Though very helpful in representing the efficacy of a service provider’s third-party risk management program, SOC reports aren’t always available. Some service providers either don’t have the budget for a SOC report or are unwilling to undergo the laborious process of an SSAE-18 audit.
While a lack of a SOC report should raise alarm bells during the due diligence process, it shouldn’t necessarily result in the disqualification of a prospective vendor. Other options for reviewing a service provider's Vendor Risk Management efforts without a SOC report are available. In this post, we outline three different alternatives for assessing the efficacy of third-party security controls when a SOC report isn’t available.
3 Alternatives to SOC Reports for Evaluating Third-Party Security Controls in 2023
Any alternative to a SOC report should provide insight into the operating effectiveness of a service provider’s internal controls. This requirement disqualifies reports that are part of a larger cybersecurity strategy, such as attestations of regulatory compliance. Each option in this list offers a unique perspective for assessing your vendor’s control environment within a Third-Party Risk Management program.
1. Risk Assessments and Questionnaires
Risk assessments and security questionnaires are effective at extracting meaningful information about an organization’s information security program. These assessments can be tailored to vendor management efforts and to the control objectives of a service organization.
In Vendor Risk Management, the terms risk assessment and security questionnaire are commonly used interchangeably.
Since a System and Organization Controls 2 (SOC 2) report evaluates how a service provider secures customer data in the cloud, any alternative risk assessment must map to a security framework with comparable standards for protecting sensitive data.
One example of a security questionnaire that evaluates the data security standards of third-party vendors is an ISO 27001 assessment, which is a strong alternative to a SOC 2 report.
In Europe, vendors don't usually provide SOC reports but provide proof of ISO 27001 certification. Should ISO 27001 certification be provided instead of a SOC 2 report, follow-up security questionnaires may still be required to fill any remaining security control knowledge gaps.
When opting for a risk assessment over a SOC report, it’s essential to ensure your assessment efforts address the complete scope of analysis covered by each type of SOC report (SOC 1, SOC 2, and SOC 3), including:
- Effectiveness of identifying and addressing security risks to sensitive data.
- The likelihood of staff falling victim to phishing attacks leading to data breaches.
- Security control strategies that are in place for mitigating data security risks.
- Communication protocols for ensuring data security solutions and data systems are regularly patched.
With some creativity, an alternative evaluation solution covering this breadth of a cybersecurity program can be established. The solution isn’t neat, but it should successfully compensate for the lack of a SOC report. It comprises two primary components - security ratings and risk assessment amalgamation.
Security ratings quantify a vendor’s security posture against a set of attack vectors. Security rating solutions, such as UpGuard’s, assess vendors against 70+ attack vector criteria, including domain hijacking, email spoofing, and even phishing - a security risk prioritized in SOC reports.
UpGuard’s mechanism for calculating security ratings.
Risk Assessment Amalgamation
The second component of this SOC report alternative is more complex. It involves mapping components of various risk assessments to each evaluation category of a SOC report to produce a new custom assessment.
Assessments that overlap to some degree with SOC reporting, and that can be used for this purpose, are listed below:
- CIS Critical Security Controls - The CIS Controls are a framework for effective cyber defense that evaluates resilience against common cyber attacks. This assessment could uncover vulnerabilities that facilitate data breaches.
- Consensus Assessments Initiative Questionnaire (CAIQ) - This assessment, developed by the Cloud Security Alliance (CSA), evaluates the information security best practices of data centers. The CAIQ could help you assess the data security control strategy of third-party vendors that do not have Type 2 reports.
- NIST 800-171 - NIST 800-171 outlines cybersecurity standards across 14 control families, some of which could provide insights into a vendor’s data security control strategy and communication protocols. The security controls of particular interest for this use case include access control, risk assessment, security assessment, incident response, and configuration management control families.
This Frankenstein method of producing a new assessment by piecing together the relevant components of others is most efficiently achieved with a customizable security questionnaire solution.
For illustrative purposes, we will use the UpGuard platform as an example.
With UpGuard’s custom questionnaire builder, you can quickly modify existing questionnaires mapped to frameworks such as NIST 800-171, NIST CSF, ISO 27001, and others to create a new custom questionnaire that meets your unique assessment requirements.
Important: When requesting a SOC 2 report from a vendor, receiving a SOC 2 report for just their data center is not an acceptable compromise. You must also understand how the vendor handles your customer data and their strategy for protecting it from compromise.
2. Agreed Upon Procedures Report
An Agreed Upon Procedures (AUP) report is a custom assessment that evaluates only the security controls relevant to a particular third-party relationship. Because AUP reports are less time-consuming and more cost-effective, they are sometimes requested in place of SOC reports.
An example scenario in which an AUP report would be used is when querying the security controls related to data storage and processing for a software development client. In this case, you would engage a third-party auditor to conduct a customized assessment of these security controls. The auditor would then perform the agreed-upon procedures, evaluate the effectiveness and compliance of these controls, and present their findings in a final audit report.
With an AUP report, you can assess the efficacy of a specified set of security controls when the full scope of coverage offered by a SOC report is unavailable or unnecessary.
An AUP report can be created with UpGuard’s custom questionnaire builder, which allows completely bespoke questionnaires to be built from the ground up, starting from a blank canvas.
3. Perform Proper Vendor Due Diligence
Vendor Due Diligence (VDD) involves a comprehensive evaluation of a prospective vendor’s cybersecurity practices to determine whether they’d be an asset or a liability if onboarded. When performed strategically, VDD will uncover the same security control risks presented in SOC Type I and Type II reports.
Vendor Due Diligence reveals the following SOC-related information about the cybersecurity efforts of the parties you outsource to:
- Company structure - This information could include details about the vendor’s data center.
- Data Access - The information will reveal the vendor’s required degree of access to your sensitive customer data. This information is vital for tiering vendors based on their level of security risks, an essential practice for efficient remediation management.
- Third-Party Risk Management (TPRM) - This information will outline the vendor’s TPRM security control strategy.
- Fourth-Party Risk Management (FPRM) - Many VDD efforts disregard this. FPRM is essential to assess as it reveals the vendor’s likelihood of suffering a third-party breach, which could have detrimental downstream effects on your customer data.
- Incident Response Plan - A vendor’s Incident Response Plan reveals valuable information mapping to SOC reporting, including details about data breach communication protocols and measures for mitigating active cyber threats.