SOC 2 CC9.2 · ISO 27001 A.5.22

Vendor Monitoring Evidence for SOC 2 & ISO 27001

Continuous vendor monitoring evidence for CC9.2 and A.5.22, documented and exportable. 2,000+ vendors watched around the clock.

Your auditor asks: “How do you monitor third-party vendors?”

Most teams give one of these answers. Auditors increasingly ask for ongoing monitoring, not point-in-time spreadsheets.

We check their status pages manually

We have a spreadsheet we update monthly

We trust our vendors to tell us when something's wrong

There's a better answer.

Continuous, automated monitoring with evidence you can hand directly to your auditor.

Continuous vendor monitoring with one-click SOC 2 & ISO evidence

Statusfield watches your vendor stack around the clock and generates a documented monitoring trail on demand.

24/7 Monitoring

Status checks every 5–30 minutes across 2,000+ vendors and tens of thousands of individual components — the API, not just the homepage banner. Automated, around the clock, with no manual spot-checks.

Monitoring Evidence

One-click evidence for SOC 2 & ISO requirements — uptime %, incident logs, and monitoring methodology.

Instant Alerts

Email, Slack, Discord, and webhook notifications the moment a vendor goes down.

What's in the report

Every evidence report is structured to answer the questions auditors actually ask.

Vendor Monitoring Report

Q1 2026 — Monitoring Period

Summary

12

Services Monitored

99.7%

Average Uptime

3

Total Incidents

Per-Service Uptime

VendorComponentUptimeIncidents
AWSS3 / us-east-199.9%0
StripePayments API99.6%1
GitHubActions98.8%2

Incident Timeline

Feb 11, 2026StripePayments APIPartial Outage47 min
Mar 6, 2026GitHubActionsMajor Outage2h 11min

Monitoring Methodology

Vendor statuses are polled from official status pages and API health endpoints at 5–30 minute intervals. Incidents are logged with start time, end time, affected components, and severity. Uptime is calculated as the percentage of checks returning operational status over the reporting period. This report is generated automatically by Statusfield and reflects observed status data only.

Export as PDF
Share secure link
SOC 2 Framework

What does CC9.2 actually require?

CC9.2 is the Vendor and Business Partner Management control within the Common Criteria of the SOC 2 framework. It requires organizations to:

  • Identify and assess risks from third-party vendors and business partners
  • Establish monitoring activities to track the performance and availability of critical vendors
  • Maintain documented evidence of ongoing vendor monitoring for auditor review
  • Define processes for responding to vendor service disruptions that affect your own availability commitments

SOC 2 CC9.2 — Vendor & Business Partner Risk

The entity assesses and manages risks associated with vendors and business partners — which, for an availability-focused audit, means knowing your critical vendors, monitoring their performance, and keeping documented evidence that you did.

Summary of SOC 2 CC9.2 (Vendor & Business Partner Management)

How Statusfield maps to CC9.2

CC9.2 Requirement

Identify critical third-party vendors

Statusfield

Build a monitored vendor list from 2,000+ services across infrastructure, payments, communications, and more.

CC9.2 Requirement

Establish ongoing monitoring

Statusfield

Automated status checks run every 5–30 minutes, 24/7, without manual intervention.

CC9.2 Requirement

Document monitoring evidence

Statusfield

Generate a point-in-time monitoring report for any date range with uptime data, incident logs, and methodology.

CC9.2 Requirement

Respond to vendor disruptions

Statusfield

Instant multi-channel alerts ensure your team knows the moment a vendor is affected.

ISO 27001 Framework

The same evidence covers ISO 27001 A.5.22

Annex A 5.22 — Supplier Service Monitoring — requires organizations to regularly monitor, review and manage changes to supplier service delivery. Auditors look for:

  • A supplier inventory covering the services your business depends on
  • Ongoing performance evaluation of supplier service delivery
  • Incident management with records of supplier service disruptions
  • Communication channels that alert your team when a supplier degrades

Your vendor monitoring report doubles as supplier monitoring evidence — select the ISO 27001 framing when you generate it and hand your auditor the same uptime data, incident log, and methodology mapped to A.5.22.

What Statusfield covers, and what it doesn't

Vendor management has several parts. We automate the monitoring evidence; your GRC tool or auditor checklist handles the rest.

Statusfield covers

  • Continuous vendor uptime and incident monitoring
  • Timestamped incident log with severity and duration
  • Proof that your team was alerted for each incident
  • Vendor inventory with business-impact tiering
  • Exportable monitoring reports for your audit period

You still need

  • Collecting your vendors' own SOC 2 reports or certificates
  • Documented review and sign-off of those reports
  • Vendor due diligence before you onboard a new provider
  • Contract and DPA tracking for each vendor
  • Offboarding and access removal when you drop a vendor
  • The rest of your audit (policies, access reviews, etc.)

Already using Vanta or Drata? Statusfield slots in as your continuous monitoring evidence, alongside their document workflows.

Monitoring evidence is available on the Team plan

Continuous monitoring evidence for CC9.2: the part of vendor management nobody does manually.

Team

$99/mo
  • Monitoring evidence reports (PDF + shareable link)
  • 75 component monitors
  • 10 team members
  • Email, Slack, Discord, webhooks
  • Automated checks every 5–30 minutes
  • Component-level monitoring
  • Incident history (1-year retention)

Try Team free for 15 days. Cancel anytime.

Reports unlock after your first 30 days of monitoring history — auditors need history, not a snapshot.

Need monitoring evidence on a different plan? Contact us

Frequently asked questions

How do you monitor third-party vendors for SOC 2?
With continuous, automated monitoring instead of point-in-time spreadsheets. Statusfield checks vendor status pages every 5–30 minutes around the clock, logs every outage with severity and duration, and generates documented monitoring reports you can hand directly to your auditor.
What does SOC 2 CC9.2 actually require?
CC9.2 is the Vendor and Business Partner Management control within the Common Criteria of the SOC 2 framework. It requires organizations to identify and assess risks from third-party vendors and business partners, establish monitoring activities to track their performance and availability, maintain documented evidence of ongoing monitoring for auditor review, and define processes for responding to vendor service disruptions.
What is in a vendor monitoring report?
Per-vendor uptime percentages for your audit period, a timestamped incident log with severity and duration, alert delivery records showing your team was notified, and the monitoring methodology. Reports are exportable as PDF or shareable with auditors via a secure link.
Does the vendor monitoring report work for ISO 27001?
Yes. ISO 27001 Annex A 5.22 (Supplier Service Monitoring) requires organizations to regularly monitor, review and manage changes to supplier service delivery. The same vendor monitoring report — uptime data, incident log, alert records, and methodology — can be generated with ISO 27001 framing mapped to A.5.22.
Does Statusfield replace a compliance platform like Vanta or Drata?
No. Statusfield produces the continuous monitoring evidence for vendor uptime and incidents — one part of vendor management. You still need your vendors’ own SOC 2 reports or certificates, contract and DPA tracking, and the rest of your audit program. Statusfield slots in alongside your compliance platform and document workflows.

Ready to make your next audit easier?

Set up continuous vendor monitoring in minutes. Generate compliance reports whenever your auditor asks.