HECVAT Category
Documentation
The Documentation category covers the controls and questions related to this domain. It outlines the expectations institutions typically place on vendors, helps assess a vendor's risk posture and operational maturity, and provides structure for consistent evaluation during security reviews.
Assessment Questions
Do you have a well-documented business continuity plan (BCP), with a clear owner, that is tested annually?
This question is asking whether your organization has a formal Business Continuity Plan (BCP) that is properly documented, has clear ownership, and is tested at least once a year.
Do you have a well-documented disaster recovery plan (DRP), with a clear owner, that is tested annually?
This question is asking whether your organization has a formal, documented Disaster Recovery Plan (DRP) in place. A DRP is a structured approach that outlines how an organization will recover and restore its IT infrastructure and operations following a disaster or major disruption. The question specifically asks about three key aspects:
Have you undergone an SSAE 18/SOC 2 audit?
This question is asking whether your organization has undergone a System and Organization Controls 2 (SOC 2) audit, which is based on the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) framework.
Do you conform with a specific industry standard security framework (e.g., NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)?
This question is asking whether your organization follows a recognized security framework to structure and guide your security practices. Security frameworks are standardized sets of guidelines, best practices, and recommendations that help organizations establish and maintain effective security controls.
Can you provide overall system and/or application architecture diagrams, including a full description of the data flow for all components of the system?
This question is asking whether you can provide comprehensive documentation of your system's architecture, including visual diagrams and detailed explanations of how data flows through all parts of your system.
Does your organization have a data privacy policy?
This question is asking whether your organization has a formal, documented policy that specifically addresses data privacy. A data privacy policy outlines how an organization collects, uses, stores, shares, and protects personal and sensitive information. It defines the organization's commitment to privacy principles, compliance with relevant regulations (like GDPR, CCPA, HIPAA), and the rights of individuals whose data you process.
Do you have a documented, and currently implemented, employee onboarding and offboarding policy?
This question is asking whether your organization has formal, documented procedures for adding new employees to your systems and removing departing employees' access. An onboarding policy ensures new employees receive proper access rights, training, and equipment in a consistent manner. An offboarding policy ensures that when employees leave, their access is promptly revoked, equipment is returned, and knowledge is transferred.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.