Document ID: SOC2-VMP-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: CISO / Procurement
Purpose
This policy establishes requirements for managing risks associated with third-party vendors and service providers who have access to [Organisation Name]’s systems or customer data. It implements CC9.1 and CC9.2 of the SOC 2 Common Criteria.
1. Vendor Classification
| Tier | Definition | Examples | Due Diligence Level |
|---|---|---|---|
| Tier 1 — Critical | Vendor with access to customer data or production systems | Cloud providers (AWS/Azure), payment processors, monitoring tools with data access | Full assessment + contract review + annual review |
| Tier 2 — Significant | Vendor with access to internal systems or indirect customer data risk | HR software, internal SaaS tools, contractors | Standard assessment + contract clauses |
| Tier 3 — Standard | Vendor with no access to systems or data | Office supplies, catering, non-technical services | Basic vendor registration |
2. Pre-Engagement Due Diligence
Tier 1 Checklist
- Obtain and review vendor’s most recent SOC 2 Type II report (or equivalent)
- Assess vendor’s data protection and privacy practices (GDPR/CCPA compliance)
- Review vendor’s incident response and breach notification procedures
- Confirm vendor’s subprocessor list and assess material subprocessors
- Review vendor’s business continuity and disaster recovery capabilities
- Conduct security questionnaire (CAIQ or custom)
- Legal review of Data Processing Agreement (DPA)
- Executive / CISO approval before engagement
Tier 2 Checklist
- Security questionnaire (abbreviated)
- Review of vendor’s privacy policy and data handling practices
- Confirm minimum contractual security requirements (see Section 4)
- CISO approval for vendors with system access
3. Vendor Register
| Vendor | Tier | Data Accessed | SOC 2 / Cert | DPA Signed | Next Review | Owner |
|---|---|---|---|---|---|---|
| AWS | 1 | Infrastructure / Customer data | SOC 2 Type II ✅ | ✅ | Annual | DevOps Lead |
| [Vendor Name] | 1 | [Data types] | [Cert] | ✅ / ❌ | [Date] | [Owner] |
4. Mandatory Contract Security Clauses
All Tier 1 and Tier 2 vendor contracts must include:
- Data protection obligations — Vendor must implement appropriate technical and organisational measures to protect data
- Breach notification — Vendor must notify [Organisation Name] within 72 hours of discovering any security incident affecting our data
- Subprocessor restrictions — Vendor must not engage new subprocessors without prior written consent
- Audit rights — [Organisation Name] has the right to audit vendor security controls or request third-party attestation
- Data return / deletion — On contract termination, vendor must return or destroy all data within 30 days and certify deletion
- Penetration testing — Vendor must conduct annual penetration testing and provide summary results on request
- Regulatory compliance — Vendor must maintain compliance with applicable data protection laws
5. Ongoing Monitoring
| Activity | Frequency | Responsible |
|---|---|---|
| Review Tier 1 vendor SOC 2 reports | Annually (on report issuance) | CISO |
| Access review for vendor accounts | Quarterly | IT Admin |
| Vendor security questionnaire refresh | Annually | Compliance |
| Review vendor incident notifications | Ongoing | Security Operations |
| Monitor vendor CVEs for critical systems | Monthly | DevOps |
6. Vendor Offboarding
When a vendor relationship ends:
- Revoke all system and data access within 24 hours of contract termination
- Obtain written confirmation of data deletion within 30 days
- Remove vendor accounts from all systems
- Archive vendor record and contract for 7 years
- Document any unresolved security issues for future reference
7. Review
This policy is reviewed annually and updated to reflect changes in the vendor landscape.
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [Author] | Initial issue |