Complete the remaining evidence requirements to be audit-ready
Overview
Our Vanta Velocity model will focus on the following key controls from Vanta’s standard list. While it’s best practice to implement all of these controls, for the purposes of this audit, we’ve highlighted the specific ones that are most relevant.
Once you’ve completed your initial setup in Vanta—integrating your systems, generating and uploading your policies, and completing the risk assessment and vendor risk activities—you’ll be ready to move on to the remaining audit checklist and evidence collection.
Please ensure that all systems involved in the audit have been properly integrated with Vanta, as missing integrations may result in incomplete evidence.
For example, if you’re using both Amazon Web Services (AWS) and Google Cloud Platform (GCP) for your infrastructure but have only integrated AWS, the audit will only reflect AWS-related evidence. To capture evidence from GCP, both systems need to be integrated.
Sample Requirements
Type 1: If you are working to a Type 1 audit, you can provide any one example of the control, a schedule, or a template if a live example has not been performed yet.
Type 2: If you are conducting a Type 2 audit, AssuranceLab will provide you the sample selections from the populations in Vanta. For each of the selected samples, provide the evidence listed below in the table.
The event-driven populations such as personnel and vulnerabilities, will be available for us to sample based on what is already configured and populated within Vanta, so we can find those as the auditors ourselves, without having to request those from you, however for incidents, we will manually request a full population of incidents through the related evidence item within Vanta.
The time-based populations will be dependent on the frequency of those related controls, and the length of the audit period.
Audit period of 12 months:
Annually - evidence of the control being performed within the last 12 months.
Bi-annually - evidence of the control being performed within the last 6 months.
Quarterly - evidence of the control being performed over 2 quarters (sample selected by the auditor).
For audit periods shorter than 12 months, this will be scaled back accordingly.
Audit period of 3 or 6 months:
Annually - evidence of the control being performed within the last 12 months.
Bi-annually - evidence of the control being performed within the last 6 months.
Quarterly - evidence of the control being performed over 1 quarters (sample selected by the auditor).
Audit checklist
The key focus items for the audit are described in the table below per Vanta control. The requirement column explains the expected audit evidence. You can click the control title to read more including the minimum expectations, better practices, and further explanation of each compliance control.
| Title | Ref | Requirement for Type 1 |
Requirement for Type 2 |
| PRM-1 | Evidence of standard terms of service (from your website) or a contract template used to establish agreements with customers and users. |
Same evidence required as Type 1. |
|
|
External Support Resources Available |
PRM-2 | Evidence of process for logging support requests through ticketing system or user guidance and support resources. | Same evidence required as Type 1. |
|
Incident Response |
IRO-1 | Evidence of completed Incident Response Plan test, or evidence of a confirmed calendar event, if not yet performed. |
Evidence of completed test, with dates to confirm when it was completed, who was involved, and any lessons learned. |
| Incident Response Policies Established |
IRO-2 |
Evidence of the documented Incident Response Plan that clearly outlines potential events, pre-planned response steps, and communication requirements, |
Same evidence required as Type 1. |
| Incident Management Procedures Followed |
IRO-3 | Evidence of a single sample incident logging, classification, resolution and lessons learned devised. | Evidence of incident logging, classification, resolution and lessons learned devised for the Sampled Incidents. |
| Penetration Testing | IAO-2 | Evidence of the latest penetration test performed, or a signed Statement of Work from an independent third-party with the scheduled date of the planned penetration test. | The latest penetration test performed by an independent third-party within the last 12 months. |
| Background Checks Performed | HRS-1 | Evidence of a completed background check for a sample new hire, or evidence that a background check provider is integrated within Vanta, and mentioned in the Human Resources Policy. | The completed background checks conducted for the Sampled New Hires. |
| Code of Conduct Acknowledged by Employees and Enforced |
HRS-3 | Evidence of a sample employee compliant with policy acknowledgement, specifically Code of Conduct. | Evidence of the signed Code of Conduct for the Sampled Employees. |
|
Confidentiality Agreement Acknowledged by Employees
|
HRS-5 | Evidence of a sample employee copy of a signed Confidentiality Agreement, or Employment Contract that includes a confidentiality clause. | Evidence of the signed Confidentiality Agreement for the Sampled Employees. |
