Due Diligence and Ongoing Monitoring

  • 1.  SOC Reports: When Vendors Do Not Have One

    This message was posted by a user wishing to remain anonymous
    Posted 23 days ago

    What is acceptable documentation in lieu of a SOC report when a vendor does not have a SOC, such as a privately owned business?





  • 2.  RE: SOC Reports: When Vendors Do Not Have One

    Posted 23 days ago
    We generally include the following in our document requests:
    "If you prefer not to disclose some of the requested documentation, please provide a written explanation so that we may provide it to our regulators."




  • 3.  RE: SOC Reports: When Vendors Do Not Have One

    Posted 19 days ago
    Hi,
    This should be addressed using a risk-based approach. The initial request for a SOC 2 report is typically driven by the inherent risk posed by the vendor, based on scoping factors such as data access, system access, regulatory impact, and the criticality of the service provided.
    If a vendor confirms that they do not have a SOC 2 report, the next steps should be determined by the organisation's risk appetite and whether the risk can be accepted, mitigated, or requires escalation.
    Where a SOC 2 report is not available, alternative assurance can be sought. This may include other recognised security certifications or documentation such as ISO/IEC 27001, Cyber Essentials or Cyber Essentials Plus, or equivalent frameworks. In addition, the organisation may request a vendor attestation or security questionnaire confirming that appropriate security controls are in place.





  • 4.  RE: SOC Reports: When Vendors Do Not Have One

    Posted 19 days ago

    That usually comes down to having a Third Party Risk Assessment in place. Regularly imposing a TPRA on your third parties should help here.
