Statement on Standards for Attestation Engagements (SSAE) audits are conducted by third-party auditors and are used to document and evaluate internal controls. The SOC reports produced by an SSAE audit can be reviewed as part of vendor security risk assessments. Different types of SOC reports cover different controls and scopes. The most helpful for vendor assessments is the SOC 2 Type II because it covers more of the security- and IT-related controls, and does so over a period of time instead of at a single point in time.
Some organizations depend solely on reviewing their vendors’ yearly SOC reports for their vendor security risk assessment process. This isn’t an effective approach because SOC reports often don’t cover all the relevant security controls that you should assess your vendors for.
When using an SSAE audit report to assess your vendor’s security posture, two sections in the SOC report typically contain the most relevant security information.
The “Description of the System” section includes a summary of the services or a specific system. This section often contains helpful information when reviewing the organization’s security practices and operations.
The “Test Cases and Results” section describes the different test cases that the auditor used to assess whether the organization met the test criteria.
A SOC 2 Type II report often includes information about the following security controls:
SOC reports aren’t always consistent in the security controls they cover. The company under audit has input into which control groups it is assessed on. Some groups of controls are often not in scope for SOC reports and may need to be monitored by your company using a different method.
Some of the security controls that are generally not addressed in SOC reports include:
In addition to reviewing SOC reports, other methods can be used to assess the controls that are missing in a SOC report, including:
To streamline your vendor assessment process, it’s helpful to create a list of documentation that you need to request from your vendors on a yearly basis. You should also create a list of the relevant security controls that need to be assessed so that you can determine if reviewing your vendor’s SOC report is adequate or if additional assessment methods are needed. In most cases, a SOC report by itself does not provide enough information for a complete assessment.
Brianna Blanchard is the Senior Manager of Information Assurance and Advisory Services at NuHarbor Security where she leads a team of professionals. She has over 15 years of experience working in cybersecurity and information technology. Before joining NuHarbor Security, Brianna worked for government organizations helping them build their security compliance and governance programs from the ground up. Brianna currently is involved in co-leading the Women in Cybersecurity Council at Champlain College, with the goal of making cybersecurity more inclusive and Champlain College the best place for women in cyber.