SOC 2 CC9.1 requires that your organisation identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
CC9.1 highlights the following points of focus:
Contemplates Mitigation of Risks of Business Disruption
Risk mitigation activities should include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt your organisation’s operations. Those policies and procedures should include monitoring processes, information, and communications to meet your objectives during response, mitigation, and recovery efforts.
Considers the Use of Insurance to Mitigate Financial Impact Risks
Your organisation’s risk management activities should consider the use of insurance to counteract the financial impact of loss incidents that would otherwise harm the ability of your organisation to meet its objectives.
SOC 2 CC9.2 requires that your organisation assesses and manages risks associated with vendors and business partners.
CC9.2 highlights the following points of focus:
Establishes Conditions for Vendor and Business Partner Engagements
Your organisation should determine specific requirements for any vendor and business partner engagements. This includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.
Evaluates Vendor and Business Partner Risks
The organisation should periodically assess the risks that its vendors and business partners (and those organisations’ own vendors and business partners) pose to the achievement of its objectives.
Allocates Responsibility and Accountability for Managing Vendors and Business Partners
Your management team should assign responsibility and accountability for the supervision of risks associated with your organisation’s vendors and business partners.
Creates Communication Procedures for Vendors and Business Partners
The organisation should establish communication and resolution protocols for service or product issues related to vendors and business partners.
Creates Exception Handling Procedures From Vendors and Business Partners
Your organisation should establish exception handling procedures for any service or product issues related to your organisation’s vendors and business partners.
Evaluates Vendor and Business Partner Performance
The organisation should assess the performance of vendors and business partners on a periodic basis.
Applies Procedures for Focusing on Issues Detected During Vendor and Business Partner Assessments
Your organisation should implement procedures for addressing issues identified with vendor and business partner relationships.
Employs Procedures for Terminating Vendor and Business Partner Relationships
The organisation should apply procedures for terminating vendor and business partner relationships.
Obtains Confidentiality Commitments from Vendors and Business Partners
Your organisation should obtain, from vendors and business partners who have access to confidential information, confidentiality commitments that are consistent with your own confidentiality commitments and obligations.
Evaluates Compliance With Confidentiality Commitments of Vendors and Business Partners
Periodically and as needed, the organisation should assess compliance by vendors and business partners with your confidentiality commitments and requirements.
Attains Privacy Commitments from Vendors and Business Partners
Your organisation should obtain privacy commitments, consistent with the organisation’s privacy commitments and requirements, from vendors and business partners who have access to personal information.
Evaluates Compliance with Privacy Commitments of Vendors and Business Partners
Periodically and as needed, your organisation should assess compliance by vendors and business partners with your privacy commitments and requirements, and take corr