Table of Contents

Reach SOC 2 Compliance in 6 Weeks or Less.

  /

  / Vanta Implementation Checklist for Your First Audit

Vanta Implementation Checklist for Your First Audit

Most companies configure Vanta backwards. They connect integrations first, watch tests turn green, and only then ask which framework they are actually being audited against. By the time the auditor asks for the observation window start date, half the account needs to be rebuilt. The order you set things up in Vanta matters almost as much as what you set up, and getting it wrong costs weeks you do not have before a first audit.

This checklist walks through the sequence that actually holds up under audit: the decisions to make before you touch the platform, the sequence of configuration inside it, and the final readiness checks before you hand the account to an auditor.

Vanta Implementation Checklist

Why a Vanta Implementation Checklist Matters Before Your First Audit

Vanta is compliance automation software, not a compliance program. It monitors, syncs, and flags. It does not decide your scope, pick your framework, or tell you when your observation window can safely begin. Those calls are yours, and if you make them after connecting integrations rather than before, you end up rescoping mid-implementation, which resets test history and pushes your audit timeline back by weeks.

A first-time implementation typically runs six to twelve weeks from account creation to a fully passing test suite, depending on how much of the underlying control environment already existed. Companies that skip the pre-implementation planning stage and jump straight into connecting AWS and Okta tend to discover, three weeks in, that half their integrations are out of scope, their policies do not match their actual operations, and their observation window needs to restart.

Ready for your first audit?

Get audit-ready with expert Vanta implementation support.

Pre-Implementation: Foundational Decisions to Make First

Define Your Target Framework (e.g., SOC 2, ISO 27001, HIPAA)

Every downstream Vanta setting, from which integrations you connect to which policies you publish, depends on the framework you are pursuing. SOC 2 Type II evaluates your controls against the AICPA’s five Trust Services Criteria, security, availability, processing integrity, confidentiality, and privacy, with security as the only mandatory category. ISO 27001 asks you to build a full Information Security Management System (ISMS) under a structured set of clauses, backed by a broader set of technical, physical, and organizational controls in Annex A. HIPAA and PCI DSS bring their own control sets tied to specific data types, protected health information and cardholder data, respectively.

If your customers are asking for a specific report, let that drive the decision rather than defaulting to whichever framework has the most templates in Vanta’s library. A fintech company with enterprise banking customers may need SOC 2 first and PCI DSS second. A healthcare SaaS vendor almost always needs HIPAA regardless of what else it pursues. Mapping frameworks to actual customer and contractual requirements before configuration saves you from scoping controls you will never use.

Important: Choosing multiple frameworks at once is common, but sequencing them wrong creates duplicate work. Configure your primary framework fully, get through a full observation cycle if pursuing Type II, and add secondary frameworks once your evidence collection habits are established. Vanta will map shared controls across frameworks automatically, but only once both are active in the account.

Set Your Audit Timeline and Observation Window

If you are pursuing SOC 2 Type I, there is no observation window. The audit evaluates whether your controls are designed correctly as of a single point in time, and you can move to audit as soon as your tests pass. SOC 2 Type II is different: the observation window, also called the audit window or monitoring period, is the span during which the auditor samples evidence to confirm your controls actually operated, not just that they existed on paper. For a first Type II audit, a three to six month window is standard. Mature organizations settling into an annual cadence typically move to a full twelve-month window once they have proven consistent operation.

Do not start the observation window until you are confident your controls are actually running as designed. Auditors can sample any event from the first day of the window forward, and a control failure in week two of a six-month window is just as damaging to your report as one in week twenty. This is the single most common timeline mistake first-time customers make in Vanta: they start the clock the day they finish connecting integrations, before policies are published, before HR sync is confirmed, and before access reviews have actually happened once.

Identify Internal Owners and Stakeholders

Every control needs a named owner inside Vanta, not a department. “Engineering” is not a control owner. The engineering manager who reviews production access quarterly is. Before you start configuring, map out who owns identity and access management, who owns vendor risk, who owns HR onboarding and offboarding, and who owns policy publication and employee acknowledgment. If your organization is small enough that one person wears several of these hats, that is fine, but it needs to be explicit in the tool, because Vanta’s task assignments and reminder emails route based on these ownership fields.

