Complete the remaining evidence requirements to be audit-ready
Overview
Our Vanta Velocity model will focus on the following key controls from Vanta’s standard list. While it’s best practice to implement all of these controls, for the purposes of this audit, we’ve highlighted the specific ones that are most relevant.
Once you’ve completed your initial setup in Vanta—integrating your systems, generating and uploading your policies, and completing the risk assessment and vendor risk activities—you’ll be ready to move on to the remaining audit checklist and evidence collection.
Please ensure that all systems involved in the audit have been properly integrated with Vanta, as missing integrations may result in incomplete evidence.
For example, if you’re using both Amazon Web Services (AWS) and Google Cloud Platform (GCP) for your infrastructure but have only integrated AWS, the audit will only reflect AWS-related evidence. To capture evidence from GCP, both systems need to be integrated.
Sample Requirements
Type 1: If you are working to a Type 1 audit, you can provide any one example of the control, a schedule, or a template if a live example has not been performed yet.
Type 2: If you are conducting a Type 2 audit, AssuranceLab will provide you with the sample selections from the populations in Vanta. For each of the selected samples, provide the evidence listed in the table below.
Event-driven populations, such as personnel and vulnerabilities, will be available for us to sample based on what is already configured and populated within Vanta, so we can select those ourselves as the auditors without having to request them from you. For incidents, however, we will manually request a full population of incidents through the related evidence item within Vanta.
The time-based populations will be dependent on the frequency of those related controls, and the length of the audit period.
- Audit period of 12 months:
  - Annually - evidence of the control being performed within the last 12 months.
  - Bi-annually - evidence of the control being performed within the last 6 months.
  - Quarterly - evidence of the control being performed over 2 quarters (sample selected by the auditor).

For audit periods shorter than 12 months, this will be scaled back accordingly.

- Audit period of 3 or 6 months:
  - Annually - evidence of the control being performed within the last 12 months.
  - Bi-annually - evidence of the control being performed within the last 6 months.
  - Quarterly - evidence of the control being performed over 1 quarter (sample selected by the auditor).
Audit checklist
The key focus items for the audit are described in the table below, per Vanta control. The requirement columns explain the expected audit evidence. You can click the control title to read more, including the minimum expectations, better practices, and further explanation of each compliance control.
| Title | Vanta Ref | Evidence requirements for Type 1 | Evidence requirements for Type 2 |
|---|---|---|---|
| | PRM-1 | Link to your public-facing terms of service or a contract template (MSA) used to establish agreements with customers and users. | Same evidence required as Type 1. |
| External Support Resources Available | PRM-2 | Guidelines and technical support resources are available to customers. | Same evidence required as Type 1. |
| Incident Response | IRO-1 | Incident Response Plan test completed annually; if you have not performed a test to date, a screenshot of a calendar event for a scheduled date to conduct testing. | Evidence of the completed test, with dates to confirm when it was completed, who was involved, and any lessons learned. |
| Incident Response Policies Established | IRO-2 | Evidence of the documented Incident Response Plan that clearly outlines potential events, pre-planned response steps, and communication requirements. | Same evidence required as Type 1. |
| Incident Management Procedures Followed | IRO-3 | Evidence of a single sample incident's remediation actions, i.e. logging, classification, resolution and lessons learned. | Population of incidents that occurred during the observation period; sampled incidents will be selected for further evidence. |
| Penetration Testing | IAO-2 | Penetration test report performed within the last 12 months, or a confirmation of engagement letter from a third-party tester. | The latest penetration test performed by an independent third party within the last 12 months. |
| Background Checks Performed | HRS-1 | If background checks have been completed to date, provide 1 sample certificate (redact sensitive information if you prefer). If background checks have not been completed to date, ensure a relevant policy outlines your intention to conduct them for future new hires, or integrate a background check provider in Vanta. | The completed background check certificates conducted for the Sampled New Hires. |
| Code of Conduct Acknowledged by Employees and Enforced | HRS-3 | A sample employee compliant with policy acknowledgement, specifically the Code of Conduct. | Evidence of the signed Code of Conduct for the Sampled Employees. |
