
CC9: Risk Mitigation and Vendor Management in SOC 2

SOC 2 CC9 covers risk mitigation and vendor/business partner management. Learn the CC9.1–CC9.2 requirements, vendor risk assessment process, and evidence to collect.

Key Takeaways
  • CC9.1 requires documented risk mitigation activities for business disruption risks; its points of focus include considering insurance (in practice, cyber insurance) to offset the financial impact of loss events.
  • CC9.2 requires vendor and business partner risk assessments before onboarding and periodically thereafter.
  • Vendor risk assessment must cover security, data handling, and business continuity.
  • Contracts with key vendors must include security requirements and data processing terms.
  • SOC 2 reports or security questionnaire responses from vendors serve as assessment evidence.

What Is CC9?

CC9 is the final common criterion in the SOC 2 Trust Services Criteria. It addresses risk mitigation (CC9.1) and vendor and business partner management (CC9.2). Both sub-criteria connect back to the risk assessment in CC3 — risks that were identified must be mitigated, and risks introduced through third parties must be managed.

Vendor risk is increasingly relevant for SaaS companies that rely on dozens of third-party services — cloud infrastructure, payment processors, analytics tools, communication platforms. Each vendor is a potential point of failure or breach, and CC9.2 requires you to assess and manage those risks.

CC9.1: Risk Mitigation Activities

CC9.1 requires the entity to identify, select, and develop risk mitigation activities for risks arising from potential business disruptions. (Risks introduced by vendors and business partners are the subject of CC9.2, not CC9.1.) The primary mitigation activities are controls (covered in CC5), business continuity and disaster recovery planning, and risk transfer through insurance.

Insurance is named in the AICPA points of focus for CC9.1 as a way to offset the financial impact of loss events that would otherwise impair the entity's ability to meet its objectives. Your cyber insurance policy (carrier, coverage period, coverage limits, which incident types are covered and which are excluded) should be documented in your risk register as the risk transfer mechanism for high-impact cyber risks, so the auditor can trace specific risks to it.

Business continuity planning (BCP) and disaster recovery planning (DRP) also fall under CC9.1. Your BCP should define how the organization continues to operate during a major disruption (key person dependency, cloud region outage, office inaccessible). Document the plan, review it annually, and conduct a tabletop exercise.

CC9.2: Vendor Risk Management

CC9.2 requires assessing the risks associated with using vendors and business partners and implementing risk mitigation activities. The assessment should happen before onboarding a new vendor and periodically (typically annually) for existing vendors.

Your vendor risk management process should: (1) Maintain a vendor inventory. (2) Categorize vendors by risk tier (critical, high, medium, low) based on access to data and systems. (3) Assess each vendor using a standard set of criteria. (4) Document the assessment results and approval.

For critical vendors (those with access to production data or infrastructure), request their SOC 2 Type II report, penetration test executive summary, and most recent vulnerability scan results. Review these before onboarding and annually. For lower-tier vendors, a completed security questionnaire (or completion of a shared questionnaire via platforms like OneTrust or SecurityScorecard) may be sufficient.

Vendor Tiering and Assessment Frequency

Tier 1 (Critical): Vendors with access to production data or with the ability to affect system availability. Examples: AWS, Stripe, Twilio, Okta, your customer support platform. Require annual SOC 2 report review, DPA, and security addendum in contract. Assessment frequency: annual.

Tier 2 (High): Vendors with access to employee data or internal systems. Examples: HR platform, payroll processor, video conferencing. Require DPA and security questionnaire. Assessment frequency: annual.

Tier 3 (Medium/Low): Vendors with no access to personal data or production systems. Examples: design tools, task management, marketing platforms. Lightweight assessment — review their privacy policy and terms of service. Assessment frequency: upon major changes or every 2 years.
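The tiering rules and assessment frequencies above, together with the four-step process in the previous section, are mechanical enough to check with a script before the auditor asks. The following is an added example, not code from the original article or from any vendor platform: it assigns a tier from a vendor's data and system access, checks that the evidence the article expects for that tier is on file, and flags vendors whose periodic assessment is overdue or who were never assessed at all. The inventory, the evidence labels and the `Vendor` field names are constructed assumptions for the example.

```python
"""Vendor inventory tiering and CC9.2 evidence-gap check (added example).

The tier rules mirror the article's Tier 1/2/3 definitions. The vendor
records, evidence labels and field names below are constructed for the
example and are not a real inventory.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Vendor:
    name: str
    production_data: bool = False        # access to customer/production data
    affects_availability: bool = False   # outage at the vendor takes us down
    employee_data: bool = False          # HR, payroll, internal systems
    last_assessed: Optional[date] = None  # None = never assessed
    evidence: Set[str] = field(default_factory=set)  # evidence on file


# Evidence the article expects per tier (labels are assumptions).
REQUIRED_EVIDENCE: Dict[int, Set[str]] = {
    1: {"soc2", "dpa", "security_addendum"},
    2: {"dpa", "questionnaire"},
    3: {"privacy_policy_review"},
}

# Maximum interval between assessments: annual for Tier 1/2, two years for Tier 3.
ASSESSMENT_INTERVAL: Dict[int, timedelta] = {
    1: timedelta(days=365),
    2: timedelta(days=365),
    3: timedelta(days=730),
}


def tier_for(v: Vendor) -> int:
    """Tier 1: production data or availability impact; Tier 2: employee data; else Tier 3."""
    if v.production_data or v.affects_availability:
        return 1
    if v.employee_data:
        return 2
    return 3


def assessment_due(v: Vendor, today: date) -> bool:
    """True if the vendor was never assessed or the tier's interval has elapsed."""
    if v.last_assessed is None:
        return True  # must be assessed before onboarding
    return today - v.last_assessed > ASSESSMENT_INTERVAL[tier_for(v)]


def find_gaps(vendors: List[Vendor], today: date) -> Dict[str, Tuple[int, List[str]]]:
    """Map vendor name -> (tier, list of issues) for vendors with any gap."""
    gaps: Dict[str, Tuple[int, List[str]]] = {}
    for v in vendors:
        t = tier_for(v)
        issues = [f"missing {m}" for m in sorted(REQUIRED_EVIDENCE[t] - v.evidence)]
        if assessment_due(v, today):
            issues.append("assessment overdue")
        if issues:
            gaps[v.name] = (t, issues)
    return gaps


# Constructed sample inventory and a fixed "today" so the output is reproducible.
TODAY = date(2024, 12, 1)
SAMPLE_VENDORS: List[Vendor] = [
    Vendor("CloudHost", production_data=True, affects_availability=True,
           last_assessed=date(2024, 2, 1),
           evidence={"soc2", "dpa", "security_addendum"}),
    Vendor("PayrollCo", employee_data=True,
           last_assessed=date(2023, 6, 15), evidence={"dpa"}),
    Vendor("DesignTool"),  # never assessed, nothing on file
    Vendor("SupportDesk", production_data=True,
           last_assessed=date(2024, 10, 1), evidence={"soc2", "dpa"}),
]

if __name__ == "__main__":
    for name, (tier, issues) in find_gaps(SAMPLE_VENDORS, TODAY).items():
        print(f"Tier {tier} {name}: {', '.join(issues)}")
```

Run against a real inventory, the output is the list of vendors an auditor will ask about: a Tier 1 vendor with no SOC 2 report on file, or a Tier 2 vendor last assessed more than a year before the period end, each needs either a fresh assessment or a documented, approved exception before fieldwork.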

Security Requirements in Vendor Contracts

For Tier 1 and Tier 2 vendors, your contracts should include: a Data Processing Agreement (DPA) specifying how they process your data; a requirement to notify you of security incidents within a defined timeframe (for example, 72 hours from discovery, so that you can meet your own notification obligations to customers and regulators); a right-to-audit clause or a requirement to maintain third-party security attestations (SOC 2, ISO 27001); and data deletion or return requirements upon contract termination.

Auditors will request 2-5 vendor contracts and look for these provisions. Having a standard vendor security addendum template that you attach to all Tier 1 contracts makes this process efficient and consistent.

CC9 Evidence Checklist

(1) Cyber insurance policy summary (carrier, coverage period, coverage limits). (2) Vendor inventory with tier classification. (3) Vendor risk assessment records — SOC 2 reports received, questionnaires completed — for Tier 1 vendors during audit period. (4) Sample vendor contracts showing DPA and security provisions. (5) Business continuity plan with last review date. (6) BCP/DRP tabletop exercise record.

Frequently Asked Questions

Does AWS need a vendor risk assessment for CC9.2?
Yes, but it is straightforward. AWS is a Tier 1 vendor. Your vendor risk assessment for AWS is: download AWS's current SOC 2 Type II report from AWS Artifact, confirm that the services and regions you use are within the report's scope, note any exceptions in the auditor's opinion, and document the complementary user entity controls (CUECs) the report assigns to you, since those are the controls your own auditor will expect you to operate under the shared responsibility model. AWS's DPA is incorporated into its standard service terms, so there is no separate DPA to negotiate; record that in the assessment.
How many vendors do we need to include in our vendor inventory?
All vendors that have access to your systems, data, or could significantly impact your operations. A typical SaaS company has 20-50 relevant vendors. Start with the ones that process customer data or have production access — these are the ones auditors will focus on.
What if a vendor refuses to provide their SOC 2 report?
Request an alternative: their ISO 27001 certificate, a completed CAIQ (Cloud Security Alliance questionnaire), or a completed custom security questionnaire. Document that you requested a SOC 2 report and they provided an alternative. If the vendor provides no security evidence at all, that is a risk to document and escalate.
Does CC9 require business continuity testing, or just planning?
CC9.1 is written around planning: its points of focus describe developing policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from events that disrupt operations. Testing is not spelled out in CC9.1 itself, but if the Availability criteria are in scope, A1.3 explicitly requires testing recovery plan procedures, and in practice auditors expect evidence that the BCP has been exercised (typically a tabletop exercise or an actual recovery test) whether or not Availability is in scope. An untested BCP will be raised as a gap.
Can we use a vendor risk management platform like SecurityScorecard for CC9.2?
Yes. SecurityScorecard, BitSight, and OneTrust Vendorpedia all provide continuous vendor risk scoring and questionnaire management, and they generate exportable reports that serve as CC9.2 evidence. Two caveats: an external security rating is based on what is observable from the internet and does not replace reviewing a Tier 1 vendor's SOC 2 report, and assessments must be reviewed and approved by a named individual on a recorded date, not just auto-generated by the platform.


AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.