Choose Your Auditor Before You Configure Vanta

Auditor selection affects configuration choices that are expensive to reverse. Different CPA firms and ISO certification bodies have different tolerances for exceptions, different expectations around evidence formatting, and different preferences on how granular your control mapping should be. Get your auditor engaged, or at minimum shortlisted, before you finalize your framework scope and observation window in Vanta. Some firms will do a pre-audit readiness call that surfaces scoping issues Vanta’s automated checks will not catch, like whether a particular subprocessor needs to be in scope.

Step 1: Configure Company Settings in Vanta

Add Company Details and Business Information

Start with the basics: legal entity name, headquarters address, description of the service you provide, and the systems that process customer data. This becomes the backbone of your system description, the narrative document that accompanies your SOC 2 report and explains what your company does and how the in-scope systems support it. Getting this wrong early means rewriting the system description later, which auditors will flag as a scope change.

Assign Admin Roles and User Permissions

Set up role-based access inside Vanta itself before inviting a wider group of employees. Admin access should go to the small group of people responsible for the overall implementation, typically someone from security or IT leadership plus whoever owns compliance operations. Contributor-level access, limited to specific controls or tasks, should go to control owners identified in the pre-implementation phase. Over-permissioned access inside your compliance tool is its own finding waiting to happen.

Set Your Audit Type and Reporting Period

Confirm inside Vanta whether you are configuring for Type I or Type II, and if Type II, enter the observation window dates you settled on in the pre-implementation stage. This setting drives which evidence collection cadence Vanta applies and when it starts flagging tests as failing versus simply not-yet-configured.

Step 2: Connect Integrations and Define Scope

Identify In-Scope Systems, Cloud Accounts, and Repositories

Before connecting anything, list every cloud account, code repository, identity provider, and SaaS tool that touches customer data or the infrastructure that processes it. Separate this list into in-scope and out-of-scope categories with a documented rationale for each exclusion. A dev sandbox with no production data flowing through it might reasonably sit outside scope. A staging environment that mirrors production data usually should not.

Connect Core Integrations (Cloud, Identity, MDM)

Connect your cloud provider, whether AWS, GCP, or Azure, your identity provider such as Okta, Google Workspace, or Azure AD, your HR system, your task tracker like Jira or Asana, and your mobile device management tool in that order. Cloud and identity integrations feed the largest share of automated tests, so getting those connected and syncing correctly early gives you the longest runway to catch and fix configuration issues before the observation window starts.

Pro Tip: Connect integrations in a dedicated Vanta

Connect integrations in a dedicated Vanta project or sandbox pass first if you have a complex multi-account cloud setup. Validate that Vanta is reading the correct accounts before committing to the observation window start date. A misconfigured integration that silently excludes a production AWS account from monitoring is far harder to catch after the fact than before.

Exclude Out-of-Scope Resources

Vanta will pull in every resource an integration can see by default. Use the scoping and exclusion settings to remove systems that fall outside your defined boundary from the pre-implementation stage. Skipping this step is one of the fastest ways to fail tests for systems that were never supposed to be in scope in the first place, which inflates your remediation backlog with work you do not actually need to do.

Validate Data Sync and Test Results

Give each integration 24 to 48 hours to fully sync, then review the initial test results. Do not assume a green checkmark means the integration is reading everything correctly. Spot-check a sample of resources against what you know exists in the underlying system. A common failure mode is an integration connecting with read permissions too narrow to see the full resource inventory, which produces a passing test on an incomplete dataset.

Step 3: Set Up Personnel and HR Sync

Import Your Employee Roster

Connect your HR system so Vanta has an authoritative source for who is employed, in what role, and since when. This roster underpins background check tracking, training completion, and access review scoping.

Map Roles, Groups, and Contractors

Distinguish full-time employees from contractors, since some frameworks apply different requirements to each. Group employees by department or access tier so that later steps, particularly access reviews and training assignment, can be scoped efficiently rather than applied as one flat list.

Configure Onboarding and Offboarding Workflows

This is one of the most heavily sampled control areas in any audit. Auditors routinely pull a sample of terminated employees and check whether access was revoked within the policy-defined window, often 24 hours. Configure Vanta’s offboarding workflow to actually trigger deprovisioning tasks, not just log that an employee left. A workflow that only notifies IT without enforcing a deadline will still show gaps when sampled.

Step 4: Deploy Endpoint Monitoring (MDM) Across Devices

Enroll Company-Owned and BYOD Devices

Every device that accesses in-scope systems needs to be enrolled in your MDM tool and connected to Vanta. This includes personal devices under a BYOD policy if those devices can reach production systems or customer data. Devices that fall outside monitoring but still have access represent an unmonitored path into your environment, and auditors will ask about exactly this gap.

