Introducing automated ISO 27001 and HIPAA compliance
Vanta was founded in 2017 with a mission to secure the internet and protect consumer data. From the ever-increasing number of data breaches, it’s clear that online security is only becoming more important. At the same time, we understand how hard it can be for fast-growing companies to invest the time and manpower it takes to build a solid security foundation.
That’s why we started by automating SOC 2, the most commonly-accepted framework for demonstrating security in the United States. But SOC 2 has always been just the beginning for Vanta. In May, we announced an invite-only Beta for our two other most requested security standards, ISO 27001 and HIPAA.
Today, after several months of product refinement, we’re excited to announce public availability of our ISO 27001 and HIPAA compliance products. These standards are now available as standalone services or packaged with our award-winning SOC 2 offering.
With this release, Vanta customers can enhance their security posture and prove compliance––all in one automated security platform.
ISO 27001 is the global benchmark for demonstrating an effective Information Security Management System (ISMS). For businesses selling to customers outside of the US, a well-defined ISMS may be required by local law and potential buyers will likely ask to see an ISO 27001 certificate prior to purchasing.
Becoming ISO 27001 certified is a months-long to even year-long process that requires documenting policies and procedures, identifying risks, assigning responsibilities, and training personnel. Further, ISO 27001 certification includes both an internal and external audit to ensure that an organization’s ISMS has been properly implemented.
Fortunately, Vanta’s ISO 27001 product brings clarity to this complexity. Vanta provides customizable policy templates to help you define the scope of your ISMS, assign roles and responsibilities, identify risks and mitigation measures, and more. And the Vanta platform leverages read-only integrations with leading cloud providers, task trackers, MDMs and more to automatically collect evidence for and map it to your Annex A controls.
In fact, Vanta automates over 80% of the ISO 27001 certification requirements - meaning you can spend less time on compliance, and more time growing your business.
As one of our ISO 27001 Beta customers said:
"Lots of companies claim to automate compliance but Vanta is actually doing it. They really help guide me through the SOC 2 and ISO 27001 experience. This is my first time working with both of these frameworks and I really appreciate having the Vanta team behind me to support."
– Vicky Levay, Director of Compliance at FloQast
Companies that create, access, store, or share Protected Health Information (PHI) must comply with HIPAA legal requirements or potentially face steep fines and penalties. But becoming HIPAA compliant can be a complex and time-consuming process. And because there is no independent audit associated with HIPAA, it can be difficult to even know whether or not you’re compliant at any given time.
Vanta’s HIPAA product demystifies the path towards becoming and staying HIPAA compliant. In fact, Vanta automates over 85% of the evidence requirements needed to prove HIPAA compliance and helps you manage the evidence that is not automated, such as signed Business Associate Agreements. Additionally, built into Vanta are CPA-vetted policy templates that help you codify your company’s PHI privacy and security procedures, saving you from drafting these documents from scratch or hiring a security consultant.
With Vanta’s HIPAA product, you’ll spend less time chasing down evidence from employees, systems, and Business Associates––and confidently track progress towards HIPAA compliance in one place.
As one of our HIPAA Beta customers said:
“Vanta's policy generator really saved our small team a lot of time at the beginning, to cover all our bases for SOC2 and HIPAA, especially as we're not experts in writing policies. It provides a solid foundation with a lot of options and the ability to fully customize them as needed.”
–Anthony Powles, Head of Security at HeyMarket
The Vanta Platform
Vanta streamlines the path towards compliance with powerful automations, reports on where your business stands, and clear instructions on how to fix any gaps. Vanta does this by leveraging a robust library of API integrations that connect with the business tools you already use to automate most of the evidence gathering process. Vanta’s continuous monitoring platform is the foundation for all of the standards we support.
And to better serve our customers pursuing multiple standards at once, Vanta now gives you a single view to easily track progress towards each standard––and see the specific controls and pieces of evidence behind each requirement.
We’re very excited to introduce ISO 27001 and HIPAA compliance, our two most-requested standards. With SOC 2, ISO 27001, and HIPAA support, Vanta customers can further demonstrate their enhanced security posture, comply with US federal law, and reach new global customers. Book a demo to learn more.
Vanta restores trust in internet businesses by giving startups an easy-to-use set of tools to improve and prove their security. Over 1,000 fast-growing companies rely on Vanta to automate their security monitoring and prepare for SOC 2, ISO 27001, or HIPAA compliance in weeks instead of months. Vanta was founded in 2017 and is headquartered in San Francisco.
For more information, visit https://www.vanta.com.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Answer a few short questions and we’ll help identify your compliance level.
Does your business offer services to customers who are interested in your level of PCI compliance?
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.
Get PCI DSS certified
A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
Learn more about eCommerce PCI
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
Use our PCI checklist
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).
Automate your ROC and AOC