7 Steps to Take After Receiving a Vendor SOC Report

Hi – my name is John with Venminder.

In this 90-second podcast, you’re going to learn steps to take after receiving a vendor SOC report.

We have a team of qualified IT professionals, such as CISSPs, who analyze vendor SOC reports for our clients daily.

SOC reports are important to review as they can help identify the controls your vendor has in place to secure your data and whether those controls are adequate or faulty.

Here are 7 steps to take after you receive the SOC report:

• Step 1 is to begin analyzing the report. Don’t just check-the-box and file it away. Start with reviewing the reporting period to verify it’s current.
  
  
• Next, review the organization and administration section for a more detailed overview regarding your vendor.
  
  
• The third step is to review the products and services listed. Does the report you’re reviewing cover the product or services that you’re using?
  
  
• The fourth step is to understand the information system section. Within this area, you’ll find more about the vendor’s servers, networks and computer systems.
  
  
• Fifth, look at the data center information. Confirm that the vendor is sufficiently protecting information with proper access controls, monitoring and environmental protections.
  
  
• Sixth, do a deep dive review of the control objectives and activities. They’ll be tested by an audit firm and the findings should relay if controls are effective or not.
  
  
• Finally, review the Complimentary User Entity Controls and verify that your organization has implemented them.

Once you’re finished with your vendor SOC review, a qualified subject matter expert should finalize the findings and draft an analysis to be shared with senior management and the board.

Thanks for tuning in; catch you next time!