Vendor Risk Assessment
SOC 2 Vendor Oversight
How to build a vendor management program that satisfies SOC 2 auditors.
The 5 Core Requirements
Vendor Inventory
Maintain a complete list of all third-party service providers that could impact the security, availability, or confidentiality of your system.
Risk Assessment (Triage)
A formal process to categorize vendors based on the risk they pose. Not all vendors require the same level of scrutiny.
Due Diligence (Evidence)
Reviewing SOC 2 reports, ISO certifications, or security questionnaires before onboarding a new vendor.
Contractual Protections
Ensuring security requirements, breach notification timelines, and "right to audit" clauses are in your vendor contracts.
Ongoing Monitoring
Reviewing vendor performance and security posture at least annually (or more frequently for high-risk vendors).
Auditor Perspective
"Auditors aren't looking for a perfect vendor list—they're looking for a consistent process. If you have 50 vendors, they will sample 3-5 and ask to see the risk score, the evidence review, and the signed contract for each."
Common Audit "Findings" to Avoid
- ✗ "Evidence of review not retained" (e.g., you reviewed the SOC 2 report but didn't document the findings).
- ✗ "Expired SOC 2 reports" (e.g., the last review was 18 months ago).
- ✗ "Missing Complementary User Entity Controls (CUECs)" (e.g., you didn't implement the controls the vendor expects you to).
Frequently Asked Questions
Does SOC 2 require a full audit of every vendor?
No. You must perform "due diligence" proportional to the risk. For a low-risk vendor, a simple questionnaire might suffice. For a critical subprocessor, you likely need to review their latest SOC 2 Type II report.
What if a vendor doesn’t have a SOC 2 report?
You must use alternative "compensating" evidence, such as a detailed security questionnaire, an ISO 27001 certificate, or a penetration test summary.
SOC 2 Vendor Oversight Checklist
A step-by-step guide to meeting SOC 2 Common Criteria for third-party risk management.