7 Steps to Take After Receiving a Vendor SOC Report
You received your vendor's SOC report, now what?
One of the most important steps in the vendor due diligence process is reviewing your vendor’s SOC report. Once you receive a SOC report from your vendor, there are certain steps you can take to make the process more efficient. Listen to this week’s podcast to find out seven steps to take once you receive a vendor SOC report.
Hi – my name is John with Venminder.
In this 90-second podcast, you’re going to learn steps to take after receiving a vendor SOC report.
We have a team of qualified IT professionals, such as CISSPs, who analyze vendor SOC reports for our clients daily.
SOC reports are important to review as they can help identify the controls your vendor has in place to secure your data and whether those controls are adequate or faulty.
Here are 7 steps to take after you receive the SOC report:
- Step 1 is to begin analyzing the report. Don’t just check-the-box and file it away. Start with reviewing the reporting period to verify it’s current.
- Next, review the organization and administration section for a more detailed overview regarding your vendor.
- The third step is to review the products and services listed. Does the report you’re reviewing cover the product or services that you’re using?
- The fourth step is to understand the information system section. Within this area, you’ll find more about the vendor’s servers, networks and computer systems.
- Fifth, look at the data center information. Confirm that the vendor is sufficiently protecting information with proper access controls, monitoring and environmental protections.
- Sixth, do a deep dive review of the control objectives and activities. They’ll be tested by an audit firm and the findings should relay if controls are effective or not.
- Finally, review the Complimentary User Entity Controls and verify that your organization has implemented them.
Once you’re finished with your vendor SOC review, a qualified subject matter expert should finalize the findings and draft an analysis to be shared with senior management and the board.
Thanks for tuning in; catch you next time!
Subscribe to our Third Party Thursday Newsletter
Receive weekly third-party risk management news, resources and more to your inbox.