Table of Contents
- What documentation do I need to share with Whistic?
- Do I need to publish all of the Security Documentation?
- What does a completed Profile look like?
What is the Validated Assessment Program?
The Validated Assessment Program provides a way for organizations to demonstrate their adherence to common security controls in a format that is consumable and usable by your customers that use Whistic to manage their TPRM program. The Assessment incorporates existing security frameworks like SOC, CAIQ, VSA and SIG and looks at the top 50 controls. It provides value in the following ways:
- Provides greater assurance to your customers by demonstrating that key security controls have been independently validated.
- Allows customers to expedite due diligence and meet internal assessment requirements more efficiently.
- Helps you avoid additional inquiries or questions associated with validation.
- Provides your customers a quick summary and an independent opinion on the implementation of the most critical controls, without their having to sift through large volumes of security documentation.
- Takes the time-consuming effort of documenting control validation off the plate of TPRM program leaders.
How does Whistic perform the Assessment?
Our work is completed in line with the Whistic Control Framework, a set of controls that are common across the most widely used Standards like the SIG, CAIQ and CIS.
For each control, we determine whether there is sufficient evidence of control implementation. A detailed description of the control and references to all supporting documentation used to make that determination are included for each control. To be considered sufficient, evidence must be relevant, appropriate, and recent.
- Relevant evidence includes, but is not limited to:
  - Independent audit reports or certifications (e.g. SOC, ISO, PCI, HITRUST)
  - Standards, policies, or procedures
  - Industry-recognized questionnaires (e.g. CAIQ, SIG, CIS)
  - Conversations with Trust and Security leaders
- Appropriate evidence must address the underlying risk the control aims to mitigate.
- Recent evidence must be from within the last 12 months. Evidence older than 12 months may be referenced, but may not be used on its own to verify control implementation.
What is the time commitment for Customers?
- 2-3 hours. This includes initial meetings, follow-up discussions during the assessment if needed, and any review/approval of the final deliverables before publishing.
What documentation do I need to share with Whistic?
- Policies, procedures and other evidence that can be used to demonstrate control implementation for the 49 controls that are part of the Whistic Control Framework
- Completed questionnaires and other frameworks like CAIQ, SIG or CIS
- Audits and certifications like SOC 2 Type II reports, ISO certifications, or PCI DSS reports
Do I need to publish all of the Security Documentation?
- No, you do not need to include all security documentation in your Profile. We can simply reference the documentation in our assessment and then remove the documents themselves.
- We do use the Whistic Profile to share documentation (with Whistic only) in order to complete the assessment.
What does a completed Profile look like?
- Here is an example of a Profile that we built for Google. Each Profile will contain:
  - A Whistic Assessment Report
  - A completed questionnaire with all control write-ups (completed by Whistic)
  - A new Audit Badge