FAQ: Are Third Party Vendor reviews required for SOC 1 and SOC 2?

FAQ: Are Third Party Vendor reviews required for SOC 1 and SOC 2?

As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become a key component of monitoring for potential security and compliance risks when outsourcing functions that use a third party’s data.

Additional FAQs

Are Third Party Vendor reviews required for SOC 1 and SOC 2?

As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become

What is SSAE 18 (formerly SSAE 16)?

A SOC 1 Type 1 report typically costs on average anywhere between $10,000 and $20,000 USD, without the readiness assessment project which most Organizations benefit from and can be an

How long does a SOC 1 take to complete?

This depends on how prepared and how many resources an Organization has to dedicate to the project. The first time through, usually a readiness assessment would be performed, and then

What are the SOC 2 criteria?

The five SOC 2 criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy.

What is SSAE 18 (formerly SSAE 16)?

The SSAE 18 audit standard is a framework for reporting on an examination of controls at a service organization relevant to user entities’ internal control over financial reporting.

Can an organization opt for both SOC2 and ISO 27001?

Yes, they can complement each other. SOC 2 may cover specific areas relevant to service organizations, while ISO 27001 provides a broader approach to information security management.

Get Our Emails

SOC Reporting Guide