Sample Vendor Review (Example Only)

Quarterly vendor committee example with subservice org notes for SOC-004 alignment.

Sample Vendor Review Minutes

How to Fill Out This Sample Vendor Review Minutes

Sample vendor management review minutes — Demonstrates vendor review meeting structure for CC9.2. Use SOC-014 register and real SOC reports for your program of record.

Recommended Owner: Vendor Manager or Security Lead

What this file is for

Document purpose

Example vendor management review minutes with subservice organization notes.

In your program: CC9.2; align vendor list with SOC-014 and SOC-004 Section 7.

Before you start

Getting Started

  • Example only — sanitized fictional data (Acme Corp). Do not submit to auditors or regulators.
  • Copy structure and column usage into your live template (SOC-030, SOC-010, AI-014b, etc.).
  • Delete or overwrite every sample row before internal circulation.

Document tour

Fill out the file section by section

Work through the sections below in order. Each block matches a heading or tab in the downloaded SOC-SAMP-04 file.

Attendees
  • Document quorum and roles — match committee charter in COR-008 or SOC-017.
  • Include Security, Legal, and business owners for Critical/High vendors reviewed.
  • Example only — replace Acme names with your actual committee roster.
Vendors Reviewed
  • Table of vendor, criticality, SOC report date, and exceptions — copy layout to your minutes.
  • Each row should map to a SOC-014 subprocessor register entry with current DPA status.
  • Note report expiry and renewal actions — auditors check Critical tier coverage.
Subservice Organization Notes
  • Carve-out vs inclusive method must match SOC-004 and auditor agreement.
  • Document CUECs you operate vs those inherited from cloud providers.
  • Flag any vendor using subprocessors not listed in your register.
Action Items
  • Owner, due date, and ticket per open item — carry forward to next quarter.
  • Link closed actions to SOC report downloads or SOC-021 evidence IDs.
  • Escalate overdue Critical vendor actions to SOC-017 steering committee.
Approval
  • Vendor manager or CISO signature with review date.
  • File signed PDF in evidence repo and reference in SOC-020 next quarter.

Quality check

Before You Finalize

  • Real minutes need actual vendor SOC report status and action owners.

Evidence

Where to Store It

  • Store the completed file in your compliance evidence folder (signed PDF for policies).
  • Register the document in COR-013 with version, owner, and next review date.
  • Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.

Next Steps

After customizing Sample Vendor Review Minutes:

  1. Complete the file: Finish every section or tab in SOC-SAMP-04.
  2. Register: Add version and owner to COR-013.
  3. Operationalize: Train owners listed in the document.
  4. Evidence: Keep exports auditors can sample during fieldwork.