A SOC 2 attestation is a report in which an independent auditor states an opinion on a company’s controls over security and, depending on the scope the company selects, availability, processing integrity, confidentiality and privacy (the AICPA Trust Services Criteria). It is not a report on financial controls; that is SOC 1. SOC 2 doesn’t start with a detailed list of requirements that must be met and how to meet them. Instead, it sets out criteria, and the company designs and selects the controls it will use to demonstrate that applicable risks are mitigated.
What difference does that distinction make? If you’re evaluating a vendor’s security posture based on a SOC 2 report, the takeaway is this: a company can treat SOC 2 as an exercise in satisfying criteria rather than in establishing and maintaining information security.
“If all you do is request SOC 2 reports from vendors and file them away, you’re not really managing vendor risk—you’re just creating a false sense of security.”
This is not to say that a SOC 2 report isn’t valid assurance of a vendor’s security posture. However, the report isn’t the end of your due diligence as an outsourcer.
For example, a vendor’s SOC 2 report might state that its IT team reviews user access once a year. But what does that review actually look like? Especially in a larger organization, how can an IT team know exactly what access Jody in Finance really needs to do the job?
This is a hypothetical example of meeting a criterion in a “check the box” way. If security rather than compliance were the focus, the control might be designed differently: the access review could be performed by department managers (or whoever else knows what access each user really needs), with IT coordinating the review and carrying out the resulting changes.
But either approach could come up clean in a SOC 2 report, because in either case the vendor performed the control as described. This doesn’t mean SOC 2 is weak; it underscores that a business can be compliant without being truly secure. (By comparison, we rarely see businesses that are verifiably secure but not in compliance with the regulations or frameworks that apply to them.)
Is a control actually effective at mitigating the risk that a vendor presents to your business? That’s a question you can only answer by carefully reading and analyzing the SOC 2 report: the system description and scope, the controls the vendor chose, the auditor’s tests and any exceptions noted, the period covered (a Type II report tests operating effectiveness over a period of time; a Type I only evaluates control design at a point in time), and the complementary user entity controls the vendor expects you, as the customer, to operate.
If you accept a SOC 2 report at face value without scrutinizing it, it’s easy to treat it as blanket proof of security and overlook significant gaps that could leave your business exposed.
When you review a SOC 2 report, take time to:
- Enumerate the controls you expect every vendor at a given risk tier (High, Medium, Low, for instance) to have in place in order to mitigate the risks you’re most concerned about.
- Verify that the vendor’s SOC 2 report demonstrates those controls are in place and operating effectively, and that the report’s scope actually covers the systems and services you use.
- Identify key concerns and potential risks, including any exceptions the auditor noted and any complementary user entity controls you are expected to operate on your side.
- Follow up with the vendor to ensure your concerns are addressed.
If you’re able to do all that, you’re well on your way to an effective Third-Party Risk Management (TPRM) program.
Looking for expert help with establishing a TPRM program, or with taking your current program to the next level? Maybe you’re unsure where to start or how to move forward, since the work and cost involved can seem overwhelming.
If so, contact us. We can help you prioritize next steps, implement effective processes and demonstrably reduce vendor risk.