What to Do If a Vendor Doesn’t Have a SOC 2 or ISO 27001 Report
70% of small business vendors lack a SOC 2 report or ISO 27001 certification. Yet these same vendors often handle your most sensitive data: customer information, financial records, and business-critical systems.
This creates a dilemma: Do you limit yourself to only certified vendors, or do you find another way to assess risk?
The reality is that SOC 2 compliance can cost $15,000–$50,000 annually, with 6–12 months of preparation time. ISO 27001 certification often runs $25,000–$100,000+ for implementation and maintenance. Many excellent smaller vendors—especially startups and specialized service providers—simply can’t justify these costs.
But that doesn’t mean you’re stuck choosing between security and functionality.
Here’s how to perform thorough due diligence using a structured risk assessment approach that protects your business without requiring expensive certifications.
Why SOC 2 and ISO 27001 Matter (And What to Look for Instead)
A SOC 2 report or ISO 27001 certificate is third-party evidence that a vendor has the following. Without one, you have to look for the same things yourself:
- Documented security policies – Look for written procedures and clear responsibilities.
- Ongoing internal controls – Ask about monitoring, testing, and review processes.
- Independent validation – Seek evidence of third-party assessments or audits.
- Culture of compliance – Evaluate their willingness to engage in security discussions.
Some vendors may instead provide a PCI DSS Attestation of Compliance, a FedRAMP authorization, or evidence of a HIPAA compliance program (note that there is no official HIPAA certification). These offer comparable assurance within their specific industries, but check that the scope covers the service you are actually buying.
Step 1: Use a Structured Risk Assessment Framework
The 5-Point Scoring System
Rate each category on a 1–5 scale:
- 5 - Excellent: Comprehensive controls and documentation
- 4 - Good: Strong practices with minor gaps
- 3 - Adequate: Basic controls in place
- 2 - Concerning: Limited controls or documentation
- 1 - High Risk: No controls or visibility
Risk Ratings (sum of the five category scores, 5–25):
- 20–25: Low Risk
- 15–19: Medium Risk
- 10–14: High Risk
- <10: Critical Risk
Governance & Risk Management
Key Questions:
- Who oversees cybersecurity?
- Are there documented security policies?
- Has a risk assessment been completed recently?
Security Certifications & Testing
Key Questions:
- Do you follow a recognized framework (NIST CSF, CIS Controls, ISO 27001)?
- When was your last vulnerability scan or penetration test, and can you share a summary of findings and remediation status?
- Is MFA enforced for all staff accounts, including email, cloud/admin consoles, and remote access?
Data Handling & Privacy
Key Questions:
- Where is data stored (provider and region), and is it encrypted at rest and in transit?
- How is access to data controlled?
- Do you have a breach notification process?
Infrastructure & Operations
Key Questions:
- What cloud services are used?
- How is system activity monitored?
- Is there a documented onboarding/offboarding process?
Business Continuity & Incident Response
Key Questions:
- Is there a documented incident response plan?
- When was it last tested (tabletop exercise or live restore)?
- What are your recovery time and recovery point objectives (RTO/RPO)?
Step 2: Evaluate Responses and Assign Risk Ratings
Look for:
- Specific practices, timelines, and tooling
- Regular reviews and updates
- Reference to established frameworks
Avoid:
- Vague or evasive answers
- Lack of ownership or documentation
- “We’ll deal with it when it happens” attitudes
Mini Case Study: Vendor Assessment Example
A small business assessed a marketing vendor without formal certifications:
- Governance: 4
- Testing: 3
- Data Handling: 5
- Infrastructure: 4
- Continuity: 2
Score: 18/25 – Medium Risk
They proceeded with additional contract terms and a 6-month follow-up to review DR planning.
Step 3: Document Your Assessment
Your vendor risk file should include:
- Overall risk score
- Completed questionnaire
- Evidence provided
- Key gaps and improvement requests
- Review cadence (e.g., annual or quarterly)
This documentation can support audits or legal defense if needed.
Step 4: Set Clear Expectations and Controls
For vendors without certifications:
- Include security clauses in the contract
- Establish response expectations (e.g., breach notice within 24 hours)
- Require periodic reassessments
- Set remediation timelines (30, 90, 180 days)
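Steps 1 through 4 can be turned into a repeatable scoring and record-keeping routine. The following script is an added example and not part of the original article or of any Anchor Cyber Security tooling. It encodes the 5-point rubric and the 20/15/10 risk bands exactly as stated above; the pairing of risk band to review cadence (365/180/90/30 days) and the rule that a category scored 1 or 2 is a key gap with a 30- or 90-day remediation deadline are assumptions of this example, chosen to match the article's "annual or quarterly" and "30, 90, 180 days" guidance. The sample input is the marketing vendor from the mini case study, with the assessment date and evidence list constructed for illustration.

```python
# Added example (not from the original article): vendor risk scoring for the
# 5-point rubric, producing the vendor risk file record described in Step 3.
from datetime import date, timedelta
import json

CATEGORIES = (
    "governance",      # Governance & Risk Management
    "testing",         # Security Certifications & Testing
    "data_handling",   # Data Handling & Privacy
    "infrastructure",  # Infrastructure & Operations
    "continuity",      # Business Continuity & Incident Response
)

# Total-score bands from the article: 20-25 Low, 15-19 Medium, 10-14 High, <10 Critical.
RISK_BANDS = ((20, "Low Risk"), (15, "Medium Risk"), (10, "High Risk"), (0, "Critical Risk"))

# Assumption of this example: days until the next reassessment, per risk band.
REVIEW_CADENCE_DAYS = {"Low Risk": 365, "Medium Risk": 180, "High Risk": 90, "Critical Risk": 30}

# Assumption of this example: a category scored 1 or 2 is a key gap and gets a
# remediation deadline drawn from the article's 30/90/180-day windows.
REMEDIATION_DAYS = {1: 30, 2: 90}


def risk_band(total: int) -> str:
    """Map a total score (5-25) onto the article's risk rating bands."""
    for threshold, label in RISK_BANDS:
        if total >= threshold:
            return label
    raise ValueError(f"total {total} is below the minimum possible score of 5")


def validate_scores(scores: dict) -> None:
    """Refuse to rate a vendor unless every category has an integer score 1-5.
    An incomplete questionnaire is a walk-away signal, not a low score."""
    missing = [c for c in CATEGORIES if c not in scores]
    if missing:
        raise ValueError(f"questionnaire incomplete, missing: {', '.join(missing)}")
    unknown = sorted(set(scores) - set(CATEGORIES))
    if unknown:
        raise ValueError(f"unknown categories: {', '.join(unknown)}")
    bad = {c: v for c, v in scores.items()
           if isinstance(v, bool) or not isinstance(v, int) or not 1 <= v <= 5}
    if bad:
        raise ValueError(f"scores must be integers 1-5: {bad}")


def score_vendor(vendor: str, scores: dict, assessed_on: date, evidence=()) -> dict:
    """Score one vendor and return the risk-file record (Step 3 contents)."""
    validate_scores(scores)
    total = sum(scores[c] for c in CATEGORIES)
    rating = risk_band(total)
    gaps = [
        {
            "category": c,
            "score": scores[c],
            # Step 4: set a remediation timeline for each flagged gap.
            "remediation_due": (assessed_on + timedelta(days=REMEDIATION_DAYS[scores[c]])).isoformat(),
        }
        for c in CATEGORIES if scores[c] in REMEDIATION_DAYS
    ]
    return {
        "vendor": vendor,
        "assessed_on": assessed_on.isoformat(),
        "scores": {c: scores[c] for c in CATEGORIES},
        "total": total,
        "risk_rating": rating,
        "gaps": gaps,
        "evidence": list(evidence),
        "next_review": (assessed_on + timedelta(days=REVIEW_CADENCE_DAYS[rating])).isoformat(),
    }


# Constructed sample input: the marketing vendor from the mini case study.
CASE_STUDY_SCORES = {
    "governance": 4, "testing": 3, "data_handling": 5, "infrastructure": 4, "continuity": 2,
}

if __name__ == "__main__":
    record = score_vendor(
        "Marketing vendor (case study)", CASE_STUDY_SCORES, date(2024, 1, 15),
        evidence=["Written security policy", "Summary of last vulnerability scan"],  # constructed
    )
    print(json.dumps(record, indent=2))
```

Running it prints a JSON record with total 18, rating "Medium Risk", a single gap (continuity, 90-day remediation due 2024-04-14) and a next review 180 days out, which matches the 6-month follow-up in the case study. Storing one such record per vendor gives you the audit trail Step 3 calls for, and diffing records across reassessments shows whether the vendor is actually closing gaps.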
When to Walk Away
Some signs that a vendor poses too much risk:
- Refuses to complete a security review
- Shares passwords (for example, one login used by the whole team) or stores or transmits your data without encryption
- Has no incident response plan
- Can’t show evidence of controls or improvement plans
You don’t need perfect vendors—but you do need responsible ones.
What If You Must Use a High-Risk Vendor?
Use compensating controls:
- Limit data sharing
- Monitor access more closely
- Exchange data only through authenticated, encrypted APIs or a vetted transfer tool, not email attachments or ad hoc file shares
- Add liability clauses and indemnity in the contract
Final Thoughts
SOC 2 and ISO 27001 aren’t the only ways to validate a vendor. With structured review processes, clear expectations, and practical controls, small businesses can make informed decisions—even without formal certifications.
Anchor Cyber Security helps small businesses build scalable vendor review processes with clear frameworks, questionnaires, and security clauses tailored to your risk level.