Definitive Guide

SOC 2 Vendor Assessment Questionnaire Guide

SOC 2 is the gold standard for vendor trust. Whether you are pursuing your own SOC 2 or responding to SOC 2-based vendor assessments, here's what assessors look for and how to prepare.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

What SOC 2 assessors look for in vendor questionnaires

Service Organization Control 2 (SOC 2), developed by the American Institute of Certified Public Accountants (AICPA), is the predominant trust framework for technology and SaaS vendors. When an enterprise client sends you a SOC 2-based vendor assessment questionnaire, they are evaluating your organization against the Trust Services Criteria (TSC) — a set of principles governing how you handle their data.

SOC 2 assessors evaluate five Trust Services Categories: Security (formerly the Common Criteria, and the only mandatory category), Availability, Processing Integrity, Confidentiality, and Privacy. Security is always in scope and covers your foundational controls — logical and physical access, system operations, change management, and risk mitigation. The other four categories are included based on the nature of your service and the data you handle.

For vendor assessment questionnaires (as opposed to a formal SOC 2 audit), assessors are looking for evidence that you have controls in place that align with the TSC, even if you do not yet have a formal SOC 2 Type II report. They want to see written policies, implemented technical controls, monitoring and logging capabilities, and evidence of regular review. A SOC 2 Type II report from a CPA firm is the gold standard because it provides third-party assurance that your controls were operating effectively over a defined period (typically 6-12 months). If you do not have one, your questionnaire responses and supporting evidence need to compensate by demonstrating control maturity through alternative means.

Cyber Defense Agent's compliance mapping engine aligns your scan results to SOC 2 Trust Services Criteria, showing assessors which CC (Common Criteria) controls your external posture supports. This gives you a head start on demonstrating Security category compliance with verifiable data.

Preparing evidence for each Trust Services Category

Each Trust Services Category requires specific evidence that demonstrates your controls are designed, implemented, and operating effectively.

Security (CC1-CC9 Common Criteria): This is the foundation. Prepare evidence for logical access controls (MFA enforcement, role-based access, privileged access management), network security (firewall rules, network segmentation, intrusion detection), change management (change approval process, testing requirements, rollback procedures), system monitoring (logging, SIEM, alerting), vulnerability management (scanning cadence, remediation SLAs, patch management), and incident response (written IRP, tabletop exercise documentation, breach notification procedures). CDA scan data directly supports several CC controls by demonstrating your external security configuration, vulnerability exposure, and email authentication posture.

Availability (A1): If included in scope, demonstrate your uptime commitments (SLAs), redundancy and failover architecture, backup procedures and testing, disaster recovery plan and RTO/RPO targets, and capacity monitoring. Provide historical uptime data and DR test results.

Processing Integrity (PI1): Demonstrate input validation, processing accuracy checks, output reconciliation, quality assurance procedures, and error handling mechanisms. This is most relevant for vendors processing financial or operational data.

Confidentiality (C1): Show how you protect confidential information through data classification policies, encryption at rest and in transit, access restrictions, data retention and disposal procedures, and NDA requirements. Provide your data classification matrix and encryption specifications.

Privacy (P1-P8): If handling personal information, demonstrate your privacy notice, consent mechanisms, data subject access request procedures, data minimization practices, and cross-border data transfer safeguards. Reference your privacy policy and any applicable compliance (GDPR, CCPA).
For SMBs without a formal SOC 2 report, the key is organizing this evidence into a clear, accessible package. Create a shared evidence folder with current policy documents, CDA reports, configuration screenshots, and test results that you can reference in questionnaire responses.

Common SOC 2 gaps for SMBs and pre-assessment readiness

Small and mid-sized businesses consistently struggle with the same SOC 2 gaps. Identifying and addressing these before you receive a vendor assessment questionnaire dramatically improves your results.

Gap 1: No formal risk assessment. SOC 2 requires a documented risk assessment process (CC3.1-CC3.4). Many SMBs operate on informal risk awareness without a written risk register or formal assessment methodology. Fix: conduct an annual risk assessment using the NIST CSF framework. Document identified risks, likelihood, impact, and mitigation measures. Cyber Defense Agent's scan results identify external-facing risks that should be included.

Gap 2: Incomplete access management. Assessors consistently find that SMBs lack formal user provisioning and deprovisioning procedures, quarterly access reviews, and privileged access management controls. Fix: implement a documented onboarding/offboarding checklist, schedule quarterly access reviews with manager attestation, and enforce separate admin accounts for privileged access.

Gap 3: Missing or untested incident response plan. Having an IRP is not sufficient — assessors look for evidence of annual testing through tabletop exercises, documented lessons learned, and plan updates. Fix: conduct an annual tabletop exercise, document results, and update your IRP based on findings.

Gap 4: No change management process. Even small teams need a documented process for approving, testing, and deploying system changes. Fix: implement a lightweight change management process with approval requirements, testing verification, and rollback procedures. Document changes in a change log.

Gap 5: Insufficient logging and monitoring. Assessors expect centralized logging, defined retention periods, and evidence of log review. Fix: enable audit logging on all critical systems, centralize logs (cloud SIEM or log management), define a 90-day minimum retention period, and establish a regular log review process.
Cyber Defense Agent's pre-assessment readiness workflow walks you through each of these gaps, maps your current scan data to TSC controls, and generates a readiness report showing your SOC 2 alignment percentage. This lets you prioritize remediation efforts before the formal assessment begins.
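As an added illustration of how Gap 2 (access management) and Gap 5 (logging and monitoring) can be checked before an assessor asks, the script below runs the two reviews over a constructed identity-provider export and a constructed inventory of critical systems. It is example code written for this guide, not Cyber Defense Agent's readiness workflow or any real product's logic; the user names, dates, system names and thresholds (90-day dormancy, 90-day minimum retention, 30-day review interval) are assumptions chosen to match the fixes described above, and the output is the kind of finding list you would file in your evidence folder.

```python
from datetime import date

# Assumed review date for the checks below (constructed for this example).
AS_OF = date(2026, 5, 1)

# Constructed identity-provider export; every user, role and date is hypothetical.
USERS = [
    {"user": "alice", "role": "admin", "status": "active",
     "last_login": "2026-04-20", "terminated": None},
    {"user": "bob", "role": "user", "status": "active",
     "last_login": "2025-12-01", "terminated": None},         # dormant account
    {"user": "carol", "role": "admin", "status": "active",
     "last_login": "2026-03-15", "terminated": "2026-03-10"},  # left, never disabled
    {"user": "dave", "role": "user", "status": "disabled",
     "last_login": "2026-01-05", "terminated": "2026-01-06"},  # offboarded correctly
]

# Constructed inventory of critical systems and their logging configuration.
LOG_SOURCES = [
    {"system": "prod-api", "audit_logging": True, "centralized": True,
     "retention_days": 365, "last_review": "2026-04-25"},
    {"system": "hr-saas", "audit_logging": True, "centralized": False,
     "retention_days": 30, "last_review": None},
    {"system": "vpn", "audit_logging": False, "centralized": False,
     "retention_days": 0, "last_review": None},
]


def _to_date(value):
    """Parse an ISO date string from the export; None stays None."""
    return date.fromisoformat(value) if value else None


def review_access(users, as_of=AS_OF, dormant_days=90):
    """Gap 2: return (user, issue) pairs a quarterly access review should catch."""
    findings = []
    for u in users:
        if u["status"] != "active":
            continue  # already disabled: nothing left to review
        if u["terminated"]:
            findings.append((u["user"], f"still enabled after termination on {u['terminated']}"))
        last = _to_date(u["last_login"])
        if last is None or (as_of - last).days > dormant_days:
            findings.append((u["user"], f"no login in the last {dormant_days} days"))
    return findings


def review_logging(sources, as_of=AS_OF, min_retention_days=90, review_interval_days=30):
    """Gap 5: return (system, issue) pairs where logging falls short of the stated fix."""
    findings = []
    for s in sources:
        name = s["system"]
        if not s["audit_logging"]:
            findings.append((name, "audit logging disabled"))
        if not s["centralized"]:
            findings.append((name, "logs not forwarded to the central log store"))
        if s["retention_days"] < min_retention_days:
            findings.append((name, f"retention {s['retention_days']} days is below "
                                   f"the {min_retention_days}-day minimum"))
        last = _to_date(s["last_review"])
        if last is None or (as_of - last).days > review_interval_days:
            findings.append((name, f"no documented log review in the last {review_interval_days} days"))
    return findings


def readiness_summary(users=USERS, sources=LOG_SOURCES, as_of=AS_OF):
    """Bundle both checks into one dated summary suitable for the evidence folder."""
    logging_findings = review_logging(sources, as_of)
    flagged = {system for system, _ in logging_findings}
    return {
        "as_of": as_of.isoformat(),
        "gap2_access": review_access(users, as_of),
        "gap5_logging": logging_findings,
        "systems_fully_covered": [s["system"] for s in sources if s["system"] not in flagged],
    }


if __name__ == "__main__":
    summary = readiness_summary()
    for gap in ("gap2_access", "gap5_logging"):
        print(f"{gap}: {len(summary[gap])} finding(s)")
        for subject, issue in summary[gap]:
            print(f"  {subject}: {issue}")
    print("systems with no logging findings:", ", ".join(summary["systems_fully_covered"]))
```

Run against the constructed data, the access review flags bob (dormant) and carol (still enabled after her termination date) while leaving the correctly offboarded dave alone, and the logging review clears prod-api but lists every shortfall on hr-saas and vpn. Replacing the two constructed lists with a real IdP export and your own system inventory turns the same two functions into a repeatable quarterly check whose output, dated and saved, is itself evidence of the review cadence assessors ask for.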

Key Takeaways

TL;DR

SOC 2 evaluates five Trust Services Categories — Security is always mandatory; Availability, Processing Integrity, Confidentiality, and Privacy are included based on your service scope.

A formal SOC 2 Type II report from a CPA firm is the gold standard, but well-evidenced questionnaire responses can demonstrate control maturity for vendor assessments.

The top SMB gaps are: no formal risk assessment, incomplete access management, untested incident response, missing change management, and insufficient logging.

Organize your evidence proactively — policy documents, CDA scan reports, configuration screenshots, and test results — in a readily shareable format.

CDA's compliance mapping aligns your scan results to SOC 2 Common Criteria, giving assessors verifiable data instead of self-attestation alone.

FAQ

Frequently asked questions

Do I need a formal SOC 2 report to pass vendor assessments?

Not necessarily. Many enterprises accept detailed questionnaire responses with supporting evidence as an alternative to a formal SOC 2 report, especially for lower-risk vendor relationships. However, having a SOC 2 Type II report significantly accelerates the assessment process and is increasingly expected for vendors handling sensitive data or providing critical services. If you are frequently asked for SOC 2 evidence, investing in a formal audit (typically $20,000-$50,000 for SMBs) may be worthwhile to streamline future assessments.

What is the difference between SOC 2 Type I and Type II?

SOC 2 Type I evaluates whether your controls are designed appropriately at a specific point in time. SOC 2 Type II evaluates whether those controls operated effectively over a defined period, typically 6 to 12 months. Type II is significantly more valuable to assessors because it provides assurance of ongoing control effectiveness, not just design. Most enterprises requesting SOC 2 evidence want a Type II report. If you are pursuing formal certification, start with Type I to validate your control design, then progress to Type II.

How can CDA help with SOC 2 readiness if we are a small business?

Cyber Defense Agent helps with SOC 2 readiness in three ways. First, the compliance mapping engine aligns your scan results to SOC 2 Common Criteria (CC) controls, showing which controls your current posture supports and where gaps exist. Second, the continuous scanning provides an ongoing evidence trail of your security posture over time, which supports the "operating effectiveness" requirement of Type II. Third, the pre-assessment readiness report identifies the most common SMB gaps and provides prioritized remediation guidance so you can focus your limited resources on the controls that matter most.

Get your Cyber Defense Score™ in 60 seconds.

100 tools. No installation. No credit card. Real evidence.