Why CC9.2 Gets Skipped Until the Last Minute

CC9.2 is part of the Risk Mitigation category in SOC 2's Common Criteria. It requires that organizations identify, assess, and manage risks that arise from the use of third-party vendors with access to company data or systems. Despite being a clearly defined requirement, it is one of the most frequently underprepared areas in first-time SOC 2 engagements.

The reason is structural: most early-stage SaaS companies prioritize the technical controls during SOC 2 prep — IAM configuration, encryption settings, access reviews, vulnerability scanning. These controls feel concrete and are easy to demonstrate with screenshots and exports. Vendor risk management feels more like a paperwork exercise, and it keeps getting pushed to "we'll handle that next week" until the week before audit fieldwork.

Auditors know this. CC9.2 is a standard sampling target precisely because it is routinely thin. Coming into fieldwork with a vendor list and no assessment records is a predictable finding.

What CC9.2 Actually Requires

CC9.2 states that the entity selects, develops, and performs ongoing evaluations to ascertain whether the operation of components in an outsourcing arrangement meets the entity's objectives. In plain language, this means you need to: know which vendors have access to your data or systems, assess their security practices, document that assessment, and repeat the assessment on a regular schedule.

The assessment does not need to be exhaustive. Reviewing the vendor's current SOC 2 Type II report, downloading their ISO 27001 certificate, or completing a vendor security questionnaire all qualify as assessments. The key requirements are: the assessment was performed, it was documented, and it was performed during the audit period or is still relevant to it.

The "ongoing" part matters as much as the initial assessment. A vendor assessment from three years ago is not sufficient evidence for a current audit. Auditors look for evidence that assessments were updated within the last 12 months, or that you have a defined schedule for reviews and evidence that you followed it.

Building Your Vendor Inventory

The starting point for CC9.2 is a complete vendor inventory. This sounds straightforward but is often incomplete in practice. "Vendors with access to our data or systems" includes more than the obvious infrastructure providers.

Categories to include:

  • Infrastructure and cloud: AWS, GCP, Azure, and any managed services from these providers that store or process customer data
  • Identity and access management: Okta, Google Workspace (for SSO), any SAML 2.0 identity providers
  • Monitoring and observability: Datadog, PagerDuty, Sentry, New Relic — these often have access to application logs that may contain sensitive data
  • Code and deployment: GitHub, CircleCI, Vercel, or other deployment platforms that have production access
  • Customer support and communication: Intercom, Zendesk, HubSpot — these typically store customer data directly
  • Payment processing: Stripe, Recurly — in-scope for PCI, but also relevant to SOC 2 confidentiality criteria
  • HR and onboarding: Gusto, Rippling, or similar platforms that process employee data

Sub-processors — vendors used by your vendors — are increasingly relevant to enterprise customers, particularly those subject to GDPR. Your vendor inventory should note which of your vendors use sub-processors that touch your data, and whether those sub-processors are disclosed.

Tiering Your Vendor Risk

Not all vendors require the same depth of assessment. A useful tiering approach categorizes vendors by the combination of data sensitivity and access level:

Tier 1 (critical): Vendors that store, process, or transmit customer data, or that have production access to your infrastructure. AWS, your identity provider, your CRM, and your monitoring platform typically fall here. These vendors require annual reassessment and documentation of their SOC 2 or ISO 27001 status.

Tier 2 (significant): Vendors with access to internal systems or data, but not directly to production customer data. HR platforms, internal communication tools, and corporate identity management fall here. These require biennial reassessment with a security questionnaire.

Tier 3 (low risk): Vendors with no access to data or systems — productivity tools, project management software, marketing platforms. These can be assessed at onboarding and reviewed less frequently.

Documenting your tiering criteria and applying them consistently is itself evidence for CC9.2. An auditor reviewing your vendor inventory should be able to see why each vendor was assigned its tier and verify that the appropriate assessment depth was applied.

What Counts as an Assessment

The minimum viable assessment for a Tier 1 vendor is reviewing their current SOC 2 Type II report (or ISO 27001 certificate) and noting the review date and the covered scope. This review should be documented — a brief note in your vendor tracker saying "reviewed AWS SOC 2 Type II report, November 2024, covers compute and storage infrastructure" is sufficient.

For vendors without a SOC 2 or ISO 27001 certification, you need to complete a security questionnaire. Industry-standard questionnaires include the SIG (Standardized Information Gathering), VSAQ (Google's Vendor Security Assessment Questionnaire), and CAIQ (Cloud Security Alliance's Consensus Assessments Initiative Questionnaire). The questionnaire does not need to be exhaustive — a focused 30-50 question assessment covering data handling, access controls, encryption, and incident response is appropriate for most Tier 1 vendors without certifications.

For new vendors being onboarded, the assessment should be completed before production access is granted. CC9.2 specifies that the evaluation should inform the decision to use the vendor, not just document it after the fact.

Evidence Your Auditor Wants to See

The evidence bundle for CC9.2 typically includes four components:

1. Vendor inventory with tier assignments: A list of all in-scope vendors with data access type, risk tier, and the last assessment date. Either a spreadsheet or a platform record is acceptable. The key is that it is current — reflecting vendors onboarded within the audit period.

2. Assessment documentation per vendor: For each Tier 1 vendor, a record of the assessment: either a downloaded SOC 2 report (with the date of download noted), a certificate, or a completed questionnaire. These should be organized by vendor and linked to your vendor inventory.

3. Vendor contracts with security clauses: CC9.2 also covers contractual risk management. Auditors review vendor contracts for data processing agreements (DPAs), confidentiality provisions, and security obligations. For vendors handling customer data under GDPR, a signed DPA is a contractual requirement — and the absence of one is a finding.

4. Review cadence evidence: Documentation showing that your vendor assessment schedule was followed during the audit period. This could be calendar reminders for scheduled reviews, task records in a project management tool, or an automated task queue in a compliance platform.

Maintaining Vendor Risk Year-Round

The most common failure mode for CC9.2 is that assessments are completed once at the start of a compliance program and then not updated. When the next audit arrives, the assessments are a year or two old, vendors may have changed ownership or certification status, and new vendors onboarded after the initial assessment have no documentation at all.

A sustainable vendor risk program requires three recurring processes: annual re-assessment of Tier 1 vendors, a review trigger for new vendor onboardings (assessment before access is granted), and a process for reviewing vendor security events — significant breaches or certification lapses at vendors in your inventory.
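As an added example (not the page's or CompliRun's code), the following Python script applies the tiering cadence, the assess-before-access onboarding rule, and the DPA check described above to a constructed vendor inventory, reporting the gaps an auditor would raise and the next review due date per vendor. The record layout, vendor names, and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Reassessment interval per tier (Tier 1 annual, Tier 2 biennial, Tier 3 at onboarding only).
REVIEW_INTERVAL_DAYS = {1: 365, 2: 730, 3: None}

@dataclass
class Vendor:                       # hypothetical record layout for the vendor tracker
    name: str
    tier: int
    eu_customer_data: bool          # handles EU customer data, so a signed DPA is required
    access_granted: Optional[date]  # when production/system access was enabled
    last_assessed: Optional[date]   # None = never assessed
    dpa_signed: bool

def next_review_due(v: Vendor) -> Optional[date]:
    """Date the next review is due, or None if the tier has no recurring review."""
    interval = REVIEW_INTERVAL_DAYS[v.tier]
    if interval is None or v.last_assessed is None:
        return None
    return v.last_assessed + timedelta(days=interval)

def find_gaps(vendors, today: date):
    """Return (vendor, finding) pairs an auditor would raise under CC9.2."""
    findings = []
    for v in vendors:
        if v.last_assessed is None:
            # Onboarding rule: the assessment must be completed before access is granted.
            if v.access_granted:
                findings.append((v.name, "access granted without assessment"))
            else:
                findings.append((v.name, "no assessment on record"))
        else:
            due = next_review_due(v)
            if due is not None and due < today:
                findings.append((v.name, "assessment stale"))
        if v.tier == 1 and v.eu_customer_data and not v.dpa_signed:
            findings.append((v.name, "no signed DPA"))
    return findings
# Constructed sample inventory as of a fixed date; names and dates are illustrative only.
AS_OF = date(2025, 3, 1)
SAMPLE_VENDORS = [
    Vendor("cloud-provider-A", 1, True, date(2023, 1, 15), date(2024, 11, 5), True),
    Vendor("monitoring-B", 1, True, date(2022, 6, 1), date(2023, 9, 1), False),
    Vendor("support-C", 1, False, date(2025, 1, 20), None, False),
    Vendor("hr-platform-D", 2, False, date(2022, 3, 1), date(2023, 6, 1), False),
    Vendor("pm-tool-E", 3, False, None, date(2021, 5, 1), False),
]
```

Running `find_gaps(SAMPLE_VENDORS, AS_OF)` flags the stale Tier 1 monitoring vendor (also lacking a DPA) and the support vendor given access with no assessment, while the Tier 2 HR platform is still inside its biennial window.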

CompliRun automates the scheduling component: when a vendor assessment is entered, the platform creates a task for the next scheduled review based on the vendor's tier. When the review date approaches, the responsible team member receives a notification with the vendor record pre-populated. The completed review is logged with a timestamp, creating a continuous record rather than an annual scramble.

The ISO 27001 Parallel: Annex A.5.19 to A.5.22

ISO 27001:2022 dedicates four Annex A controls to supplier security, from A.5.19 (information security in supplier relationships) through A.5.22 (monitoring and review of supplier services). The requirements overlap substantially with SOC 2 CC9.2 but with more emphasis on contractual requirements and ongoing service monitoring.

Annex A.5.22 is the ongoing monitoring requirement: the organization should regularly review, monitor, and audit supplier services and deliveries. For critical suppliers, this typically means annual service review meetings with documented outcomes, in addition to the periodic assessment of their security posture.

For organizations pursuing dual SOC 2 and ISO 27001 compliance, the vendor risk program can be designed once and mapped to both frameworks. The key is to structure your vendor inventory and assessment records with enough detail to satisfy both sets of evidence requirements without duplicating work.

A Practical Timeline for Getting CC9.2 Ready

For a company starting audit prep with vendor risk behind schedule, a compressed timeline that produces defensible evidence looks like this:

Week 1: Build the complete vendor inventory. Include every vendor with data access, assign tiers, and identify gaps (vendors without current assessments).

Week 2: Complete assessments for all Tier 1 vendors. For certified vendors, download the SOC 2 report and record that it was reviewed. Send questionnaires to uncertified vendors with a 5-business-day response request.

Week 3: Review contracts for all Tier 1 vendors. Confirm DPAs are in place for those handling EU customer data. Flag any vendors with contracts missing standard security provisions — note the gap and the planned remediation.

Week 4: Document the assessment process itself. Create a vendor risk management policy (if you do not have one) or update the existing one. Set up your review schedule for the following year.

This timeline produces a defensible CC9.2 evidence package even starting from scratch. The weaker point will be the "ongoing" monitoring evidence — if assessments were not performed during the full audit period, you can document that the process is now established and being followed. Auditors typically accept this for first-year engagements while noting the gap as a management letter comment.

Automate your vendor risk management workflow

CompliRun tracks your vendor inventory, schedules assessments, and maintains evidence records organized by SOC 2 CC9.2 requirements. No more scrambling before fieldwork.
