# SOC 2 Vendor Management

> Establish third-party and subservice organization oversight for SOC 2 audit readiness. Risk-tiered assessment framework with vendor register, SOC report review validation, complementary subservice organization controls (CSOCs) validation, and tiered security requirements per CC9.2. Covers vendor risk scoring, SOC report currency checks, and bridge letter tracking.



Tags: Compliance, Security, SOC 2, Audit, AICPA, Vendor Management, GRC


## Example Prompts

- Build a vendor management program for our SOC 2 engagement
- Score and tier our vendors by risk level for SOC 2
- Review our critical vendors' SOC reports for currency and exceptions
- Create tiered security requirements for vendor contracts

URL: https://rakenne.app/skills/soc2-vendor-management/index.md

Try this skill: https://rakenne.app/a/?skill=soc2-vendor-management



## Overview

SOC 2 auditors specifically test vendor oversight per CC9.2 ("The entity assesses and manages risks associated with vendors and business partners"). For Type II engagements, auditors expect evidence that vendor monitoring operated throughout the review period (SOC report reviews, bridge letters, questionnaire renewals), not just an initial assessment. This skill builds a comprehensive vendor management program that extends beyond the subservice organizations named in the system description to include every third party with data access or service criticality.

## Getting Started

Add your source materials to the project workspace — organization profile, vendor contracts, and any existing SOC reports from your vendors — then activate the *SOC 2 Vendor Management* skill. The agent identifies all relevant vendors, scores them by risk, validates SOC report coverage for critical vendors, and produces a tiered requirements framework.

## Example Conversation

Below is an example of how a typical vendor management session unfolds. The agent extends the vendor list beyond subservice organizations, scores each vendor for risk, and validates SOC report coverage.

> **You:** Build the vendor management program. We have AWS, Okta, GitHub, Datadog, Stripe, and SendGrid in our organization profile, but we also use PagerDuty for incident management and Notion for internal docs.
>
> **Agent:** I've loaded the organization profile and built a comprehensive vendor list of 8 third parties. Let me score each one for risk.
>
> *[Runs vendor_risk_scorer]* Tier classification:
>
> | Vendor | Data Access | Criticality | Tier |
> |---|---|---|---|
> | AWS | Customer data, PII | Critical path | **Critical** |
> | Okta | Authentication data | Critical path | **Critical** |
> | GitHub | Source code | High (IP) | **High** |
> | Stripe | Payment data | High (PCI) | **High** |
> | Datadog | System logs | Medium | **Medium** |
> | SendGrid | Email addresses | Medium | **Medium** |
> | PagerDuty | Incident data | Medium | **Medium** |
> | Notion | Internal docs only | Low | **Low** |
>
> Flags:
> - AWS has **concentration risk** — single cloud provider for all infrastructure
> - Stripe processes payment data — verify PCI DSS compliance in addition to SOC 2
>
> Now let me validate SOC reports for Critical and High vendors.
>
> **You:** AWS, Okta, GitHub, and Stripe all have current SOC 2 Type II reports. Datadog's report expires next month.
>
> **Agent:** *[Runs soc_report_review_checker]* Results:
>
> - **AWS**: SOC 2 Type II current, unqualified opinion, CSOCs validated ✓
> - **Okta**: SOC 2 Type II current, unqualified opinion, CSOCs validated ✓
> - **GitHub**: SOC 2 Type II current, unqualified opinion ✓
> - **Stripe**: SOC 2 Type II current + PCI DSS Level 1, unqualified ✓
> - **Datadog**: WARNING — SOC 2 report expires in 28 days. Flag for renewal tracking. No bridge letter on file.
> - SendGrid, PagerDuty, Notion: Not required for Medium/Low tier (security questionnaire sufficient)
>
> All Critical/High vendors have current, unqualified SOC 2 reports. CSOCs from the system description are validated against vendor controls.
>
> I've produced the Vendor Risk Assessment Framework, Vendor Register, and Vendor Security Requirements. Dashboard updated: 2 Critical / 2 High / 3 Medium / 1 Low vendors, 4 vendors with current SOC reports, 100% assessment completion.

## Sample Output Excerpt

Below is a representative excerpt from the vendor register and security requirements, showing the tiered approach auditors expect. "Report Expiry" is the date a report leaves the 12-month currency window the validator checks, counted from the end of the report's examination period rather than its issue date; the gap between that period end and the next report is what a vendor bridge letter covers.

---

### Vendor Register (excerpt)

| ID | Vendor | Services | Tier | SOC 2 Report | Report Expiry | Next Review | Status |
|:---:|:---|:---|:---:|:---|:---|:---|:---|
| VENDOR-001 | AWS | Cloud infrastructure | Critical | Type II (unqualified) | 2026-03-15 | 2025-10-01 | Active |
| VENDOR-002 | Okta | Identity & access mgmt | Critical | Type II (unqualified) | 2026-01-20 | 2025-10-01 | Active |
| VENDOR-003 | GitHub | Source control, CI/CD | High | Type II (unqualified) | 2026-05-10 | 2026-01-01 | Active |
| VENDOR-004 | Stripe | Payment processing | High | Type II + PCI DSS L1 | 2026-04-22 | 2026-01-01 | Active |
| VENDOR-005 | Datadog | Monitoring, logging | Medium | Type II (expiring) | 2025-08-15 | 2025-08-01 | Needs renewal |

### Tiered Security Requirements (excerpt)

**Critical Tier (VENDOR-001, VENDOR-002):**
- Annual SOC 2 Type II report with unqualified opinion (mandatory)
- Right-to-audit clause in contract
- Security incident notification within 24 hours
- Data residency guarantees documented
- Subprocessor change notification with 30-day advance notice
- Annual security assessment review by DataVault security team
- Business continuity / disaster recovery plan evidence
- Cyber insurance minimum $5M coverage

**High Tier (VENDOR-003, VENDOR-004):**
- SOC 2 Type II or ISO 27001 certification (mandatory)
- Security incident notification within 48 hours
- Right-to-audit clause in contract
- Annual security questionnaire completion
- Data processing agreement (DPA) in place


## Built-in Validation

The skill includes two validation tools that check vendor risk scoring and SOC report coverage. The agent runs both after building the vendor register and iterates until all Critical/High vendors have adequate assurance.

### What the validators check

**Vendor Risk Scorer:**

| Check Category | What It Validates | Severity |
|---|---|---|
| Risk tier assignment | Each vendor scored by data access level, service criticality, certifications | Assigns Critical/High/Medium/Low |
| PII access without certification | Vendors with PII access but no SOC 2, ISO 27001, or equivalent | WARNING per vendor |
| Concentration risk | Single-vendor dependency for critical functions | WARNING |
| Assessment history | Vendors without any security assessment on record | WARNING |

**SOC Report Review Checker:**

| Check Category | What It Validates | Severity |
|---|---|---|
| Report obtained | Each Critical/High vendor has a SOC 2 report or alternative assurance | ERROR if missing |
| Report currency | Report period end is less than 12 months before the review date | WARNING if expired or expiring |
| Exceptions documented | Any qualified opinion or testing exceptions (Section IV of the report) have a documented impact assessment | WARNING if undocumented |
| CSOCs validated | CSOCs from system description match vendor controls in the report | WARNING if mismatched |
| Bridge letters | Gap between the report period end and the review date is covered by a vendor bridge letter | WARNING if missing |
| Alternative assurance | Vendors without SOC 2 have ISO 27001 or direct assessment | INFO |
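One way to implement the currency, bridge letter, exception and alternative-assurance checks in the table above, as an added example written for this page (it is not the skill's own `soc_report_review_checker`). The vendor records are constructed from the register excerpt; the 12-month window counted from the report's period end, the 30-day warning threshold, the review date of 2025-07-18, and all field and function names are assumptions.

```python
"""Added example: SOC report currency and bridge-letter coverage check.
Illustrative code for this page, not the skill's soc_report_review_checker.
Records, thresholds and field names below are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CURRENCY_DAYS = 365    # assumption: a report is current for 12 months after its period end
EXPIRING_DAYS = 30     # assumption: warn when the currency window closes within 30 days
ASSURANCE_TIERS = ("Critical", "High")   # tiers for which a report (or equivalent) is mandatory


@dataclass
class SocReport:
    report_type: str                               # e.g. "SOC 2 Type II"
    opinion: str                                   # "unqualified" or "qualified"
    period_end: date                               # last day of the examination period
    bridge_letter_through: Optional[date] = None   # end date of a vendor bridge letter, if held
    has_exceptions: bool = False                   # testing exceptions noted in Section IV
    exceptions_assessed: bool = True               # impact assessment documented for them


@dataclass
class Vendor:
    vendor_id: str
    name: str
    tier: str                                      # Critical / High / Medium / Low
    report: Optional[SocReport] = None
    alternative_assurance: Optional[str] = None    # e.g. "ISO 27001" when no SOC 2 report exists


def review_vendor(v: Vendor, as_of: date) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one vendor as of the review date."""
    findings: list[tuple[str, str]] = []
    r = v.report
    if r is None:
        if v.tier in ASSURANCE_TIERS:
            if v.alternative_assurance:
                findings.append(("INFO", f"no SOC 2 report; relying on {v.alternative_assurance}"))
            else:
                findings.append(("ERROR", "no SOC 2 report or alternative assurance on file"))
        return findings

    # Currency: count 12 months from the end of the examination period, not the issue date.
    lapses_on = r.period_end + timedelta(days=CURRENCY_DAYS)
    days_left = (lapses_on - as_of).days
    if days_left < 0:
        findings.append(("WARNING", f"report currency lapsed {-days_left} days ago ({lapses_on})"))
    elif days_left <= EXPIRING_DAYS:
        findings.append(("WARNING", f"report currency lapses in {days_left} days ({lapses_on})"))

    # Bridge letter: once the window is closing, the time since period_end must be covered.
    if days_left <= EXPIRING_DAYS:
        if r.bridge_letter_through and r.bridge_letter_through >= as_of:
            findings.append(("INFO", f"bridge letter covers through {r.bridge_letter_through}"))
        else:
            findings.append(("WARNING", "no bridge letter on file covering the period since the report"))

    # Exceptions: a qualified opinion or Section IV exceptions need a documented impact assessment.
    if (r.opinion != "unqualified" or r.has_exceptions) and not r.exceptions_assessed:
        findings.append(("WARNING", "qualified opinion or testing exceptions without impact assessment"))
    return findings


def review_register(vendors: list[Vendor], as_of: date) -> tuple[str, dict[str, list[tuple[str, str]]]]:
    """Review every vendor; the overall result fails only on an ERROR for a Critical/High vendor."""
    findings = {v.vendor_id: review_vendor(v, as_of) for v in vendors}
    failed = any(sev == "ERROR"
                 for v in vendors if v.tier in ASSURANCE_TIERS
                 for sev, _ in findings[v.vendor_id])
    return ("FAIL" if failed else "PASS"), findings


# Constructed from the register excerpt: period_end is the page's "Report Expiry" minus 12 months.
VENDORS = [
    Vendor("VENDOR-001", "AWS", "Critical", SocReport("SOC 2 Type II", "unqualified", date(2025, 3, 15))),
    Vendor("VENDOR-002", "Okta", "Critical", SocReport("SOC 2 Type II", "unqualified", date(2025, 1, 20))),
    Vendor("VENDOR-003", "GitHub", "High", SocReport("SOC 2 Type II", "unqualified", date(2025, 5, 10))),
    Vendor("VENDOR-004", "Stripe", "High", SocReport("SOC 2 Type II", "unqualified", date(2025, 4, 22))),
    Vendor("VENDOR-005", "Datadog", "Medium", SocReport("SOC 2 Type II", "unqualified", date(2024, 8, 15))),
]
AS_OF = date(2025, 7, 18)   # assumed review date, chosen so Datadog's window closes in 28 days

if __name__ == "__main__":
    result, per_vendor = review_register(VENDORS, AS_OF)
    for v in VENDORS:
        for sev, msg in per_vendor[v.vendor_id] or [("PASS", "current, no findings")]:
            print(f"[{sev}] {v.vendor_id} ({v.name}): {msg}")
    print("Result:", result)
```

Run directly, it prints one line per vendor in the style of the validator output above. Counting the window from the period end rather than the issue date matters in practice: a Type II report issued months after its period closes has less remaining currency than its cover date suggests, and that shortfall is exactly the gap the bridge letter has to close.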

### Example validation output

```
========================================================================
SOC 2 Vendor Management — Risk Scoring
========================================================================

Vendors analyzed: 8

  VENDOR-001 (AWS): Critical — PII access + critical path
  VENDOR-002 (Okta): Critical — authentication data + critical path
  VENDOR-003 (GitHub): High — source code access (IP)
  VENDOR-004 (Stripe): High — payment data processing
  VENDOR-005 (Datadog): Medium — system logs, no PII
  VENDOR-006 (SendGrid): Medium — email addresses
  VENDOR-007 (PagerDuty): Medium — incident data
  VENDOR-008 (Notion): Low — internal docs only

Flags:
  [WARNING] VENDOR-001 (AWS): Concentration risk — single cloud
    provider for all infrastructure and data storage.

Result: 8 vendors scored (2 Critical, 2 High, 3 Medium, 1 Low)
========================================================================
```

```
========================================================================
SOC 2 Vendor Management — SOC Report Review
========================================================================

Critical/High vendors (4):
  [PASS] VENDOR-001 (AWS): SOC 2 Type II, unqualified, current
  [PASS] VENDOR-002 (Okta): SOC 2 Type II, unqualified, current
  [PASS] VENDOR-003 (GitHub): SOC 2 Type II, unqualified, current
  [PASS] VENDOR-004 (Stripe): SOC 2 Type II + PCI DSS, current

Medium vendors with SOC report:
  [WARNING] VENDOR-005 (Datadog): Report expires in 28 days. No
    bridge letter on file. Flag for renewal tracking.

Result: PASS (all Critical/High vendors have current assurance)
========================================================================
```

The agent runs both validators automatically and iterates until all Critical/High vendors have adequate assurance documentation for audit readiness.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)
