SOC 2 CC9.2: Vendor and Business Partner Management Explained
Assess and manage risks associated with vendors and business partners who have access to confidential information or provide services to the entity.
OFFICIAL REFERENCE (PARAPHRASED)
The entity assesses, on a periodic basis, the risks that vendors and business partners represent to the achievement of the entity's objectives. (AICPA TSC CC9.2)
Last reviewed: June 2026. Not legal or audit advice.
WHAT EVIDENCE SATISFIES THIS
- ✓ Vendor risk assessment procedure
- ✓ Completed vendor security questionnaires
- ✓ SOC 2/ISO reports from critical vendors
- ✓ Vendor review schedule and sign-off records
Cross-framework overlap
This control requirement also appears in: