How Do I Vet a Vendor's SOC 2 Report and Certifications?

A vendor's Service Organization Control 2 (SOC 2) report or ISO 27001 certificate tells you that an auditor checked specific controls, for a specific scope, over a specific window. It does not tell you the vendor is the right custodian for your data. To know that, ask which report type you are being shown, what scope and observation window it covers, whether the auditor noted exceptions, who issued it, how recent it is, and whether the controls actually map to the data you plan to share. A certificate is the start of due diligence, not the end.

Certifications have become table stakes, which means they are now easy to wave around and hard to read well. A report produced quickly and inexpensively is not automatically weaker, but speed and price usually come from somewhere — often a narrower scope, a point-in-time snapshot, or a short observation window. The questions below let a procurement or security team tell the difference between a badge and real assurance, without needing to be auditors themselves.

Which SOC 2 Type Are You Being Shown? — Type I vs. Type II and why it matters

SOC 2 comes in two types, and the difference is the whole game. A Type I report describes whether controls are suitably designed at a single point in time. A Type II report tests whether those controls actually operated effectively across a period. If a vendor offers a certificate or a one-page summary rather than the report itself, ask for the full report and confirm it is a Type II.

A Type I is far faster and cheaper to obtain because nothing has to be proven over time. The cover letter from the auditor — called the opinion — is where the report type is stated. Asking for the full opinion, not a summary, is the fastest way to verify what you are actually being shown.

What Does the Report Actually Cover? — Scope, criteria, and carved-out systems

SOC 2 scope is defined by which Trust Services Criteria are included and which systems are in scope. Security is always included; availability, confidentiality, processing integrity, and privacy are optional and are only covered if the vendor chose to include them. A report can be legitimately clean while covering only one product, one environment, or one criterion.

Ask which systems and which criteria are in scope, and confirm that the product and data you will actually use are inside that boundary rather than carved out. A vendor with a strong certification over a narrow scope is not the same as a vendor with that same certification covering your full data environment.

How Recent Is the Report and How Long Was the Observation Window? — Timing and bridge letters

For a Type II, the value depends on how long the auditor observed the controls and how recently. A three-month window proves less than a twelve-month one, and a report whose period ended eighteen months ago tells you little about today.

Ask for the observation period and the report date. If there is a gap between the period end and now, ask for a bridge letter — sometimes called a gap letter — in which the vendor attests that nothing material changed in the interim. A vendor unwilling to provide one is a vendor asking you to extend trust beyond what their documentation supports.

Did the Auditor Note Any Exceptions? — Reading the testing section

A SOC 2 report is rarely a simple pass or fail. The testing section lists each control, the tests performed, and any exceptions the auditor found. A report can carry an unqualified opinion and still contain noted exceptions worth understanding.

Ask whether the opinion is unqualified and what exceptions, if any, appear in the results. Then ask how the vendor remediated them. A vendor who can speak plainly about their exceptions is usually a more reliable partner than one who insists there were none — exceptions exist in nearly every real program, and the response to them is what reveals program maturity.

Who Performed the Audit? — Independence and accreditation

A SOC 2 examination must be performed by a licensed Certified Public Accountant (CPA) firm, and an ISO 27001 certificate must come from an accredited certification body. Ask for the name of the auditing firm and, for ISO 27001, the accreditation body behind the certificate.

This is not about prestige; it is about independence and rigor. The same question applies to any framework: a credential is only as good as the independent party that issued it. If a vendor cannot readily name the firm and confirm its licensing, treat that as a gap in the documentation chain.

How Long Have the Controls Actually Been Running? — Annual cycles vs. a fresh badge

Automated compliance platforms and Governance, Risk, and Compliance (GRC) tools have made it faster than ever to obtain a first SOC 2 report. A vendor on its fourth consecutive annual Type II has demonstrated sustained control operation across multiple years. A vendor that obtained its first report last month — even a legitimate one — has demonstrated far less.

Ask when the vendor first achieved SOC 2, how many consecutive annual renewals they have completed, and whether their scope has expanded or contracted over time. Fast or first-year certifications are not automatically unreliable, but the timeline context changes what the badge actually proves. The pattern of renewals is the signal; the most recent badge is just the latest data point.

Do the Controls Map to Your Actual Risk? — Matching scope to your data

A certificate proves a vendor met a standard's requirements for their environment. It does not prove their controls fit the specific data you are about to hand them.

If you will share regulated or sensitive data, ask how their in-scope controls address that data category: where it will be stored, who can access it, and what their subprocessor list looks like. This is also where a current data processing agreement and a clear breach-notification commitment matter more than the badge itself — and where reviewing how a vendor handles data privacy pays off directly.

Can the Vendor Show Controls Operating, Not Just Documented? — Evidence beyond the certificate

The strongest signal is a vendor who can move past the certificate to evidence the program runs day to day. A certificate confirms a snapshot; operating evidence confirms a practice.

