Control Evidence Requirements for Vanta

Complete the remaining evidence requirements to be audit-ready

Overview

Our Vanta Velocity model will focus on the following key controls from Vanta’s standard list. While it’s best practice to implement all of these controls, for the purposes of this audit, we’ve highlighted the specific ones that are most relevant.

Once you’ve completed your initial setup in Vanta—integrating your systems, generating and uploading your policies, and completing the risk assessment and vendor risk activities—you’ll be ready to move on to the remaining audit checklist and evidence collection.

Please ensure that all systems involved in the audit have been properly integrated with Vanta, as missing integrations may result in incomplete evidence.

For example, if you’re using both Amazon Web Services (AWS) and Google Cloud Platform (GCP) for your infrastructure but have only integrated AWS, the audit will only reflect AWS-related evidence. To capture evidence from GCP, both systems need to be integrated.

Sample Requirements

Type 1: If you are working to a Type 1 audit, you can provide any one example of the control, a schedule, or a template if a live example has not been performed yet.

Type 2: If you are conducting a Type 2 audit, AssuranceLab will provide you the sample selections from the populations in Vanta. For each of the selected samples, provide the evidence listed below in the table.

Event-driven populations, such as personnel and vulnerabilities, are available for us to sample based on what is already configured and populated within Vanta, so as the auditors we can obtain those ourselves without having to request them from you. For incidents, however, we will manually request a full population of incidents through the related evidence item within Vanta.

The time-based populations will be dependent on the frequency of those related controls, and the length of the audit period.

  • Audit period of 12 months:
    • Annually - evidence of the control being performed within the last 12 months.
    • Bi-annually - evidence of the control being performed within the last 6 months.
    • Quarterly - evidence of the control being performed over 2 quarters (sample selected by the auditor).

For audit periods shorter than 12 months, this will be scaled back accordingly.

  • Audit period of 3 or 6 months:
    • Annually - evidence of the control being performed within the last 12 months.
    • Bi-annually - evidence of the control being performed within the last 6 months.
    • Quarterly - evidence of the control being performed over 1 quarter (sample selected by the auditor).

Audit checklist

The key focus items for the audit are described in the table below per Vanta control. The requirement column explains the expected audit evidence. You can click the control title to read more including the minimum expectations, better practices, and further explanation of each compliance control. 

Each control is listed with its title and Vanta reference, followed by the evidence requirements for Type 1 and for Type 2.

Commitments Externally Communicated (PRM-1)
  • Type 1: Link to your public-facing terms of service or a contract template (MSA) used to establish agreements with customers and users.
  • Type 2: Same evidence required as Type 1.

External Support Resources Available (PRM-2)
  • Type 1: Guidelines and technical support resources available to customers, for example a Contact Us/FAQ/Knowledge page or an example onboarding email.
  • Type 2: Same evidence required as Type 1.

Incident Response Plan Tested (IRO-1)
  • Type 1: Incident Response Plan test completed annually; if you have not performed a test to date, ensure testing requirements are outlined in your policy.
  • Type 2: Evidence of the completed test, with dates to confirm when it was completed, who was involved, and any lessons learned.

Incident Response Policies Established (IRO-2)
  • Type 1: Evidence of the documented Incident Response Plan that clearly outlines potential events, pre-planned response steps and communication requirements, as well as root-cause analysis requirements to prevent reoccurrence.
  • Type 2: Same evidence required as Type 1.

Incident Management Procedures Followed (IRO-3)
  • Type 1: Evidence of the remediation actions for a single sample incident, i.e. logging, classification, resolution and lessons learned.
  • Type 2: Population of incidents that occurred during the observation period. Sampled incidents will be selected for further evidence.

Penetration Testing (IAO-2)
  • Type 1: Penetration test report performed within the last 12 months, or a confirmation of engagement letter from a third-party tester.
  • Type 2: The latest penetration test performed by an independent third party within the last 12 months.

Background Checks Performed (HRS-1)
  • Type 1: If background checks have been completed to date, provide 1 sample certificate; please redact sensitive information if you would prefer. If background checks have not been completed to date, ensure a relevant policy outlines your intention to conduct them for future new hires, or integrate a background check provider in Vanta.
  • Type 2: The completed background check certificates conducted for the Sampled New Hires.

Code of Conduct Acknowledged by Employees and Enforced (HRS-3)
  • Type 1: A sample employee compliant with policy acknowledgement, specifically the Code of Conduct.
  • Type 2: Evidence of the signed Code of Conduct for the Sampled Employees.

Confidentiality Agreement Acknowledged by Employees (HRS-5)
  • Type 1: A sample NDA or employee contract inclusive of a non-disclosure clause.
  • Type 2: Evidence of the signed agreements for the Sampled New Employees.

Performance Evaluations Conducted (HRS-6)
  • Type 1: A completed performance evaluation or, if not yet conducted, the template you intend to use. Ensure a relevant policy also states the frequency at which you intend to complete the reviews.
  • Type 2: The completed performance evaluation evidence for the Sampled Employees.

Risk Assessment Performed (RSK-2)
  • Type 1: A Risk Assessment performed within the last 12 months, inclusive of risk mitigation actions. If conducted in Vanta, ensure the auditor view is enabled.
  • Type 2: Same evidence required as Type 1, performed within the last 12 months.

Risk Management Program Established (RSK-3)
  • Type 1: Risk Management Policy.
  • Type 2: Same evidence required as Type 1.

Continuity and Disaster Recovery Plans Established (BCD-1)
  • Type 1: Continuity and Disaster Recovery Plan(s).
  • Type 2: Same evidence required as Type 1.

Continuity and Disaster Recovery Plans Tested (BCD-2)
  • Type 1: Continuity and disaster recovery test completed annually; if not completed to date, ensure testing requirements are outlined in the policy.
  • Type 2: Evidence of documented tests conducted and results for the business continuity and disaster recovery review exercises, performed within the last 12 months.

Cybersecurity Insurance Maintained (BCD-3)
  • Type 1: Active certificate of currency or cyber insurance policy details.
  • Type 2: Same evidence required as Type 1.

Board of Directors/Executive Management Charter (GOV-2)
  • Type 1: Evidence to confirm who maintains information security oversight, for example a Board Charter or Information Security Policy.
  • Type 2: Same evidence required as Type 1.

Board of Directors/Executive Management Meeting (GOV-4)
  • Type 1: Minutes from the most recent meeting or, if not yet performed, the meeting agenda template and scheduled date.
  • Type 2: Same evidence required as Type 1.

Backup Processes Established (GOV-5)
  • Type 1: Operations Security Policy.
  • Type 2: Same evidence required as Type 1.

Management Roles and Responsibilities Defined (GOV-7)
  • Type 1: Information Security Policy, with outlined roles and responsibilities for management.
  • Type 2: Same evidence required as Type 1.

Organisational Structure Documented (GOV-8)
  • Type 1: Screenshot of a current organisation chart with roles and reporting lines.
  • Type 2: Same evidence required as Type 1.

Roles and Responsibilities Specified (GOV-10)
  • Type 1: Information Security Policy, with outlined roles and responsibilities for information security.
  • Type 2: Same evidence required as Type 1.

Security Policies Established and Reviewed (GOV-11)
  • Type 1: The set of Information Security Policies in scope is reviewed, approved and accepted by employees annually. Enable Policy Acceptance in the Personnel Checklist section in Vanta (this enables the tracking of policy acknowledgements).
  • Type 2: Same evidence required as Type 1, with the review having been previously completed.

Control Self-Assessments Conducted (IAO-1)
  • Type 1: Passing test: Company uses Vanta for continuous security monitoring.
  • Type 2: Same evidence required as Type 1.

Configuration Management System Established (CFG-1)
  • Type 1: If CI/CD is in use, provide screenshot evidence showing automated testing as well as approval flows within the pipeline. If you are doing manual testing and approvals, please provide evidence of one change release ticket being completed, including testing and approvals.
  • Type 2: Same evidence required as Type 1; if manual testing and approval are in place, sample evidence is required for Type 2.

Access Control Procedures Established (IAC-2)
  • Type 1: Access Control Policy.
  • Type 2: Same evidence requirement as Type 1.

Access Reviews Conducted (IAC-7)
  • Type 1: Documentation of an annual access review; if not completed to date, ensure the review requirements are outlined in your policy.
  • Type 2: The latest access control review that confirms user access to critical systems is appropriate, or has been modified accordingly.

Access Revoked Upon Termination (IAC-8)
  • Type 1: Evidence to confirm a formal process is followed and documented to revoke terminated employees' user access in accordance with your policy timelines. A termination checklist template or a process outlined in a policy is accepted for Type 1.
  • Type 2: The completed termination checklists or other evidence of access removal for the Sampled Terminated Employees.

Access Requests Required (IAC-9)
  • Type 1: Evidence to confirm a formal process is in place to grant/approve new user access, for example an onboarding checklist or ticket system.
  • Type 2: The completed onboarding checklist or access approval for the Sampled New Joiners.

Password Policy Enforced (IAC-11)
  • Type 1: Access Control Policy, or Password Policy.
  • Type 2: Same evidence requirement as Type 1.

Remote Access MFA Enabled (IAC-12)
  • Type 1: Evidence of the configuration of MFA across critical services (such as infrastructure and the version control system).
  • Type 2: Same evidence requirement as Type 1.

Vulnerabilities Scanned and Remediated (VPM-2)
  • Type 1: Evidence to confirm a third-party vulnerability scanning tool is utilised, confirmation of the frequency the scanning is configured to run, and manual evidence of a recent material vulnerability being logged and tracked through to resolution, typically in the form of a ticket.
  • Type 2: Samples will be selected from the population of critical and high-risk vulnerabilities identified during the observation period to confirm that remediation timeframes were adhered to.

