Third Party
Definition
In SOC 2 contexts, a third party is any external organization or individual outside the reporting entity that provides services, systems, people, or processes that could affect the entity’s service commitments, system requirements, or the effectiveness of controls relevant to the Trust Services Criteria. Third parties can include vendors, suppliers, contractors, consultants, outsourcing providers, cloud and hosting providers, payment processors, managed service providers, and business partners. In a SOC 2 examination, third parties are important because they may operate subservice organizations or otherwise perform activities that the entity relies on to deliver its services. The organization remains accountable for managing these dependencies by defining requirements in contracts, assessing risk before onboarding, limiting access to data and systems, monitoring performance and security, and ensuring incidents are handled and reported appropriately. SOC 2 reporting may describe how third-party services are treated (for example, whether certain subservice organization controls are included or carved out) and may identify complementary controls the organization must operate to address residual risk. Effective third-party governance reduces exposure to security, availability, confidentiality, processing integrity, and privacy risks introduced by external dependencies.
Real-World Examples
Startup using a payment processor
A startup relies on an external payment processor to handle card payments; it reviews the provider’s security reports, restricts API keys, and monitors transaction anomalies.
Scaleup outsourcing support operations
A scaleup uses a third-party support vendor with access to customer tickets; it enforces least privilege, logs access, and requires secure handling of customer data in contracts.
Enterprise with a managed infrastructure provider
An enterprise runs production workloads on a managed infrastructure provider; it evaluates shared responsibility boundaries, validates monitoring coverage, and tests incident notification procedures.
A third party is an external entity that provides services, people, or technology that can affect your security and compliance obligations, especially where it touches your data or systems.
A vendor is typically a contracted supplier of goods or services, while "third party" is a broader term that covers vendors, partners, contractors, and outsourced providers that introduce risk.
TPRM is the process of assessing, contracting, monitoring, and offboarding third parties to reduce security, privacy, and operational risks that can impact your customers and audits.
Common third parties include suppliers, service providers, cloud and hosting providers, payment processors, contractors, consultants, outsourcing providers, and business partners that access data or systems.
Third parties can increase the risk of data breaches, service outages, unauthorized access, weak change control, poor incident response, and non-compliance through shared processes and systems.
Perform assessments before onboarding, before granting access to sensitive data or production systems, after major scope changes, and on a recurring schedule based on the third party’s risk tier.
Typical evidence includes security and audit reports, policies, penetration test summaries, incident response commitments, data handling terms, access control practices, and service reliability information.
Tiering commonly considers data sensitivity, system access level, business criticality, service dependency, geographic and regulatory exposure, and the third party’s security maturity.
Refresh frequency is usually risk-based: high-risk or critical providers may be reviewed at least annually, while lower-risk providers may be reviewed every 2–3 years or upon material change.
Offboarding should remove access, rotate credentials, retrieve or securely destroy data, confirm termination of subservice providers where applicable, validate contract closure terms, and document completion for audit evidence.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |