Organizations trust third-party vendors to manage large volumes of sensitive customer data, with outsourcing increasing across all industries, including the highly-regulated healthcare sector and financial services. However, service providers don’t necessarily implement the same strict data security standards that these organizations do.
Cyber attacks targeting third parties are increasing, according to Gartner. Further, IBM Security and Ponemon Institute’s 2022 Cost of a Data Breach Report found third-party breach costs have increased from US$4.33 million to US$ 4.55 million.
The first step in preventing third-party data breaches is to perform a vendor risk assessment before onboarding. SOC 2 certification is an early indicator of whether a vendor will likely meet an organization’s security requirements or not.
Achieving compliance with the internationally recognized standard ensures that an organization has implemented effective information security measures for protecting sensitive and personal data and preventing data breaches. Aside from internal measures, organizations must also comply with specific Third-Party Risk Management requirements to achieve SOC 2 compliance.
This article details the third-party requirements of SOC 2 and how the UpGuard platform can help you implement and maintain each control as part of an effective vendor risk management program.
If you’re already familiar with SOC 2, skip ahead to its third-party risk requirements.
What is SOC 2?
System and Organization Control (SOC) 2 is an auditing standard for managing sensitive data, developed by The American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC). Its requirements are designed specifically for cloud-based service organizations, such as SaaS providers, software developers, and other technology services, to demonstrate they have adequate data protection controls to safeguard customer data.
SOC 2 reporting varies between service organizations, depending on the internal practices and security controls they choose to implement to achieve compliance with the trust service principles.
There are two types of SOC reports:
- Type I: The Type 1 report describes a vendor's system and organization controls and whether they suit relevant criteria.
- Type II: The Type 2 report details the operating effectiveness of the systems outlined in the Type I report.
Once issued, SOC 2 audit reports usually cover a 12-month period of time.
Learn more about the scope of SOC 2 >
What are the SOC 2 Compliance Requirements?
Organizations must undergo an external SOC 2 audit process to achieve certification. Auditors assess compliance based on a service organization’s ability to satisfy AICPA's Trust Services Criteria (TSC).
The five TSCs are as follows:
- Security: The protection of system resources from unauthorized access. Such measures could include network security, intrusion detection, and other security tools that protect against cyber threats, such as software vulnerabilities, data leaks, ransomware, and other types of malware. This principle aims to prevent data breaches and other serious cyber attacks.
- Availability: The accessibility of systems, products, or services, either contracted or listed in the service level agreement (SLA). The scope of Availablity does not cover functionality and usability, instead focusing on security-related criteria that can affect availability.
- Processing integrity: Addresses whether a system achieves its purpose in a complete, valid, accurate, timely, and authorized manner.
- Confidentiality: Addresses whether sensitive data is restricted to specific people or organizations. Whereas the Privacy principle is only applicable to personal information, Confidentiality extends to various types of sensitive data, such as trade secrets and intellectual property.
- Privacy: Addresses the collection, use, retention, disclosure, and disposal of personally identifiable information (PII) and its alignment with the organization's privacy notice and criteria set out in AICPA's Generally Accepted Privacy Principles (GAPP). Organizations must protect PII from both intentional and unintentional exposure.
Find out how to prepare for a SOC audit >
Important: A SOC 2 report investment is only worthwhile if you know the next steps to take after completing a SOC 2 audit.
What are the SOC 2 Third-Party Requirements?
The UpGuard platform can help you comply with the following third-party requirements of SOC 2’s Trust Services Criteria (TSC).
CC2.3 The entity communicates with external parties regarding matters affecting the functioning of internal control.
- Communicates Objectives Related to Confidentiality and Changes to Objectives
- Communicates Objectives Related to Privacy and Changes to Objectives
How UpGuard Helps
With UpGuard Vendor Risk, organizations can assess, monitor, and manage their vendors' security posture throughout the lifecycle, with continuous monitoring, instant security ratings, and integrated remediation workflows. Built-in reporting allows security teams to communicate these insights clearly to all key stakeholders.