| Confidentiality Agreement Acknowledged by Employees | HRS-5 | A sample NDA or employee contract inclusive of a non-disclosure clause. | Evidence of the signed agreements for the Sampled New Employees. |
| Performance Evaluations Conducted | HRS-6 | A completed performance evaluation; if not yet conducted, a template you intend to use. Ensure a relevant policy also states the frequency at which you intend to complete the reviews. | The completed performance evaluation evidence for the Sampled Employees. |
| Risk Assessment Objectives Specified | RSK-1 | Risk Management Policy or Risk Assessment Framework that defines the risk assessment objectives to support the risk assessment process. | Same evidence required as Type 1. |
| Risk Assessment Performed | RSK-2 | A risk assessment performed within the last 12 months, inclusive of risk mitigation actions. If conducted in Vanta, ensure the auditor view is enabled. | Same evidence required as Type 1, performed within the last 12 months. |
| Risk Management Program Established | RSK-3 | Risk Management Policy. | Same evidence required as Type 1. |
| Continuity and Disaster Recovery Plans Established | BCD-1 | Continuity and Disaster Recovery Plan(s). | Same evidence required as Type 1. |
| Continuity and Disaster Recovery Plans Tested | BCD-2 | Continuity and disaster recovery test completed annually; if not completed to date, a confirmed calendar event. | Evidence of documented tests conducted and results for the business continuity and disaster recovery review exercises, performed within the last 12 months. |
| Cybersecurity Insurance Maintained | BCD-3 | Active certificate of currency or cyber insurance policy details. | Same evidence required as Type 1. |
| Board of Directors/Executive Management Charter | GOV-2 | Evidence to confirm who maintains information security oversight, for example a Board Charter or Information Security Policy. | Same evidence required as Type 1. |
| Board of Directors/Executive Management Meeting | GOV-4 | Minutes from the most recent meeting, or if not yet performed, the scheduled calendar event and meeting agenda. | Same evidence required as Type 1. |
| Backup Processes Established | GOV-5 | Operations Security Policy. | Same evidence required as Type 1. |
| Management Roles and Responsibilities Defined | GOV-7 | Information Security Policy, with outlined roles and responsibilities for management. | Same evidence required as Type 1. |
| Organisational Structure Documented | GOV-8 | Screenshot of a current organisation chart with roles and reporting lines. | Same evidence required as Type 1. |
| Roles and Responsibilities Specified | GOV-10 | Information Security Policy, with outlined roles and responsibilities for information security. | Same evidence required as Type 1. |
| Security Policies Established and Reviewed | GOV-11 | Set of Information Security Policies in scope are reviewed, approved and accepted by employees annually. | Same evidence required as Type 1, with the review having been previously completed. |
| Support System Available | GOV-12 | Screenshot evidence or links to client support channels, knowledge base, or user guides. | Same evidence required as Type 1. |
| Control Self-Assessments Conducted | IAO-1 | Passing test: Company uses Vanta for continuous security monitoring. | Same evidence required as Type 1. |
| Configuration Management System Established | CFG-1 | If CI/CD is in use, provide screenshot evidence showing automated testing as well as approval flows within the pipeline. If you are doing manual testing and approvals, provide evidence of one change release ticket being completed, including testing and approvals. | Same evidence required as Type 1; if manual testing and approval are in place, sample evidence is required for Type 2. |
| Production Application Access Restricted | IAC-1 | Evidence of the user access roles for any services that access production. | Same evidence required as Type 1. |
| Access Control Procedures Established | IAC-2 | Access Control Policy. | Same evidence required as Type 1. |
| Access Reviews Conducted | IAC-7 | Documentation of an annual access review; if not completed to date, a template you intend to use. | The latest access control review that confirms user access to critical systems is appropriate, or has been modified accordingly. |
| Access Revoked Upon Termination | IAC-8 | Evidence to confirm a formal process is followed and documented to revoke terminated employees' user access in accordance with your policy timelines. A termination checklist template or a process outlined in a policy is accepted for Type 1. | The completed termination checklists or other evidence of access removal for the Sampled Terminated Employees. |
| Access Requests Required | IAC-9 | Evidence to confirm a formal process is in place to grant/approve new user access, for example an onboarding checklist or ticket system. | The completed onboarding checklist or access approval for the Sampled New Joiners. |
| Password Policy Enforced | IAC-11 | Access Control Policy, or Password Policy. | Same evidence required as Type 1. |
