Complete the remaining evidence requirements to be audit-ready
Overview
Our Vanta Velocity model will focus on the following key controls from Vanta’s standard list. While it’s best practice to implement all of these controls, for the purposes of this audit, we’ve highlighted the specific ones that are most relevant.
Once you’ve completed your initial setup in Vanta—integrating your systems, generating and uploading your policies, and completing the risk assessment and vendor risk activities—you’ll be ready to move on to the remaining audit checklist and evidence collection.
Please ensure that all systems involved in the audit have been properly integrated with Vanta, as missing integrations may result in incomplete evidence.
For example, if you’re using both Amazon Web Services (AWS) and Google Cloud Platform (GCP) for your infrastructure but have only integrated AWS, the audit will only reflect AWS-related evidence. To capture evidence from GCP, both systems need to be integrated.
Sample Requirements
Type 1: If you are working towards a Type 1 audit, you can provide any one example of the control, a schedule, or a template if a live example has not been performed yet.
Type 2: If you are conducting a Type 2 audit, AssuranceLab will provide you with the sample selections from the populations in Vanta. For each of the selected samples, provide the evidence listed in the table below.
The event-driven populations, such as personnel and vulnerabilities, will be available for us to sample based on what is already configured and populated within Vanta, so we can obtain those ourselves as the auditors without requesting them from you. For incidents, however, we will manually request a full population of incidents through the related evidence item within Vanta.
The time-based populations will be dependent on the frequency of those related controls, and the length of the audit period.
- Audit period of 12 months:
  - Annually - evidence of the control being performed within the last 12 months.
  - Bi-annually - evidence of the control being performed within the last 6 months.
  - Quarterly - evidence of the control being performed over 2 quarters (sample selected by the auditor).

For audit periods shorter than 12 months, this will be scaled back accordingly.

- Audit period of 3 or 6 months:
  - Annually - evidence of the control being performed within the last 12 months.
  - Bi-annually - evidence of the control being performed within the last 6 months.
  - Quarterly - evidence of the control being performed over 1 quarter (sample selected by the auditor).
Audit checklist
The key focus items for the audit are described in the table below per Vanta control. The requirement column explains the expected audit evidence. You can click the control title to read more including the minimum expectations, better practices, and further explanation of each compliance control.
| Title | Vanta Ref | Evidence requirements for Type 1 | Evidence requirements for Type 2 |
| --- | --- | --- | --- |
| Commitments | PRM-1 | Link to your public-facing terms of service or a contract template (MSA) used to establish agreements with customers and users. | |
| External Support Resources Available | PRM-2 | Guidelines and technical support resources available to customers. | |
| Incident Response | IRO-1 | Incident Response Plan test completed annually. If you have not performed a test to date, ensure that testing requirements are outlined in your policy. | Evidence of completed annual incident response testing, with dates to confirm when it was completed, who was involved, and any lessons learned. |
| Incident Response Policies Established | IRO-2 | Evidence of the documented Incident Response Plan that clearly outlines potential events, pre-planned response steps, and communication requirements. | |
| Incident Management Procedures Followed | IRO-3 | Evidence of a single sample incident's remediation actions, i.e. logging, classification, resolution, and lessons learned. If no incidents have occurred to date, the Incident Response Plan. | At the end of the observation period, a population of incidents that occurred during the observation period will be requested. From the population, samples will be selected and further evidence requested to confirm the formal incident management process was followed and remediation actions taken. |
| Penetration Testing | IAO-2 | Penetration test report for a test performed within the last 12 months. Alternatively, a letter confirming a third-party pen tester has been engaged and is planned to start or has started testing. | The latest penetration test performed by an independent third party within the last 12 months. |
| Background Checks Performed | HRS-1 | If background checks have been completed to date, provide 1 sample certificate; please redact sensitive information if you would prefer. If background checks have not been completed to date, ensure a relevant policy outlines your intention to conduct them for future new hires, or integrate a background check provider in Vanta. | Personnel hired during the observation period will be randomly selected. Background check certificates will be requested. |
