Alternatives to Vendor SOC Reports: What to Review to Manage Risk
By: Lisa-Mae Hill, CTPRP, October 22, 2024
Most of us know by now how useful it is to review a vendor’s SOC report when doing third-party due diligence. But what if your vendor doesn’t have one? A missing SOC report may be a red flag, but in some cases the vendor simply can’t provide one: SOC examinations are costly to obtain, and a newly established vendor may not yet have completed an audit period.
Reviewing a vendor’s system and control environment is still essential, so TPRM teams must be creative and find SOC alternatives that let them verify the vendor’s controls. In this blog, we’ll cover common SOC alternatives that can provide relevant information about a vendor’s control environment, offer some tips for the review process, and describe which types of documentation aren’t suitable as a standalone replacement for a vendor SOC report.
SOC Alternatives to Request From Vendors
When considering vendor SOC alternatives, it’s important to understand the context of your review. Most organizations that request a SOC 2 are trying to understand the vendor’s control environment as it relates to one or more of the five Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy).
Here are some suggestions on vendor SOC alternatives based on the criteria:
- Security – The vendor’s system is protected against unauthorized access, both physical and logical.
  - SOC alternatives: Security policies and procedures, encryption practices, internal or external audit reports, compliance certifications, proof of employee security awareness and training, incident detection and response plans, security testing results (for example, penetration test summaries and vulnerability scan reports), and data breach notification procedures.
- Availability – The vendor’s system is operating as committed, so authorized users can access the system and its information when needed.
  - SOC alternatives: Business continuity/disaster recovery plans and test results, uptime reports, recovery time objective (RTO) and recovery point objective (RPO) targets, evidence of monitoring tools, service level agreements (SLAs), backup system documentation, and redundancy and failover design.
- Processing integrity – System processing is complete, valid, accurate, timely, and authorized.
  - SOC alternatives: Data policies that address governance, quality, security, lifecycle management, audit, and compliance, plus evidence of input validation, reconciliation, and error-handling controls.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
  - SOC alternatives: Evidence of regulatory compliance, non-disclosure agreements, and policies that address access control, confidentiality, and data protection and security.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the vendor’s privacy commitments.
  - SOC alternatives: Privacy policies, compliance certifications, evidence of employee data privacy training, and audit reports.
Many of these vendor SOC alternatives address very specific topics, and it may be helpful to supplement them with additional documents that are broader in scope.
These documents can also be considered for vendor SOC alternatives:
- ISO/IEC 27001:2022 certification – ISO/IEC 27001 is the International Organization for Standardization (ISO) standard for information security management systems (ISMS). Vendors certified against it by an accredited certification body have demonstrated that their ISMS includes defined processes and procedures to manage information security risk. Always look beyond the certificate: confirm that the certified scope actually covers the service you are buying, check that the certificate is current and was issued by an accredited body, and request the Statement of Applicability (SoA) so you can see which Annex A controls the vendor has included or excluded and why. If the vendor will share the certification body’s audit report, review the entire report, NOT just the certificate.
- Custom questionnaire – Your organization may choose to use its own customized questionnaire as an alternative to a vendor SOC report. This questionnaire should be tailored to the vendor’s risks and provide answers to what your organization needs to know to safely move forward with the relationship. Because a questionnaire on its own is a self-attestation, be sure to ask for supplemental documentation that can validate the vendor’s answers.
- NIST CSF questionnaires – The National Institute of Standards and Technology (NIST) sets many guidelines and best practices in its Cybersecurity Framework (CSF). CSF 2.0, released in February 2024, outlines six core functions: govern, identify, protect, detect, respond, and recover (earlier versions had five, without govern). NIST CSF questionnaires completed by a vendor can be helpful for evaluating its cybersecurity practices related to those functions.
- SIG or SIG Lite – The Standard Information Gathering (SIG) questionnaire from Shared Assessments offers insight into the vendor’s control environment through a comprehensive set of yes/no questions that cover risk domains such as privacy, information security, operational resilience, and data governance. SIG Lite is the shorter version, suited to lower-risk relationships or an initial screen. Like any questionnaire, the SIG is self-attested, so request evidence for the answers that matter most to you.
