(270) 506-5140 CONTACT US

Vendor SOC for Cybersecurity: Do You Need to Request One?

Oct 29, 2019 by Lisa-Mae Hill, CTPRP

With increased scrutiny and regulations surrounding cybersecurity, it's a topic that is “talk of the industry.” Developed by the American Institute of Certified Public Accountants (AICPA), the SOC for cybersecurity is designed to assist organizations by providing an extra assurance that the cybersecurity program under review meets expectations and is operating effectively.  

When Do You Request a SOC for Cybersecurity?

There are a couple of times you may want to request a SOC for Cybersecurity report.

First, this may seem like an obvious reason, but you can request one if you want to evaluate the effectiveness or maturity of a vendor’s cybersecurity risk program.

Second, you may want to request the report if information technology is a critical component to the creation or delivery of the vendor’s product or service.

Do You Need to Request a SOC for Cybersecurity?

In short, the answer is no. You do not need to request a SOC for cybersecurity. And, even if you do request one, you may find the report is unavailable as it’s a voluntary audit. Not every vendor will have one as organizations aren’t mandated to do so.

What Are My Options?

With that said, if a SOC for cybersecurity is a necessity in order for you to feel comfortable doing business with a vendor, then I recommend you write it into your vendor contract as a service level agreement (SLA).

By doing so you’re setting expectations upfront and guaranteeing the vendor will provide one for as long as you engage in business together.

Although you do not need to request a SOC for cybersecurity, keep in mind that the report helps verify a vendor’s cybersecurity posture and efforts are effectively reducing cybersecurity risk. Given how important cybersecurity soundness is, it may not be a bad idea to make the request. However, that said, the SOC for cybersecurity audit has not taken off as a “must have” since it’s availability in 2017, so don’t expect many of your vendors to have the report yet.

Get a better understanding of your vendor SOC for cybersecurity reports. Download the Infographic.

vendor soc for cybersecurity

Lisa-Mae Hill, CTPRP

Written by Lisa-Mae Hill, CTPRP

Lisa-Mae is an experienced cybersecurity analyst with experience in both the private and public sectors. She has held the role of Subject Matter Expert and Information System Security Officer for a government based contractor and has extensive experience in Certification & Accreditation, CIS Critical Control Implementation and Auditing, Security Assessments and cybersecurity Policy. She has a Bachelor’s degree in Information Technology Management from State University of New York Delhi paired with many hours of additional cybersecurity and industry related training. She is also a Certified Third Party Risk Professional (CTPRP).

Follow Lisa-Mae Hill, CTPRP

Subscribe to the Venminder Blog