
What Is a Vendor SOC 2+ Report?


Organizations across all industries turn to third-party vendors to outsource a wide range of products and services. Because of that, it's important to ensure that your organization is performing the right types of audits and assessments to evaluate those vendors. Reviewing vendor SOC reports is essential and helps you assess various aspects of a vendor's information security controls.


In some cases, a SOC 1 or SOC 2 report may be enough to properly assess your vendor. At other times, you may want to consider a SOC 2+ report. Also called Enhanced SOC 2 Reports, SOC 2+ reports should be considered by organizations that are highly regulated or that adhere to higher security standards.

What Is a SOC 2+ Report?

As the name suggests, a SOC 2+ report expands upon the basic model of a SOC 2 report. It was created by the American Institute of Certified Public Accountants (AICPA) in collaboration with the Cloud Security Alliance (CSA) and HITRUST. Where a SOC 2 report covers the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), a SOC 2+ report covers the Trust Services Criteria in addition to other industry and compliance frameworks.

This means that a SOC 2+ report is a more extensive version of the basic SOC 2 framework. Just as a SOC 2 report assesses the vendor's controls, a SOC 2+ report also evaluates whether those controls meet specific compliance requirements. For example, a healthcare organization dealing with a data storage provider may want to request a SOC 2+ report that assesses HIPAA compliance, to confirm that the vendor can protect patient information in line with HIPAA's requirements.

The flexible and extensive nature of a SOC 2+ report has made it more appealing to many organizations, especially those in industries with an increased risk of compliance violations, such as healthcare and financial services. As legislators continue to update regulations to preserve customer privacy and integrity, it has become more difficult for many organizations to ensure compliance across their vendors. Although still rarely seen, in some cases a SOC 2+ report may be the answer for both vendors and their customers: it creates comprehensive documentation of the controls' effectiveness and provides the assurance that those controls comply with the relevant regulatory frameworks.


3 Benefits of a SOC 2+ Report

While many organizations may feel that a SOC 2 report is sufficient, it's important to understand the benefits of a SOC 2+ report as an extension of the basic SOC 2 framework. When determining whether a SOC 2+ report is right for you, consider benefits such as:

  1. SOC 2+ reports increase efficiency. By compiling the information into a single document, rather than running separate compliance audits in addition to a SOC report, a SOC 2+ report takes several tests into account, which can reduce effort and cost for the stakeholders involved.
  2. It still evaluates controls against the Trust Services Criteria. Just as with the basic SOC 2 framework, SOC 2+ reports still assess factors such as the security of the vendor's physical locations, its privacy policies, and its availability. All aspects of the report should be handled with the same care and eye for detail, meaning that the Trust Services Criteria are evaluated in a SOC 2+ report just as thoroughly as the additional compliance requirements.
  3. Flexibility to match your needs. SOC 2+ reports can assess a wide range of compliance regulations and aren't confined to a single industry. A SOC 2+ report could assess against HIPAA, HITRUST, COSO, NIST, and many other frameworks. These additional controls are tested to the same standard to which the Trust Services Criteria are tested, which provides confidence in the assurance given.
     For vendors, too, SOC 2+ reports make it easier to report a range of proficiencies in one place and to build confidence in their services by demonstrating compliance to their customers.

Overall, SOC 2+ reports build on the critical aspects of a SOC 2 report: they ensure that your vendor's controls align with the Trust Services Criteria while also assessing regulatory compliance. This can improve efficiency for both vendors and their customers, saving valuable time and resources moving forward.

When it comes to assessing your vendors, you need to ensure that the proper controls are in place to protect your organization and that you can identify risks before issues arise. Though it's not necessarily a red flag if a vendor doesn't have a SOC 2+, these reports are growing in popularity in the industries most affected by compliance challenges and updated regulations. For many industries, it's time to start looking for these types of reviews and to have conversations with your vendors about whether they will pursue more focused audits like the SOC 2+, so you can determine whether their controls adequately satisfy your industry's regulatory requirements.
