Product updates
Introducing automated ISO 27001 and HIPAA compliance

Introducing automated ISO 27001 and HIPAA compliance

Vanta was founded in 2017 with a mission to secure the internet and protect consumer data. From the ever-increasing number of data breaches, it’s clear that online security is only becoming more important. At the same time, we understand how hard it can be for fast-growing companies to invest the time and manpower it takes to build a solid security foundation. 

That’s why we started by automating SOC 2, the most commonly-accepted framework for demonstrating security in the United States. But SOC 2 has always been just the beginning for Vanta. In May, we announced an invite-only Beta for our two other most requested security standards, ISO 27001 and HIPAA.

Today, after several months of product refinement, we’re excited to announce public availability of our ISO 27001 and HIPAA compliance products. These standards are now available as standalone services or packaged with our award-winning SOC 2 offering. 

With this release, Vanta customers can enhance their security posture and prove compliance––all in one automated security platform.

ISO 27001 Certification

ISO 27001 is the global benchmark for demonstrating an effective Information Security Management System (ISMS). For businesses selling to customers outside of the US, a well-defined ISMS may be required by local law and potential buyers will likely ask to see an ISO 27001 certificate prior to purchasing. 

Becoming ISO 27001 certified is a months-long to even year-long process that requires documenting policies and procedures, identifying risks, assigning responsibilities, and training personnel. Further, ISO 27001 certification includes both an internal and external audit to ensure that an organization’s ISMS has been properly implemented.

Fortunately, Vanta’s ISO 27001 product brings clarity to this complexity. Vanta provides customizable policy templates to help you define the scope of your ISMS, assign roles and responsibilities, identify risks and mitigation measures, and more. And the Vanta platform leverages read-only integrations with leading cloud providers, task trackers, MDMs and more to automatically collect evidence for and map it to your Annex A controls.

In fact, Vanta automates over 80% of the ISO 27001 certification requirements - meaning you can spend less time on compliance, and more time growing your business.

As one of our ISO 27001 Beta customers said:

"Lots of companies claim to automate compliance but Vanta is actually doing it. They really help guide me through the SOC 2 and ISO 27001 experience. This is my first time working with both of these frameworks and I really appreciate having the Vanta team behind me to support."
– Vicky Levay, Director of Compliance at FloQast

HIPAA Compliance

Companies that create, access, store, or share Protected Health Information (PHI) must comply with HIPAA legal requirements or potentially face steep fines and penalties. But becoming HIPAA compliant can be a complex and time-consuming process. And because there is no independent audit associated with HIPAA, it can be difficult to even know whether or not you’re compliant at any given time.

Vanta’s HIPAA product demystifies the path towards becoming and staying HIPAA compliant. In fact, Vanta automates over 85% of the evidence requirements needed to prove HIPAA compliance and helps you manage the evidence that is not automated, such as signed Business Associate Agreements. Additionally, built into Vanta are CPA-vetted policy templates that help you codify your company’s PHI privacy and security procedures, saving you from drafting these documents from scratch or hiring a security consultant.

With Vanta’s HIPAA product, you’ll spend less time chasing down evidence from employees, systems, and Business Associates––and confidently track progress towards HIPAA compliance in one place.

As one of our HIPAA Beta customers said:

“Vanta's policy generator really saved our small team a lot of time at the beginning, to cover all our bases for SOC2 and HIPAA, especially as we're not experts in writing policies. It provides a solid foundation with a lot of options and the ability to fully customize them as needed.”
Anthony Powles, Head of Security at HeyMarket

The Vanta Platform

Vanta streamlines the path towards compliance with powerful automations, reports on where your business stands, and clear instructions on how to fix any gaps. Vanta does this by leveraging a robust library of API integrations that connect with the business tools you already use to automate most of the evidence gathering process. Vanta’s continuous monitoring platform is the foundation for all of the standards we support.

And to better serve our customers pursuing multiple standards at once, Vanta now gives you a single view to easily track progress towards each standard––and see the specific controls and pieces of evidence behind each requirement.

We’re very excited to introduce ISO 27001 and HIPAA compliance, our two most-requested standards. With SOC 2, ISO 27001, and HIPAA support, Vanta customers can further demonstrate their enhanced security posture, comply with US federal law, and reach new global customers. Book a demo to learn more.

About Vanta

Vanta restores trust in internet businesses by giving startups an easy-to-use set of tools to improve and prove their security. Over 1,000 fast-growing companies rely on Vanta to automate their security monitoring and prepare for SOC 2, ISO 27001, or HIPAA compliance in weeks instead of months. Vanta was founded in 2017 and is headquartered in San Francisco.

For more information, visit

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.


Does your business offer services to customers who are interested in your level of PCI compliance?


Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:


A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified


A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference


Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.