Are sub-service organisations (cloud providers, processors) reviewed (SOC reports / audits) and risks documented?
Description
What this control does
This control ensures that the organization actively reviews the security posture and operational practices of third-party service providers, particularly cloud infrastructure providers, SaaS vendors, and data processors that handle or process organizational data. The organization must obtain and evaluate independent audit reports (such as SOC 2 Type II reports, ISO 27001 certifications, or FedRAMP authorizations) to verify that these sub-service organizations maintain adequate controls aligned with the organization's security requirements. Risks stemming from the sub-service organizations' environments, control deficiencies, or scope limitations must be formally documented, assessed, and mitigated through compensating controls or contractual provisions.
Control objective
What auditing this proves
Demonstrate that the organization systematically reviews independent audit reports for all sub-service organizations handling sensitive data or critical functions, and formally documents identified risks with corresponding mitigation strategies.
Associated risks
Risks this control addresses
- Unauthorized access to organizational data through compromised sub-service organization infrastructure lacking adequate access controls
- Data loss or unavailability caused by inadequate backup or disaster recovery capabilities at the sub-service organization
- Compliance violations resulting from sub-service organizations failing to meet regulatory requirements applicable to organizational data
- Supply chain attacks exploiting unmonitored security weaknesses in sub-service organization environments
- Insufficient incident response capabilities at sub-service organizations leading to delayed breach notification and containment
- Data exfiltration through inadequate network segmentation or encryption practices at sub-service organization facilities
- Cascading service failures due to undisclosed dependencies or single points of failure within sub-service organization architectures
Testing procedure
How an auditor verifies this control
- Obtain the organization's complete inventory of sub-service organizations that process, store, or transmit organizational data, including cloud providers, SaaS vendors, and third-party processors.
- Request copies of the most recent SOC 2 Type II reports, ISO 27001 certificates, or equivalent independent audit reports for each identified sub-service organization.
- Verify that audit reports are current (typically within the last 12 months) and cover the specific services and data types used by the organization.
- Review the audit report scope sections to confirm that systems and processes relevant to organizational data are included in the assessed boundary.
- Examine documented risk assessments or risk registers that identify specific control deficiencies, scope limitations, or exceptions noted in sub-service organization audit reports.
- Select a sample of identified risks and trace them to documented mitigation strategies, compensating controls, or formal risk acceptance decisions with management approval.
- Interview personnel responsible for vendor management to confirm the frequency of review cycles and escalation procedures when audit reports are unavailable or contain significant deficiencies.
- Verify that contracts or service level agreements with sub-service organizations include provisions requiring timely provision of audit reports and notification of material control changes.