FAQ: Are Third Party Vendor reviews required for SOC 1 and SOC 2?

FAQ: Are Third Party Vendor reviews required for SOC 1 and SOC 2?

As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.) has become a key component of monitoring for potential security and compliance risks when outsourcing functions that use a third party’s data.

Additional FAQs

How long does a SOC 1 take to complete?

This depends on how prepared and how many resources an Organization has to dedicate to the project. The first time through, usually a readiness assessment would be performed, and then

How many updates to SOC 1 have their been?

SOC 1 stemmed from the original SAS 70 report, which, once SSAE 16 was issued in April 2010, the formal report name was changed to being a SOC 1 report

When is SSAE-18 Effective?

SSAE-18 is effective for all reports issued after May 1, 2017.

We have a SOC 2. How much effort is GDPR?

Assuming your Company is subject to GDPR, the level of effort depends a lot on the maturity of Organizational and Privacy controls. The Organizational will be mostly met by implementation

How does a company get SOC 2 certified?

SOC 2 is not a certification, it’s a third party attestation of the controls in place at your organization. Typically when a company is asking this question though the answer

Are Third Party Vendor reviews required for SOC 1 and SOC 2?

As of the latest SSAE 18 and SOC 2 updates, vendor management and review of any relevant compliance / audit reports (SOC 1, SOC 2, HITRUST, ISO 27001/2, PCI, etc.)

Get Our Emails

SOC Reporting Guide