Determining which vendors are considered “Key” vendors is a critical step in preparing for your audit. Your key vendors are the vendors on which you implement additional monitoring throughout the vendor management lifecycle. The most common method for implementing this monitoring is to review each key vendor’s compliance reports, which can be SOC 2 Type 2 reports or other independent audit reports/certifications as appropriate. To determine whether a given vendor is considered a “Key” vendor or not, ask yourself the following questions:
Does this vendor receive, access, transmit, or store customer data?
Does this vendor have responsibility for managing or securing your infrastructure or source code?
Does this vendor provide cloud services that impact the security or availability of the system being audited?
Would it significantly impact the availability of the services you are providing if this vendor’s services were unavailable?
If you answered yes to any of these questions, then your vendor will be considered a key vendor for your SOC 2 report. Within the Drata Platform’s “Vendors” tab, you will want to set “Yes” in the “Vendor is Critical” field of the vendor’s entry. Even though the vendor is now listed as critical, this does not necessarily mean that the vendor needs to be listed as “HIGH” in the “Customer Security Impact Level” field. A vendor may still be critical without being a high risk to security, such as a vendor that affects the availability of the system being audited but does not handle customer data.
After identifying all of your key vendors, you will need to implement appropriate monitoring procedures to ensure that your vendors have implemented appropriate security measures to protect their systems and any data that you have entrusted to that vendor. As mentioned above, this monitoring usually takes the form of reviewing the SOC 2 Type 2 reports of those vendors on an annual basis.
What to do if your Vendor Does not have a SOC 2 Type 2 Report
A SOC 2 Type 2 report is the preferred report for vendor monitoring in this context because of its depth: it includes the specific controls implemented and the results of the auditor’s testing of both control design AND operating effectiveness. However, not all vendors will have a SOC 2 Type 2 report available.
If your vendor is newer, they might only have a SOC 2 Type 1 report available, or no SOC 2 report available at all. For vendors who only have a SOC 2 Type 1 report available, we suggest reviewing the vendor’s SOC 2 Type 1 report, which will only cover testing the design of security controls, and asking the vendor if they’re working towards a SOC 2 Type 2 report. If the vendor is working towards a SOC 2 Type 2 report, that shows that they are taking the security of their system seriously and are confident that their controls will operate effectively during the report period. If the vendor says that they are not working towards a SOC 2 Type 2 report, you will need to ask them for the reason behind not working towards a SOC 2 Type 2 report. In either case, you will have to make a business decision around whether the information within the SOC 2 Type 1 report is sufficient for your needs and if it is not, determine what other information you can request from the vendor to gain comfort over the vendor’s control environment.
If your vendor does not have any type of SOC 2 report, but has other independent audit reports available, these can be used instead of a SOC 2 Type 2 report, if the scope of the audit is appropriate for your needs. As an example, if your vendor has an ISO 27001 certification, you will need to ask your vendor about the scope of their Information Security Management System (ISMS). Other certifications which might be appropriate for your needs could be CSA STAR Level 2, FedRAMP authorization, HITRUST levels 2 and 3, or other audits/certifications depending on the vendor’s specific service.
If your vendor does not have any independent audit reports/certifications available, you will have to decide if you can gain comfort over the security of your vendor through a security questionnaire. If you feel that a vendor security questionnaire is appropriate for your needs you can use the standard questionnaire provided as part of Drata, from an outside provider, or you can develop your own security questionnaire. One caveat to security questionnaires is that they are self-assessments. Vendors can respond to security questionnaires however they want, without an independent third-party validating their responses. For this reason, they may not be appropriate for all circumstances.
The final point we want to call attention to is what to do if your vendor only provides a SOC 3 report. A SOC 3 report is a SOC report which is meant to be distributed publicly and because of this, contains a reduced amount of information. To receive a SOC 3 report, an organization must undergo a SOC 2 Type 2 audit and receive a SOC 2 Type 2 report. Some vendors only provide SOC 3 reports to their free tier users. In the event that your vendor will only provide a SOC 3 report, you are not required to move to a higher tier of service just to receive the SOC 2 Type 2 report. If your vendor is only willing to provide a SOC 2 Type 2 report to customers in a certain usage tier, you may use the SOC 3 report for your monitoring procedures.