If you're new to Vanta but already have an established compliance program, follow these steps to bring your current process into the Vanta platform.
Step 1: Uploading Custom Controls
Estimated time to complete: 5-7 hours.
In the Vanta platform, click on Compliance, followed by Controls.
Click Add control in the upper right corner, and then Import custom controls.
Click on the Download Excel template button to download the Excel template you’ll need to modify to upload your custom controls.
In the Excel template, please fill in the following fields:
Control Summary (Optional) - This is a short summary of your control requirement.
Control ID - This is a unique identifier for tracking your controls within Vanta. For example, if your company is Test 123 Inc., you could identify your controls as "TEST-01" and number them from there.
Control Description - This is the requirement details of your controls.
Domain (Optional) - This is the category used to organize your controls. Please select from the following options:
ARTIFICIAL_AUTONOMOUS_TECHNOLOGY
ASSET_MANAGEMENT
BUSINESS_CONTINUITY_DISASTER_RECOVERY
CAPACITY_PERFORMANCE_PLANNING
CHANGE_MANAGEMENT
CLOUD_SECURITY
COMPLIANCE
CONFIGURATION_MANAGEMENT
CONTINUOUS_MONITORING
CRYPTOGRAPHIC_PROTECTIONS
DATA_CLASSIFICATION_HANDLING
EMBEDDED_TECHNOLOGY
ENDPOINT_SECURITY
HUMAN_RESOURCES_SECURITY
IDENTIFICATION_AUTHENTICATION
INCIDENT_RESPONSE
INFORMATION_ASSURANCE
MAINTENANCE
MOBILE_DEVICE_MANAGEMENT
NETWORK_SECURITY
PHYSICAL_ENVIRONMENTAL_SECURITY
PRIVACY
PROJECT_RESOURCE_MANAGEMENT
RISK_MANAGEMENT
SECURE_ENGINEERING_ARCHITECTURE
SECURITY_AWARENESS_TRAINING
SECURITY_OPERATIONS
SECURITY_PRIVACY_GOVERNANCE
TECHNOLOGY_DEVELOPMENT_ACQUISITION
THIRD-PARTY_MANAGEMENT
THREAT_MANAGEMENT
VULNERABILITY_PATCH_MANAGEMENT
WEB_SECURITY
ADMINISTRATIVE
PHYSICAL
TECHNICAL
BASIC
DERIVED
For any controls for which you want to upload specific criteria mappings, add those mappings in comma-delimited format with no spaces around the commas.
For example, if you are uploading a custom SOC 2 control mapped to criteria CC 1.1 and CC 1.2, enter the following in the SOC 2 column for that control:
CC 1.1,CC 1.2
Below is an example import sheet for custom controls with SOC 2 and ISO 27001 mappings:
After filling in the custom control import file, repeat the first two steps above (Compliance > Controls, then Add control > Import custom controls) and upload the file in the What data do you want to upload section.
Once uploaded, you’ll be navigated to the Review & finalize section, where you can review and update any formatting errors that may have occurred. Once you’ve reviewed and updated these errors, click the Import button to finish the import process.
You will see "Successfully uploaded X controls" at the bottom of the screen. You can view the imported controls by filtering on "Source" as "Custom."
Step 2: Uploading your Custom Framework
Estimated time to complete: 3-5 hours.
In the Vanta platform, click on Compliance, followed by Frameworks.
In the upper right corner, click on Add framework.
In the “Import custom framework” window, fill in the values below and click on Import sections:
Framework name: The full name of your framework, shown on the framework you create.
Framework description (Optional): Description of the framework you create.
Short name (Optional): The abbreviated name of your framework that will appear on the “Frameworks” page.
Parent section name (Optional): Generally left blank
Child section name (Optional): Generally left blank
Click on the Download Excel template button to download the Excel template you’ll need to modify to upload your custom framework structure.
In the Excel template, please fill in the following fields:
Section ID - This is the unique ID of the parent or child section you are creating.
Section Name - This is the name of the parent or child section you are creating.
Section Description - This is the requirement details of the parent or child section you create.
Parent Section ID - This is the ID of the parent section to which you want to map the child section you are creating. Note: Only fill in this value if a valid parent section with that ID has already been created in a prior row.
Control IDs - A comma-delimited list of the control IDs you want to map to this parent or child section within Vanta. Note: Where a parent/child relationship exists, list the control IDs on the row whose Section ID is the section they map to; the Parent Section ID column is not used for control mapping.
Section Type: Fill in either “P” if it is a parent section or “C” if it is a child section.
Below is an example import sheet for a custom framework using the custom controls example in Step 1:
After filling in the custom framework import file, navigate to the upload window and upload the file in the “What data do you want to upload” section.
Once uploaded, you’ll be navigated to the Review & finalize section, where you can review and update any formatting errors that may have occurred. Once you’ve reviewed and updated these errors, click the Import button to finish the import process.
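Before uploading, it pays to run both sheets through a pre-flight check so the Review & finalize step has nothing to flag. The Python below is an added example, not Vanta code or the template itself. It assumes you export the filled Excel templates to CSV and that the column headers match the field names listed above (check them against your downloaded template); any extra header on the controls sheet, such as "SOC 2", is treated as a criteria-mapping column. It also assumes the two domain names printed with a space in the list above are underscored like the rest. The sample rows are constructed, with deliberately bad rows, and the checks enforce the rules stated in Steps 1 and 2: unique, non-empty Control IDs; a required description; a Domain from the list; mapping cells comma-delimited with no spaces around the commas; Section Type P or C; a child's Parent Section ID pointing at a P row earlier in the sheet; and every Control ID on the framework sheet existing on the controls sheet.

```python
import csv
import io

# Domain values from Step 1. Assumption: the two entries the article prints with
# a space (NETWORK SECURITY, PROJECT_RESOURCE MANAGEMENT) are underscored like
# the rest; edit this set if your downloaded template says otherwise.
DOMAINS = set("""
ARTIFICIAL_AUTONOMOUS_TECHNOLOGY ASSET_MANAGEMENT BUSINESS_CONTINUITY_DISASTER_RECOVERY
CAPACITY_PERFORMANCE_PLANNING CHANGE_MANAGEMENT CLOUD_SECURITY COMPLIANCE CONFIGURATION_MANAGEMENT
CONTINUOUS_MONITORING CRYPTOGRAPHIC_PROTECTIONS DATA_CLASSIFICATION_HANDLING EMBEDDED_TECHNOLOGY
ENDPOINT_SECURITY HUMAN_RESOURCES_SECURITY IDENTIFICATION_AUTHENTICATION INCIDENT_RESPONSE
INFORMATION_ASSURANCE MAINTENANCE MOBILE_DEVICE_MANAGEMENT NETWORK_SECURITY
PHYSICAL_ENVIRONMENTAL_SECURITY PRIVACY PROJECT_RESOURCE_MANAGEMENT RISK_MANAGEMENT
SECURE_ENGINEERING_ARCHITECTURE SECURITY_AWARENESS_TRAINING SECURITY_OPERATIONS
SECURITY_PRIVACY_GOVERNANCE TECHNOLOGY_DEVELOPMENT_ACQUISITION THIRD-PARTY_MANAGEMENT
THREAT_MANAGEMENT VULNERABILITY_PATCH_MANAGEMENT WEB_SECURITY
ADMINISTRATIVE PHYSICAL TECHNICAL BASIC DERIVED
""".split())

# Headers assumed from the article's field names. Any other header on the
# controls sheet is treated as a framework mapping column ("SOC 2", "ISO 27001").
CONTROL_COLUMNS = {"Control Summary", "Control ID", "Control Description", "Domain"}

# Constructed sample sheets (CSV exports of the filled templates). Row 4 of the
# controls sheet and rows 4 and 5 of the framework sheet are deliberately bad.
CONTROLS_CSV = """\
Control Summary,Control ID,Control Description,Domain,SOC 2
Access reviews,TEST-01,User access is reviewed quarterly,IDENTIFICATION_AUTHENTICATION,"CC 6.1,CC 6.2"
Change approval,TEST-02,Production changes are peer reviewed,CHANGE_MANAGEMENT,CC 8.1
Firewall rules,TEST-02,Firewall rules are reviewed annually,NETWORKING,"CC 6.6, CC 6.7"
"""
FRAMEWORK_CSV = """\
Section ID,Section Name,Section Description,Parent Section ID,Control IDs,Section Type
A,Access Control,Logical access to systems and data,,,P
A.1,User Access,Provisioning and periodic review,A,TEST-01,C
B.1,Change Approval,Review of production changes,B,TEST-02,C
B,Change Control,Management of changes to production,,TEST-99,P
"""


def cell(row, name):
    """Read a column as a stripped string; a missing column reads as empty."""
    return (row.get(name) or "").strip()


def split_list(value):
    """Parse a comma-delimited cell as the importer expects: no empty items and no
    whitespace around the commas ("CC 1.1,CC 1.2", not "CC 1.1, CC 1.2").
    Returns (items, error); error is None when the cell is well formed."""
    if not value:
        return [], None
    items = value.split(",")
    if any(item == "" or item != item.strip() for item in items):
        return [], f"malformed list {value!r} (empty item or space around a comma)"
    return items, None


def validate_controls(csv_text):
    """Check a controls sheet. Returns (errors, set of Control IDs found)."""
    errors, ids = [], set()
    reader = csv.DictReader(io.StringIO(csv_text))
    mapping_cols = [c for c in reader.fieldnames if c not in CONTROL_COLUMNS]
    for n, row in enumerate(reader, start=2):  # row 1 is the header
        cid = cell(row, "Control ID")
        if not cid:
            errors.append(f"row {n}: Control ID is required")
        elif cid in ids:
            errors.append(f"row {n}: duplicate Control ID {cid}")
        else:
            ids.add(cid)
        if not cell(row, "Control Description"):
            errors.append(f"row {n}: Control Description is required")
        domain = cell(row, "Domain")
        if domain and domain not in DOMAINS:
            errors.append(f"row {n}: unknown Domain {domain!r}")
        for col in mapping_cols:
            _, err = split_list(cell(row, col))
            if err:
                errors.append(f"row {n}: {col}: {err}")
    return errors, ids


def validate_framework(csv_text, known_controls):
    """Check a framework sheet against the Control IDs from the controls sheet."""
    errors, parents, seen = [], set(), set()
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        sid, stype = cell(row, "Section ID"), cell(row, "Section Type")
        if not sid:
            errors.append(f"row {n}: Section ID is required")
        elif sid in seen:
            errors.append(f"row {n}: duplicate Section ID {sid}")
        seen.add(sid)
        if stype == "P":
            parents.add(sid)
        elif stype == "C":
            # A child's parent must be a P row that appears EARLIER in the sheet.
            parent = cell(row, "Parent Section ID")
            if parent not in parents:
                errors.append(f"row {n}: Parent Section ID {parent!r} is not a parent "
                              f"section defined in a prior row")
        else:
            errors.append(f"row {n}: Section Type must be P or C, got {stype!r}")
        ids, err = split_list(cell(row, "Control IDs"))
        if err:
            errors.append(f"row {n}: Control IDs: {err}")
        for c in ids:
            if c not in known_controls:
                errors.append(f"row {n}: Control ID {c} is not in the controls sheet")
    return errors


if __name__ == "__main__":
    problems, control_ids = validate_controls(CONTROLS_CSV)
    problems += validate_framework(FRAMEWORK_CSV, control_ids)
    print("\n".join(problems) or "both sheets look importable")
```

Run it against your own exports by replacing the two constants with the file contents; anything it reports is something the Review & finalize screen would make you fix by hand, and the prior-row rule for parents is the one people most often trip over when they sort the sheet alphabetically.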
Step 3: Mapping Vanta Tests to your controls
Estimated completion time: 10-20 hours.
From the custom framework you created in Step 2, click on the control you would like to map. Vanta AI will auto-suggest potential test mappings based on your control description; click the check mark next to an applicable test to accept a suggestion.
If you’d like to map a test or document manually, click the “+” button next to each header to search for and add the necessary fields.
Step 4: Create Custom Tests & Map Your Controls
With Custom Tests, Vanta users can use Vanta-built tests or create their own and map them to controls and frameworks.
Creating a Custom Test
From the Tests page, select + Create custom test
Add:
Test name
Description
How to fix/remediate instructions
From the drop-down, select the integration the custom test will be associated with
Use the simple logic builder to build the test
Select Create
Mapping the Test to Controls
From the Tests page, select the Custom tab
Search for your test
Select the test
Open the Controls tab.
Select Add control
Choose the controls you want mapped to this test, and click Add.
Step 5: Create Custom Documents
Custom documents help you organize and track compliance information. Follow the steps below to create a custom document, link it to a control, and edit it.
Creating Custom Documents
Select the +Add document button in the upper right-hand corner of the Documents page.
In the box that appears on the screen, fill out all applicable fields.
When done, click the Create document button at the bottom.
Next, you'll be brought to the Add document to control window.
If the Add document to control modal doesn't appear automatically, you can open it by clicking More in the upper right corner of the new document and selecting Add control.
In the Add document to control modal, search for the name of the desired Control
You can use the Framework dropdown to narrow down the search results.
When you locate the desired Control, select the name and click the Add button on the right.
To add files to the new document, select Upload under Add a new document
If the document is linked in another platform, select Add Link and paste the URL into the open field.
Choose the file you would like to upload
Add a description and the document's effective date
Select Upload
Editing Custom Documents
Click on the More button in the top right corner of the document's page.
Select Edit Custom document from the dropdown.
In the box that appears, make your changes to the custom document.
When done making changes, click Save.
Step 6: Bring in your Policies
Use Vanta's Templates
From the Policies page, select Start for the policy you would like to work on
From here, you can import your policy or take advantage of Vanta's templates and policy editor. Creating the policy from scratch opens the predefined template.
Use Vanta's template to create a policy that reflects your organization's needs
Using the policy editor
Use a pre-established template
Make any necessary edits
Submit for approval
You can also delete and reset the template by selecting Delete and Reset in the top right-hand corner of the policy editor page.
Once the edits have been made, select Submit for approval
Choose the approver
If you are the approver, you can approve the document. You can assign the approval to someone else if you do not wish to be the approver.
Once approved, the policy can be assigned to employees in onboarding settings.
If the policy has already been assigned to employees, the pop-up modal shown on approval lets you ask them to re-accept it.
Create a New Version
Open the designated policy
Select Create a new version
Upload a File
Select the policy title
Select Upload a file from the computer
Select Upload to select the file from your device, or Drag & drop the document into the highlighted space.
Please Note:
Currently, supported file types are .docx and .pdf, which must be 50 MB or less.
Importing a .docx file may result in altered formatting from the original document.
Sync a File
If you have Confluence, SharePoint or Google Drive connected to Vanta, you can use these integrations to sync policy files into Vanta.
Please Note:
Currently, supported file types from Google Drive are Google Doc and .pdf.
Creating Custom Policies
From the left-hand navigation panel, select Policies
From the top right-hand corner, select + Custom Policies
Add a policy title and policy description
Select Create
Use the policy editor tool to draft the policy, upload it from your computer, or sync a file from Confluence, Microsoft SharePoint, or Google Drive.
Once the policy is drafted, you can continue to edit or submit it for approval.
When submitting for approval, choose the approver or approve the policy yourself if you have admin permissions.
Approve the employee assignment. When approved, the listed employee groups will be asked to accept this policy.
Note: The groups listed are all employee groups whose checklist has "Select All" checked in the Policy Acceptance category of Ongoing Tasks.
Mapping Custom Policies to Tests
Two new policy tests will be created for each custom policy. These tests will monitor whether these custom policies are revised and approved annually and whether all relevant employees accept each approved version. All new tests appear on the Tests page under the Policies category.
Mapping Custom Policies to Controls
Open the desired custom policy
From the policy, select the Controls tab
Select Add control
From here, you can search for specific controls and select Add.
If you would like to remove a custom-mapped control from the policy, you can select the control and click Remove
Deactivate Unused Policy Tests
Once your custom policies have been imported and mapped to relevant controls, you must deactivate any unused policy tests corresponding to Vanta policy templates you are not using.
For example, if you’re pursuing SOC 2, you will automatically see Vanta policy templates on your Policies page.
To remove these policy templates from your Policies page and unmap them from the related controls, you must deactivate the corresponding tests associated with them. If you do not deactivate these tests, your controls will continue to show that they need attention.
On the Tests page, find the policy tests corresponding to the Vanta policy templates you do not plan to use. You can do this by searching the name of the policy and finding the test that indicates “Company has an approved <policy name>.”
Click the policy test.
Select the three-dot menu to the right of the name of the test.
Select Deactivate.
Repeat this for any policy templates you do not plan to use. Once the policy test is deactivated, this policy template will no longer appear on your Policies page, and the test will be removed from your controls.
You can always reverse this action by going into your deactivated tests and clicking reactivate monitoring on the test you want to reactivate.
Step 7: Bringing in your Risk Register
Creating a Manual Risk Scenario
Complete the pop-up modal with the following fields:
Description: Describe the actual or potential risk to your company's people, facilities, technology, and data.
Category: The category of risk.
Likelihood: The likelihood of an intentional or accidental incident based on this risk.
Impact: How much the exploitation of this risk would harm your organization's ability to continue to operate.
Notes (optional): Describe actions you are already taking that may mitigate or negate this risk. Leave this blank if no existing actions apply.
Select Create Risk scenario.
Marking a risk scenario as sensitive makes it visible and editable to admins only.
Uploading a Scenario via Import
Choose the +Add scenario button
Select Via Import
Upload the file using the risk scenario template
Risk Scenario (Required) - An actual or potential risk to your organization's people, processes, technology, data, and facilities.
Risk ID - The unique ID of the risk, used to reference and update existing risks. Vanta auto-generates one if you leave it blank.
Inherent Likelihood - A score for how likely an intentional or accidental incident is to occur based on this risk. A whole number from 1 to 5; you can adjust the range in the risk management settings.
Inherent Impact - A score for how much exploitation of this risk would harm your organization's ability to continue to operate. A whole number from 1 to 5; you can adjust the range in the risk management settings.
Residual Likelihood - The same likelihood score, assessed after your existing mitigations are taken into account. A whole number from 1 to 5; you can adjust the range in the risk management settings.
Residual Impact - The same impact score, assessed after your existing mitigations are taken into account. A whole number from 1 to 5; you can adjust the range in the risk management settings.
Note - Additional context about the risk scenario and why it has those likelihood and impact scores.
Risk Treatment - How your leadership team wants to address the identified risk. Not all risks need to be addressed immediately (or at all). The value must be one of the supported options.
Categories - A comma-separated list of categories this risk scenario belongs to. You can reference the current category options in your Risk Management settings and/or enter new values.
Owner - The person responsible for tracking and mitigating this risk scenario. This must be the email address of a valid Vanta user.
Risk Type (CIA) - Classifies the risk using the Confidentiality, Integrity, and Availability (CIA) triad.
Additional notes - Additional notes about this risk scenario (text).
Extra column - Place more information in this column (text).
Cost - Estimate the cost of a risk scenario (integer).
Impact - Estimate the cost of a risk scenario (integer).
Equipment Needed - The equipment required to mitigate this risk (text).
Controls - The controls this risk is associated with, as a comma-separated list of control IDs.
Select Import
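The import rules in the field list above are easy to check before you upload. The Python below is an added example, not Vanta's importer or its template. It assumes you export the filled risk scenario template to CSV with the column headers spelled as in the field list, and it uses constructed sample rows, a constructed set of Vanta user emails and control IDs from the Step 1 sheet, and four placeholder Risk Treatment values (the article does not list the supported options, so pass your own workspace's set, or None to skip that check). It enforces the stated rules: a required scenario, whole-number scores within the configured range, an owner who is a known user, controls that exist, a treatment from the supported set, and unique Risk IDs so that two rows in one file do not update the same risk. Separately, as an analyst sanity check rather than an importer rule, it warns when a residual score is higher than the inherent one.

```python
import csv
import io

SCORE_COLUMNS = ["Inherent Likelihood", "Inherent Impact",
                 "Residual Likelihood", "Residual Impact"]
DEFAULT_RANGE = range(1, 6)  # whole numbers 1..5; adjustable in the risk management settings

# Constructed sample export of the risk scenario template. Rows 2 and 3 are
# importable (row 3 only draws a warning); row 4 breaks several rules.
RISKS_CSV = """\
Risk Scenario,Risk ID,Inherent Likelihood,Inherent Impact,Residual Likelihood,Residual Impact,Risk Treatment,Categories,Owner,Controls
Lost or stolen laptop exposes customer data,RISK-01,4,4,2,3,Mitigate,"Endpoint,Data",alice@example.com,"TEST-01,TEST-02"
Critical vendor outage halts service,RISK-02,3,4,3,5,Accept,Third party,bob@example.com,
Stale access after offboarding,RISK-02,6,3,1,3,Ignore,Access,mallory@example.com,TEST-42
"""
# Constructed reference data: control IDs from the Step 1 sheet, the emails of
# valid Vanta users, and placeholder Risk Treatment values (the article does not
# list the supported options; substitute the ones your workspace accepts).
KNOWN_CONTROLS = {"TEST-01", "TEST-02"}
VANTA_USERS = {"alice@example.com", "bob@example.com"}
TREATMENTS = {"Mitigate", "Accept", "Transfer", "Avoid"}


def cell(row, name):
    """Read a column as a stripped string; a missing column reads as empty."""
    return (row.get(name) or "").strip()


def split_list(value):
    """Comma-separated cell to a list of non-empty, stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_risks(csv_text, known_controls, users, treatments=None, score_range=DEFAULT_RANGE):
    """Return (errors, warnings). Errors break a rule from the field list above;
    warnings are analyst sanity checks, not importer rules."""
    errors, warnings, seen_ids = [], [], set()
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        if not cell(row, "Risk Scenario"):
            errors.append(f"row {n}: Risk Scenario is required")
        rid = cell(row, "Risk ID")  # optional; Vanta generates one if blank
        if rid and rid in seen_ids:
            # A repeated ID references and updates the existing risk, so two rows
            # in one file with the same ID would overwrite each other.
            errors.append(f"row {n}: duplicate Risk ID {rid}")
        seen_ids.add(rid)
        scores = {}
        for col in SCORE_COLUMNS:
            raw = cell(row, col)
            if raw.isdigit() and int(raw) in score_range:
                scores[col] = int(raw)
            else:
                errors.append(f"row {n}: {col} must be a whole number from "
                              f"{score_range.start} to {score_range.stop - 1}, got {raw!r}")
        # Sanity check, not a Vanta rule: a treatment should not leave residual above inherent.
        if len(scores) == 4 and (scores["Residual Likelihood"] > scores["Inherent Likelihood"]
                                 or scores["Residual Impact"] > scores["Inherent Impact"]):
            warnings.append(f"row {n}: residual score exceeds inherent score; check the treatment")
        treatment = cell(row, "Risk Treatment")
        if treatments is not None and treatment not in treatments:
            errors.append(f"row {n}: Risk Treatment {treatment!r} is not a supported option")
        owner = cell(row, "Owner")
        if owner and owner not in users:
            errors.append(f"row {n}: Owner {owner} is not a valid Vanta user")
        for control in split_list(cell(row, "Controls")):
            if control not in known_controls:
                errors.append(f"row {n}: Control {control} does not exist")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate_risks(RISKS_CSV, KNOWN_CONTROLS, VANTA_USERS, TREATMENTS)
    for line in errs + warns:
        print(line)
```

If you have widened the score range in your risk management settings, pass the matching range (for example range(1, 11) for a 1 to 10 scale); the sample's out-of-range likelihood of 6 then imports cleanly.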
Adding Scenarios from the Risk Library
The Risk library contains detailed risk scenarios that can be quickly added to your Risk Register.
This can be done through the Risk Library Tab or the + Add Scenario button
From the Risk Library tab, prebuilt risk scenarios can be added or removed from your Risk register