New in Vanta: Tools to streamline your audit
Whether it's from investors, prospects, or regulatory entities, someone, at some point, will ask about your company’s security posture. The best response is a SOC 2 report or an ISO 27001 certification. But to achieve those, you’ll have to prepare for an audit.
Before Vanta, audits were a stressful endeavor. Audits were prolonged, highly manual events requiring lots of time from various members of your organization. From documenting evidence to coordinating with stakeholders inside your organization, inefficiencies and frustration were the norm.
Fortunately, Vanta is specifically designed to streamline all things compliance, and that includes the audit. Vanta is the fastest product to get you to your audit, and—because of our deep investments in tools and services around the audit itself—Vanta’s the preferred platform of auditors to help get you through it.
In this post we take a look at some of these audit-focused investments. These newly released tools and services were designed to make life a bit easier for you and your auditor when it comes time for an audit.
Introducing: Smart System Description
One of the first documents your auditor will ask you for is a system description. The system description is a fundamental section of your SOC 2 report and outlines the scope of the system being audited, including all the internal controls in place.
It is your responsibility to write this section, oftentimes with limited or no support from your auditor. But gathering all the details for a system description can be time-consuming and difficult—customers report spending up to 15 hours finding all the information and putting together the report itself, which can reach dozens of pages in length. A poorly written or incomplete system description can result in delays to your audit, or even a qualified SOC 2 report.
Smart System Description walks you through 13 important sections to complete, including details on your service description, people, and data operations. Best of all, Vanta pre-populates parts of these sections based on your existing work in the platform, saving you from over 10 hours of tracking down information.
An updated system description is needed each year for your SOC 2 audit, and Vanta will automatically remind your team or any assigned owner of its upcoming renewal. Keeping track of and modifying last year’s system description is easy because Vanta stores previous versions in one place for your team to access.
• View Smart System Description within the Documents page to get started.
Vanta Seamless Audit
Finding a trusted compliance platform, like Vanta, to guide you through and automate the evidence collection process is just one part of the audit equation. It can be equally, if not more, daunting to research and interview a handful of auditors to determine which is the right one for you. To make obtaining a SOC 2 report or ISO 27001 certification a single motion, we’ve rolled auditor selection into Vanta with Vanta Seamless Audit.
Vanta Seamless Audit simplifies the audit process by providing access to the Vanta platform along with an independent, Vanta-vetted SOC 2 auditor in one simple transaction, and for one attractive price. Get matched directly with an independent, five-star rated auditor who brings years of expertise and knowledge of Vanta to your audit, cutting out countless hours of interviews.
And because Seamless Audit partners have completed hundreds of audits in Vanta before, they know the system well and can quickly get a clear view of your organization’s compliance performance. This deep understanding of how to use Vanta to review, request, and accept evidence greatly reduces your effort and audit prep time, with some customers reporting an 80% reduction in total audit completion time.
Audit Preferred Evidence
An exciting new benefit that comes with Vanta Seamless Audit is Audit Preferred Evidence. Preparing evidence for your audit can be a daunting task, especially on first view of your required documents in Vanta. To alleviate some of this initial anxiety and eliminate unnecessary work done by your team, we’ve launched Audit Preferred Evidence.
With Audit Preferred Evidence, your Seamless Audit partner has predefined exactly which evidence they’re looking for in Vanta during an audit. In turn, your team has clear instruction on your auditor’s evidence expectations upon first login and can get started immediately knowing that you’re on the right track.
Vanta automatically adjusts the Documents pages to match the requirements as determined by your auditor. Additional pieces of evidence or the Vanta defaults can be added at any time for further customization. Best of all, you and your team know precisely what your Seamless Audit partner is expecting, greatly reducing the typical stress, uncertainty, and time needed to get to audit and through it.
• Contact Sales or your Success Manager to learn more about Vanta Seamless Audit.
Customize your controls with Control Management
Controls are the commitments your organization maintains to stay secure and demonstrate trustworthiness to others. When preparing for an audit, much of your work centers on gathering evidence to show that your organization is delivering on its control commitments. Vanta greatly reduces the effort surrounding audit preparation by automating evidence collection and providing a list of industry-adopted controls for your company to follow.
There are times, however, when your organization may wish to maintain controls not reflected in Vanta’s default list. This is especially true for companies that have completed a SOC 2 or ISO 27001 audit in the past and wish to carry over existing controls into Vanta. There are also times when Vanta’s default controls may not be applicable to your business. To address these scenarios and provide increased customization, we’ve released Control Management.
Control Management gives your team the flexibility to create custom controls and opt out of Vanta defaults. Custom controls work seamlessly with the rest of Vanta and are displayed, monitored, and reported alongside Vanta’s default set. Custom controls can be further defined with evidence requirements: choose one of Vanta’s default tests or create your own evidence requirement. The possibilities for customizing controls are vast with Control Management.
Control and Test ownership
When it comes time to get audit ready, lack of accountability can cost your team weeks in delays due to coordination costs and backlogged work. Control and test ownership in Vanta solves that with clear oversight and accountability within your compliance program.
Vanta makes it easy for teams to stay accountable with control and test ownership. Organizations can assign control owners, who are ultimately responsible for the health and implementation of a control. Control owners or admins can then assign tests to test owners who are responsible for getting the underlying issue resolved. Both control and test owners are kept updated on the health of their assigned items with notifications along the way.
Establishing ownership is crucial for any high-performing compliance program and especially so when your team approaches an audit. Keep your team informed and accountable throughout the audit experience with control and test ownership.
• View and manage your controls from the Compliance page.
• Control ownership will be available to all users at the end of August.
Managing policies in Vanta with Confluence
Policies codify your security practices into agreements for internal and external audiences. These documents can be challenging to understand or write. That’s why Vanta provides templates and an in-app policy editor to help your team create the collection of policies needed prior to an audit.
To get you through policy creation faster and one step closer to audit, we’re expanding the ways you can use Vanta to manage policies. We’ve heard that sometimes you’d prefer to use an external document management tool, such as Confluence, for policy creation and revision control. To match your team’s preferred workflow, you can now sync policies into Vanta directly from Confluence.
Now your team can work on policy iterations within Confluence and sync the final version into Vanta. For any policies not stored in Confluence, you can always use Vanta’s document upload feature or native policy editor to meet your policy requirements.
• Visit the Integrations page to connect your Confluence account to Vanta.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
A SAQ A is required for Merchants that do not require the physical presence of a credit card (such as an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third-party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s systems or premises.
A SAQ A-EP is similar to a SAQ A, but applies to Merchants that don't receive cardholder data yet control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).