[REVIEW] soc2-gap: add critical vendor concentration and exit evidence gates

[malb200710-dev]

Review target

skills/compliance/soc2-gap

Gap

The SOC 2 gap skill covers vendor inventory and SOC report collection under CC9.2, but it does not require evidence for vendor concentration risk, exit readiness, portability tests, or subservice dependency monitoring for critical vendors.

Why this matters

For SOC 2 readiness, third-party risk is not only about collecting annual SOC reports. A critical vendor can create audit and operational risk when:

• multiple in-scope services depend on the same provider or region;
• customer commitments rely on a sole-source vendor;
• customer data cannot be exported or restored elsewhere;
• termination/deletion procedures are not tested;
• subservice organizations change without review;
• there is no owner, cadence, or risk acceptance for unresolved concentration risk.

Proposed evidence gates

Add CC9.2 evidence for:

• critical vendor tiering;
• concentration analysis;
• exit plan and fallback procedure;
• portability/export/restore test evidence;
• subservice dependency review;
• owner, review frequency, trigger events, and risk acceptance.

Also add a Critical Vendor Exit Matrix deliverable to the SOC 2 output.

Bounty request

Reviewer tier ($25) if this review is accepted. I can provide payment details if accepted.

[malb200710-dev]

Implemented this review as PR #2240: #2240

Scope: CC9.2 critical vendor tiering, concentration analysis, exit planning, portability tests, subservice dependencies, owner/review cadence, and risk acceptance evidence.

[JamesJi79]

/attempt #2239

I will submit a VALID GAP analysis for this review.

[JamesJi79]

VALID GAP - critical vendor concentration and exit evidence for SOC 2 gap

Why Valid (FP confirmed)

The SOC 2 gap skill correctly covers vendor inventory and SOC report collection under CC9.2, and collects standard TPRM artifacts. However, CC9.2 (Use of Third Parties) in the 2017 TSC requires the organization to evaluate the risks of third-party dependencies, including concentration risk and termination procedures. The current skill stops at annual SOC report collection - it does not verify whether the organization has assessed that multiple in-scope services depend on the same critical vendor, whether an exit plan exists, whether portability has been tested, or whether subservice dependencies are monitored for change. An auditor reviewing CC9.2 in depth would identify these gaps as missing evidence, making the current skill's output incomplete for a formal SOC 2 readiness assessment. The FP confirms the skill correctly identifies vendor inventory but lacks the depth required for a thorough CC9.2 evaluation.

Coverage Gaps

Gap 1 - Critical vendor tiering with concentration analysis - The skill collects a flat vendor inventory but does not tier vendors by criticality (tier-1: sole-source for in-scope service; tier-2: single-region concentration; tier-3: standard). Without tiering, concentration risk remains invisible - three tier-1 vendors in the same cloud provider never trigger a flag. Need gate: Require a vendor tiering matrix with concentration analysis showing which in-scope services depend on each tier-1 vendor and which tier-1 vendors share a single geographic region or upstream provider.

Gap 2 - Exit readiness and portability test evidence - The skill does not require exit plans, fallback procedures, or portability tests for critical vendors. If a tier-1 vendor becomes unavailable (bankruptcy, acquisition, sanction), the organization may have no documented exit path, no data export procedure, and no tested restore from backup. An auditor would flag this as a CC9.2 deficiency. Need gate: For each tier-1 vendor, require an exit readiness package (exit plan + data export script/method + restore test evidence with date and result).

Gap 3 - Subservice dependency change monitoring - Critical vendors often use subservice organizations (e.g., AWS as a subservice of a SaaS ISV) that can change without the customer's knowledge. The current skill has no mechanism to detect subservice changes or trigger a re-assessment. Need gate: Require a subservice dependency map and an annual review cadence that cross-references the subservice SOC reports (type II) with the current subservice list, flagging any mismatch.

Suggested Gates

1. COMP-SOC2-01: Vendor tiering matrix with concentration heatmap - The skill must output a vendor tiering matrix that classifies each vendor as tier-1/2/3 and overlays a concentration heatmap identifying vendors sharing geography, upstream, or in-scope service dependency. Evidence: tiering matrix with >=1 concentration cluster identified and risk-accepted or mitigated.

2. COMP-SOC2-02: Tier-1 exit readiness package - For each tier-1 vendor, the skill must produce an exit readiness package containing: exit plan, automated data export method, restore test evidence. Evidence: exit readiness package for >=1 tier-1 vendor with documented restore test result and date.

3. COMP-SOC2-03: Subservice dependency change review - The skill must produce a subservice dependency map and compare it against the most recent subservice SOC report (type II), flagging any subservice that appears in the report but not the map, or vice versa. Evidence: subservice dependency review output showing <=30-day stale cross-reference.