
Vendor Security Assessment and SOC 2 Collection

Use this vendor security assessment and SOC 2 collection template to document a third party’s security posture, collect current attestations, and record onbo...


Inspection Scope and Vendor Profile

Record the vendor's legal entity name and a concise description of the service being provided.
Select whether this is a pre-onboarding assessment, annual review, or other re-assessment.
Confirm whether the vendor will store, process, transmit, or access company data or systems.
Identify the data types and systems in scope for the review.

Security Attestations and Certificates

Confirm that a current SOC 2 Type I or Type II report has been provided for review.
Record the SOC 2 report type and the coverage period.
Confirm whether an ISO certificate, such as ISO 27001, was provided when claimed or required.
Verify that the SOC 2 report, ISO certificate, or equivalent assurance document is current and within its validity period.
If the assurance report period is not current, confirm whether a bridge letter or equivalent explanation has been provided.
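As an added illustration (not part of the MangoApps template), the report-currency and bridge-letter checks above can be encoded so every review record is classified the same way. The 12-month currency window, the Attestation class and assess_attestation are assumptions of this example, not something the template prescribes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

# Assumption (not stated in the template): a SOC 2 report is treated as current
# for 12 months after its coverage period ends. Adjust to your own policy.
CURRENCY_WINDOW = timedelta(days=365)
DateLike = Union[date, str, None]

def _to_date(value: DateLike) -> Optional[date]:
    # Accept date objects or ISO strings, as entered on a form or in a CSV.
    return value if value is None or isinstance(value, date) else date.fromisoformat(value)

@dataclass
class Attestation:
    report_type: str                        # "SOC 2 Type I" or "SOC 2 Type II"
    period_start: DateLike                  # Type I is point-in-time: start == end
    period_end: DateLike
    bridge_letter_through: DateLike = None  # last date the bridge letter covers

    def __post_init__(self):
        self.period_start = _to_date(self.period_start)
        self.period_end = _to_date(self.period_end)
        self.bridge_letter_through = _to_date(self.bridge_letter_through)

def assess_attestation(att: Attestation, review_date: DateLike) -> dict:
    """Return status (current/bridged/stale/invalid), report age, and a finding for the review record."""
    review_date = _to_date(review_date)
    if att.period_end > review_date:
        return {"status": "invalid", "age_days": None,
                "finding": "Coverage period ends after the review date; verify the report."}
    age = review_date - att.period_end
    if age <= CURRENCY_WINDOW:
        return {"status": "current", "age_days": age.days, "finding": None}
    # Older than the window: only a bridge letter reaching the review date keeps the
    # report usable, and a bridge letter is management's assertion, not audit evidence.
    if att.bridge_letter_through and att.bridge_letter_through >= review_date:
        return {"status": "bridged", "age_days": age.days,
                "finding": f"{att.report_type} period ended {att.period_end}; relying on bridge "
                           f"letter through {att.bridge_letter_through}. Request the next report."}
    return {"status": "stale", "age_days": age.days,
            "finding": f"{att.report_type} period ended {att.period_end} ({age.days} days before "
                       f"review) with no bridge letter covering {review_date}; record as missing "
                       "evidence and require a corrective action plan."}

if __name__ == "__main__":
    # Constructed sample: an old Type II report whose bridge letter has already lapsed.
    sample = Attestation("SOC 2 Type II", "2022-10-01", "2023-09-30", "2025-01-31")
    print(assess_attestation(sample, "2025-03-01"))
```

The finding string is written to go straight into the "Findings, Exceptions, and Approval" section, so a stale or bridged attestation is never silently accepted.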

Security Governance and Access Controls

Confirm that the vendor has a designated security owner or equivalent accountable role.
Confirm that the vendor maintains role-based access control and least privilege for systems handling customer data.
Verify that MFA is enforced for administrative, privileged, and remote access where applicable.
Confirm that customer data is encrypted in transit and at rest using industry-standard controls.
Confirm that the vendor has a documented vulnerability scanning and patch management process.

Incident Response, Business Continuity, and Privacy

Confirm that the vendor maintains a documented incident response plan.
Record the contractual or policy-based timeframe for notifying customers of a security incident.
Confirm that the vendor maintains a business continuity or disaster recovery plan and tests it periodically.
Confirm that data retention, deletion, and privacy obligations are documented and aligned to the service scope.
Confirm whether the vendor uses subprocessors and whether oversight, approval, or disclosure is documented.

Findings, Exceptions, and Approval

List any deficiencies, non-conformances, or exceptions identified during the review.
Confirm whether a corrective action plan is required for any material security gap or missing evidence.
Confirm whether any residual risk or exception has been formally approved by the appropriate authority.
Record the inspector or reviewer signature confirming that the assessment was completed.

Generated with MangoApps Templates