Subservice Organization Controls Management

Author: Alina Archibald, CISA, CITP, CPA, and Josh Ditto, CC, CISSP
Date Published: 13 September 2023
Related: Subservice Organization Management—IT Controls for Peace of Mind

Finding the right vendor is complicated enough, but finding the right subservice organization that has a framework of proper controls in place in alignment with your own is even harder. However, you can make this process easier for your organization by selecting a standard set of controls that align with your goals. Once selected, these controls can become the gold standard that you use to evaluate subservice organizations.

Subservice organizations are vendors whose controls and health of operations ultimately affect your operations as well. Subservice organizations are often confused with the term vendor; however, not all vendors are subservice organizations.

There are many ways an organization can gain assurance of its subservice organizations’ controls, such as requesting system and organization controls (SOC) 2 reports or International Organization for Standardization (ISO) certifications. An SOC 2 report is a report and not a certification; therefore, it is important to read and analyze the SOC 2 report received and determine if any follow-up or additional clarity is needed with the subservice organization. However, these reports and certifications are costly, and not every organization can afford such services.

When SOC 2 reports and ISO certifications are unattainable, an organization can still obtain some level of assurance by creating its own custom controls questionnaire and having its subservice organization complete it and certify its accuracy.

In addition, it is important to understand the benchmark of minimum controls and how it should be derived. For instance, a risk assessment is the parent of the minimum controls framework; however, not every organization has performed one. When an organization does not have a risk assessment, it should still consider the basic controls for its operations and for its subservice operations to protect its clients.

What are these controls? Some necessary controls are physical and logical security, access controls, bring your own device policies, change management policies, network assessment and vulnerability scanning, workforce-related controls, hiring policies, acceptable use policies, information-sharing policies, cyberawareness training, audit policies, business continuity and disaster recovery plans, backup policies, incident response protocols, system availability criteria and data loss prevention policies.

Editor’s note: For further insights on this topic, read Alina Archibald and Josh Ditto’s recent Journal article, “Subservice Organization Management—IT Controls for Peace of Mind,” ISACA Journal, volume 4, 2023.
