SOC 2 Academy: Managing Vendor Risk

by Sarah Harvey / March 15th, 2019

Common Criteria 9.2

When a service organization undergoes a SOC 2 audit, the auditor verifies whether it complies with the common criteria in the 2017 SOC 2 Trust Services Criteria. Common criteria 9.2 (CC9.2) states, “The entity assesses and manages risks associated with vendors and business partners.” How can an organization be sure that it is complying with this criterion? Let’s take a look at the key ways organizations can manage vendor risk.

Managing Vendor Risk for SOC 2 Compliance

It’s rare today for an organization to operate without relying on third-party vendors for some part of its business. From payroll processors to electricians, managing vendor risk is paramount to ensuring that a service organization is secure. Think of it like this: what would the impact be if a third-party vendor were hit by a natural disaster and could no longer perform a critical function for the organization? What if a third-party vendor hosted all of an organization’s sensitive data and was later breached? It’s happened before, and it will happen again. This is why, during a SOC 2 audit, an auditor validates compliance with common criteria 9.2 by using the following points of focus as a guide to confirm that the organization is managing vendor risk.

  • Does the entity establish requirements for vendor and business partner engagements?
  • Does the entity assess vendor and business partner risks?
  • Does the entity assign responsibility and accountability for managing vendors and business partners?
  • Does the entity establish communication protocols for vendors and business partners?
  • Does the entity establish exception handling procedures from vendors and business partners?
  • Does the entity assess vendor and business partner performance?
  • Does the entity implement procedures for addressing issues identified during vendor and business partner assessments?
  • Does the entity implement procedures for terminating vendor and business partner relationships?


Common criteria 9.2 for the 2017 SOC 2 Trust Services Criteria has to do with assessing and managing risks with vendors and business partners. This world has completely changed in the last three years in relation to the third parties we do business with. Gone are the days when we simply had a written agreement with our client or an NDA signed, and that was really the extent of our knowledge of what the vendor does or how they operate. So many compliance standards, like SOC 2, have changed to specifically address how organizations should deal with risk from third-party vendors or business partners. What are the things that could happen on their side that could impact us? We need to take ownership of those risks, because they’re our risks. If the third party has some type of threat that’s realized in their environment, it’s going to impact you, so you need to account for it. You can’t abdicate responsibility and leave it solely in the third-party vendor’s hands.

Moving beyond the written agreements with clients involves truly understanding what the third-party vendor does for you and what risks the relationship poses. Once you understand what they do and how they could impact your organization, you can design a way to manage that risk. For example, you might request a specific report from third parties before engaging with them, you might want to be notified if the organization experiences turnover, or you might even decide to do site visits to verify the controls they have in place or send an auditor to assess their controls. You’re really trying to think more specifically; you don’t want to apply one way of managing vendors to all vendors, because every environment is different. You really need to get to a place where you can do an assessment of what they’re doing for you and how they’re doing it, so that the controls you’ve put into place are relevant to the information that you’re asking them to provide to you.