPIs to help keep your business moving uninterrupted.

Download the Story of '24

ISO Certificate Directory

Services

Services

View All Services

SOC & Attestations

SOC & Attestations

SOC 1 / SSAE 18 Examination

SOC 2 Examination

SOC 3 Examination

SOC for Supply Chain

SOC for Cybersecurity

SOC Essentials for Early-Stage Companies

C5 Attestation

CSA STAR Programs

Payment Card Assessments

Payment Card Assessments

PCI DSS Validation

PCI SSF

PCI P2PE Validation

PCI PIN Assessments

PCI 3DS Compliance

ISO Certifications

ISO Certifications

ISO 27001

ISO 42001

ISO 27701

ISO 9001

ISO 22301

ISO-20000-1

ISO 14001

ISO 45001

ISO 50001

Privacy Assessments

Privacy Assessments

Global CBPR & PRP Certification

GDPR Assessment

International Privacy Assessments

US State Privacy Assessments

Microsoft SSPA/DPR Assessment

Privacy Program Assessment

FERPA Assessment

EU Cloud Code of Conduct

Federal Assessments

Federal Assessments

FedRAMP®

CMMC / NIST SP 800-171

FISMA/NIST

ITAR

CJIS

IRAP

FTC Consent Decrees

DoD IL6

Healthcare Assessments

Healthcare Assessments

HITRUST Certification

HIPAA Compliance

HIPAA Express

EPCS-DEA Audits

Health Data Host (HDS) Certification

Penetration Testing

Penetration Testing

Application

Network

Mobile

Red Teaming

Social Engineering

Cloud

Physical

Hardware and IoT

Advanced Series

AI Red Teaming

Cybersecurity Assessments

Cybersecurity Assessments

Cloud Configuration Assessments

Ransomware Assessments

NIST Cybersecurity Framework Assessments

Schellman Software Security Assessment (S³A)

TISAX®

SWIFT Customer Security Programme

Internal Audit Co-Sourcing

Crypto and Digital Trust

Crypto and Digital Trust

Schellman Training

Schellman Training

Sustainability Services

Sustainability Services

AI Services

Learning Center

Our Technology

About Us

About Us

Leadership Team

Leadership Team

Corporate Social Responsibility

Corporate Social Responsibility

Careers

Strategic Partnerships

Strategic Partnerships

ISO Certificate Directory

Privacy Assessments

Microsoft’s Supplier Security and Privacy Assurance (SSPA)

Microsoft’s SSPA program requires vendors that process Microsoft personal and/or confidential information to comply with Microsoft’s Data Protection Requirements (DPR) on an annual basis.

Contact a Specialist Understanding the Cost of MSDPR

Why MS DPR?

If your organization is a current or aspiring Microsoft vendor, you’re probably familiar with the Microsoft Supplier Security and Privacy Assurance (SSPA) program (previously called the Vendor Privacy Assurance Program). You might be wondering what this requirement means for your business and what to expect during a Microsoft Data Protection Requirements (MS DPR) assessment.

Completing the Attestation Process

Completing the Attestation Process

Before the attestation, check the Data Protection Requirements (DPR) and make any necessary changes to meet the criteria. Your auditor will ask for some evidence to show that you’ve met these requirements, so be sure to keep some documentation of your work and controls. When the assessment is complete, you’ll be given a letter of attestation which you can submit to Microsoft. If you choose Schellman as an assessor, your auditor can point out areas for improvement and help you identify weaknesses in your current practice to avoid jeopardizing your Microsoft contract. If your organization is subject to other types of IT audits, discuss the option of combining the Microsoft DPR attestation with other audits or assessments to determine if there is an overlap in testing efforts or documentation to ease the burden of multiple audits.

Completing the Attestation Process

Considering a Readiness Assessment

Considering a Readiness Assessment

If you’re anticipating a requirement to provide a letter of attestation for the Microsoft DPR but aren’t yet prepared, Schellman can help you identify control gaps where your organization doesn’t meet the criteria with a readiness assessment. You’ll have an opportunity to identify potential issues before committing to a formal attestation. When you’ve remediated the gaps, your auditor can return to complete the formal attestation. A readiness assessment could also be a benefit if you’re currently bidding on a Microsoft contract and want to show your competitive, proactive approach to privacy compliance.

Wherever you are in compliance with the Microsoft Supplier Security and Privacy Assurance Program requirements, Schellman can help. Speak with an SSPA specialist about your organization’s Microsoft Supplier needs today.

Considering a Readiness Assessment

How much will your MS DPR assessment cost?

In this video, Debbie Zaller explains the cost for an MS DPR assessment as well as the two primary factors that could influence the price:

The first factor is the requirements that are mandated by Microsoft.
The other factor is the scope of services that are provided to Microsoft.

What to expect for your MS DPR Assessment

We begin each project with your end goals in mind and a thorough understanding of all key project activities. Effective communication and timely coordination throughout the engagement are central to our methodology with all clients.

Planning and Kickoff

The first phase of any engagement is planning. This ensures that we’re aligned on the who, what, where, when, why, before we kick off any actual testing.

Proper planning is imperative to the success of the project and Schellman has standard frameworks and processes that clearly outline the “how” and help us accelerate the work for the collective team. Once we’ve aligned on planning and finalized any outstanding items, we’re ready to kick-off the engagement in earnest.

This upfront work helps minimize the likelihood of any last-minute changes to the project or team and gives you a reliable plan prior to the testing and on-site visit (if applicable).

Testing and Gathering

Testing and gathering are core components of any compliance engagement. Based on our aligned agreement during the planning and kickoff phase, we’ll gather the evidence required to meet the objectives.

Schellman has a “no surprise” policy and has daily contact with the stakeholders during the testing and gathering activities. What’s more, Schellman documents everything in real time and even starts to draft the final deliverable as findings become evident. This allows us to provide you with the draft report as efficiently as possible at the conclusion of this phase.

Reporting

The final phase of the engagement is reporting. But again, we focus our entire assessment process on the timely delivery of a final report that’s clear, concise, and accurate.

We consider the entire process and customize our final reports for each Client. You can expect your final report within 30 days of the conclusion of the Testing and Gathering phase.

SSPA (MS DPR) Specialist

Chris Lippert

Chris is a Director and Privacy Technical Lead at Schellman based out of Atlanta, GA. With more than five years of experience in information assurance, Chris has a concentration in privacy-related engagements.

Meet Chris Contact Us

Featured Learning Center Content

Client Success Stories

Learn More

Client Success Stories

Learn More

Client Success Stories

Learn More

Whitepaper

Learn More

Article

Learn More

Article

Learn More

On-Demand Webinar

Learn More

On-Demand Webinar

Learn More

Talk to a Practice Leader

Contact a Specialist