How do you base the frequency of reviews for your vendors' SOCs? If you rated a vendor as medium, and the frequency of your due diligence monitoring of documentation is every other year, would that include the SOC, even if produced annually?
What if that vendor had transaction information, but based on your assessment, they are still only a medium risk vendor?
Is there a best practice to reference?
Typically, we only review the SOC reports if the vendor is up for a review that year. Operationally Critical vendors are reviewed every year. Very High and High risk vendors are reviewed annually. Medium Risk vendors are reviewed every two years. Low and Very Low risk vendors are reviewed every three years.
There are a few vendors that we review SOC reports for each year, regardless of the risk or criticality. Our HRIS vendor is the big one. The reason we do not rate them as Critical or High risk is because we do not utilize them to move payroll funds. We also have contingency processes in place should they have an outage that hits during a time that is not ideal.
BEN FURLONG, SSCP, CEH
CHIEF INFORMATION SECURITY OFFICER
Original Message:
Sent: 10/30/2023 12:52:00 PM
From: Kimberly Sambuchi
Subject: Frequency of SOC Reviews
We review SOC 1 reports for suppliers that process financial transactions or provide Tier 1 applications that impact our financial reporting. We review SOC 2 reports for suppliers that have access to our confidential information in their environment, as well as for suppliers that are classified as business critical.