Due Diligence and Ongoing Monitoring

We are looking at adding a CRM system for very basic contact management.  We are looking at a smaller firm and they are not SOC2 compliant but their infrastructure is AWS, which is SOC2.   Would you be concerned about this or are the main risks just with the infrastructure and therefore it doesn't matter for the CRM vendor itself to be SOC2?  I'm trying to decide if that should be a deal breaker given the CRM will have PII.  Thanks!

The AWS SOC2 is not sufficient because the report will not cover the controls at the vendor.  AWS's SOC2 will identify complementary user controls, that is controls that must exist at the user to have a complete view of the control structure.  In this case, the user is your vendor.  If you cannot find a way to determine if the vendor's controls have adequate design and are operating effectively, you may consider assessing risk at the maximum, that is, unmitigated inherent risk.  Doing business with this vendor will depend on your organization's risk appetite.