Your auditor asks: “How do you monitor third-party vendors?”
Most teams give one of these answers. Auditors increasingly ask for ongoing monitoring, not point-in-time spreadsheets.
“We check their status pages manually”
“We have a spreadsheet we update monthly”
“We trust our vendors to tell us when something's wrong”
There's a better answer.
Continuous, automated monitoring with evidence you can hand directly to your auditor.
Continuous vendor monitoring with one-click SOC 2 & ISO evidence
Statusfield watches your vendor stack around the clock and generates a documented monitoring trail on demand.
24/7 Monitoring
Status checks every 5–30 minutes across 2,000+ vendors and tens of thousands of individual components — the API, not just the homepage banner. Automated, around the clock, with no manual spot-checks.
Monitoring Evidence
One-click evidence for SOC 2 & ISO requirements — uptime %, incident logs, and monitoring methodology.
Instant Alerts
Email, Slack, Discord, and webhook notifications the moment a vendor goes down.
What's in the report
Every evidence report is structured to answer the questions auditors actually ask.
Vendor Monitoring Report
Q1 2026 — Monitoring Period
Summary
12
Services Monitored
99.7%
Average Uptime
3
Total Incidents
Per-Service Uptime
| Vendor | Component | Uptime | Incidents |
|---|---|---|---|
| AWS | S3 / us-east-1 | 99.9% | 0 |
| Stripe | Payments API | 99.6% | 1 |
| GitHub | Actions | 98.8% | 2 |
Incident Timeline
Monitoring Methodology
Vendor statuses are polled from official status pages and API health endpoints at 5–30 minute intervals. Incidents are logged with start time, end time, affected components, and severity. Uptime is calculated as the percentage of checks returning operational status over the reporting period. This report is generated automatically by Statusfield and reflects observed status data only.
What does CC9.2 actually require?
CC9.2 is the Vendor and Business Partner Management control within the Common Criteria of the SOC 2 framework. It requires organizations to:
- Identify and assess risks from third-party vendors and business partners
- Establish monitoring activities to track the performance and availability of critical vendors
- Maintain documented evidence of ongoing vendor monitoring for auditor review
- Define processes for responding to vendor service disruptions that affect your own availability commitments
SOC 2 CC9.2 — Vendor & Business Partner Risk
The entity assesses and manages risks associated with vendors and business partners — which, for an availability-focused audit, means knowing your critical vendors, monitoring their performance, and keeping documented evidence that you did.
How Statusfield maps to CC9.2
CC9.2 Requirement
Identify critical third-party vendors
Statusfield
Build a monitored vendor list from 2,000+ services across infrastructure, payments, communications, and more.
CC9.2 Requirement
Establish ongoing monitoring
Statusfield
Automated status checks run every 5–30 minutes, 24/7, without manual intervention.
CC9.2 Requirement
Document monitoring evidence
Statusfield
Generate a point-in-time monitoring report for any date range with uptime data, incident logs, and methodology.
CC9.2 Requirement
Respond to vendor disruptions
Statusfield
Instant multi-channel alerts ensure your team knows the moment a vendor is affected.
The same evidence covers ISO 27001 A.5.22
Annex A 5.22 — Supplier Service Monitoring — requires organizations to regularly monitor, review and manage changes to supplier service delivery. Auditors look for:
- A supplier inventory covering the services your business depends on
- Ongoing performance evaluation of supplier service delivery
- Incident management with records of supplier service disruptions
- Communication channels that alert your team when a supplier degrades
Your vendor monitoring report doubles as supplier monitoring evidence — select the ISO 27001 framing when you generate it and hand your auditor the same uptime data, incident log, and methodology mapped to A.5.22.
What Statusfield covers, and what it doesn't
Vendor management has several parts. We automate the monitoring evidence; your GRC tool or auditor checklist handles the rest.
Statusfield covers
- Continuous vendor uptime and incident monitoring
- Timestamped incident log with severity and duration
- Proof that your team was alerted for each incident
- Vendor inventory with business-impact tiering
- Exportable monitoring reports for your audit period
You still need
- Collecting your vendors' own SOC 2 reports or certificates
- Documented review and sign-off of those reports
- Vendor due diligence before you onboard a new provider
- Contract and DPA tracking for each vendor
- Offboarding and access removal when you drop a vendor
- The rest of your audit (policies, access reviews, etc.)
Already using Vanta or Drata? Statusfield slots in as your continuous monitoring evidence, alongside their document workflows.
Monitoring evidence is available on the Team plan
Continuous monitoring evidence for CC9.2: the part of vendor management nobody does manually.
Team
- Monitoring evidence reports (PDF + shareable link)
- 75 component monitors
- 10 team members
- Email, Slack, Discord, webhooks
- Automated checks every 5–30 minutes
- Component-level monitoring
- Incident history (1-year retention)
Try Team free for 15 days. Cancel anytime.
Reports unlock after your first 30 days of monitoring history — auditors need history, not a snapshot.
Frequently asked questions
- How do you monitor third-party vendors for SOC 2?
- With continuous, automated monitoring instead of point-in-time spreadsheets. Statusfield checks vendor status pages every 5–30 minutes around the clock, logs every outage with severity and duration, and generates documented monitoring reports you can hand directly to your auditor.
- What does SOC 2 CC9.2 actually require?
- CC9.2 is the Vendor and Business Partner Management control within the Common Criteria of the SOC 2 framework. It requires organizations to identify and assess risks from third-party vendors and business partners, establish monitoring activities to track their performance and availability, maintain documented evidence of ongoing monitoring for auditor review, and define processes for responding to vendor service disruptions.
- What is in a vendor monitoring report?
- Per-vendor uptime percentages for your audit period, a timestamped incident log with severity and duration, alert delivery records showing your team was notified, and the monitoring methodology. Reports are exportable as PDF or shareable with auditors via a secure link.
- Does the vendor monitoring report work for ISO 27001?
- Yes. ISO 27001 Annex A 5.22 (Supplier Service Monitoring) requires organizations to regularly monitor, review and manage changes to supplier service delivery. The same vendor monitoring report — uptime data, incident log, alert records, and methodology — can be generated with ISO 27001 framing mapped to A.5.22.
- Does Statusfield replace a compliance platform like Vanta or Drata?
- No. Statusfield produces the continuous monitoring evidence for vendor uptime and incidents — one part of vendor management. You still need your vendors’ own SOC 2 reports or certificates, contract and DPA tracking, and the rest of your audit program. Statusfield slots in alongside your compliance platform and document workflows.