Why a Vendor SOC Report Is Not Enough and How to Fill the Gaps

Service Organization Controls (SOC) reports are a key document in third-party risk management for assessing your vendor’s information security controls and identifying any potential risks. SOC reports can provide critical insights that give you a picture of your vendor’s security measures and capabilities and what you can expect from your vendor during the relationship.

However, while incredibly useful, SOC reports can’t cover every base, so it’s important to understand exactly how SOC reports assess your vendor’s risk posture and where gaps need to be addressed. When assessing your vendor, you need to utilize all the tools at your disposable to receive a complete picture of your vendor’s risk posture, and SOC reports simply cannot assess your vendor from every angle or give you a full picture of a vendor’s cybersecurity and business continuity posture.

What Vendor SOC Reports Can Assess

When we talk about SOC reports, it’s important to note that there are several types of SOC reports, each serving separate functions and assessing different controls. The two main reports that you’ll come across are the SOC 1 and SOC 2 reports. You’ll also start seeing more SOC for Cybersecurity reports. Let’s discuss further:

• A SOC 1 report assesses a vendor’s financial reporting controls and should be used when evaluating your non-information system-based vendors.
• A SOC 2 report assesses the vendor’s controls in relation to the 5 Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. It should be requested when you’re evaluating whether the vendor’s controls can protect your sensitive data.
• A SOC for Cybersecurity provides a more detailed insight into the organization’s cybersecurity risk management program.

Each report can be broken down further into Type I and Type II. Type I reports assess control performance in a singular point in time, while Type II reports assess controls over a selected period of time. If you have a choice between the two, you should request a Type II report to better identify any vulnerabilities or changes more effectively to performance levels.

The different types of SOC reports offer variety to meet your needs when it comes to assessing a vendor’s controls. However, even as new SOC reports emerge, it’s important to understand that SOC reports still leave gaps in the due diligence process, which you will need to address with other audits.

Alternatively, your vendor may provide a bridge letter, also known as a gap letter, which can be used to give assurances into the vendor’s controls while waiting for an updated SOC report. While bridge letters can assure your organization that the vendor’s controls are working properly, they may not always suffice. Most importantly, however, a bridge letter can’t replace a SOC report and your organization should review the updated SOC report as soon as possible.

What Vendor SOC Reports Can’t Tell You

Just because your vendor provides a SOC report doesn’t mean that you are free from risk. As a tool, SOC reports can help identify any issues or vulnerabilities in the vendor’s controls, but it isn’t enough and you can’t fall into a false sense of security just because a SOC report highlights positive performance.

In some cases, a report may fail to cover every aspect of the Trust Services Criteria, or the vendor may leave out a group of controls. A SOC report isn’t a catch-all and cannot offer a full picture of the vendor’s cybersecurity and business continuity resilience.

Addressing Any Gaps Left After a Vendor SOC Report Review

So, what can you do? What alternatives can you use to address the gaps of the SOC reports and still fully assess the vendor’s controls for risks? Here are a few documents you can request to assess your vendor:

• Copies of the vendor’s full cybersecurity, business continuity, and disaster recovery plans as well as their response plans including incident, pandemic, and crisis. These will provide a clear picture of how the vendor will deal with any incidents and what you can expect.
• A specific vendor risk assessment questionnaire. You can request that your vendor fills out a questionnaire with specific questions that provides information into the controls that affect your organization and that may have been missed in the SOC report.
• Additional audits and certifications. Does your vendor have proper certifications and licensing to show that their controls meet regulatory standards? You can use audit results to verify the vendor’s controls and compliance.
• Testing results. For example, penetration testing results can highlight the vendor’s performance and how well the controls functioned in simulated testing, which can provide key insights.

Ultimately, you need to ensure that you have enough information to understand how your vendor manages their information security practices. This should include their controls for protecting data, implementing privacy protections, and ensuring solid availability. While a SOC report contains some of this information, its depth is limited. For that reason, it’s essential to dig deeper into your vendor’s full policies, procedures, and testing to gain a better view of how your vendors operate.

SOC reports are useful tools for assessing your vendor’s controls, but they may not always provide the full picture of your vendor’s risk posture. For that reason, it’s important to understand both the strengths of SOC reports, as well as the gaps that will need to be addressed through supplemental documentation and audits, so that your organization can work to identify and mitigate any potential risks and defend against incidents.