Sub-service organisations evidenced
Demonstrate that the organization has documented all sub-service organizations, obtained current security assurance evidence for each, and validated that their controls meet organizational security requirements.
Description
What this control does
This control requires that organizations maintain and validate evidence of security controls and assurance activities for all sub-service organizations (subprocessors, cloud providers, managed service providers, and other third parties) that process, store, or transmit organizational data. The organization must obtain and review independent audit reports (SOC 2 reports, ISO 27001 certificates, or equivalent), security documentation, and attestations from each sub-service provider. This ensures that the security posture of the entire service delivery chain is documented, assessed, and held to organizational standards. It is particularly critical for compliance frameworks such as SOC 2, where the service organization's boundaries must be clearly defined.
Control objective
What auditing this proves
Demonstrate that the organization has documented all sub-service organizations, obtained current security assurance evidence for each, and validated that their controls meet organizational security requirements.
Associated risks
Risks this control addresses
- Unauthorized data access or breach occurring at a sub-service provider without organizational visibility or accountability
- Compliance violations due to undocumented sub-service organizations not meeting regulatory requirements (GDPR, HIPAA, PCI-DSS)
- Service disruption cascading from sub-service provider security incidents that were not assessed or monitored
- Contractual liability exposure when sub-service providers lack adequate security controls or indemnification provisions
- Audit scope limitations or qualified opinions when auditors cannot verify controls at undocumented sub-service organizations
- Data residency or sovereignty violations when sub-service providers use undisclosed infrastructure locations
- Inadequate incident response coordination due to unknown or unverified sub-service provider security capabilities
Testing procedure
How an auditor verifies this control
- Obtain the current sub-service organization register or inventory listing all third parties that process, store, or transmit organizational or customer data
- For each listed sub-service organization, request and collect the most recent security assurance documentation (SOC 2 Type II reports, ISO 27001 certificates, FedRAMP authorization, or equivalent attestations)
- Verify that all collected audit reports and certificates are current, covering the audit period under review, and have not expired
- Select a sample of critical sub-service organizations (those handling sensitive data or providing essential services) and review their audit reports for relevant control objectives and any identified exceptions or qualifications
- Cross-reference the sub-service organization inventory against vendor contracts, data processing agreements, and system architecture diagrams to identify any undocumented sub-service providers
- Interview system owners and procurement personnel to confirm that onboarding procedures require security assurance evidence before sub-service organizations are authorized to process organizational data
- Review evidence of organizational analysis or acceptance of any control exceptions, gaps, or qualified opinions identified in sub-service provider audit reports
- Verify that the organization has documented processes for monitoring sub-service organization security posture changes, contract renewals, and periodic re-assessment of assurance evidence
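As an added example (not part of this control page or any framework's own tooling), the following Python check implements the register cross-reference and evidence-currency steps above: it flags providers found in contracts or diagrams but absent from the register, providers with no evidence, and providers whose evidence does not cover the audit period. Provider names and dates are constructed, and the bridge-letter handling is an assumption drawn from common SOC 2 practice, not something the page states.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Evidence:
    kind: str                       # e.g. "SOC 2 Type II", "ISO 27001"
    period_start: date              # report period or certificate validity window
    period_end: date
    bridge_letter_through: Optional[date] = None  # bridge (gap) letter, if obtained

    def effective_end(self) -> date:
        # Assumption: a bridge letter extends management's assertion beyond the report period.
        if self.bridge_letter_through and self.bridge_letter_through > self.period_end:
            return self.bridge_letter_through
        return self.period_end

    def covers(self, audit_start: date, audit_end: date) -> bool:
        return self.period_start <= audit_start and self.effective_end() >= audit_end


def evaluate_register(register, providers_in_use, audit_start, audit_end):
    """Cross-reference the register against providers named in contracts, DPAs and
    architecture diagrams, then test each provider's evidence against the audit period.
    Returns {finding_type: sorted provider names}."""
    findings = {"undocumented": [], "missing_evidence": [], "not_covering_period": []}
    for provider in providers_in_use:
        if provider not in register:
            findings["undocumented"].append(provider)
    for provider, evidence in register.items():
        if not evidence:
            findings["missing_evidence"].append(provider)
        elif not any(e.covers(audit_start, audit_end) for e in evidence):
            findings["not_covering_period"].append(provider)
    return {kind: sorted(names) for kind, names in findings.items()}


AUDIT_START, AUDIT_END = date(2024, 1, 1), date(2024, 12, 31)
# Constructed register with hypothetical provider names and evidence dates.
REGISTER = {
    "cloud-hosting-example": [Evidence("SOC 2 Type II", date(2023, 10, 1), date(2024, 9, 30),
                                       bridge_letter_through=date(2024, 12, 31))],
    "email-delivery-example": [Evidence("ISO 27001", date(2022, 3, 1), date(2025, 2, 28))],
    "analytics-example": [Evidence("SOC 2 Type II", date(2023, 1, 1), date(2023, 12, 31))],
    "payroll-example": [],
}
# Constructed set of providers found in contracts, DPAs and architecture diagrams.
PROVIDERS_IN_USE = {"cloud-hosting-example", "email-delivery-example", "analytics-example",
                    "payroll-example", "backup-storage-example"}
if __name__ == "__main__":
    print(evaluate_register(REGISTER, PROVIDERS_IN_USE, AUDIT_START, AUDIT_END))
```

Each non-empty finding list maps to a testing step above: undocumented providers to the cross-reference step, and missing or non-covering evidence to the currency check, so the output is the starting point for reviewing exceptions and acceptance decisions.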
Where this control is tested