Disclaimer: This post is educational content for engineers and teams preparing for SOC 2 audits. It is not legal or compliance advice. For guidance specific to your organization, consult a qualified auditor or compliance professional.
Your SOC 2 auditor is going to ask how you monitor third-party vendors. Here's what they actually need.
If you're a DevOps or SRE engineer helping your company get through SOC 2 for the first time, vendor monitoring is one of those areas that looks simple on paper but trips up a lot of teams. You know you're dependent on AWS, Stripe, GitHub, and a dozen other services — but "we check the status page sometimes" is not an answer that satisfies an auditor.
Let's break down exactly what CC9.2 requires, what evidence you need to collect, and how to get audit-ready without drowning in spreadsheets.
Already know what CC9.2 needs? Statusfield's compliance reports turn continuous vendor monitoring into audit-ready CC9.2 evidence — uptime, incident log, and alert-delivery records. On the Team plan ($99/mo), with a free trial.
What is CC9.2?
CC9.2 is part of the Common Criteria section of the SOC 2 Trust Services Criteria, specifically under Risk Mitigation — the criteria that deal with risks coming from outside your own systems. In summary, the criterion covers:
The entity assesses and manages risks associated with vendors and business partners.
In plain English: you need to prove that you actively monitor the third-party services your business depends on — and that you have a process for detecting and responding when they have problems.
This matters because your vendors' outages are your risk. If Stripe goes down and your billing breaks, or GitHub has an incident and your deployment pipeline fails, your customers feel that. SOC 2 auditors want to see that you treat vendor reliability as part of your own risk posture — not as someone else's problem.
What Auditors Want to See
When an auditor evaluates CC9.2, they increasingly expect evidence of a continuous, systematic monitoring process — not a one-time inventory or a spreadsheet you update quarterly. Continuous monitoring isn't the whole of CC9.2 (due diligence, contracts, and offboarding matter too), but it's the slice auditors probe hardest and the one teams most often can't produce on demand.
Specifically, expect to be asked for:
1. A Vendor Inventory
A documented list of the third-party services that are material to your operations. This typically includes:
- Infrastructure providers (AWS, GCP, Azure)
- Payment processors (Stripe, Braintree)
- Identity providers (Auth0, Okta)
- Communication tools used in operations (Slack, Intercom)
- CI/CD and deployment services (GitHub, Vercel, Heroku)
"Material" means: if this service has an incident, does it affect your ability to serve customers? If yes, it belongs on the list.
2. Evidence of Continuous Monitoring
This is where most teams struggle. Auditors increasingly ask for ongoing, timestamped records that you were watching your vendors — not just a note that says "we monitor these."
Evidence typically includes:
- Uptime percentages over the audit period (usually 6–12 months for SOC 2 Type 2)
- Incident logs with timestamps (when did you detect the issue? when was it resolved?)
- Alert configuration (proof that you have notifications set up, not just manual checking)
- Response records (what action did your team take when a vendor had an incident?)
3. Incident Logs
For every significant vendor incident during the audit period, auditors may ask: When did you know about it? How did you find out? What did you do?
A log entry like "2025-11-14 02:30 UTC — Stripe elevated API errors, payment retries activated, incident resolved 04:15 UTC" is exactly the kind of record that satisfies this question.
4. Alert Configuration Evidence
Screenshots or exports showing that you have active monitoring and alerting in place — not just passive awareness. This proves the monitoring is systematic, not reactive.
The Problem with Manual Monitoring
A lot of teams start their SOC 2 journey with a manual approach:
- Someone bookmarks the status pages of their 15 most important vendors
- There's a Slack channel where people paste links when they notice something is down
- At the end of each quarter, someone exports a few screenshots into a Google Drive folder
The problem isn't effort — it's gaps and provability.
Coverage gaps: Manual monitoring only works when someone is paying attention. If a vendor degrades at 3 AM on a Saturday, your spreadsheet doesn't know that.
Detection lag: Manual checks might happen once a day or once a week. Your auditor wants to see that you detected incidents close to when they happened, not hours later.
Inconsistent records: "We checked the status page" doesn't tell an auditor when you checked, what you saw, or what you did about it. It's not audit-ready evidence.
Scalability: When you're monitoring 20+ vendors across infrastructure, payments, auth, and communications, manual monitoring becomes a part-time job that nobody actually has time for.
For SOC 2 Type 1 (a point-in-time snapshot), you might get away with a well-prepared manual process. For SOC 2 Type 2 — which covers an observation period of 6–12 months — you need a system that produces continuous, timestamped records without human intervention.
How Automated Vendor Monitoring Solves CC9.2
Automated vendor monitoring tools address the gaps in manual processes by continuously polling vendor status sources and creating a durable record of what happened and when.
What this looks like in practice:
Real-time status checks — Instead of someone manually visiting a status page, automated tools check vendor status every few minutes and record the result. If a vendor degrades at 3:17 AM, there's a log entry at 3:17 AM.
Automatic incident detection — When a vendor transitions from "operational" to "degraded" or "outage," the system detects it immediately and can trigger alerts to your team via Slack, email, or webhook.
Timestamped incident history — Every status change is recorded with a timestamp. This creates the audit trail your auditor needs: when the incident started, how long it lasted, when it resolved.
Uptime calculation — Automated systems can calculate vendor uptime percentages over any time period — extremely useful when an auditor asks "what was your primary cloud provider's uptime over the past 12 months?"