| Performance Evaluations Conducted | HRS-6 | Evidence of a completed performance evaluation for a sample employee, or evidence of a performance evaluation template of what will be reviewed, if not yet performed. |
The completed performance evaluation evidence for the Sampled Employees. |
|
Risk Assessment Objectives Specified |
RSK-1 | Evidence of the documented Risk Management Policy or Risk Assessment Framework that defines the risk assessment objectives to support the risk assessment process. |
Same evidence required as Type 1. |
|
Risk Assessment Performed |
RSK-2 | Evidence of the completed Risk Assessment managed within Vanta, or manual evidence, inclusive of risk mitigation plan. |
Same evidence required as Type 1, performed within the last 12 months. |
| Risk Management Program Established | RSK-3 | Evidence of the documented Risk Management Policy. | Same evidence required as Type 1. |
| Continuity and Disaster Recovery Plans Established | BCD-1 | Evidence of the documented Continuity and Disaster Recovery Plan(s). |
Same evidence required as Type 1. |
| Continuity and Disaster Recovery Plans Tested | BCD-2 | Evidence of documented tests conducted and results for the business continuity and disaster recovery review, or a confirmed scheduled calendar event, if not yet performed. | Evidence of documented tests conducted and results for the business continuity and disaster recovery review exercises, performed within the last 12 months. |
| Cybersecurity Insurance Maintained | BCD-3 | Evidence of the active certificate of currency or cyber insurance policy details. | Same evidence required as Type 1. |
| Board of Directors Charter | GOV-2 | Evidence to confirm who maintains information security oversight, for example a Board Charter or Information Security Policy. | Same evidence required as Type 1. |
| Board of Directors Meeting | GOV-4 | Evidence of the latest meeting agenda and minutes, with evidence of briefing on information security, or if not yet performed, the scheduled calendar event. | The latest conducted Board meeting agenda and minutes, with evidence of briefing on information security. |
| Backup Processes Established | GOV-5 | Evidence of the documented Operations Security Policy. | Same evidence required as Type 1. |
| Management Roles and Responsibilities Defined | GOV-7 | Evidence of the documented Information Security Policy, with outlined roles and responsibilities for management. | Same evidence required as Type 1. |
| Organisational Structure Documented | GOV-8 | Evidence of the documented organisation chart with roles and reporting lines. | Same evidence required as Type 1. |
| Roles and Responsibilities Specified | GOV-10 | Evidence of the documented Information Security Policy, with outlined roles and responsibilities for information security. | Same evidence required as Type 1. |
| Security Policies Established and Reviewed | GOV-11 |
Evidence of the Information Security Policies in place and reviewed within the last 12 months, if not yet performed, manual evidence of a scheduled annual review. |
Same evidence required as Type 1, the the review been previously completed. |
| Support System Available | GOV-12 | Evidence of the end user support channels, knowledge-base, or user guides. |
Same evidence required as Type 1. |
| Control Self-Assessments Conducted | IAO-1 | Evidence of the records of review of controls in Vanta by control owners, or if not yet performed, manual evidence of this being scheduled. | Records of review of the controls in Vanta by the control owners, including any corrective actions or modifications identified. |
| Configuration Management System Established | CFG-1 | Evidence to see a CI/CD system is configured within Vanta, or manual evidence to see the configuration of CI/CD in the chosen system (eg. GitHub, GitLab, or Bitbucket etc.). |
Same evidence required as Type 1. |
| Production Application Access Restricted | IAC-1 | Evidence of the user access roles for any services that access production. | Same evidence requirement as Type 1. |
| Access Control Procedures Established | IAC-2 | Evidence of the documented Access Control Policy. | Same evidence requirement as Type 1. |
| Access Reviews Conducted | IAC-7 | Evidence of the latest access control review, or a scheduled calendar event of an access review with a list of critical systems to review, if not yet performed. |
The latest access control review that confirms user access to critical systems is appropriate, or modified accordingly. |
| Access Revoked Upon Termination | IAC-8 | Evidence of a manual exit checklist template or evidence of other confirmation of access removal for a sample terminated employee, tracked within Vanta. |
The completed exit checklist or other confirmation of access removal for the Sampled Terminated Employees. |
| Access Requests Required | IAC-9 | Evidence of a manual onboarding checklist template or evidence of completed access approval for a sample new joiner, tracked within Vanta. | The completed onboarding checklist or access approval for the Sampled New Joiners. |
| Password Policy Enforced | IAC-11 | Evidence of the documented Access Control Policy, or Password Policy. | Same evidence requirement as Type 1. |
