Supplier compliance rates

Compliance found wanting

While most SaaS vendors hold at least one of SOC 2 or ISO 27001, fewer than half (45%) hold both.

Monitoring your vendors' compliance status helps you avoid regulatory penalties by ensuring that suppliers do not undermine your own security, data-privacy or procedural frameworks and safeguards. For some businesses it is also a precondition for working with their own customers, who will ask for evidence of the supply chain's controls. Note the difference between the two: ISO 27001 is a certification issued against a defined scope, whereas SOC 2 is an auditor's attestation report (Type I or Type II), so checking a vendor means checking the scope, the covered Trust Services Criteria and the report date, not just whether a document exists.

Given how many SaaS vendors lack one of the two most commonly requested certifications, it pays to place your compliance-approval step as early in the request workflow as possible, ideally at the intake stage itself, so that a vendor that cannot meet your requirements is identified before time is spent negotiating with it.

Categories such as CRM, project management, customer service, monitoring and analytics all process large volumes of customer data, so it is no surprise that 100% of the vendors Vertice has worked with in these categories over the last 12 months hold SOC 2. Yet many of these same vendors make themselves harder to work with, and for some buyers impossible, because they lack the broader IT security certification of ISO 27001.

Granted, many of these vendors target businesses below enterprise level and may not consider ISO 27001 essential, and for many procurement teams it is not a requirement today. Procurement then has to ask whether the company's growth plans will make ISO 27001 a requirement later, and whether that point falls within the term of the contract being signed.

Last updated
Sep 2025