| Code of Conduct Acknowledged by Employees and Enforced | HRS-3 | Code of Conduct policy establishing workforce conduct standards of integrity, ethical values, and appropriate behaviour to support a secure and effective working environment. | |
| Confidentiality Agreement Acknowledged by Employees | HRS-5 | A sample NDA or employee contract inclusive of a non-disclosure clause. | Personnel hired during the observation period will be randomly selected. Signed NDAs or employment contracts will be requested. |
| Performance Evaluations Conducted | HRS-6 | A completed performance evaluation or, if not yet conducted, a template you intend to use. Ensure a relevant policy also states the frequency at which you intend to complete the reviews, i.e. bi-annually, annually. | The completed performance evaluation for randomly sampled personnel will be requested. |
| Risk Assessment Performed | RSK-2 | A Risk Assessment is performed annually, inclusive of risk mitigation actions. | |
| Risk Management Program Established | RSK-3 | Risk Management Policy. | |
| Continuity and Disaster Recovery Plans Established | BCD-1 | Continuity and Disaster Recovery Plan(s). | |
| Continuity and Disaster Recovery Plans Tested | BCD-2 | Continuity and Disaster Recovery test completed annually; if not completed to date, ensure testing requirements are outlined in the policy. | Evidence of an annually completed disaster recovery test, with dates to confirm when it was completed, who was involved, and any lessons learned. |
| Cybersecurity Insurance Maintained | BCD-3 | Active certificate of currency or cyber insurance policy details. If not maintained, this can be descoped. | |
| Board of Directors/ Executive Management Charter | GOV-2 | Evidence to confirm who maintains information security oversight (Board of Directors, Executive Management, Info Sec Team, C-Suite etc.). For example, a Board Charter document, or the roles and responsibilities section of the Information Security Policy. | |
| Board of Directors/ Executive Management Meeting | GOV-4 | Minutes from the most recent meeting. If Executive Management maintains oversight as above, meeting minutes would be expected from an executive management meeting. If not yet performed, provide the meeting agenda for an upcoming meeting and a screenshot to confirm when the meeting is scheduled. Confirmation of the frequency of meetings (bi-annually, quarterly, annually etc.). | Minutes from meeting/s held during the observation period; ensure the date the meeting was held is documented. |
| Backup Processes Established | GOV-5 | Operations Security Policy. | |
| Management Roles and Responsibilities Defined | GOV-7 | Information Security Policy, with outlined roles and responsibilities for management. | |
| Organisational Structure Documented | GOV-8 | Current organisation chart with roles and reporting lines. | |
| Roles and Responsibilities Specified | GOV-10 | Information Security Policy, with outlined roles and responsibilities for information security. | |
| Security Policies Established and Reviewed | GOV-11 | The set of in-scope Information Security Policies is reviewed, approved and accepted by employees annually. | Same evidence as Type 1; ensure all personnel are compliant. |
| Control Self-Assessments Conducted | IAO-1 | The 'Company uses Vanta for continuous security monitoring' test is passing. | |
| Configuration Management System Established | CFG-1 | If CI/CD is in use, provide screenshot evidence showing automated testing as well as approval flows within the pipeline. If you are doing manual testing and approvals, please provide evidence of one change release ticket being completed, including testing and approvals. | Same evidence as Type 1. If manual testing and approval are in place, a population of code changes throughout the observation period will be required, and sample evidence will be requested. |
| Change Management Procedures Enforced | CHG-1 | Evidence of CI/CD configuration for change management procedures, or evidence of configuration to show independent review and testing of changes by someone other than the person who made the code change. | |
| Access Control Procedures Established | IAC-2 | Access Control Policy. | |
| Access Reviews Conducted | IAC-7 | Documentation of a recently completed user access review. If not completed to date, ensure the review requirements are outlined in a policy, typically the Access Control Policy. | User access reviews of critical systems completed during the observation period; ensure the date the review was completed and the systems reviewed are documented. |
| Access Revoked Upon Termination | IAC-8 | Evidence to confirm a formal process is followed and documented to revoke terminated employees' user access in accordance with your policy timelines. A termination checklist template or a process outlined in a policy is accepted for Type 1. | Terminated personnel will be sampled, and evidence will be requested to confirm access to your critical systems was revoked in a timely manner. |
| Access Requests Required | IAC-9 | Evidence to confirm a formal process is in place to grant/approve new user access, for example an onboarding checklist or ticket system. A policy outlining the process or a template is sufficient for Type 1. | New hires will be sampled, and evidence will be requested to confirm a formal process is in place to grant/approve new user access. |
| Password Policy Enforced | IAC-11 | Access Control Policy, or Password Policy. | |
| Remote Access MFA Enabled | IAC-12 | Evidence of the configuration of MFA across critical services (such as IAM, infrastructure and the version control system). | |
| Vulnerabilities Scanned and Remediated | VPM-2 | Evidence to confirm third-party vulnerability scanning tool/s are utilised, and confirmation of the frequency at which scanning is configured to run. Common cloud-native systems: AWS - Inspector, Azure - Microsoft Defender for Cloud, GCP - Web Security Scanner (Security Command Center). Common third-party scanners: CrowdStrike, Intruder, Wiz. | |
| Security Awareness Training | SAT-1 | Evidence to confirm security training is undertaken by current employees annually. | Ensure all current personnel have completed training annually. |
| MDM System Utilised | MDM-1 | MDM system or Vanta Agent integrated in Vanta. | Ensure all current personnel have an MDM system or Vanta Agent installed. |
| Intrusion Detection System Utilised | MON-1 | Intrusion detection system configuration. | |
| Log Management Utilised | MON-2 | Screenshot evidence of the logging system used and logs being stored. | |
| Data Transmission Encrypted | NET-1 | Evidence of encryption-in-transit configuration. | |
| Vulnerability and System Monitoring Procedures Established | OPS-1 | Vulnerability Management Policy, or Operations Security Policy. | |
| Asset Disposal Procedures Utilised | AST-1 | Data Management Policy, or Asset Management Policy. | |
| Data Retention Procedures Established | AST-2 | Data Management Policy, or Asset Management Policy. | |
| Production Inventory Maintained | AST-3 | Asset register, either tracked through Vanta or provided as manual evidence, inclusive of devices at a minimum. | |
| Production Deployment Access Restricted | CHG-2 | Version control system connected in Vanta, for example GitHub or GitLab. | |
| Development Lifecycle Established | CHG-3 | Operations Security Policy. | |
| Encryption Key Access Restricted | CRY-2 | Cryptography or Encryption Policy. | |
| Portable Media Encrypted | CRY-3 | If MDM is monitoring hard disk encryption, ensure at a minimum 1 current device is compliant. If no MDM is in use, provide screenshot evidence. | If MDM is monitoring hard disk encryption, ensure all current devices are compliant. If no MDM is in use, current personnel will be sampled, and screenshot evidence will be requested to confirm compliance. |
| Data Encryption Utilised | CRY-4 | Configuration to show data is encrypted at rest. | |
| Unique Account Authentication Enforced | CRY-5 | User access accounts are individually and uniquely assigned for all critical systems. | |
| Data Classification Policy Established | DCH-5 | Data Management Policy. | |
| Anti-Malware Technology Utilised | END-1 | If MDM is monitoring anti-virus software, ensure, at a minimum, 1 current device is compliant. If no MDM is in use, provide screenshot evidence. | If MDM is monitoring anti-virus software, ensure all current devices are compliant. If no MDM is in use, current personnel will be sampled, and screenshot evidence will be requested to confirm compliance. |
| Third-Party Agreements Established | TPM-1 | Link to the public-facing cloud provider service agreement. For example. | |
| Vendor Management Program Established | TPM-2 | Third-Party Management Policy. | |
| Vendor Register | TPM-2 | Vendor register inclusive of critical systems, monitored in Vanta; alternatively, upload a manual register. | |
| Availability Trust Service Criteria | | | |
| Production Multi-Availability Zones Established | BCD-6 | Screenshot evidence to confirm multiple availability zones are configured within the infrastructure. | |
| System Capacity Reviewed | CAP-1 | Screenshot evidence to confirm auto-scaling is enabled within the infrastructure, or evidence of reviews to show manual capacity reviews are performed on a frequent basis. | |
| Infrastructure Performance Monitored | MON-4 | Screenshot evidence of a load balancer configured within the infrastructure. | |
| Database Replication Utilised | BCD-4 | Screenshot evidence of daily backups configured within the infrastructure. | |
Added Processing Integrity or Privacy to your audit scope? Contact us for guidance on the additional scope areas.