Vanta automates compliance starting with SOC 2
Please enter your first name
Please enter your last name
Please enter a valid email address
Please enter a job title
Please enter your company name
Please enter your company website
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
👋
We'll be at SaaStr, Sep. 27-29. Come meet the team at booth 415!
Read More >

Determine which annual audits and assessments are required for your company

Checklist items

Perform and document ongoing technical and non-technical evaluations, internally or in partnership with a third-party security and compliance team like Vanta

Review the U.S. Dept of Health and Human Services Office for Civil Rights Audit Protocol

Conduct required HIPAA compliance audits and assessments

Checklist items

Perform and document ongoing technical and non-technical evaluations, internally or in partnership with a third-party security and compliance team like Vanta

Review the U.S. Dept of Health and Human Services Office for Civil Rights Audit Protocol

Document your plans and put them into action

Checklist items

Document every step of building, implementing, and assessing your compliance program

Vanta’s automated compliance reporting can streamline planning and documentation

Appoint a security
and compliance point person
in your company

Checklist items

Designate an employee as your HIPAA Compliance Officer

Schedule annual HIPAA training for all employees

Checklist items

Distribute HIPAA policies and procedures and ensure staff read and attest to their review

Document employee trainings and other compliance activities

Checklist items

Thoroughly document employee training processes, activities, and attestations

Establish and communicate clear breach report processes
to all employees

Checklist items

Ensure that staff understand what constitutes a HIPAA breach, and how to report a breach

Implement systems to track security incidents, and to document and report all breaches

Institute an annual review process

Checklist items

Annually assess compliance activities against theHIPAA Rules and updates to HIPAA

Continuously assess and manage risk

Checklist items

Build a year-round risk management program and integrate continuous monitoring

Understand the ins and outs of HIPAA compliance— and the costs of noncompliance

Determine which annual audits and assessments are required for your company

Checklist items

Perform and document ongoing technical and non-technical evaluations, internally or in partnership with a third-party security and compliance team like Vanta

Review the U.S. Dept of Health and Human Services Office for Civil Rights Audit Protocol

Conduct required HIPAA compliance audits and assessments

Checklist items

Perform and document ongoing technical and non-technical evaluations, internally or in partnership with a third-party security and compliance team like Vanta

Review the U.S. Dept of Health and Human Services Office for Civil Rights Audit Protocol

Document your plans and put them into action

Checklist items

Document every step of building, implementing, and assessing your compliance program

Vanta’s automated compliance reporting can streamline planning and documentation

Appoint a security and compliance point person in your company

Checklist items

Designate an employee as your HIPAA Compliance Officer

Schedule annual HIPAA training for all employees

Checklist items

Distribute HIPAA policies and procedures and ensure staff read and attest to their review

Document employee trainings and other compliance activities

Checklist items

Thoroughly document employee training processes, activities, and attestations

Establish and communicate clear breach report processes
to all employees

Checklist items

Ensure that staff understand what constitutes a HIPAA breach, and how to report a breach

Implement systems to track security incidents, and to document and report all breaches

Institute an annual review process

Checklist items

Annually assess compliance activities against theHIPAA Rules and updates to HIPAA

Continuously assess and manage risk

Checklist items

Build a year-round risk management program and integrate continuous monitoring

Understand the ins and outs of HIPAA compliance— and the costs of noncompliance

Everything you need to get HIPAA compliance audit ready, fast.

Vanta is “security in a box” for technology companies, trusted by hundreds. Our continuous monitoring software and robust range of automated checks can help you get compliance audit-ready, fast. Vanta can help your company:

  • Build a statement of applicability describing how you control for each HIPAA safeguard
  • Track how ePHI flows through your system and access points
  • Track HIPAA tasks like employee training
  • Develop a breach notification policy and template
  • Prepare for your HIPAA audit fieldwork… and more
Compliance and security automation

Your ISO 27001 Compliance Checklist

What is ISO 27001?

ISO 27001 is the global gold standard for ensuring the security of information and its supporting assets. Obtaining ISO 27001 certification can help an organization prove its security practices to potential customers anywhere in the world.

Our ISO 27001 checklist will help your organization successfully implement an Information Security Management System (ISMS) according to the standard, and prepare your org for an independent audit of your ISMS to obtain ISO 27001 certification. Let’s get started!