Security Awareness Training (SAT-1)
  • Type 1: Evidence that the confirmed security training is undertaken by current employees.
  • Type 2: Completed security training, either through Vanta or by manually uploading evidence of completion, for the Sampled Employees.

MDM System Utilised (MDM-1)
  • Type 1: MDM system or Vanta Agent connected in Vanta. Alternatively, provide a screenshot to confirm current employees have hard-disk encryption enabled.
  • Type 2: All current personnel have an MDM system or Vanta Agent installed, or hard-disk encryption enabled.

Intrusion Detection System Utilised (MON-1)
  • Type 1: Intrusion detection system configuration.
  • Type 2: Same evidence required as Type 1.

Log Management Utilised (MON-2)
  • Type 1: Screenshot evidence of the logging system used and logs being stored.
  • Type 2: Same evidence required as Type 1.

Data Transmission Encrypted (NET-1)
  • Type 1: Evidence of encryption-in-transit configuration.
  • Type 2: Same evidence required as Type 1.

Network Firewalls Utilised (NET-4)
  • Type 1: Evidence of firewall settings configured and reviewed at least annually, or the review template you intend to use.
  • Type 2: Same evidence required as Type 1.

Vulnerability and System Monitoring Procedures Established (OPS-1)
  • Type 1: Vulnerability Management Policy, or Operations Security Policy.
  • Type 2: Same evidence required as Type 1.

Asset Disposal Procedures Utilised (AST-1)
  • Type 1: Data Management Policy, or Asset Management Policy.
  • Type 2: Same evidence required as Type 1.

Data Retention Procedures Established (AST-2)
  • Type 1: Data Management Policy, or Asset Management Policy.
  • Type 2: Same evidence required as Type 1.

Production Inventory Maintained (AST-3)
  • Type 1: Asset register, either tracked through Vanta or provided as manual evidence, inclusive of devices at a minimum.
  • Type 2: Same evidence required as Type 1.

Change Management Procedures Enforced (CHG-1)
  • Type 1: Evidence of CI/CD configuration for change management procedures, or evidence of configuration to show independent review and testing of changes by someone other than the person who made the code change.
  • Type 2: Same evidence required as Type 1.

Production Deployment Access Restricted (CHG-2)
  • Type 1: Version control system connected in Vanta.
  • Type 2: Same evidence required as Type 1.

Development Lifecycle Established (CHG-3)
  • Type 1: Operations Security Policy.
  • Type 2: Same evidence required as Type 1.

Encryption Key Access Restricted (CRY-2)
  • Type 1: Cryptography or Encryption Policy.
  • Type 2: Same evidence required as Type 1.

Portable Media Encrypted (CRY-3)
  • Type 1: Evidence of the monitoring of hard-disk encryption enabled on personnel devices.
  • Type 2: Same evidence required as Type 1.

Data Encryption Utilised (CRY-4)
  • Type 1: Configuration to show data is encrypted at rest.
  • Type 2: Same evidence required as Type 1.

Unique Account Authentication Enforced (CRY-5)
  • Type 1: User access accounts are individually and uniquely assigned for all critical systems.
  • Type 2: Same evidence required as Type 1.

Data Classification Policy Established (DCH-5)
  • Type 1: Data Management Policy.
  • Type 2: Same evidence required as Type 1.

Anti-Malware Technology Utilised (END-1)
  • Type 1: Anti-virus is installed and configured for a sample employee.
  • Type 2: Anti-virus is installed and configured for all current personnel.

Third-Party Agreements Established (TPM-1)
  • Type 1: Link to the public-facing cloud provider service agreement. For example.
  • Type 2: Same evidence required as Type 1.

Vendor Management Program Established (TPM-2)
  • Type 1: Third-Party Management Policy.
  • Type 2: Same evidence required as Type 1.

Vendor Register (TPM-2)
  • Type 1: Vendor register inclusive of critical systems, monitored in Vanta; alternatively, upload a manual register.
  • Type 2: Same evidence required as Type 1.

Availability Trust Service Criteria

Production Multi-Availability Zones Established (BCD-6)
  • Type 1: Screenshot evidence to confirm multiple availability zones are configured within the infrastructure.
  • Type 2: Same evidence required as Type 1.

System Capacity Reviewed (CAP-1)
  • Type 1: Screenshot evidence to confirm auto-scaling configuration is enabled within the infrastructure, or evidence of reviews to show manual capacity reviews are in place on a frequent basis.
  • Type 2: Same evidence required as Type 1.

Infrastructure Performance Monitored (MON-4)
  • Type 1: Screenshot evidence of a load balancer configured within the infrastructure.
  • Type 2: Same evidence required as Type 1.

Database Replication Utilised (BCD-4)
  • Type 1: Screenshot evidence of daily backups configured within the infrastructure.
  • Type 2: Same evidence required as Type 1.

Added Processing Integrity or Privacy to your audit scope? Contact us for guidance on the additional scope areas.