| Remote Access MFA Enabled | IAC-12 | Evidence of the configuration of MFA across critical services (such as infrastructure and the version control system). | Same evidence required as Type 1. |
| Service Infrastructure Maintained | VPM-1 | Evidence to confirm a third-party vulnerability scanning tool is utilised, and confirmation of the frequency at which scanning is configured to run. | Same evidence required as Type 1, for the Sampled Vulnerabilities. |
| Vulnerabilities Scanned and Remediated | VPM-2 | Manual evidence of a recent vulnerability being logged and tracked through to resolution, typically in the form of a ticket. | Samples will be selected from the population of critical and high-risk vulnerabilities identified during the observation period to confirm that remediation timeframes were adhered to. |
| Security Awareness Training | SAT-1 | Evidence of confirmed security training undertaken by current employees. | Completed security training either through Vanta, or manually uploaded evidence of completion for the Sampled Employees. |
| MDM System Utilised | MDM-1 | MDM system or Vanta Agent connected in Vanta. Alternatively, provide a screenshot to confirm current employees have hard-disk encryption enabled. | All current personnel have an MDM system or Vanta Agent installed, or hard-disk encryption enabled. |
| Intrusion Detection System Utilised | MON-1 | Intrusion detection system configuration. | Same evidence required as Type 1. |
| Log Management Utilised | MON-2 | Screenshot evidence of the logging system used and logs being stored. | Same evidence required as Type 1. |
| Infrastructure Performance Monitored | MON-4 | Evidence of the infrastructure logging system used, and logs being stored. | Same evidence required as Type 1. |
| Data Transmission Encrypted | NET-1 | Evidence of encryption-in-transit configuration. | Same evidence required as Type 1. |
| Network Firewalls Reviewed | NET-3 | Evidence of firewall settings reviewed at least annually. | Same evidence required as Type 1. |
| Network Firewalls Utilised | NET-4 | Evidence of firewall settings configured and reviewed at least annually, or the review template you intend to use. | Same evidence required as Type 1. |
| Vulnerability and System Monitoring Procedures Established | OPS-1 | Vulnerability Management Policy, or Operations Security Policy. | Same evidence required as Type 1. |
| Asset Disposal Procedures Utilised | AST-1 | Data Management Policy, or Asset Management Policy. | Same evidence required as Type 1. |
| Data Retention Procedures Established | AST-2 | Data Management Policy, or Asset Management Policy. | Same evidence required as Type 1. |
| Production Inventory Maintained | AST-3 | Asset register, either tracked through Vanta or as manual evidence, inclusive of devices at a minimum. | Same evidence required as Type 1. |
| Change Management Procedures Enforced | CHG-1 | Evidence of CI/CD configuration for change management procedures, or evidence of configuration to show independent review and testing of changes by someone other than the person who made the code change. | Same evidence required as Type 1. |
| Production Deployment Access Restricted | CHG-2 | Version control system connected in Vanta. | Same evidence required as Type 1. |
| Development Lifecycle Established | CHG-3 | Operations Security Policy. | Same evidence required as Type 1. |
| Encryption Key Access Restricted | CRY-2 | Cryptography or Encryption Policy. | Same evidence required as Type 1. |
| Data Encryption Utilised | CRY-4 | Configuration to show data is encrypted at rest. | Same evidence required as Type 1. |
| Unique Account Authentication Enforced | CRY-5 | User access accounts are individually and uniquely assigned for all critical systems. | Same evidence required as Type 1. |
| Data Classification Policy Established | DCH-5 | Data Management Policy. | Same evidence required as Type 1. |
| Anti-Malware Technology Utilised | END-1 | Anti-virus is installed and configured for a sample employee. | Anti-virus is installed and configured for all current personnel. |
| Third-Party Agreements Established | TPM-1 | Link to the public-facing cloud provider service agreement. For example. | Same evidence required as Type 1. |
| Vendor Management Program Established | TPM-2 | Third-Party Management Policy. | Same evidence required as Type 1. |
| Vendor Register | TPM-2 | Vendor register inclusive of critical systems, monitored in Vanta; alternatively, upload a manual register. | Same evidence required as Type 1. |
| Availability Trust Service Criteria | | | |
| Production Multi-Availability Zones Established | BCD-6 | Screenshot evidence to confirm multiple availability zones are configured within the infrastructure. | Same evidence required as Type 1. |
| System Capacity Reviewed | CAP-1 | Screenshot evidence to confirm auto-scaling configuration is enabled within the infrastructure, or evidence showing that manual reviews of capacity are performed on a frequent basis. | Same evidence required as Type 1. |
Added Processing Integrity or Privacy to your audit scope? Contact us for guidance on the additional scope areas.