Overview
Vendor SLA Management is the process of defining, tracking, and reviewing service level agreements with third-party vendors to ensure they meet availability, performance, and support commitments. This process supports SOC 2 CC9.2 by reducing operational risk from vendor service failures through regular monitoring and documented follow-up.
Step-by-Step Process
Identify in-scope vendors
The Engineering Lead reviews the vendor inventory to identify vendors with SLAs that impact system availability, security, or support. Vendors providing infrastructure, hosting, monitoring, or critical integrations must be included. The output is an updated list of in-scope vendors for the quarter.
Role: Engineering Lead
Collect current SLA documents
The Engineering Lead or delegate gathers the most recent signed SLA or contract addendum for each in-scope vendor. Documents are verified to ensure they include measurable service levels such as uptime, response time, and remediation timelines. The output is a centralized folder containing current SLA documents.
Role: Engineering Lead
Define SLA metrics to monitor
For each vendor, the Engineering Lead documents the specific SLA metrics to be tracked, such as monthly uptime percentage or support response time. Metrics are aligned with what is contractually committed in the SLA. The output is a standardized SLA metrics register.
Role: Engineering Lead
Review vendor performance data
On a quarterly basis, the Engineering Lead reviews vendor-provided reports, dashboards, or invoices to assess actual performance against SLA metrics. Any missed SLAs or anomalies are noted. The output is a completed quarterly SLA performance review.
Role: Engineering Lead
Document SLA breaches
If a vendor fails to meet an SLA, the Engineering Lead documents the breach, including date, metric missed, and business impact. Supporting evidence such as reports or tickets is attached. The output is a logged SLA breach record.
Role: Engineering Lead
Initiate remediation or escalation
For documented breaches, the Engineering Lead contacts the vendor to request remediation, credits, or corrective actions per the contract. Actions taken and vendor responses are recorded. The output is a remediation or escalation record linked to the breach.
Role: Engineering Lead
Approve and retain quarterly review
The Engineering Lead signs off on the quarterly SLA review and ensures all records are stored in the compliance repository. Retention is verified to meet audit and policy requirements. The output is an approved and archived quarterly SLA review package.
Role: Engineering Lead
What You Need Before Starting
- Vendor inventory with service criticality
- Signed vendor SLAs or contract addendums
- Access to vendor performance reports or dashboards
- Central document repository (e.g., shared drive or GRC folder)
Evidence Your Auditor Expects
- Quarterly SLA review document dated and approved by the Engineering Lead
- Signed vendor SLA PDF files with effective dates
- Screenshots of vendor uptime or performance dashboards with visible timestamps
- SLA breach log showing date identified, metric missed, and resolution status
How This Looks In Your Tools
Spreadsheet
Create a master SLA tracker in Excel or Google Sheets with tabs for Vendors, SLA Metrics, and Quarterly Reviews. Use columns for Vendor Name, SLA Metric, Target, Actual Performance, Review Quarter, and Status.
During each quarter, update the ‘Actual Performance’ and ‘Status’ columns using data from vendor reports. Save the file with a filename that includes the quarter (e.g., “Vendor_SLA_Review_Q2_2026.xlsx”) and store it in the compliance folder.
Jira
In Jira, go to Projects > Create Project and create a project named “Vendor Management” if one does not exist. Create an issue type called “SLA Review” and add custom fields for Vendor Name, SLA Metric, Target, and Actual Performance.
Each quarter, create one SLA Review issue per vendor and attach performance reports using the Attachments section. If an SLA breach occurs, create a linked issue of type “Incident” or “Task” to track remediation, and update the SLA Review issue status to “Breach Identified.”
ServiceNow
Navigate to Vendor Management > Vendors and confirm all in-scope vendors are listed with active contracts. Open each vendor record and review the Contract > SLA Definitions section to confirm SLA metrics are documented.
Go to Performance Analytics or Reports > View / Run to pull quarterly performance data. Log SLA breaches by creating a record under Vendor > Issues or by opening an Incident linked to the vendor record, and attach supporting evidence before closing the quarterly review.
Common Audit Findings
- SLA reviews not performed quarterly
- This occurs when reviews are done ad hoc or skipped due to resource constraints. Prevent this by scheduling recurring quarterly calendar reminders and assigning a single accountable owner.
- Missing or outdated SLA documents
- Auditors often find unsigned or expired SLAs because renewals are not tracked. Maintain a central repository and review SLA effective dates during each quarterly cycle.
- No evidence of performance evaluation
- Organizations sometimes rely on verbal assurances from vendors. Always retain dated reports or screenshots showing actual performance against SLA targets.
- Untracked SLA breaches
- SLA failures may be known operationally but not formally logged. Require written breach records and link them to remediation actions to demonstrate control effectiveness.