For SOC 2, ISO 27001, and HIPAA, background checks are a control and a test in Vanta. An auditor will want to see that a company appropriately vets the employees it hires and assesses the potential risks of each hire.
Are background checks a hard requirement for SOC 2/ISO 27001/HIPAA?
- Because the term "background check" usually implies a criminal history check, a check of that specific kind may not be a hard requirement for your audit. Review a change to the control language with your auditor so that reference checks or past-employment verification are accepted as alternatives. What your auditor wants to see is that some vetting process is part of your hiring procedures.
- If your company is self-attesting and has a control relating to background checks, it needs to have a vetting process in place and evidence that employees were vetted from a security perspective.
Which integration partner can I use?
- Vanta integrates with Checkr, Certn, Vetty, and Rippling.
Do auditors need to see the entire background check?
- Your auditor only needs to see that the check was completed; confidential information can be redacted. It is up to your team to decide whether to accept any risk associated with hiring an individual.
Do I need to retroactively perform background checks for all my employees?
- No. Your auditor wants to see that checks are performed for new hires.
What about employees in countries that do not allow background checks?
- Your auditor will respect the regulations of the country in which the employee lives. Vanta recommends working with your auditor to agree on an alternative way to meet the control for those employees.
What if I am not using an integration partner, or I use an alternative check process?
- You can still upload evidence of completed checks in Vanta. On the People page, select the employee and add a URL that points to the evidence. This completes the task in Vanta, and the URL is visible to auditors (you may need to grant them access to the linked resource).