HECVAT Category

Documentation

Documentation covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.

Assessment Questions

DOCU-01

Do you have a well-documented business continuity plan (BCP), with a clear owner, that is tested annually?

Business continuity readiness is the focus here: assessors expect a formal BCP that is documented, has a clear owner, and is tested at least once a year.

DOCU-02

Do you have a well-documented disaster recovery plan (DRP), with a clear owner, that is tested annually?

Disaster recovery readiness is what's being probed here: reviewers want a formal, documented DRP that has a clear owner and is tested every year. A DRP is a structured approach that outlines how an organization will recover and restore its IT infrastructure and operations following a disaster or major disruption. The question specifically asks about three key aspects:

DOCU-03

Have you undergone a SSAE 18/SOC 2 audit?

Independent attestation is the focus here: assessors want confirmation that your organization has completed a SOC 2 audit conducted under the SSAE 18 attestation framework.

DOCU-04

Do you conform with a specific industry standard security framework (e.g., NIST Cybersecurity Framework, CIS Controls, ISO 27001, etc.)?

Reviewers want to know whether your security practices are anchored to a recognized industry framework such as the NIST Cybersecurity Framework, CIS Controls, or ISO 27001. Security frameworks are standardized sets of guidelines, best practices, and recommendations that help organizations establish and maintain effective security controls.

DOCU-05

Can you provide overall system and/or application architecture diagrams, including a full description of the data flow for all components of the system?

Architecture documentation is the focus here: assessors want diagrams and a full written description showing how data moves through every component of your system.

DOCU-06

Does your organization have a data privacy policy?

Reviewers want to see a formal, documented policy that speaks specifically to data privacy rather than general security. A data privacy policy outlines how an organization collects, uses, stores, shares, and protects personal and sensitive information. It defines the organization's commitment to privacy principles, compliance with relevant regulations (like GDPR, CCPA, HIPAA), and the rights of individuals whose data you process.

DOCU-07

Do you have a documented, and currently implemented, employee onboarding and offboarding policy?

Employee lifecycle access control is the focus here: reviewers want documented, currently active procedures for granting access to new hires and revoking it from departing staff. An onboarding policy ensures new employees receive proper access rights, training, and equipment in a consistent manner. An offboarding policy ensures that when employees leave, their access is promptly revoked, equipment is returned, and knowledge is transferred.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron