For the purposes of Paragraph OM-2.5.1(c)1 above, licensees as part of their assessments may use the following:

a) Independent third-party certifications on the outsourcing service provider's security and other controls;
b) Third-party or internal audit reports of the outsourcing service provider; and
c) Pooled audits organized by the outsourcing service provider, jointly with its other clients.
Added: January 2020