SOC 2 / ISAE 3402 collected for Tier-1 vendors
Demonstrate that the organization systematically collects, reviews, and maintains current independent assurance reports from all critical third-party vendors to validate their control environment.
Description
What this control does
This control requires the organization to obtain and maintain current SOC 2 Type II or ISAE 3402 assurance reports from all Tier-1 (critical or high-impact) third-party vendors that process, store, or transmit organizational data. Tier-1 vendors are typically those handling sensitive customer data, providing core business services, or having significant access to internal systems. Each report must be reviewed for scope adequacy (does the audited system and period cover the services the organization actually consumes?), for exceptions noted by the auditor, and for alignment with the organization's risk tolerance, and a fresh report must be obtained annually before the current one expires.
Control objective
What auditing this proves
Demonstrate that the organization systematically collects, reviews, and maintains current independent assurance reports from all critical third-party vendors to validate their control environment.
Associated risks
Risks this control addresses
- Undetected control deficiencies at critical vendors leading to data breaches or service disruptions affecting the organization's operations
- Compliance violations due to reliance on vendors whose control environments do not meet regulatory or contractual obligations
- Inadequate vendor security posture enabling lateral movement from compromised third-party systems into organizational infrastructure
- Financial and reputational damage from vendor-related security incidents that could have been identified through independent assurance reporting
- Operational failures when vendors experience availability or integrity issues that their own internal controls do not adequately address
- Legal liability arising from failure to exercise reasonable due diligence in vendor risk management practices
- Supply chain compromise through vendors with insufficient change management, access controls, or monitoring capabilities
Testing procedure
How an auditor verifies this control
- Obtain the organization's current vendor inventory and Tier-1 vendor classification criteria documentation
- Verify the Tier-1 vendor list includes all vendors meeting the classification criteria (e.g., processing sensitive data, revenue criticality, system access level)
- Request all SOC 2 Type II or ISAE 3402 reports collected from Tier-1 vendors within the past 12 months
- For a representative sample of 5-10 Tier-1 vendors, verify that assurance reports have been obtained, are dated within the last 12 months, and have not expired
- Review documentation showing that qualified personnel (security, risk, or compliance team) performed a formal review of each report, including scope assessment and exception analysis
- Examine evidence that identified exceptions or gaps in vendor reports triggered documented risk acceptance, remediation requests, or compensating controls
- Interview the vendor risk management owner to confirm the process for tracking report expiration dates and initiating renewal requests
- Test one instance where a vendor failed to provide a report or had material exceptions, and verify that escalation or alternative assurance activities were documented
Where this control is tested