Monitoring configuration as evidence — The configuration itself (which vendors you're monitoring, what alert thresholds are set) serves as evidence that a systematic process is in place.
Want the step-by-step setup — vendor inventory, alert configuration, and generating the evidence report? See the companion guide: How to Satisfy SOC 2 CC9.2 with Automated Vendor Monitoring.
What Goes in a Vendor Monitoring Compliance Report
When it's time to pull evidence for your auditor, a well-structured vendor monitoring compliance report typically includes:
Vendor Inventory Summary
- List of monitored vendors
- Classification by criticality or category (infrastructure, payments, auth, etc.)
- Monitoring start date for each vendor
Uptime Statistics
- Uptime percentage per vendor over the audit period
- Total hours monitored
- Total hours of detected incidents
Incident Log
A table or export showing:
- Date and time of incident start
- Affected vendor and service
- Incident severity (partial vs. major outage)
- Time to detection (how quickly your monitoring caught it)
- Time to resolution
- Any notes on team response
Alert Configuration Evidence
- Screenshot or export of your monitoring setup
- Alert channels configured
- Escalation rules (if any)
Monitoring Coverage Statement
A brief summary confirming that monitoring ran continuously throughout the audit period, with any exceptions noted (e.g., a planned maintenance window).
This package gives your auditor exactly what they need to evaluate CC9.2 without a lengthy back-and-forth requesting additional documentation.
"Audit-Ready" vs. "SOC 2 Certified"
This is worth saying clearly, because the language matters.
Statusfield and similar vendor monitoring tools help you collect audit-ready evidence. They do not certify you, guarantee SOC 2 compliance, or replace the role of an auditor.
SOC 2 certification (or more precisely, a SOC 2 attestation report) is issued by a licensed CPA firm after a formal audit process. No software tool can certify you — only an auditor can.
What vendor monitoring tools can do:
- Produce the evidence an auditor evaluates
- Reduce the time you spend gathering and formatting that evidence
- Help you identify gaps in your monitoring before the audit starts
- Demonstrate to your auditor that a systematic process is in place
When describing your compliance posture to customers or prospects, use language like: "We maintain audit-ready evidence for our SOC 2 audit" or "We're actively preparing for SOC 2 Type 2 certification." Avoid claiming to be "SOC 2 certified" or "SOC 2 compliant" before you have an issued attestation report from a licensed auditor.
How Statusfield Helps
Statusfield monitors 2,000+ SaaS and cloud vendors — including AWS, GitHub, Stripe, Cloudflare, and most major infrastructure and SaaS providers — and produces continuous, timestamped status records.
For CC9.2 specifically, Statusfield can help you:
- Build your vendor inventory — Add the services your business depends on and start monitoring immediately
- Generate incident logs automatically — Every status change is recorded with timestamps you can export for your auditor
- Calculate uptime over any date range — Pull uptime stats for your entire audit period in seconds
- Document your monitoring configuration — Your monitoring setup serves as evidence that a systematic process is in place
- Stay ahead of incidents — Real-time alerts mean your team knows about vendor issues as they happen, not hours later
If you're working toward SOC 2, our compliance overview page explains how the platform's audit export features work.
Start building your CC9.2 evidence trail → Compliance reports are on the Team plan ($99/mo), with a free trial. Statusfield monitors 2,000+ vendors out of the box — no manual assembly required.
What Your Auditor Actually Needs: A Quick Summary
Going back to the original question — here's the short version of what satisfies CC9.2:
- A documented vendor inventory — What services are you dependent on?
- Evidence of continuous monitoring — Not just "we have a process," but timestamped records proving the process ran throughout the audit period
- An incident log — Every significant vendor incident, with detection and resolution timestamps
- Alert configuration — Proof that your monitoring is active and automated, not just manual spot-checks
- Uptime data — Availability statistics for your material vendors over the audit period
The teams that sail through this control are the ones who treated vendor monitoring as an ongoing operational practice — not something they scrambled to document two weeks before the audit.
Start logging now. Your future self (and your auditor) will thank you.
Have questions about SOC 2 vendor monitoring? We're happy to talk through your setup — reach out at support@statusfield.com or check out the compliance page for more details on how Statusfield handles audit evidence.
This post is for educational purposes only and does not constitute legal or compliance advice. Consult a qualified auditor for guidance specific to your organization.
Know the moment a tool you depend on goes down
Statusfield watches 2,000+ services your business depends on and alerts you the moment they break.
Free plan · No credit card
Related Articles
How to Satisfy SOC 2 CC9.2 with Automated Vendor Monitoring
A practical step-by-step guide to meeting SOC 2 CC9.2 through automated vendor monitoring — covering vendor inventory, continuous evidence collection, incident documentation, and audit-ready compliance reports.
Is Fly.io Down? How to Check Fly.io Status Right Now
App deployments failing? Machines not starting? Learn how to check if Fly.io is down, what breaks during a Fly.io outage (Machines API, Fly Proxy, Postgres, DNS, deployments), and how to stay ahead of platform incidents.
Is New Relic Down? How to Check New Relic Status Right Now
New Relic not loading dashboards? Agents stopped reporting? Learn how to check if New Relic is down, what breaks (APM, alerts, distributed tracing, logs), and how to get instant alerts when your monitoring goes blind.