VENDOR RISK MANAGEMENT IN CLOUD-CENTRIC ARCHITECTURES: A SYSTEMATIC REVIEW OF SOC 2, FEDRAMP, AND ISO 27001 PRACTICES

Authors

  • Md Omar Faruq, Master of Science in Cybersecurity Operations, Webster University, Missouri, USA

DOI:

https://doi.org/10.63125/j64vb122

Keywords:

Vendor Risk Management, Cloud Computing, SOC 2, FedRAMP, ISO/IEC 27001, Continuous Monitoring, Governance, Assurance Portability

Abstract

This systematic review synthesizes evidence on vendor risk management (VRM) in cloud-centric architectures with explicit attention to three anchor frameworks—SOC 2, FedRAMP, and ISO/IEC 27001—and their combined effects on organizational governance and operational performance. Following PRISMA 2020 procedures, we searched multidisciplinary databases and targeted repositories (2000–2024), identifying 1,344 records, screening 1,086 after de-duplication, and including 149 studies in the final corpus. Across these studies, four results recur. First, layered adoption—pairing a risk-based management system (ISO/IEC 27001) with market-credible attestation (SOC 2 Type II) and, where applicable, regulatory authorization (FedRAMP)—is consistently associated with shorter third-party onboarding cycles, fewer and less persistent audit exceptions, and clearer control ownership. Second, lifecycle governance practices—continuous monitoring cadences, time-bound remediation plans, and routine executive review—correlate with improved control effectiveness, reduced configuration drift and privilege creep, and faster incident containment. Third, evidence portability—cross-mapping control catalogs and curating reusable proof sets—yields procurement efficiencies, lowers audit fatigue, and enables a single corrective action to close findings across multiple regimes. Fourth, outcomes depend on organizational embedding: executive sponsorship, board-level key risk indicators, and cross-functional workflows (security–legal–procurement–audit) translate formal standards into day-to-day reliability. The evidence base, however, exhibits geographic concentration in OECD contexts and limited longitudinal designs, qualifying generalizability and underscoring the importance of context when interpreting effect sizes. 
Overall, the review portrays VRM not as a discrete compliance task but as an integrated system of communication and control in which portfolio alignment of frameworks, portability of assurance evidence, lifecycle cadence, and organizational integration jointly account for reliable gains in audit predictability, onboarding efficiency, and operational resilience across distributed cloud supply chains.

Published

2024-03-30

How to Cite

Md Omar Faruq. (2024). VENDOR RISK MANAGEMENT IN CLOUD-CENTRIC ARCHITECTURES: A SYSTEMATIC REVIEW OF SOC 2, FEDRAMP, AND ISO 27001 PRACTICES. International Journal of Business and Economics Insights, 4(1), 01-32. https://doi.org/10.63125/j64vb122