Ask for a recent penetration test summary, their incident response approach, and how they would handle a data subject request or a security event involving your data. This is the same distinction between meeting a framework and being genuinely secure that experienced buyers look for.

GRC platforms and automated compliance tools have changed how evidence is collected and organized, and genuinely useful ones reduce administrative burden significantly. What they do not replace is the human judgment behind the program — deciding which controls the environment actually needs, calibrating them to the business, and determining how to respond when something goes wrong. A vendor who describes their compliance program primarily in terms of a tool is describing documentation management, not an operating security function. Ask who owns the program by name, what their background is, and how they handle exceptions or control failures. A well-run program has a person behind it who can answer those questions directly.

What Does a Strong Vendor Answer Look Like? — Badge vs. real assurance

A vendor with real assurance answers these readily: a current Type II report covering the product and criteria you care about, a reasonable observation window, multiple annual cycles on record, a named CPA firm, a transparent account of any exceptions and how they were fixed, a named owner of the program, and a clear explanation of how their controls protect your specific data.

A vendor relying on a badge tends to deflect, to offer a certificate instead of a report, or to treat the questions as friction. Neither answer is a verdict on its own, but the pattern of answers tells you a great deal about whether you are buying proven trust or a logo.

The point is not that fast or affordable certifications are worthless. It is that a certification is a claim, and procurement's job is to understand exactly what the claim covers before relying on it. Asking these questions protects your organization and, just as usefully, signals to good vendors that you know the difference — which is the kind of scrutiny the strongest partners welcome. For a fuller view of how mature vendors prove themselves, see how organizations demonstrate a strong security posture and what cybersecurity due diligence involves.

Frequently Asked Questions

Is a SOC 2 Type I report good enough when evaluating a vendor?

A Type I confirms controls were suitably designed at a single point in time, but it does not test whether they operated effectively over a period. For an ongoing relationship, ask for a Type II, which covers an observation window. A Type I can be a reasonable interim signal from a newer vendor, but treat it as a starting point and ask when their first Type II is due.

What is the difference between a SOC 2 certificate and a SOC 2 report?

There is no official SOC 2 "certificate." The deliverable is a report issued by a CPA firm, including the auditor's opinion, the system description, and the detailed test results. If a vendor offers only a badge or a summary, ask for the full report so you can see the scope, the observation window, and any exceptions.

How recent does a vendor's SOC 2 report need to be?

Reports cover a defined past period, so look at both the observation window and how long ago it ended. If meaningful time has passed since the period end, ask for a bridge letter in which the vendor attests that nothing material has changed. A report whose period ended well over a year ago should prompt a request for the current one.

Does an ISO 27001 certificate cover the same things as a SOC 2 report?

Not exactly. ISO 27001 certifies that a vendor operates an information security management system (ISMS) meeting the standard, with a defined scope captured in their Statement of Applicability. SOC 2 reports on controls against the Trust Services Criteria over a period. Ask for the scope of each, since a certificate or report can legitimately cover only part of a vendor's business.

Can a vendor legitimately obtain a SOC 2 in a few weeks?

Yes, under limited conditions — typically a narrow scope, a Type I rather than a Type II, or a short minimum observation window. The report is not automatically unreliable, but it is not equivalent to a vendor on their fourth consecutive annual Type II with broad scope. Ask what type the report is, what the observation window was, and how many annual cycles the vendor has completed. That context turns a fast certification from an unknown into an answer.

What if a vendor says their compliance program is automated or runs on a GRC tool?

GRC tools are useful for organizing evidence and streamlining auditor communication. They are not a compliance program. Ask who owns the program by name and how that person handles exceptions, incidents, and control failures. Automated documentation does not replace human judgment. If a vendor cannot name a person responsible for their security program, that gap is worth weighing carefully.

What if a vendor pushes back on these questions?

Reasonable vendors expect security and procurement scrutiny and answer it without friction. Persistent deflection, an offer of a badge in place of a report, or treating standard questions as obstacles is itself a signal worth weighing alongside the documentation.

Where to Go Next

To go deeper, see questions to ask your vendors about their certifications, how to vet a vendor for data privacy, how to avoid common pitfalls in cybersecurity reviews, how organizations demonstrate a strong security posture, and what cybersecurity due diligence involves.

Shayne Adler

Shayne Adler is the co-founder and Chief Executive Officer (CEO) of Aetos Data Consulting, specializing in cybersecurity due diligence and operationalizing regulatory and compliance frameworks for startups and small and midsize businesses (SMBs). With over 25 years of experience across nonprofit operations and strategic management, Shayne holds a Juris Doctor (JD) and a Master of Business Administration (MBA) and studied at Columbia University, the University of Michigan, and the University of California. Her work focuses on building scalable compliance and security governance programs that protect market value and satisfy investor and partner scrutiny.

Connect with Shayne on LinkedIn

https://www.aetos-data.com