Why a Vendor SOC Report Is Not Enough and How to Fill the Gaps

Service Organization Controls (SOC) reports are a key document in third-party risk management for assessing your vendor’s information security controls and identifying any potential risks. SOC reports can provide critical insights that give you a picture of your vendor’s security measures and capabilities and what you can expect from your vendor during the relationship.

However, while incredibly useful, SOC reports can’t cover every base, so it’s important to understand exactly how SOC reports assess your vendor’s risk posture and where gaps need to be addressed. When assessing your vendor, you need to utilize all the tools at your disposal, because SOC reports alone cannot assess your vendor from every angle or give you a full picture of the vendor’s cybersecurity and business continuity posture.

What Vendor SOC Reports Can Assess

When we talk about SOC reports, it’s important to note that there are several types of SOC reports, each serving separate functions and assessing different controls. The two main reports that you’ll come across are the SOC 1 and SOC 2 reports. You’ll also start seeing more SOC for Cybersecurity reports. Let’s discuss further:

  • A SOC 1 report assesses a vendor’s financial reporting controls and should be used when evaluating your non-information system-based vendors.
  • A SOC 2 report assesses the vendor’s controls in relation to the 5 Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. It should be requested when you’re evaluating whether the vendor’s controls can protect your sensitive data.
  • A SOC for Cybersecurity provides a more detailed insight into the organization’s cybersecurity risk management program.

Each report can be broken down further into Type I and Type II. Type I reports assess control performance at a single point in time, while Type II reports assess controls over a selected period of time. If you have a choice between the two, you should request a Type II report to more effectively identify any vulnerabilities or changes to performance levels.

The different types of SOC reports offer variety to meet your needs when it comes to assessing a vendor’s controls. However, even as new SOC reports emerge, it’s important to understand that SOC reports still leave gaps in the due diligence process, which you will need to address with other audits.

Alternatively, your vendor may provide a bridge letter, also known as a gap letter, which can be used to give assurance about the vendor’s controls while waiting for an updated SOC report. While bridge letters can assure your organization that the vendor’s controls are working properly, they may not always suffice. Most importantly, however, a bridge letter can’t replace a SOC report, and your organization should review the updated SOC report as soon as possible.

What Vendor SOC Reports Can’t Tell You

Just because your vendor provides a SOC report doesn’t mean that you are free from risk. As a tool, SOC reports can help identify any issues or vulnerabilities in the vendor’s controls, but they aren’t enough on their own, and you shouldn’t fall into a false sense of security just because a SOC report highlights positive performance.

In some cases, a report may fail to cover every aspect of the Trust Services Criteria, or the vendor may leave out a group of controls. A SOC report isn’t a catch-all and cannot offer a full picture of the vendor’s cybersecurity and business continuity resilience.

Addressing Any Gaps Left After a Vendor SOC Report Review

So, what can you do? What alternatives can you use to address the gaps of the SOC reports and still fully assess the vendor’s controls for risks? Here are a few documents you can request to assess your vendor:

  • Copies of the vendor’s full cybersecurity, business continuity, and disaster recovery plans as well as their response plans including incident, pandemic, and crisis. These will provide a clear picture of how the vendor will deal with any incidents and what you can expect.
  • A specific vendor risk assessment questionnaire. You can request that your vendor fill out a questionnaire with specific questions that provide information about the controls that affect your organization and that may have been missed in the SOC report.
  • Additional audits and certifications. Does your vendor have proper certifications and licensing to show that their controls meet regulatory standards? You can use audit results to verify the vendor’s controls and compliance.
  • Testing results. For example, penetration testing results can highlight the vendor’s performance and how well the controls functioned in simulated testing, which can provide key insights.

Ultimately, you need to ensure that you have enough information to understand how your vendor manages their information security practices. This should include their controls for protecting data, implementing privacy protections, and ensuring solid availability. While a SOC report contains some of this information, its depth is limited. For that reason, it’s essential to dig deeper into your vendor’s full policies, procedures, and testing to gain a better view of how your vendors operate.

SOC reports are useful tools for assessing your vendor’s controls, but they may not always provide the full picture of your vendor’s risk posture. For that reason, it’s important to understand both the strengths of SOC reports, as well as the gaps that will need to be addressed through supplemental documentation and audits, so that your organization can work to identify and mitigate any potential risks and defend against incidents.