CC3.2 The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties
How UpGuard Helps
UpGuard Vendor Risk continuously monitors vendors during the vendor management process for threats and vulnerabilities across six categories: website risks, email security, network security, phishing & malware, reputation risk, and brand protection. Identified risks are automatically categorized and assigned a criticality rating, enabling faster remediation.
CC3.4 The entity identifies and assesses changes that could significantly impact the system of internal control.
- Assesses Changes in Vendor and Business Partner Relationships
How UpGuard Helps
UpGuard Vendor Risk allows organizations to track their vendors’ security postures over time, instantly alerting users of any changes in a vendor’s security score. UpGuard users can tier vendors based on the inherent risk they pose to an organization and manually adjust these tiers to suit changes in business relationships.
The UpGuard platform displays tiered vendors in an exportable Vendor Risk Matrix, allowing security teams to visually convey the business impact of their organization’s vendor portfolio risk to executive management.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.
- Establishes Requirements for Vendor and Business Partner Engagements
How UpGuard Helps
UpGuard Vendor Risk centralizes the entire risk management process, including a pre-built questionnaire library of recognized compliance standards, such as PCI DSS and ISO 27001.
The Shared Profile feature allows organizations to share their security posture proactively by uploading completed security questionnaires, certifications, SLAs, and other related documentation, with current and prospective customers.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.
- Assesses Vendor and Business Partner Risks
- Assesses Vendor and Business Partner Performance
How UpGuard Helps
UpGuard Vendor Risk continuously monitors vendors to identify emerging threats and vulnerabilities in real-time. Built-in executive reporting allows security teams to communicate the ongoing management of third-party cybersecurity risks with key stakeholders.
Security and risk teams can leverage the pre-built questionnaire library of recognized compliance standards, such as PCI DSS and ISO 27001, and the Custom Questionnaire Builder, to monitor and assess third-party compliance throughout the vendor lifecycle.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.
- Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments
How UpGuard Helps
UpGuard Vendor Risk is a fully integrated vendor risk management platform. Organizations can identify vendor risks and request remediation centrally in the UpGuard platform, with a built-in messenger to streamline communication.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.
- Implements Procedures for Terminating Vendor and Business Partner Relationships
How UpGuard Helps
UpGuard Vendor Risk centralizes vendor due diligence workflows, from onboarding to offboarding. Organizations can ensure terminated vendors are following offboarding procedures, such as procurement, compliance, and regulatory requirements, by leveraging the in-platform Custom Questionnaire Builder to create and send offboarding questionnaires.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.
- Obtains Confidentiality Commitments from Vendors and Business Partners
- Obtains Privacy Commitments from Vendors and Business Partners
How UpGuard Helps
With UpGuard Vendor Risk, organizations can securely share confidentiality and privacy agreements with current and prospective customers within the platform with the Shared Profile feature. Organizations can add NDA protection to their Shared Profile to ensure potential customers agree to privacy and confidentiality terms before viewing internal documents.
CC9.2 The entity assesses and manages risks associated with vendors and business partners.
- Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners
- Assesses Compliance with Privacy Commitments of Vendors and Business Partners
How UpGuard Helps
The UpGuard Custom Questionnaire Builder allows organizations to create and send custom questionnaire templates to assess vendors on specific internal and external compliance requirements, including confidentiality and privacy requirements.
Risk and compliance teams can send pre-built questionnaires for relevant data privacy laws, such as the GDPR, PCI DSS, and CCPA, to identify third-party compliance gaps.
P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.
- Discloses Personal Information Only to Appropriate Third Parties
How UpGuard Helps
The UpGuard platform alerts organizations when a vendor’s security score drops below an acceptable level for the organization’s risk appetite. Security teams can prioritize risk remediation based on the severity of identified risks and the vendor’s level of criticality using the Vendor Tiering feature.
P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.
- Remediates Misuse of Personal Information by a Third Party
UpGuard Vendor Risk allows security teams to manage and monitor the vendor remediation process through fully automated workflows – from sending remediation requests to recording task completion.
P6.5 The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident-response procedures to meet the entity’s objectives related to privacy.
UpGuard Vendor Risk allows organizations to manage their vendors centrally within the platform. The UpGuard platform identifies third-party threats and vulnerabilities which could facilitate a data breach, allowing security teams to request remediation immediately.
