Incident Response Policies with client notification protocols, Disaster Recovery/Business Continuity/Pandemic Plans, Disaster Recovery/Business Continuity Testing Results, as this is not always discussed in the SOC report. I am finding it harder to collect these documents, as the vendor does not want to share them and they are confidential. Thoughts on how to get around this?
I'm going to give you a different perspective than most, but this works well when you are not the big dog in the relationship. Retain a minimum amount of another organization's confidential information, especially if you have an SSAE SOC 2 that includes the review. If you do not have requirements for an independent attestation in agreements, it should be added. A contractual Right to Audit has to be explicit to access sensitive corporate information. Additionally, you limit the risk of a data leak/breach if your organization or a third-party provider stores this data. Example:
Michelle R Vitali CISSP, CRISC, CDPSE, CTPRP | Vice President | RCA Professional