
COO | IT Risk & Assurance | TPISA

Aviva TPISA Pre-assessment Call Template


1. General introduction: Thank you for joining the meeting today. My name is [your name], I am
from Accenture, and I am conducting this assessment on behalf of Aviva [You can also ask the
supplier to introduce themselves and their team]. I just wanted to confirm that we've
received your questionnaire response and the supporting documentation (if not received*,
please ask them to send these to the TPISA inbox (tpisa@aviva.com), copying your email
address, prior to the assessment start date). I'll make sure to review these documents
prior to the assessment.
*If you have not received a completed questionnaire within one week of the assessment start
date, please escalate to the SMO team as soon as possible.

2. Understand supplier background: Are you familiar with the TPISA process? Can you please give
me an overview of the service you provide to Aviva?

3. For remote assessments only - Remote assessment process: This assessment will be
conducted remotely via Microsoft Teams (unless you require a different video conferencing
solution). This will typically be over three* days and it's currently planned for the [Assessment
dates] (confirm the dates with Supplier). Each day will be broken down into 2 sessions with
times allocated for breaks and lunch. We should be able to complete the assessment in two**
days and the last day is used for contingency time. This is to review any further evidence or for
any additional follow ups.
*Three days for Tier 1 / Tier 1 Critical and two days for Tier 2 suppliers
**Two days for Tier 1 / Tier 1 Critical and one day for Tier 2 suppliers

4. For onsite assessments only - Onsite assessment process: This assessment will be
conducted onsite at [Supplier Office Location] (confirm office location with Supplier). This
will typically be over three* days and it's currently planned for the [Assessment dates]
(confirm the dates with Supplier). Each day will be broken down into 2 sessions with times
allocated for breaks and lunch. We should be able to complete the assessment in two** days
and the last day is used for contingency time. This is to review any further evidence or for any
additional follow ups.
*Three days for Tier 1 / Tier 1 Critical and two days for Tier 2 suppliers
**Two days for Tier 1 / Tier 1 Critical and one day for Tier 2 suppliers

5. The objective of the assessment is for Aviva to understand the maturity of your security
controls through supporting evidence. We assess each control against the following criteria,
and we're looking for three things in particular:
a. Firstly - how the security control has been implemented within your organisation. We
understand this from your responses to the questionnaire controls.
b. Design Adequacy (DA): This involves showing the existence of a company-wide policy
or procedure that captures the requirements listed in the control and is shown to be
followed by the business. For example, for joiners/movers/leavers, we would like to
see a JML/Access Management policy, which states that when an employee leaves the
organisation their access to business systems is revoked from their termination date.
Note: We're looking for version-controlled documents with formal sign off dated
within the last 12 months.
c. Design Effectiveness (DE): This is to assess whether the policy/procedure is being
effectively implemented within the business. Back to the JML example, to evidence DE
we would need to see an IT ticket requesting an employee's access to be revoked by
their termination date, or an email template from HR requesting the employee to
return all their company assets prior to their termination date, e.g., ID badge, laptop,
mobile phone, etc.
Note: We understand that this information can be confidential, so we're happy to
accept redacted copies of the documents, if they still showcase the policy/procedure
being implemented within the business.

6. Please confirm with the supplier if that all makes sense and ask if they have any questions
before proceeding further.

7. Within two days of the final assessment day, I will be sharing with you an Excel spreadsheet
containing the list of pending evidence. This identifies the security controls where more
information is required to fully achieve design adequacy (DA) and design effectiveness (DE).
You'll have 5 business days from receipt of that email to provide the requested pending
evidence. If we don't receive the evidence or if it doesn't match the required criteria explained
before, we will have to list this as a finding or an observation.

8. The final assessment report will be provided to you by your Aviva Supplier Owner (ASO) – [ASO
Name]. Based on the criticality of the findings, the ASO may arrange a meeting to discuss a
remediation plan, which would then be tracked by Aviva.

9. During this assessment, all domains will be in scope except for [Data Privacy, Aviva Fourth
Parties, PCI DSS, System Development].
a. For your reference only: Use the TPISA assessment confirmation email to understand
what domains are not in scope.
b. Important: If the supplier is not happy with the proposed scope and suggests changes,
please capture their rationale, and email the ASO and Market Lead (ML) to confirm and
approve this change. Only the ASO and ML have the authority to make decisions
regarding domain scoping.
c. Even if the ASO/ML are on the call and they have verbally confirmed the scope
change(s), please capture this officially within the pre-assessment call minutes.

10. Confirm the assessment agenda: Are there any time zone differences? Do you have a
particular structure in mind, or are you happy for me to share an indicative agenda for review
later today? Are you happy for me to send out the meeting invitations or do you wish to
organise them?

11. Use this section only if a Supplier directly requests an NDA - Confirm Non-Disclosure
Agreement (NDA) requirements: This assessment will be conducted by Accenture UK on
behalf of Aviva and there is a confidentiality agreement/NDA in place between Accenture and
Aviva; however, for further assurance, do you still require a confidentiality agreement/NDA
between [Supplier name] and Accenture UK?
a. If yes, request the supplier to share an editable copy of the confidentiality
agreement/NDA to the TPISA mailbox (tpisa@aviva.com).
b. Please inform the supplier that this confidentiality agreement/NDA will have to be
reviewed by the Accenture Legal team and that it may not be possible to get this
signed prior to the assessment start date and ask them if they have any concerns with
that.


c. If the supplier requires a signed NDA before proceeding with the assessment, please
let the SMO team know as soon as possible.
d. Please make sure to capture any NDA requirements within the pre-assessment call
minutes.

12. Close the pre-assessment call: Does anyone have any questions before we close today? If not,
thank you everyone for joining the call (and if the ASO/ML is on the call, please give them an
opportunity to add anything prior to closing). I will be sharing meeting minutes and an
indicative agenda for your review later today.

13. For your reference only - Senior Data Privacy Manager (SDPM) requirement: For all the
suppliers in the UKGI market (as of now), you will need to invite the SDPM for the Data Privacy
domain (if applicable). Please check the initial TPISA email requesting you to conduct this
assessment for the SDPM contact details and remember to include them in the assessment
invitation for the day that covers Data Privacy. If you are unable to find the details, please reply
to the TPISA email to request the SDPM email address.

V2.0, 07/03/2022