- Consensus Assessment Initiative Questionnaire (CAIQ) – Cloud service providers may use this document to show evidence of their security controls. The CAIQ from the Cloud Security Alliance (CSA) maps to the CSA Cloud Controls Matrix (CCM) and contains a series of yes/no questions that can help you determine which security controls exist in an infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS) environment. Many providers publish their CAIQ in the CSA STAR Registry; note that a STAR Level 1 entry is a self-assessment, while STAR Level 2 involves third-party attestation or certification.
- HITRUST certification – HITRUST originated in the healthcare industry and validates that an organization has met the requirements of the HITRUST CSF, a framework that incorporates HIPAA requirements alongside other standards. Certification is strong evidence of security posture and of alignment with HIPAA, but no certification is recognized by HHS as proof of HIPAA compliance, so treat it as supporting evidence rather than a guarantee. Check which assessment type the vendor holds (e1, i1, or r2, with r2 being the most rigorous) and confirm that the certified scope covers the system you will use. You should always review the entire report, NOT just the certificate.
Note: The documents listed here are commonly accepted vendor SOC alternatives, but your organization should always consider other factors that may be unique to the vendor relationship, such as the vendor’s product or service and the vendor’s inherent risk.
How to Approach Reviewing Vendor SOC Report Alternatives
There’s no single document or report that can fully replace a vendor’s SOC report. Ultimately, your organization will have to determine what’s acceptable as an alternative, or whether the lack of a SOC report means your organization should move on from the vendor relationship. As you’re determining which documents to review as vendor SOC alternatives, ask the following questions:
- What’s the vendor’s inherent risk rating? Critical and high-risk vendors should always be required to submit more documentation during due diligence. You generally won’t be reviewing just one alternative to a SOC report; you’ll likely need several different documents. Working with a qualified subject matter expert (SME) can help determine whether the SOC alternatives are adequate for the vendor’s inherent risk and criticality.
- Does the vendor have sufficient evidence? Look at the overall due diligence process with this particular vendor. Consider what they do have and whether it’s appropriate for the vendor’s size and the service they’re offering. Not all vendors have the same level of documentation, nor should they be expected to, so set appropriate expectations. That said, the vendor should have an amount of documentation that is reasonable for their size and services. Some smaller vendors may have very little documentation but may be able to complete a vendor risk assessment questionnaire, which you can tailor to obtain the information your organization needs.
- Are there significant gaps in the vendor’s evidence? SOC reports contain very specific and detailed information, so it’s understandable that alternatives may leave some gaps. For instance, the vendor’s policies and procedures describe the intended controls, but they aren’t accompanied by the independent testing that is standard in a SOC report, which means the vendor’s control environment hasn’t been verified by an external party. Your organization will need to decide how to address these gaps. For some organizations, this may involve seeking formal risk acceptance from senior management and the board, adding contract language that obligates the vendor to mitigate the risk (for example, to obtain a SOC report within an agreed timeframe), and scheduling a follow-up review to confirm that they did.
Alternative Vendor SOC Documentation to Avoid
Another area to be aware of is what not to accept on its own. Although these documents aren’t inherently unusable, by themselves they don’t provide enough information to validate the vendor’s control environment:
- PCI DSS AoC – Some vendors may offer a PCI DSS Attestation of Compliance (AoC) or a similar attestation as evidence. An AoC is useful as part of a larger package, but it generally should not be used on its own: it confirms the assessed scope and the compliance status, but it doesn’t contain the control narratives or test results that give real insight into the control environment. Those live in the Report on Compliance (ROC), which vendors rarely share. Also confirm that the AoC’s scope covers the services you use, and remember that PCI DSS addresses cardholder data only.
- Subservice SOC reports – Other documents that should not be accepted on their own are subservice SOC reports. Many vendors, especially smaller organizations, outsource key parts of their control environment (hosting, for example) to subservice organizations. You absolutely want to know this, and you definitely want to review those fourth-party SOC reports as part of your due diligence, but not in lieu of documentation from your direct vendor: a cloud provider’s SOC report covers the provider’s controls, not how your vendor configures and operates on top of them. When you do review a subservice report, pay attention to the complementary user entity controls it lists, since your vendor is responsible for implementing those.
Ultimately, when a vendor discloses that they don’t have a SOC report, it’s not the end of the world. The most important next step is deciding what a reasonable expectation of them is. Based on their size, the service they provide, and the risk they pose to your organization, there are other avenues to explore with your vendor to get the evidence you need for a secure and viable relationship.