August 30, 2023

SOC 2 Controls CC9: Risk Mitigation

The ninth SOC-2 requirement in the CC-series is Risk Mitigation.


CC9.1

SOC 2 CC9.1 requires that your organisation identify, select, and develop risk mitigation activities for risks arising from potential business disruptions.

CC9.1 highlights the following points of focus:

Contemplates Mitigation of Risks of Business Disruption

Risk mitigation activities should include the development of policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt your organisation’s operations. Those policies and procedures should include the monitoring processes, information, and communications needed to meet your objectives during response, mitigation, and recovery efforts.

Considers the Use of Insurance to Mitigate Financial Impact Risks

Your organisation’s risk management activities should consider the use of insurance to counteract the financial impact of loss incidents that would otherwise harm the ability of your organisation to meet its objectives.

CC9.2

SOC 2 CC9.2 requires that your organisation assess and manage risks associated with vendors and business partners.

CC9.2 highlights the following points of focus:

Establishes Conditions for Vendor and Business Partner Engagements

Your organisation should determine specific requirements for any vendor and business partner engagements. This includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.

Evaluates Vendor and Business Partner Risks

The organisation should periodically assess the risks that its vendors and business partners (and those organisations’ own vendors and business partners) pose to the achievement of its objectives.

Allocates Responsibility and Accountability for Managing Vendors and Business Partners

Your management team should assign responsibility and accountability for the supervision of risks associated with your organisation’s vendors and business partners.

Creates Communication Procedures for Vendors and Business Partners

The organisation should establish communication and resolution protocols for service or product issues related to vendors and business partners.

Creates Exception Handling Procedures for Vendors and Business Partners

Your organisation should establish exception-handling procedures for any service or product issues related to your organisation’s vendors and business partners.

Evaluates Vendor and Business Partner Performance

The organisation should assess the performance of vendors and business partners periodically.

Applies Procedures for Addressing Issues Detected During Vendor and Business Partner Assessments

Your organisation should implement procedures for addressing issues identified in vendor and business partner relationships.

Employs Procedures for Terminating Vendor and Business Partner Relationships

The organisation should apply procedures for terminating vendor and business partner relationships.

Obtains Confidentiality Commitments from Vendors and Business Partners

Your organisation should obtain confidentiality commitments from vendors and business partners who have access to confidential information, and those commitments should be consistent with your own confidentiality commitments and obligations.

Evaluates Compliance With Confidentiality Commitments of Vendors and Business Partners

The organisation should periodically, and as needed, assess vendors' and business partners' compliance with its confidentiality commitments and requirements.

Obtains Privacy Commitments from Vendors and Business Partners

Your organisation should obtain privacy commitments, consistent with the organisation’s privacy commitments and requirements, from vendors and business partners who have access to personal information.

Evaluates Compliance with Privacy Commitments of Vendors and Business Partners

Periodically and as needed, your organisation should assess compliance by vendors and business partners with your privacy commitments and requirements.
