How to Conduct a Vendor Security Review for SOC 2
SOC 2 CC9.2 requires vendor risk management. Learn how to review vendor security, collect evidence, and build a repeatable vendor assessment process.
- SOC 2 CC9.2 requires that risks from vendor and business partner relationships are identified, assessed, and managed.
- Tier your vendors by risk: Tier 1 (access to production systems/customer data) requires the most rigorous review.
- A vendor's SOC 2 report is the most credible security evidence — request it annually.
- Document each review with vendor name, risk tier, evidence collected, review date, and outcome.
- Annual reviews are the minimum for Tier 1 vendors; new vendor reviews should happen before onboarding.
Why SOC 2 Requires Vendor Reviews
SOC 2 CC9.2 states that the entity identifies and assesses risks arising from business relationships and selects vendors and business partners who can meet the entity's security commitments. This means you need a programme for selecting, reviewing, and monitoring the security posture of vendors who have access to your systems or customer data.
Auditors will test CC9.2 by asking for your vendor inventory, your most recent review records for Tier 1 vendors, and evidence that you have contracts with security clauses or vendor-provided SOC 2 reports. Missing vendor review evidence is a common SOC 2 finding.
Vendor Risk Tiering
Not all vendors require the same level of scrutiny. Tier your vendors by risk:
- Tier 1 — vendors with direct access to production systems or customer data (AWS, Okta, GitHub, Stripe, Salesforce, Zendesk).
- Tier 2 — vendors with access to internal systems but not customer data (Jira, Slack, Google Workspace, Notion).
- Tier 3 — vendors with no system access.
Tier 1 vendors require: annual review, SOC 2 report (or equivalent), data processing agreement, and security clauses in the master services agreement. Tier 2 vendors require: biennial review, security questionnaire or public-facing security documentation.
The Review Process
Step 1: Request the vendor's SOC 2 report (Type II preferred). For vendors who do not have SOC 2, request their ISO 27001 certificate, CAIQ, or security whitepaper. Note: AWS, GitHub, Stripe, and Okta all have publicly accessible SOC 2 Type II reports — download them from their trust centre pages.
Step 2: Review the report. Focus on: the observation period (is it current?), any notable exceptions, the scope of services covered, and the criteria included.
Step 3: Document your conclusions. Write a brief review summary: vendor name, service provided, risk tier, SOC 2 report period, exceptions noted, and whether the vendor is approved for continued use.
Evidence to Collect
For each Tier 1 vendor, collect and store: current SOC 2 report (dated within 12 months), executed data processing agreement (if the vendor processes personal data on your behalf), security-specific contract clauses, and your internal review summary.
For AWS specifically: download the AWS SOC 2 Type II report from the AWS Artifact console. This is authoritative, current (updated quarterly), and free.
Create an annual calendar reminder for Tier 1 vendor reviews — typically scheduled 1–2 months before their SOC 2 report period ends.
When to Use Questionnaires
Security questionnaires (typically the SIG Lite or CAIQ) are useful for Tier 1 vendors who do not have a SOC 2 report. They ask vendors to attest to specific security practices across domains: access control, encryption, incident response, business continuity, and others.
Limitations: questionnaires are self-reported attestations without independent verification. A SOC 2 report from a CPA firm is significantly more credible. Use questionnaires as a supplement or fallback, not a replacement for independent audit reports.
Documentation and Tracking
Maintain a vendor register with: vendor name, service provided, risk tier, data processed (if any), contract/DPA status, last review date, next review date, and review outcome.
Store vendor review evidence in your compliance tool alongside the register. The combination of the register (showing you have a programme) and the evidence files (showing you actually conducted reviews) satisfies CC9.2 completely.
Review your vendor register quarterly: add new vendors before they are onboarded, flag vendors whose SOC 2 reports are expiring, and remove vendors you have offboarded.
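As an added example (not code from the original guide), a small Python check that applies the cadence rules above to a vendor register during the quarterly review: Tier 1 annual and Tier 2 biennial reviews, the 12-month freshness limit on SOC 2 reports, and a reminder as a report period approaches. The vendor names, dates and the 60-day reminder window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Cadence from the guide: Tier 1 annual, Tier 2 biennial; Tier 3 has no scheduled review.
REVIEW_INTERVAL_DAYS = {1: 365, 2: 730}
REPORT_MAX_AGE_DAYS = 365   # a Tier 1 SOC 2 report must be dated within 12 months
REMINDER_LEAD_DAYS = 60     # assumed: flag about 2 months before the report period ends

@dataclass
class Vendor:
    name: str
    tier: int
    last_review: Optional[date]      # None = never reviewed
    soc2_period_end: Optional[date]  # end of the Type II observation period; None = no report

def register_findings(vendors, today):
    """Return (vendor, finding) pairs that need action in the quarterly register review."""
    findings = []
    for v in vendors:
        interval = REVIEW_INTERVAL_DAYS.get(v.tier)
        if interval is None:
            continue  # Tier 3: no system access, no scheduled review
        if v.last_review is None:
            findings.append((v.name, "never reviewed: review before onboarding"))
        elif (today - v.last_review).days > interval:
            findings.append((v.name, "review overdue"))
        if v.tier != 1:
            continue  # independent audit evidence is only mandatory for Tier 1
        if v.soc2_period_end is None:
            findings.append((v.name, "no SOC 2 report: collect ISO 27001, CAIQ or questionnaire"))
        elif (today - v.soc2_period_end).days > REPORT_MAX_AGE_DAYS:
            findings.append((v.name, "SOC 2 report older than 12 months"))
        elif (v.soc2_period_end - today).days <= REMINDER_LEAD_DAYS:
            findings.append((v.name, "SOC 2 report period ending soon: request the next report"))
    return findings

# Constructed sample register: illustrative vendors and dates, not real review records.
AS_OF = date(2024, 8, 15)
SAMPLE_REGISTER = [
    Vendor("cloud-provider", 1, date(2024, 3, 1), date(2024, 9, 30)),  # report period ends in 46 days
    Vendor("payments", 1, date(2023, 1, 15), date(2023, 6, 30)),       # review and report both stale
    Vendor("ticketing", 1, None, None),                                 # new vendor, no evidence yet
    Vendor("chat", 2, date(2023, 2, 1), None),                          # Tier 2, inside biennial window
    Vendor("office-supplies", 3, None, None),                           # Tier 3, nothing to schedule
]
if __name__ == "__main__":
    for name, finding in register_findings(SAMPLE_REGISTER, AS_OF):
        print(f"{name}: {finding}")
```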
Frequently Asked Questions
How many vendors do we need to review for SOC 2?
What if a Tier 1 vendor does not have a SOC 2 report?
Do we need DPAs with all vendors for SOC 2?
Does using AWS satisfy our vendor review requirement for infrastructure?
How do we handle vendor offboarding from a SOC 2 perspective?