In a SOC 2 audit, the auditor will expect that you know, understand, and enforce your controls. Vanta is used to provide evidence showing that you are enforcing them. The auditor will read control language very literally, as assertions you are making about your control environment; the controls are the master set that Vanta has built its tests on. For example, if your control language says you require security awareness training (SAT) to be completed prior to onboarding new employees, and you hire someone without completing SAT prior to onboarding, this will create an exception in your report.


Readiness checklist

  • Audit observation window added in Company Settings, and auditor given access to your Vanta instance
  • PDF of policies created and approved within the last 12 months
    • Note: It is important to read through your policies at some point pre-audit
  • On the People page
    • Screenshots for SAT (security awareness training) checked
    • Ensure each screenshot includes the employee name and shows the completed module
    • For HIPAA customers, check for HIPAA SAT
  • On the Vulnerabilities page
    • Note: If using a 3rd party scanning tool that does not integrate with Vanta, you will need to provide the auditor with screenshots of the tool's configuration and of high/medium severity vulnerabilities being closed within the SLA window, or have a clear plan to remediate (you can add this evidence to the Documents tab)
    • Ensure a 3rd party scanning tool has been installed (e.g. Snyk, Qualys, AWS Inspector, etc.)
    • All High/Medium severity vulnerabilities resolved or have a plan to be resolved
    • Check SLA violations to be sure all have been acknowledged
  • On the Risk Assessment page
    • Reminder: If your team is fully remote, the Physical Security section does not need to be filled out
    • All modules completed for SOC 2 and HIPAA (if applicable)
    • Scenarios created for specific risks identified
    • At least 1 task created to mitigate the risks identified
    • For ISO 27001 customers, check for an upload of the template to the Documents tab
    • Customers can complete this during their observation window!
  • On the Access page
    • Cloud Infrastructure
    • Identity Provider
    • Version Control
    • Ensure that individual users are linked to individual accounts (i.e. no shared accounts)
    • MFA is enabled (where possible)
  • Inventory
    • Check resources to ensure they have owners and descriptions
    • Use our Bulk Tagging feature to update resources in bulk!
  • Vendors
    • Example comment: “AWS SOC 3 report meets expectations and requirements. All services in scope” or “Exception in AWS SOC 3 report noted, does not have effect on use of service”
    • Ensure that all SOC 2, SOC 3, or ISO 27001 reports are added
    • Ensure all security questionnaires are filled out (unless a SOC 2, SOC 3, or ISO 27001 report is added)
    • Complete comments on vendor security controls indicating you’ve read the security documentation and determined that the security of the external vendor is on par with your own security controls
    • Add the date that the vendor was reviewed
    • For HIPAA customers, ensure a BAA has been uploaded for any vendor you share ePHI with
  • Tests
    • Confirm that all tests are passing (or close to passing / have planned remediation)
    • Check for deactivated tests, and that deactivated tests have been addressed with the auditor
  • Documents
    • All applicable resources uploaded
    • We recommend that all documentation from the observation window is uploaded
  • Databases
    • Note: you can only access the Databases page via a link provided by Vanta. The Vanta test does not pull Redshift clusters.
    • Databases page reviewed and all appropriate databases are encrypted

Your auditor is looking for ownership of your controls, as they are the basis for the audit. To ensure you are prepared ahead of your audit, you and your CSM will...

  • Review the Standards page to get an overview of Vanta's master set of controls and how they relate to tests
  • Review how Vanta collects evidence, either through automated tests via integrations or through manual uploads on the Documents tab
  • Review control language so you know what your auditor is referring to throughout your audit.
    • For SOC 2 customers, review the list of controls and any custom control language (e.g. “Background checks are completed for all employees” vs. “Background checks are performed prior to onboarding new employees”)
  • Prep for the “Interview” section of the Fieldwork Call and ensure you feel comfortable speaking to the ownership of controls
    • Example: The auditor will ask members of your team to explain their onboarding process and is looking to hear that the process reflects the actual controls you have listed in the sheet.
    • Review what you do and don’t need to answer, and when to push back and ask for more time
    • Go over the control language with the control owners so they understand what their responsibilities are (e.g. HR teams, engineers, etc.)