Solved: SOC-2 Subservice Organization - CSP?

mgorman · ‎02-20-2020

So, as I am preparing a service description for a SOC-2 audit (the first). I have a question. Is a cloud service provider considered a subservice organization? I have seen a few things that indicate it is, while I personally feel it is a vendor, like Dell or IBM for servers, Microsoft or Red Hat for an operating system, etc. Any guidance from experience?

Troy_Fine · ‎02-20-2020

Good question. There is no silver bullet answer to this and there is judgment and different interpretations of the standards. I will provide you my stance as an auditor that performs SOC 2 audits.

The key to determining if a CSP is a SOC 2 subservice provider, is if you are relying on the vendor to perform a control and without the control, you would not be meeting a specific SOC 2 requirement. For instance, if you are using a CSP such as AWS and Azure to host the services you provide to customers, they would be a subservice provider, since you cannot meet the requirement for physical security without relying on AWS and Azure. However, if you are using a CSP for tracking changes and software development, this vendor would not be a subservice provider since you are not relying on them for specific controls.

Keep in mind, regardless of whether or not you determine if the vendor is a subservice provider, you are still responsible for monitoring key vendors. In this instance, you should have a vendor management program where key vendors are monitored on a regular basis, subservice orgs and non-subservice orgs.