1

Develop a roadmap for successful implementation of an ISMS and ISO 27001 certification

Implement Plan, Do, Check, Act (PDCA) process to recognize challenges and identify gaps for remediation

Consider ISO 27001 certification costs relative to org size and number of employees

Clearly define scope of work to plan certification time to completion

Select an ISO 27001 auditor

2

Set the scope of your organization’s ISMS

Decide which business areas are covered by the ISMS and which are out of scope

Consider additional security controls for business processes that are required to pass ISMS-protected information across the trust boundary

Inform stakeholders regarding scope of the ISMS

3

Establish an ISMS governing body

Build a governance team with management oversight

Incorporate key members of top management, e.g. senior leadership and executive management with responsibility for strategy and resource allocation

4

Conduct an inventory of information assets

Consider all assets where information is stored, processed, and accessible

  • Record information assets: data and people
  • Record physical assets: laptops, servers, and physical building locations
  • Record intangible assets: intellectual property, brand, and reputation

Assign to each asset a classification and owner responsible for ensuring the asset is appropriately inventoried, classified, protected, and handled

5

Execute a risk assessment

Establish and document a risk-management framework to ensure consistency

Identify scenarios in which information, systems, or services could be compromised

Determine likelihood or frequency with which these scenarios could occur

Evaluate potential impact of each scenario on confidentiality, integrity, or availability of information, systems, and services

Rank risk scenarios based on overall risk to the organization’s objectives

6

Develop a risk register

Record and manage your organization’s risks

Summarize each identified risk

Indicate the impact and likelihood of each risk

7

Document a risk treatment plan

Design a response for each risk (Risk Treatment)

Assign an accountable owner to each identified risk

Assign risk mitigation activity owners

Establish target dates for completion of risk treatment activities

8

Complete the Statement of Applicability worksheet

Review 114 controls of Annex A of ISO 27001 standard

Select controls to address identified risks

Complete the Statement of Applicability listing all Annex A controls, justifying inclusion or exclusion of each control in the ISMS implementation

9

Create an Information Security Policy, the highest-level internal document in your ISMS

Build a framework for establishing, implementing, maintaining, and continually improving the ISMS

Include information or references to supporting documentation regarding:

  • Information Security Objectives
  • Leadership and Commitment
  • Roles, Responsibilities, and Authorities
  • Approach to Assessing and Treating Risk
  • Control of Documented Information
  • Communication
  • Internal Audit
  • Management Review
  • Corrective Action and Continual Improvement
  • Policy Violations
10

Assemble required documents and records

Review ISO 27001 Required Documents and Records list

Customize policy templates with organization-specific policies, process, and language

11

Establish employee training and awareness programs

Conduct regular trainings to ensure awareness of new policies and procedures

Define expectations for personnel regarding their role in ISMS maintenance

Train personnel on common threats facing your organization and how to respond

Establish disciplinary or sanctions policies or processes for personnel found out of compliance with information security requirements

12

Perform an internal audit

Allocate internal resources with necessary competencies who are independent of ISMS development and maintenance, or engage an independent third party 

Verify conformance with requirements from Annex A deemed applicable in your ISMS's Statement of Applicability

Share internal audit results, including nonconformities, with the ISMS governing body and senior management

Address identified issues before proceeding with the external audit

13

Undergo external audit of ISMS to obtain ISO 27001 certification

Engage an independent ISO 27001 auditor

Conduct Stage 1 Audit consisting of an extensive documentation review; obtain feedback regarding readiness to move to Stage 2 Audit

Conduct Stage 2 Audit consisting of tests performed on the ISMS to ensure proper design, implementation, and ongoing functionality; evaluate fairness, suitability, and effective implementation and operation of controls

14

Address any nonconformities

Ensure that all requirements of the ISO 27001 standard are being addressed

Ensure org is following processes that it has specified and documented

Ensure org is upholding contractual requirements with third parties

Address specific nonconformities identified by the ISO 27001 auditor

Receive auditor’s formal validation following resolution of nonconformities

15

Conduct regular management reviews

Plan reviews at least once per year; consider a quarterly review cycle 

Ensure the ISMS and its objectives continue to remain appropriate and effective

Ensure that senior management remains informed

Ensure adjustments to address risks or deficiencies can be promptly implemented

16

Calendar ISO 27001 audit schedule and surveillance audit schedules

Perform a full ISO 27001 audit once every three years

Prepare to perform surveillance audits in the second and third years of the Certification Cycle

17

Consider streamlining ISO 27001 certification with automation

Transform manual data collection and observation processes into automated and continuous system monitoring

Identify and close any gaps in ISMS implementation in a timely manner

18

Learn more about achieving ISO 27001 certification with Vanta

Book an ISO 27001 demo with Vanta

Download this checklist for easy reference

DOWNLOAD NOW

Additional HIPAA Resources

The SOC 2 Compliance Checklist

Read More

Vanta's guide to SOC 2

Read More

What does a SOC 2 audit cost?

Read More

“Getting our SOC 2 and HIPAA was an absolute game-changer for the way that Nayya is able to sell into larger companies.”

Akash Magoon  | Co-Founder + Chief Technology Officer, Nayya

Everything you need to get compliance audit ready, fast.

GET STARTED