Summary
The Validated Assessment Program provides a way for organizations to demonstrate their adherence to common security controls in a format that is consumable and usable by your customers who use Whistic to manage their TPRM program. The Assessment incorporates existing security frameworks such as SOC, CAIQ, VSA, and SIG, and looks at the top 50 controls.
This program provides value by offering greater assurance to your customers through independently validated security controls, allowing customers to expedite due diligence and meet internal assessment requirements more efficiently, and helping you avoid additional inquiries associated with validation.
Getting Started
What You'll Need:
- Policies, Procedures, and other evidence that can demonstrate control implementation for the 49 controls that are part of the Whistic Control Framework
- Completed Questionnaires and other frameworks like CAIQ, SIG or CIS
- Audits and Certifications like SOC 2 Type II reports, ISO Certifications, or PCI DSS Reports
Time Commitment: 2-3 hours total, including initial meetings, follow-up discussions during the assessment (if needed), and review/approval of final deliverables before publishing.
How to Obtain a Validated Assessment Badge
Step 1: Prepare Your Documentation. Gather the required documentation that demonstrates control implementation:
- Standards, Policies, or Procedures
- Independent Audit Reports or Certifications (e.g. SOC, ISO, PCI, HITRUST)
- Industry-recognized Questionnaires (e.g. CAIQ, SIG, CIS)
- Any other relevant security documentation
Note: All evidence must be relevant, appropriate, and recent (within the last 12 months). Evidence older than 12 months may be referenced, but not used solely to verify control implementation.
Step 2: Share Documentation with Whistic. Upload your documentation to your Whistic Profile for assessment purposes.
Note: You do not need to publish all security documentation in your profile. Whistic can simply reference the documentation in the assessment and remove the actual documentation afterward. The Whistic Profile is used to share documentation with Whistic only to complete the assessment.
Step 3: Participate in Assessment Process. Work with Whistic during the assessment process, which includes:
- Initial meetings to discuss your security posture
- Follow-up discussions during the assessment (if needed)
- Conversations with Trust and Security leaders as part of evidence gathering
Step 4: Review and Approve Final Deliverables. Before publishing, you'll review and approve:
- A Whistic Assessment Report
- A completed Questionnaire with all control write-ups (completed by Whistic)
- Your new Audit Badge
Step 5: Complete Assessment Publication. Once approved, your completed profile will include all deliverables and your new Validated Assessment Badge.
FAQ
What is the Validated Assessment Program?
The Validated Assessment Program provides a way for organizations to demonstrate their adherence to common security controls in a format that is consumable and usable by your customers who use Whistic to manage their TPRM program. The Assessment incorporates existing security frameworks such as SOC, CAIQ, VSA, and SIG, and looks at the top 50 controls. It provides value in the following ways:
- Provides greater assurance to your customers by demonstrating that key security controls have been independently validated.
- Allows customers to expedite due diligence and meet internal assessment requirements more efficiently.
- Helps you avoid additional inquiries or questions associated with validation.
- Provides your customers a quick summary and independent opinion on the implementation of the most critical controls, without having to sift through large volumes of security documentation.
- Takes the time-consuming effort of documenting control validation off the plate of TPRM program leaders.
How does Whistic perform the Assessment?
Our work is completed in line with the Whistic Control Framework, a set of controls that are common across the most widely used standards such as the SIG, CAIQ, and CIS. For each control, we determine whether there is sufficient evidence of control implementation. A detailed description of the control, with references to all supporting documentation used to make that determination, is included for each control. For evidence to be considered sufficient, it must be relevant, appropriate, and recent:
- Relevant evidence includes, but is not limited to:
  - Independent Audit Reports or Certifications (e.g. SOC, ISO, PCI, HITRUST)
  - Standards, Policies, or Procedures
  - Industry-recognized Questionnaires (e.g. CAIQ, SIG, CIS)
  - Conversations with Trust and Security leaders
- Appropriate evidence must address the underlying risk the control aims to mitigate.
- Recent evidence must be from within the last 12 months. Evidence older than 12 months may be referenced, but not used solely to verify control implementation.
What is the time commitment for Customers?
2-3 hours in total. This includes initial meetings, follow-up discussions during the assessment (if needed), and review/approval of final deliverables before publishing.
What documentation do I need to share with Whistic?
- Policies, Procedures, and other evidence that can be used to demonstrate control implementation for the 49 controls that are part of the Whistic Control Framework
- Completed Questionnaires and other frameworks like CAIQ, SIG or CIS
- Audits and Certifications like SOC 2 Type II reports, ISO Certifications, or PCI DSS Reports
Do I need to publish all of the Security Documentation?
No, you do not need to publish all security documentation in your profile. We can simply reference the documentation in our assessment and remove the actual documentation afterward. The Whistic Profile is used only to share documentation with Whistic so that the assessment can be completed.
What does a completed Profile contain?
- A Whistic Assessment Report
- A completed Questionnaire with all control write-ups (completed by Whistic)
- A new Audit Badge