Overview
Establish third-party and subservice organization oversight for SOC 2 audit readiness. The skill builds a risk-tiered assessment framework with a vendor register, SOC report review validation, CSOC (complementary subservice organization control) validation, and tiered security requirements mapped to CC9.2. It covers vendor risk scoring, SOC report currency checks, and bridge letter tracking.
SOC 2 auditors specifically test vendor oversight under CC9.2 ("The entity assesses and manages risks associated with vendors and business partners"). For Type II engagements, auditors expect evidence of ongoing vendor monitoring across the review period, not just an initial assessment. This skill builds a vendor management program that extends beyond the subservice organizations named in the system description to include every third party with data access or service criticality.
Getting Started
Add your source materials to the project workspace — organization profile, vendor contracts, and any existing SOC reports from your vendors — then activate the SOC 2 Vendor Management skill. The agent identifies all relevant vendors, scores them by risk, validates SOC report coverage for critical vendors, and produces a tiered requirements framework.
Example Conversation
Below is an example of how a typical vendor management session unfolds. The agent extends the vendor list beyond subservice organizations, scores each vendor for risk, and validates SOC report coverage.
You: Build the vendor management program. We have AWS, Okta, GitHub, Datadog, Stripe, and SendGrid in our organization profile, but we also use PagerDuty for incident management and Notion for internal docs.
Agent: I’ve loaded the organization profile and built a comprehensive vendor list of 8 third parties. Let me score each one for risk.
[Runs vendor_risk_scorer] Tier classification:
| Vendor | Data Access | Criticality | Tier |
|---|---|---|---|
| AWS | Customer data, PII | Critical path | Critical |
| Okta | Authentication data | Critical path | Critical |
| GitHub | Source code | High (IP) | High |
| Stripe | Payment data | High (PCI) | High |
| Datadog | System logs | Medium | Medium |
| SendGrid | Email addresses | Medium | Medium |
| PagerDuty | Incident data | Medium | Medium |
| Notion | Internal docs only | Low | Low |
Flags:
- AWS has concentration risk — single cloud provider for all infrastructure
- Stripe processes payment data — verify PCI DSS compliance in addition to SOC 2
Now let me validate SOC reports for Critical and High vendors.
You: AWS, Okta, GitHub, and Stripe all have current SOC 2 Type II reports. Datadog’s report expires next month.
Agent: [Runs soc_report_review_checker] Results:
- AWS: SOC 2 Type II current, unqualified opinion, CSOCs validated ✓
- Okta: SOC 2 Type II current, unqualified opinion, CSOCs validated ✓
- GitHub: SOC 2 Type II current, unqualified opinion ✓
- Stripe: SOC 2 Type II current + PCI DSS Level 1, unqualified ✓
- Datadog: WARNING — SOC 2 report expires in 28 days. Flag for renewal tracking. No bridge letter on file.
- SendGrid, PagerDuty, Notion: Not required for Medium/Low tier (security questionnaire sufficient)
All Critical/High vendors have current, unqualified SOC 2 reports. CSOCs from the system description are validated against vendor controls.
I’ve produced the Vendor Risk Assessment Framework, Vendor Register, and Vendor Security Requirements. Dashboard updated: 2 Critical / 2 High / 3 Medium / 1 Low vendors, 4 vendors with current SOC reports, 100% assessment completion.
Sample Output Excerpt
Below is a representative excerpt from the vendor register and security requirements, showing the tiered approach auditors expect.
Vendor Register (excerpt)
| ID | Vendor | Services | Tier | SOC 2 Report | Report Expiry | Next Review | Status |
|---|---|---|---|---|---|---|---|
| VENDOR-001 | AWS | Cloud infrastructure | Critical | Type II (unqualified) | 2026-03-15 | 2025-10-01 | Active |
| VENDOR-002 | Okta | Identity & access mgmt | Critical | Type II (unqualified) | 2026-01-20 | 2025-10-01 | Active |
| VENDOR-003 | GitHub | Source control, CI/CD | High | Type II (unqualified) | 2026-05-10 | 2026-01-01 | Active |
| VENDOR-004 | Stripe | Payment processing | High | Type II + PCI DSS L1 | 2026-04-22 | 2026-01-01 | Active |
| VENDOR-005 | Datadog | Monitoring, logging | Medium | Type II (expiring) | 2025-08-15 | 2025-08-01 | Needs renewal |
Tiered Security Requirements (excerpt)
Critical Tier (VENDOR-001, VENDOR-002):
- Annual SOC 2 Type II report with unqualified opinion (mandatory)
- Right-to-audit clause in contract
- Security incident notification within 24 hours
- Data residency guarantees documented
- Subprocessor change notification with 30-day advance notice
- Annual security assessment review by DataVault security team
- Business continuity / disaster recovery plan evidence
- Cyber insurance minimum $5M coverage
High Tier (VENDOR-003, VENDOR-004):
- SOC 2 Type II or ISO 27001 certification (mandatory)
- Security incident notification within 48 hours
- Right-to-audit clause in contract
- Annual security questionnaire completion
- Data processing agreement (DPA) in place
Built-in Validation
The skill includes two validation tools that check vendor risk scoring and SOC report coverage. The agent runs both after building the vendor register and iterates until all Critical/High vendors have adequate assurance.
What the validators check
Vendor Risk Scorer:
| Check Category | What It Validates | Severity |
|---|---|---|
| Risk tier assignment | Each vendor scored by data access level, service criticality, certifications | Assigns Critical/High/Medium/Low |
| PII access without certification | Vendors with PII access but no SOC 2, ISO 27001, or equivalent | WARNING per vendor |
| Concentration risk | Single-vendor dependency for critical functions | WARNING |
| Assessment history | Vendors without any security assessment on record | WARNING |
SOC Report Review Checker:
| Check Category | What It Validates | Severity |
|---|---|---|
| Report obtained | Each Critical/High vendor has a SOC 2 report or alternative assurance | ERROR if missing |
| Report currency | Report period end date is less than 12 months in the past (a SOC report has no formal expiry; the checker treats 12 months after the period end as the currency limit) | WARNING if expired or expiring |
| Exceptions documented | Any qualified findings have documented impact assessment | WARNING if undocumented |
| CSOCs validated | CSOCs from system description match vendor controls in the report | WARNING if mismatched |
| Bridge letters | The gap between a report's period end and the current date is covered by a bridge letter from the vendor | WARNING if missing |
| Alternative assurance | Vendors without SOC 2 have ISO 27001 or direct assessment | INFO |
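As an added illustration (not the skill's own validator code), the following Python implements the two checks above: tier assignment, the PII-without-certification and concentration warnings, and the report review with its 12-month currency window, expiry warning and bridge-letter check. The tiering rules, the thresholds (12 months of currency, 30-day warning) and the sample register are assumptions constructed for this example; the register reuses the page's vendor names and expiry dates, with the period end taken as expiry minus 12 months.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed thresholds (not from the page): a report is treated as current for
# 12 months after its period end; a warning fires 30 days before that.
CURRENCY_WINDOW = timedelta(days=365)
EXPIRY_WARNING = timedelta(days=30)

@dataclass(frozen=True)
class SocReport:
    opinion: str                                  # "unqualified" or "qualified"
    period_end: date                              # last day of the audited period
    bridge_letter_through: Optional[date] = None  # gap coverage, if on file

@dataclass(frozen=True)
class Vendor:
    id: str
    name: str
    function: str                       # role, used for the concentration check
    data: frozenset                     # classes of data the vendor can reach
    critical_path: bool = False         # an outage takes our service down
    report: Optional[SocReport] = None
    alt_assurance: frozenset = frozenset()   # e.g. {"ISO 27001", "PCI DSS L1"}

SENSITIVE = frozenset({"pii", "customer_data", "auth"})
PII_LIKE = SENSITIVE | {"payment", "email"}

def tier(v: Vendor) -> str:
    """Illustrative tiering rule: data sensitivity first, criticality second."""
    if v.critical_path and v.data & SENSITIVE:
        return "Critical"
    if v.data & {"source_code", "payment"}:
        return "High"
    if v.data & {"logs", "email", "incident"}:
        return "Medium"
    return "Low"

def score_register(vendors):
    """Vendor Risk Scorer: tier per vendor plus the warnings the page lists."""
    tiers, findings, providers = {}, [], {}
    for v in vendors:
        tiers[v.id] = tier(v)
        if v.data & PII_LIKE and v.report is None and not v.alt_assurance:
            findings.append(("WARNING", v.id, "PII access without SOC 2/ISO 27001/equivalent"))
        if v.critical_path:                 # who carries each critical function?
            providers.setdefault(v.function, []).append(v.id)
    for function, ids in providers.items():
        if len(ids) == 1:
            findings.append(("WARNING", ids[0], f"Concentration risk: sole provider for {function}"))
    return tiers, findings

def review_reports(vendors, today_iso: str):
    """SOC Report Review Checker: presence, opinion, currency, bridge letters."""
    today = date.fromisoformat(today_iso)
    findings = []
    for v in vendors:
        r = v.report
        if r is None:
            if tier(v) in ("Critical", "High"):   # Medium/Low: questionnaire suffices
                alt = "alternative assurance: " + ", ".join(sorted(v.alt_assurance))
                findings.append(("INFO", v.id, alt) if v.alt_assurance
                                else ("ERROR", v.id, "no SOC 2 report or alternative assurance"))
            continue
        if r.opinion != "unqualified":
            findings.append(("WARNING", v.id, f"{r.opinion} opinion: impact assessment required"))
        expiry = r.period_end + CURRENCY_WINDOW
        bridged = r.bridge_letter_through is not None and r.bridge_letter_through >= today
        if expiry <= today:
            msg = f"report expired {expiry}"
        elif expiry - today <= EXPIRY_WARNING:
            msg = f"report expires in {(expiry - today).days} days"
        else:
            continue                            # current, nothing to report
        findings.append(("WARNING", v.id, msg if bridged else msg + "; no bridge letter on file"))
    return findings

def audit_ready(findings) -> bool:              # PASS = no Critical/High vendor lacks assurance
    return not any(sev == "ERROR" for sev, _, _ in findings)

def with_bridge_letter(vendors, vendor_id, through_iso: str):
    """Copy of the register with a bridge letter recorded for one vendor."""
    through = date.fromisoformat(through_iso)
    return [replace(v, report=replace(v.report, bridge_letter_through=through))
            if v.id == vendor_id else v for v in vendors]

# Constructed sample register; period ends are the page's expiry dates minus 12 months.
REGISTER = [
    Vendor("VENDOR-001", "AWS", "cloud infrastructure", frozenset({"customer_data", "pii"}), True,
           SocReport("unqualified", date(2025, 3, 15))),
    Vendor("VENDOR-004", "Stripe", "payments", frozenset({"payment"}), False,
           SocReport("unqualified", date(2025, 4, 22)), frozenset({"PCI DSS L1"})),
    Vendor("VENDOR-005", "Datadog", "monitoring", frozenset({"logs"}), False,
           SocReport("unqualified", date(2024, 8, 15))),
    Vendor("VENDOR-008", "Notion", "internal docs", frozenset({"internal"})),
]

if __name__ == "__main__":
    _, flags = score_register(REGISTER)
    for finding in flags + review_reports(REGISTER, "2025-07-18"):
        print(*finding)
```

Run as of 2025-07-18, the register yields the page's two findings (AWS concentration risk; Datadog expiring in 28 days with no bridge letter) and an overall PASS because no Critical/High vendor is missing assurance. Moving the date past 2025-08-15 turns the Datadog finding into "expired", and recording a bridge letter that reaches the current date drops the "no bridge letter" suffix, which is the gap-coverage check the table describes.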
Example validation output
========================================================================
SOC 2 Vendor Management — Risk Scoring
========================================================================
Vendors analyzed: 8
VENDOR-001 (AWS): Critical — PII access + critical path
VENDOR-002 (Okta): Critical — authentication data + critical path
VENDOR-003 (GitHub): High — source code access (IP)
VENDOR-004 (Stripe): High — payment data processing
VENDOR-005 (Datadog): Medium — system logs, no PII
VENDOR-006 (SendGrid): Medium — email addresses
VENDOR-007 (PagerDuty): Medium — incident data
VENDOR-008 (Notion): Low — internal docs only
Flags:
[WARNING] VENDOR-001 (AWS): Concentration risk — single cloud
provider for all infrastructure and data storage.
Result: 8 vendors scored (2 Critical, 2 High, 3 Medium, 1 Low)
========================================================================
========================================================================
SOC 2 Vendor Management — SOC Report Review
========================================================================
Critical/High vendors (4):
[PASS] VENDOR-001 (AWS): SOC 2 Type II, unqualified, current
[PASS] VENDOR-002 (Okta): SOC 2 Type II, unqualified, current
[PASS] VENDOR-003 (GitHub): SOC 2 Type II, unqualified, current
[PASS] VENDOR-004 (Stripe): SOC 2 Type II + PCI DSS, current
Medium vendors with SOC report:
[WARNING] VENDOR-005 (Datadog): Report expires in 28 days. No
bridge letter on file. Flag for renewal tracking.
Result: PASS (all Critical/High vendors have current assurance)
========================================================================
The agent runs both validators automatically and iterates until all Critical/High vendors have adequate assurance documentation for audit readiness.