For SOC 2, ISO 27001, and HIPAA, background checks will be a control and test in Vanta. An auditor will want to see that a company is appropriately vetting the employees they are hiring and assessing potential risks.

 

Are background checks a hard requirement for SOC 2/ISO 27001/HIPAA?

  • As background checks typically imply that a criminal history check was performed, it may not be a hard requirement for your audit. It is recommended to review a change to the control language with your auditor to accept reference checks or past-employment verification as alternatives. Your auditor would like to see that some vetting process occurred as part of your hiring procedures.
  • If your company is self-attesting and there is a control relating to background checks, you would need to ensure you have a process in place and evidence for vetting employees from a security perspective.

 

Which integration partner can I use?

  • Vanta integrates with Checkr, Certn, and Vetty.
 

 

Do auditors need to see the entire background check?

  • Your auditor will need to see that the check was completed, and confidential information can be removed. It is up to your team to decide if you would like to accept any potential risk associated with hiring an individual.

 

Do I need to retroactively perform background checks for all of my employees?

  • No, your auditor will want to see those checks for any new hires moving forward.

 

What about employees in countries that do not allow background checks?

  • Your auditor will adhere to the regulations of the country the employee is living in. Vanta recommends that you work with your auditor to decide on an alternative way to meet the control for those employees.

 

What if I am not using an integration partner, or am using an alternative check process?

  • You will still be able to upload evidence related to completed checks in Vanta. Customers can upload a URL on the People page for the selected employee. This will complete the task in Vanta, and the URL will be visible to auditors (customers may need to grant access).
  • Customers can also upload evidence of completed checks for new hires on the Documents page for completed background checks.