| Remote Access MFA Enabled | IAC-12 | Evidence of the configuration of MFA across critical services (such as infrastructure, and code.) | Same evidence requirement as Type 1. |
| Service Infrastructure Maintained | VPM-1 | Evidence of the logging and planned resolution timeframes of vulnerabilities from scans, penetration testing, or other sources for a sample vulnerability. |
Same evidence requirement as Type 1, for the Sampled Vulnerabilities. |
| Vulnerabilities Scanned and Remediated | VPM-2 | Evidence of the latest vulnerability scan report(s) or system record showing when they were conducted and the results, showing a sample vulnerability that was remediated in line with defined SLA timeframe. | Same evidence requirement as Type 1, for the Sampled Vulnerabilities. |
| Security Awareness Training | SAT-1 | Evidence of the confirmed security training tracked in Vanta, or manually upload evidence for a sample new joiner. |
Completed security training either through Vanta, or manually upload evidence of completion for the Sampled New Joiners. |
| MDM System Utilised | MDM-1 | Evidence of MDM system, or Vanta Agent configuration. | Same evidence required as Type 1. |
| Intrusion Detection System Utilised | MON-1 | Evidence of intrusion detection system configuration. | Same evidence required as Type 1. |
| Log Management Utilised | MON-2 | Evidence of logging system used, and logs being stored. |
Same evidence required as Type 1. |
| Infrastructure Performance Monitored | MON-4 | Evidence of infrastructure logging system used, and logs being stored. |
Same evidence required as Type 1. |
| Data Transmission Encrypted | NET-1 | Evidence of encryption in transit configuration. | Same evidence required as Type 1. |
| Network Firewalls Reviewed | NET-3 | Evidence of firewall settings reviewed at least annually. | Same evidence required as Type 1. |
| Network Firewalls Utilised | NET-4 | Evidence of firewall settings configured and reviewed at least annually. |
Same evidence required as Type 1. |
| Vulnerability and System Monitoring Procedures Established | OPS-1 | Evidence of the documented Vulnerability Management Policy, or Operations Security Policy. |
Same evidence required as Type 1. |
| Asset Disposal Procedures Utilised | AST-1 | Evidence of the documented Data Management Policy, or Asset Management Policy. |
Same evidence required as Type 1. |
| Data Retention Procedures Established | AST-2 | Evidence of the documented Data Management Policy, or Asset Management Policy. |
Same evidence required as Type 1. |
| Production Inventory Maintained | AST-3 | Evidence of the information asset register, either tracked through Vanta, or manual evidence. |
Same evidence required as Type 1. |
| Change Management Procedures Enforced | CHG-1 | Evidence of CI/CD configuration for change management procedures, or evidence of configuration to show independent review and testing of changes by someone other than who made the code change. |
Same evidence required as Type 1. |
| Production Deployment Access Restricted | CHG-2 | Evidence of the configured version control system. |
Same evidence required as Type 1. |
| Development Lifecycle Established | CHG-3 | Evidence of the documented Operations Security Policy. | Same evidence required as Type 1. |
| Encryption Key Access Restricted | CRY-2 | Evidence of the documented Cryptography or Encryption Policy. |
Same evidence required as Type 1. |
| Data Encryption Utilised | CRY-4 | Evidence of the configuration to show data is encrypted at-rest. | Same evidence required as Type 1. |
| Unique Account Authentication Enforced | CRY-5 | Evidence of user access accounts are individually and uniquely assigned for all critical systems. | Same evidence required as Type 1. |
| Data Classification Policy Established | DCH-5 | Evidence of the documented Data Management Policy. |
Same evidence required as Type 1. |
| Anti-Malware Technology Utilised | END-1 | Evidence that anti-virus is installed and configured for a sample of one employee. | Evidence that anti-virus is installed and configured for Sampled Employees. |
| Third-Party Agreements Established |
TPM-1 |
Evidence of the cloud provider infrastructure service agreement. | Same evidence required as Type 1. |
| Vendor Management Program Established | TPM-2 | Evidence of the documented Third-Party Management Policy. | Same evidence required as Type 1. |
| Vendor Register | TPM-2 | Evidence of the vendor register, either tracked through Vanta, or manual evidence. | Same evidence required as Type 1. |
| Availability Trust Service Criteria | |||
| Production Multi-Availability Zones Established | BCD-6 | Manual evidence of multiple availability zone configuration enabled within infrastructure. | Same evidence required as Type 1. |
| System Capacity Reviewed | CAP-1 | Manual evidence of auto-scaling configuration enabled within infrastructure, or evidence of reviews to show manual reviews are in place to review capacity on a frequent basis. | Same evidence required as Type 1. |
Added Processing Integrity or Privacy to you audit scope? Contact us for guidance on the additional scope areas