Overview
Assess vendor security posture by validating SIG (Standardized Information Gathering) questionnaire responses against supporting evidence and auditing SOC 2 Type I/II reports for coverage gaps. Produces structured Third-Party Risk Assessment reports aligned with NIST SP 800-161 (Supply Chain Risk Management) and GDPR Article 28 (processor due diligence).
Automated tools flag unsupported vendor claims (answers without matching evidence), expired SOC 2 reports or bridge letters, and control gaps between the audit period and today. The output is a risk-rated vendor report suitable for procurement approval, DPA negotiation, or annual vendor review cycles.
When to use this skill
Use this skill when you are:
- Onboarding a new vendor that will process sensitive data or access critical systems — running the initial security due diligence before contract signature.
- Conducting annual vendor reviews to confirm that existing suppliers maintain their security posture over time and that certifications have not lapsed.
- Auditing a vendor’s SOC 2 report to identify which controls are in scope, whether the bridge letter covers the gap to today, and whether any exceptions were noted by the auditor.
- Validating SIG questionnaire responses by cross-referencing vendor answers against the evidence documents they provided (policies, pentest reports, certifications).
- Performing GDPR Article 28 due diligence on a data processor before signing a Data Processing Agreement, confirming that technical and organizational measures are in place.
- Responding to a security incident involving a third party and needing a rapid assessment of their contractual security commitments versus actual controls.
Typical users include information security teams, vendor risk managers, procurement officers, data protection officers (DPOs), and GRC analysts at organizations with regulated supply chains.
Getting Started
Add the vendor’s completed SIG questionnaire, SOC 2 report (and bridge letter if applicable), and any supporting evidence documents to the project workspace, then activate the Third-Party Risk Assessment (TPRA) skill. Tell the agent the vendor name, the data they will process or access, and the applicable regulatory framework (GDPR, HIPAA, SOC 2, NIST). The agent will structure the assessment and run automated validation tools.
Example conversation
You: We need to assess CloudPayments Ltd before signing a contract. They handle payment card data. They sent a completed SIG Lite questionnaire and a SOC 2 Type II report from 14 months ago.
Agent: Starting TPRA for CloudPayments Ltd. Scope: payment card data processing. I’ll validate the SIG Lite responses against their evidence, then audit the SOC 2 report. Note that the SOC 2 is 14 months old — I’ll check for a bridge letter to cover the gap to today. Running validate_sig_responses first…
Agent: SIG validation complete. 3 issues found: (1) Section H (Access Control) — claims MFA is enforced for all admin access, but the uploaded access control policy references single-factor authentication. Claim unsupported. (2) Section P (Privacy) — references a “GDPR DPA template v3” not included in the evidence package. (3) Section T (Threat Management) — pentest report is dated 18 months ago; SIG answer states “annual penetration testing.”
You: Can you audit the SOC 2 report now?
Agent: SOC 2 audit complete. Report period: Jan–Dec of last year. No bridge letter found — there is a 14-month gap to today. Key findings: CC6.1 (logical access) had one exception noted — a terminated employee account was active for 11 days post-offboarding. All other controls received unqualified opinions. Overall risk rating: Medium-High. I recommend requesting a current bridge letter and clarification on the MFA claim before signing.
Output excerpt
Example vendor risk summary:
============================================================
Third-Party Risk Assessment Report
Vendor: CloudPayments Ltd | Scope: Payment Card Data Processing
Framework: NIST SP 800-161 | GDPR Art. 28
============================================================
SIG Questionnaire Validation
FAIL — Section H (Access Control): MFA claim unsupported.
Policy document references single-factor authentication.
FAIL — Section T (Threat Management): Pentest report is 18 months
old. SIG states annual testing — evidence gap.
WARN — Section P (Privacy): GDPR DPA template not provided.
SOC 2 Type II Audit
Report Period: Jan 1 – Dec 31 (prior year)
Bridge Letter: NOT PROVIDED — 14-month gap to assessment date.
Exception: CC6.1 — Terminated employee account active 11 days
post-offboarding (management response: process updated).
Overall Risk Rating: MEDIUM-HIGH
Required Actions Before Contract Signature:
1. Obtain current bridge letter (or updated SOC 2).
2. Clarify MFA policy — provide updated access control policy.
3. Provide pentest report dated within 12 months.
4. Include GDPR DPA template in evidence package.
============================================================
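The three automated checks the overview describes (unsupported SIG claims, SOC 2 coverage gaps with or without a bridge letter, and evidence older than the cadence an answer asserts) are shown below as an added worked example in Python; it is not the skill's own code or the validate_sig_responses tool. The vendor data, the keyword matching used to test a claim against its evidence, the 3-month coverage tolerance, and the FAIL/WARN scoring thresholds are all assumptions constructed for this example. It renders its result in the shape of the output excerpt above.

```python
"""Added example (not the skill's own code): the automated TPRA checks described in
the overview, run on constructed vendor data. Keyword matching, the 3-month coverage
tolerance and the scoring thresholds are assumptions for this example."""
from dataclasses import dataclass
from datetime import date

MAX_COVERAGE_GAP_MONTHS = 3           # assumed tolerance from coverage end to today
SEVERITY_WEIGHT = {"FAIL": 2, "WARN": 1}
ASSESSMENT_DATE = date(2025, 2, 15)   # constructed "today"
SOC2_PERIOD_END = date(2023, 12, 31)  # constructed end of the SOC 2 audit period


@dataclass(frozen=True)
class Evidence:
    name: str    # file name in the vendor's evidence package
    dated: date  # document date
    text: str    # extracted text (constructed here)


@dataclass(frozen=True)
class SigResponse:
    section: str              # SIG section
    claim: str                # control the vendor asserts
    evidence_ref: str         # file the vendor says supports it
    must_mention: tuple = ()  # terms the cited evidence must contain
    max_age_days: int = None  # e.g. 365 when the answer says "annual"


@dataclass(frozen=True)
class Finding:
    severity: str  # "FAIL" or "WARN"
    area: str
    detail: str


def months_between(start, end):
    """Whole calendar months from start to end (day of month ignored)."""
    return (end.year - start.year) * 12 + (end.month - start.month)


def validate_sig(responses, evidence, assessment_date):
    """Flag SIG answers whose cited evidence is missing, contradicting, or too old."""
    by_name = {e.name: e for e in evidence}
    findings = []
    for r in responses:
        ev = by_name.get(r.evidence_ref)
        if ev is None:
            findings.append(Finding("WARN", r.section,
                f"'{r.claim}' cites {r.evidence_ref}, not in evidence package"))
            continue
        missing = [t for t in r.must_mention if t.lower() not in ev.text.lower()]
        if missing:
            findings.append(Finding("FAIL", r.section,
                f"'{r.claim}' unsupported: {ev.name} does not mention {missing}"))
        if r.max_age_days is not None:
            age = (assessment_date - ev.dated).days
            if age > r.max_age_days:
                findings.append(Finding("FAIL", r.section,
                    f"{ev.name} is {age} days old; '{r.claim}' implies <= {r.max_age_days}"))
    return findings


def audit_soc2(period_end, bridge_letter_date, exceptions, assessment_date):
    """Flag a coverage gap to the assessment date and any auditor-noted exceptions."""
    findings = []
    # A bridge letter extends coverage from the period end to the letter's date.
    covered_to = max(period_end, bridge_letter_date) if bridge_letter_date else period_end
    gap = months_between(covered_to, assessment_date)
    if gap > MAX_COVERAGE_GAP_MONTHS:
        source = "bridge letter" if bridge_letter_date else "report period (no bridge letter)"
        findings.append(Finding("FAIL", "SOC 2 coverage",
            f"{source} ends {covered_to}; {gap}-month gap to assessment date"))
    for control, note in exceptions:
        findings.append(Finding("WARN", f"SOC 2 {control}", f"auditor exception: {note}"))
    return findings


def risk_rating(findings):
    """Assumed scoring: sum of severity weights, bucketed into four ratings."""
    score = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    return "HIGH" if score >= 9 else "MEDIUM-HIGH" if score >= 6 else "MEDIUM" if score >= 3 else "LOW"


def render_report(vendor, scope, findings, rating):
    """Plain-text summary in the shape of the output excerpt."""
    rule = "=" * 60
    lines = [rule, "Third-Party Risk Assessment Report", f"Vendor: {vendor} | Scope: {scope}", rule]
    lines += [f"{f.severity} - {f.area}: {f.detail}" for f in findings]
    return "\n".join(lines + [f"Overall Risk Rating: {rating}", rule])


def run_example():
    """Constructed evidence package mirroring the conversation above."""
    evidence = [
        Evidence("access_control_policy.pdf", date(2024, 6, 1),
                 "Administrative access requires a username and password (single-factor authentication)."),
        Evidence("pentest_report.pdf", date(2023, 9, 1),
                 "External penetration test of the payment gateway; two medium findings."),
    ]
    responses = [
        SigResponse("Section H (Access Control)", "MFA enforced for all admin access",
                    "access_control_policy.pdf", must_mention=("multi-factor",)),
        SigResponse("Section P (Privacy)", "GDPR DPA executed with sub-processors",
                    "gdpr_dpa_template_v3.docx"),
        SigResponse("Section T (Threat Management)", "annual penetration testing",
                    "pentest_report.pdf", must_mention=("penetration test",), max_age_days=365),
    ]
    findings = validate_sig(responses, evidence, ASSESSMENT_DATE)
    findings += audit_soc2(SOC2_PERIOD_END, None,
                           [("CC6.1", "terminated employee account active 11 days post-offboarding")],
                           ASSESSMENT_DATE)
    return findings, risk_rating(findings)


if __name__ == "__main__":
    fs, rating = run_example()
    print(render_report("CloudPayments Ltd", "Payment Card Data Processing", fs, rating))
```

Running the block prints a summary with two FAIL findings from the SIG validation (the MFA claim contradicted by the policy text, the pentest older than the "annual" cadence), one WARN for the missing DPA template, a FAIL for the 14-month SOC 2 coverage gap, and a WARN for the CC6.1 exception, rated MEDIUM-HIGH under the assumed scoring. Supplying a bridge letter dated on the assessment date to audit_soc2 removes the coverage finding, which is the effect a current bridge letter has in a real review.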