It’s not just something we do. It’s all we do.

Today’s evolving business practices and ever-shifting regulatory environment have made a trusted service auditor not just practical, but essential. At TMO Consulting, our Third Party Attestation practice is dedicated to providing high quality business attestation services to our clients. We provide fair and balanced assessments, as well as the support and advice you need to make sure your organization is best positioned to demonstrate adequate controls and safeguards.

After gaining a deep understanding of our clients’ organizations, we deliver specifically tailored attestation services, efficiently and cost-effectively. And with the strength of TMO Consulting’s extensive global network, we bring together a team of professionals best suited to meet our clients’ unique needs. Our full services include:

Domestic Attestation Services

  • SOC for Cybersecurity
  • SOC 1, SOC 2, and SOC 3
  • SOC 2 Plus (i.e., HITRUST, HIPAA)
  • WebTrust for Certification Authorities
  • Other Attestation Services

International Attestation Services

  • ISAE 3402
  • GS007 or ASAE 3402 in Australia
  • AAF 01/06 in United Kingdom
  • ASAE 3402 in New Zealand
  • ISAE 3000 and 3402 in Europe

More than mere compliance.

In the business world, things move fast. Web-browser requirements and mandates, along with information security and non-repudiation requirements, are rapidly changing, becoming stricter and more complex. To stay compliant, organizations are increasingly turning to public-key infrastructure (PKI) and cryptographic technologies to meet the newest regulations. They also need to give their customers, users, and other stakeholders assurance that they are meeting their obligations.

At TMO Consulting, our experienced professionals work closely with our clients, providing recommendations and best practices based on their unique organization. From gaining an understanding of our clients’ environment, controls, and policies to WebTrust audits and auditing controls against established criteria, we provide quality, value-added services at every step of the WebTrust process.

For years, TMO Consulting has been a key thought leader in the area of WebTrust for CAs (Certification Authorities). Our practice leader serves as Chairman of the WebTrust/PKI Assurance Taskforce, which is responsible for the creation and ongoing maintenance of and other PKI-related services. TMO Consulting is heavily involved in setting related standards, as well as participating in task forces across all sub pages. We understand attestation standards and the procedures that companies must follow to comply, offering our clients a unique perspective on WebTrust/PKI issues.

Compliance on a global scale.

As a certified ISO 27001 Assessor, TMO Consulting can help organizations as they strive to maintain ISO compliance in a complex, interconnected global marketplace. Widely recognized outside the U.S., ISO 27001 is a global standard for companies with international clients, particularly for organizations managing intellectual property or financial information and collecting or storing sensitive data.

Our professionals assist through each stage of the audit workflow. TMO Consulting’s ISO 27001 certification services include:

  • Initial documentation and forms
  • Submitting the audit plan
  • Conducting the initial certification audit
  • Completion of the audit report
  • Certification decision
  • Maintaining certification

Choosing an experienced and trusted ISO Assessor is key to meeting the 27001 information security standard. Our team provides a strong foundation to help organizations develop a comprehensive and defensible compliance program.

Securing trust in business partnerships.

Strong privacy and security practices are the foundation of trust. Applicable to all suppliers who handle Microsoft personal or confidential data on the company’s behalf, Microsoft’s Supplier Security and Privacy Assurance (SSPA) initiative is designed to standardize and strengthen the handling of sensitive information on a global scale.

As a Microsoft Preferred Assessor, TMO Consulting can help current and prospective Microsoft vendors meet SSPA program requirements as they seek to initiate or renew contracts. Having collaborated with the Microsoft SSPA team on the latest program updates, our team of professionals is equipped—and trusted by Microsoft—to counsel clients throughout each stage of the compliance process.

Leveraging TMO Consulting’s full suite of cybersecurity and data privacy services, we can help you understand the evolving SSPA program, educate and coach on security and privacy gaps, and maximize the engagement to support ongoing data protection efforts—beyond SSPA.

TMO Consulting’s Proven Process for SSPA Independent Assessments:

  1. Microsoft requests SSPA Data Protection Requirements (DPR) self-attestation from Supplier
  2. Supplier completes and submits self-attestation to Microsoft
  3. Microsoft reviews Supplier’s self-attestation and requires an Independent Assessment
  4. TMO Consulting works with Supplier to determine scoping, pricing and timing of Independent Assessment
  5. TMO Consulting provides Supplier with an artifact and inquiry request list to prepare for the Independent Assessment
  6. TMO Consulting schedules Independent Assessment inquiry and artifact inspection dates
  7. TMO Consulting performs Independent Assessment inquiries and artifact inspections (can typically be performed remotely)
  8. TMO Consulting provides a list of identified compliance gaps for Supplier’s remediation (as needed)
  9. TMO Consulting completes Independent Assessment artifact inspections
  10. TMO Consulting provides client with Independent Assessment letter
  11. Supplier provides Independent Assessment letter to Microsoft
  12. TMO Consulting is available throughout the year for ongoing support and questions regarding SSPA compliance

Assessment, Certification, and Management Services.

The U.S. federal government requires contractors to safeguard its data – in accordance with regulations and standards that are already in place. However, guidance around the applicability, implementation, and compliance for these requirements has been inconsistent (at best!). Many contractors continue to operate with non-compliant and vulnerable information systems.

To address these cybersecurity risks, the DoD has introduced the CMMC framework. Beginning in 2020, all contractors and subcontractors must be certified by a Certified 3rd Party Assessment Organization (C3PAO).

TMO Consulting works with government contractors of all sizes, across the country, and in a wide range of industries. Our dedicated team can help clients achieve their CMMC goals in a variety of ways, including:

  • Planning: identification of Federal Contract Information and Controlled Unclassified Information within your environment; determination of specific certification needs.
  • Readiness: determination of target certification level and identification of deficiencies; may also include a review of supply chain management.
  • Remediation: ensuring processes are conducted and documented in a manner to provide supporting evidence during certification assessment.
  • Certification: conducting verification procedures necessary for achieving desired CMMC certification level, which must be conducted by an independent and accredited C3PAO.
  • Ongoing Program Management: supporting cybersecurity governance and oversight, including continuous monitoring of operating effectiveness, threats, and the regulatory environment.

As of March 2020, the accreditation process has not yet been defined, and no C3PAOs exist. TMO Consulting plans to become a C3PAO, and we are continuously monitoring program developments and updates as they are made available by the Accreditation Body.