Vendor Security Assessment and SOC 2 Collection

Inspection template for assessing a third party's security posture and collecting SOC 2, ISO, and related security evidence before onboarding and on an annual basis.

Inspection Scope and Vendor Profile

  • Vendor legal name and service description confirmed
    Record the vendor's legal entity name and a concise description of the service being provided.
  • Review type identified
    Select whether this is a pre-onboarding assessment, annual review, or other re-assessment.
  • Vendor will access company data or systems
    Confirm whether the vendor will store, process, transmit, or access company data or systems.
  • Data classification and system scope documented
    Identify the data types and systems in scope for the review.

Security Attestations and Certificates

  • Current SOC 2 report provided
    Confirm that a current SOC 2 Type I or Type II report has been provided for review (the full report, under NDA if required, not a summary or a trust-page badge). A Type I covers control design at a single date; only a Type II covers operating effectiveness over a period.
  • SOC 2 report type, period covered, and scope recorded
    Record the report type, the period covered (or the as-of date for a Type I), the auditor, and the auditor's opinion (unqualified or qualified). Note which trust services categories are in scope (Security is required; Availability, Confidentiality, Processing Integrity, and Privacy are optional), whether the service being purchased falls within the described system, any testing exceptions, the complementary user entity controls the customer is expected to implement, and whether subservice organizations are carved out or included.
  • ISO certificate provided if applicable
    Confirm whether an ISO certificate, such as ISO/IEC 27001, was provided when claimed or required, and that the certificate's scope statement covers the service in question. A certificate attests that a management system exists and was audited; it does not by itself show that specific controls operated.
  • Certificate or report is current and unexpired
    Verify that the SOC 2 report, ISO certificate, or equivalent assurance document is within its validity period. A SOC 2 report is commonly treated as current for up to 12 months after its period end; an ISO certificate carries an expiry date on a three-year cycle with annual surveillance audits. Where the certification body publishes a register, check the certificate against it.
  • Bridge letter or remediation note provided for report gaps
    If the assurance report period is not current, confirm whether a bridge (gap) letter or equivalent explanation has been provided. A bridge letter is a management assertion, not an auditor opinion, and covers only the stated gap; it is not a substitute for the next report.
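The currency rules above, as an added example that is not part of the original template: a small Python evaluator that applies them to SOC 2 reports, bridge letters, and ISO certificates. The thresholds (180 days before a bridge letter is needed, 365 days before the next report is required, 30 days of tolerance on a bridge letter's date) are assumed policy values, not requirements of either standard, and the sample evidence is constructed.

```python
"""Evidence-currency check for vendor assurance documents.

Added example, not part of the original template. The thresholds below are
assumed policy parameters: common practice, not requirements of SOC 2 or
ISO/IEC 27001, and should be set to the organisation's own vendor-risk standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REPORT_FRESH_DAYS = 180        # assumed: SOC 2 period end this recent needs no bridge letter
REPORT_MAX_AGE_DAYS = 365      # assumed: older than this, require the next report
BRIDGE_TOLERANCE_DAYS = 30     # assumed: bridge letter may be dated this long before the review


@dataclass
class Soc2Report:
    report_type: str                      # "Type I" (point in time) or "Type II" (period)
    period_end: date                      # Type I: as-of date; Type II: end of the test period
    period_start: Optional[date] = None   # Type II only
    opinion: str = "unqualified"          # auditor opinion as printed in the report


@dataclass
class BridgeLetter:
    issued_on: date
    covers_through: date   # management asserts no material control changes through this date


@dataclass
class IsoCertificate:
    standard: str          # e.g. "ISO/IEC 27001:2022"
    expiry: date           # expiry date printed on the certificate


def assess_soc2(report: Soc2Report, bridge: Optional[BridgeLetter],
                review_date: date) -> tuple[str, str]:
    """Return (status, reason); status is one of current, bridged, stale, reject."""
    if report.opinion.lower() != "unqualified":
        # A qualified opinion is not automatically disqualifying, but it must be read, not filed.
        return "reject", f"auditor opinion is '{report.opinion}'; read the basis for it before relying on the report"
    if report.period_end > review_date:
        return "reject", "report period ends after the review date; check the dates"
    age = (review_date - report.period_end).days

    if report.report_type == "Type I":
        # Type I attests to control design at one date and says nothing about operation over time.
        if age <= REPORT_MAX_AGE_DAYS:
            return "current", f"Type I as of {report.period_end}; point in time only, request a Type II"
        return "stale", f"Type I is {age} days old; require a newer report"

    period_note = ""
    if report.period_start is not None:
        span = (report.period_end - report.period_start).days
        if span < 180:
            period_note = f" (short test period of {span} days; common for a first report, confirm the next one is longer)"

    if age <= REPORT_FRESH_DAYS:
        return "current", f"Type II period ended {age} days before review{period_note}"
    if age > REPORT_MAX_AGE_DAYS:
        return "stale", f"Type II period ended {age} days ago; a bridge letter cannot substitute for the next report"
    # Between the two thresholds: acceptable only with a bridge letter that reaches the review date.
    if bridge is None:
        return "stale", f"Type II period ended {age} days ago and no bridge letter was provided"
    if (review_date - bridge.covers_through).days > BRIDGE_TOLERANCE_DAYS:
        return "stale", f"bridge letter covers only through {bridge.covers_through}"
    gap = (bridge.covers_through - report.period_end).days
    return "bridged", f"{gap}-day gap covered by a bridge letter dated {bridge.issued_on}{period_note}"


def assess_iso(cert: IsoCertificate, review_date: date) -> tuple[str, str]:
    """Return (status, reason); the certificate's scope statement still has to be read by hand."""
    if cert.expiry < review_date:
        return "expired", f"{cert.standard} certificate expired on {cert.expiry}"
    return "valid", f"{cert.standard} certificate valid for {(cert.expiry - review_date).days} more days"


if __name__ == "__main__":
    # Constructed sample evidence for a review dated 2024-06-30.
    today = date(2024, 6, 30)
    last_year = Soc2Report("Type II", period_end=date(2023, 9, 30), period_start=date(2022, 10, 1))
    letter = BridgeLetter(issued_on=date(2024, 6, 15), covers_through=date(2024, 6, 15))
    print(assess_soc2(last_year, None, today))
    print(assess_soc2(last_year, letter, today))
    print(assess_iso(IsoCertificate("ISO/IEC 27001:2022", date(2026, 1, 1)), today))
```

The evaluator deliberately returns a reason string alongside the status so the finding can be pasted into the "Open deficiencies" section of the template; the scope and opinion checks it cannot automate (trust services categories, system description, CUECs, certificate scope statement) remain manual items in the checklist.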

Security Governance and Access Controls

  • Security program owner identified
    Confirm that the vendor has a designated security owner or equivalent accountable role.
  • Access control and least privilege practices documented
    Confirm that the vendor maintains role-based access control and least privilege for systems handling customer data, including how access is approved, periodically reviewed, and revoked when staff change role or leave.
  • Multi-factor authentication enforced for administrative access
    Verify that MFA is enforced for administrative, privileged, and remote access where applicable, and record which factors are accepted; phishing-resistant methods (FIDO2/WebAuthn or certificate-based) are preferable to SMS or push approval for privileged accounts.
  • Encryption in transit and at rest confirmed
    Confirm that customer data is encrypted in transit (TLS 1.2 or later) and at rest, and record who manages the encryption keys and whether customer-managed keys are offered.
  • Vulnerability management and patching cadence documented
    Confirm that the vendor has a documented vulnerability scanning and patch management process with remediation targets by severity, and whether independent penetration tests are performed and their summary results can be shared.

Incident Response, Business Continuity, and Privacy

  • Incident response plan available
    Confirm that the vendor maintains a documented incident response plan.
  • Security incident notification timeframe documented
    Record the contractual or policy-based timeframe for notifying customers of a security incident, what the vendor counts as a reportable incident, and the notification route; where regulated data is in scope, confirm the vendor's window leaves room for the company's own notification obligations.
  • Business continuity or disaster recovery plan available
    Confirm that the vendor maintains a business continuity or disaster recovery plan, tests it periodically, and states recovery time and recovery point objectives for the service.
  • Privacy and data retention practices documented
    Confirm that data retention, deletion (including return or destruction of data on termination), and privacy obligations are documented and aligned to the service scope.
  • Subprocessor or fourth-party oversight addressed
    Confirm whether the vendor uses subprocessors, whether a current list is published, and whether customers are notified of additions with an opportunity to object.

Findings, Exceptions, and Approval

  • Open deficiencies documented
    List any deficiencies, non-conformances, or exceptions identified during the review.
  • Corrective action plan required for material gaps
    Confirm whether a corrective action plan is required for any material security gap or missing evidence.
  • Risk acceptance or exception approved
    Confirm whether any residual risk or exception has been formally approved by the appropriate authority.
  • Inspector signature
    Inspector or reviewer signature confirming the assessment was completed.