As part of your vendor management program, you should obtain and review the attestation reports (e.g. SOC 2), certifications (e.g. ISO 27001), or other evidence of security compliance (e.g. security questionnaires) for your critical third-party service providers. This is the simplest way to verify that appropriate security practices have been implemented to address your requirements and satisfy your compliance needs. At a minimum, the critical providers below should be considered.
Infrastructure / DC providers
Your infrastructure provider (e.g. AWS, GCP, Azure) is the most critical provider whose compliance you must confirm. While this may seem obvious, your review and confirmation of their security and compliance performs this role on behalf of your customers, who are a step removed from these providers. The review of their SOC 2 report should confirm that appropriate physical security controls protect the data centres hosting your data, that general security controls are in place to secure the systems and data, and that monitoring and incident response activities have been defined and implemented to maintain the integrity of the environment. If you have a serverless architecture, the cloud provider also performs server hardening and security patching on your behalf, which should be factored into your review.
Compliance standards such as the Consumer Data Right (CDR) require this verification to be formally performed. Other standards, such as SOC 2 and HIPAA, include these providers under the "carve-out" method of reporting, noting the key controls of theirs that support your compliance.
Enterprise software
Enterprise software (e.g. Google Workspace, MS Office365) supports various functions that have critical security implications. The review of their attestation reports should confirm that appropriate general security is applied, and should also cover the specific controls for any system components these providers offer that you rely on.
Authentication and password manager software
Software that supports your authentication, and your password manager, would have critical security implications if breached. Your review of their attestation reports should confirm that strong security practices are in place, that their access to your environment is restricted, and that appropriate approvals and restrictions apply where their team requires access to your instance for support purposes.