EI3PA - Experian Independent 3rd Party Assessment Certification


ControlCase provides organizations desiring compliance with the Experian Independent 3rd Party Assessment (EI3PA) with the Report on Compliance (RoC) and EI3PA Certification.

Our certification methodology consists of the following steps:

Gap Analysis:

ControlCase will perform a gap analysis and the required testing to inform the client of the controls that need remediation to achieve EI3PA compliance. The assessment will include a review of the environment containing the Experian data (including vulnerability and penetration testing) and supporting technical documentation. The assessment process may include interviews with company personnel to determine what EI3PA requirements are in place and where remediation is required.

The first phase of the project will involve reviewing and validating the current environment containing the Experian data, policies and procedures against the EI3PA requirements. The methodology for validation will include:

  • Review of current environment security features;
  • Mapping touch points to the corporate network;
  • Examining access points and network components for security shortcomings from an EI3PA perspective;
  • Verification that current documented controls meet the specific EI3PA requirements;
  • Scans and penetration tests to validate that the client has attained an appropriate level of security.

For this phase, ControlCase consultants will require the following documentation from the client:

  • Current network diagrams of the appropriate environments with respect to Experian data;
  • Firewall/router configuration details;
  • Data retention and disposal procedures;
  • Policy and Procedures for physical security;
  • Encryption Key Management Policy;
  • Incident Response Policy;
  • Password Policy;
  • Change Control Policy;
  • Build/Patch Policy;
  • Internal Security Testing Procedures.

Remediation plan and support:

ControlCase will keep track of all remediation efforts and provide a monthly status report to the client for the remediation steps. During this time, the client is expected to implement the necessary controls and keep ControlCase continuously informed of all remediation measures.


ControlCase will, as required for the project, deploy an EI3PA audit team of qualified personnel to carry out an on-site security assessment. Once internal quality procedures are complete, the client will be issued the appropriate certification.