
SOC 2 Controls: CC9 Risk Mitigation

CC9.1

SOC 2 CC9.1 requires that your organisation identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

CC9.1 highlights the following points of focus:

Contemplates Mitigation of Risks of Business Disruption

Risk mitigation activities should include the development of prepared policies, procedures, communications, and other processing solutions to react to, alleviate, and recover from security events that disrupt your organisation’s operations. Those policies and procedures should include monitoring processes, information, and communications to meet your objectives during reaction, mitigation, and recovery endeavours.

Considers the Use of Insurance to Mitigate Financial Impact Risks

Your organisation’s risk management activities should consider the use of insurance to counteract the financial impact of loss incidents that would otherwise harm the ability of your organisation to meet its objectives.

CC9.2

SOC 2 CC9.2 requires that your organisation assesses and manages risks associated with vendors and business partners.

CC9.2 highlights the following points of focus:

Establishes Conditions for Vendor and Business Partner Engagements

Your organisation should determine specific requirements for any vendor and business partner engagements. This includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.

Evaluates Vendor and Business Partner Risks

The organisation should periodically assess the risks that its vendors and business partners (and those organisations' own vendors and business partners) pose to the achievement of its objectives.

Allocates Responsibility and Accountability for Managing Vendors and Business Partners

Your management team should assign responsibility and accountability for the supervision of risks associated with your organisation’s vendors and business partners.

Creates Communication Procedures for Vendors and Business Partners

The organisation should establish communication and resolution protocols for service or product issues related to vendors and business partners.

Creates Exception Handling Procedures From Vendors and Business Partners

Your organisation should establish exception handling procedures for any service or product issues related to your organisation’s vendors and business partners.

Evaluates Vendor and Business Partner Performance

The organisation should assess the performance of vendors and business partners on a periodic basis.

Applies Procedures for Addressing Issues Detected During Vendor and Business Partner Assessments

Your organisation should implement procedures for addressing issues identified with vendor and business partner relationships.

Employs Procedures for Terminating Vendor and Business Partner Relationships

The organisation should apply procedures for terminating vendor and business partner relationships.

Obtains Confidentiality Commitments from Vendors and Business Partners

Your organisation should obtain, from vendors and business partners who have access to confidential information, confidentiality commitments that are consistent with your own confidentiality commitments and obligations.

Evaluates Compliance With Confidentiality Commitments of Vendors and Business Partners

Periodically and as needed, the organisation should assess compliance by vendors and business partners with your confidentiality commitments and requirements.

Attains Privacy Commitments from Vendors and Business Partners

Your organisation should obtain privacy commitments, consistent with the organisation’s privacy commitments and requirements, from vendors and business partners who have access to personal information.

Evaluates Compliance with Privacy Commitments of Vendors and Business Partners

Periodically and as needed, your organisation should assess compliance by vendors and business partners with your privacy commitments and requirements, and take corr