Confirm Encryption, Screen Lock, and Antivirus Checks Pass

Once devices are enrolled, Vanta checks disk encryption, screen lock timeout, and antivirus status automatically. Run this before the observation window opens, not during it, since fixing a non-compliant device mid-window still leaves a gap in the evidence trail for the days it was out of compliance.

Step 5: Upload and Customize Policies

Use Vanta’s Policy Templates as a Starting Point

Vanta’s template library covers the standard set: information security policy, access control policy, incident response plan, business continuity plan, and others tied to your selected framework. Start from these rather than drafting from scratch, but treat them as a first draft, not a final document. The NIST Cybersecurity Framework is a useful cross-reference when tailoring policy scope to real operational risks.

Tailor Policies to Your Business Operations

Generic templates describe generic companies. If your incident response policy references an escalation process your team does not actually follow, that mismatch becomes a finding the moment an auditor asks you to walk through a real incident. Edit every policy so it reflects what your team actually does, not what would look good on paper.

Insider Note: Auditors read policies and then interview staff to see if practice matches the document. A polished policy that nobody on the team can describe accurately is a worse outcome than a simpler policy everyone actually follows. Keep the language close to how your team really operates.

Publish Policies and Assign Employee Acknowledgments

Once finalized, publish policies through Vanta and assign acknowledgment tasks to all relevant employees. Track completion before the observation window starts, since unacknowledged policies at the start of the window suggest the policy was not actually in effect from day one.

Step 6: Complete Security Training Setup

Enable Vanta’s Built-in Training Modules

Vanta includes built-in security awareness training covering general security hygiene, and role-specific modules for engineers handling code and infrastructure. Enable the modules relevant to your framework and assign them by role or department.

Track Completion Across All Personnel

Set a completion deadline and monitor the dashboard rather than assuming reminder emails alone will drive completion. Training completion is a near-universal sampling target in audits, and a handful of stragglers at the end of the observation window is a common, easily avoidable finding. The Verizon Data Breach Investigations Report consistently ties a significant share of incidents to the human element, which is exactly why auditors weight this so heavily.

Step 7: Configure Access Reviews

Map Critical Systems Requiring Access Review

Identify every system where access grants matter, cloud infrastructure, code repositories, customer databases, and internal admin tools, and confirm each is connected so Vanta can pull current access lists automatically.

Set Review Cadence and Reviewers

Quarterly access reviews are the common baseline for most frameworks, though some organizations run them more frequently for highly sensitive systems. Assign a specific reviewer, generally the system owner or manager, rather than routing all reviews to a single security team member who lacks context on who should actually have access to each tool.

Step 8: Run a Risk Assessment

Complete Vanta’s Risk Assessment Workflow

Work through Vanta’s guided risk assessment to build out your risk register, identifying threats to confidentiality, integrity, and availability across your systems and rating likelihood and impact for each.

Document Risk Treatments and Mitigations

For every identified risk, document whether you are mitigating, accepting, transferring, or avoiding it, and what specific control addresses it. An unresolved risk with no documented treatment plan is one of the more common gaps auditors flag, since it suggests the assessment was completed as a checkbox exercise rather than an operational one.

Step 9: Set Up Vendor Management

Import Your Vendor Inventory

List every third-party vendor that has access to your systems or processes customer data on your behalf, from cloud infrastructure providers to smaller SaaS tools used by individual teams.

Categorize Vendors by Risk Tier

Not every vendor warrants the same scrutiny. A payroll processor handling employee financial data carries different risk than a project management tool with no access to customer data. Tier vendors by the sensitivity of what they access, and apply a proportionate level of due diligence to each tier.

Upload Vendor SOC 2 Reports and DPAs

For higher-tier vendors, collect their own SOC 2 reports and data processing agreements (DPAs) and upload them into Vanta. This is part of third-party risk management, often abbreviated TPRM, and demonstrates that your vendor oversight is not just a spreadsheet nobody revisits.

Step 10: Address Vulnerabilities and Infrastructure Monitoring

Review Automated Vulnerability Findings

Once your cloud and code repository integrations are connected, Vanta surfaces vulnerability findings automatically. Review these on a set cadence rather than letting them accumulate silently in the background. Cross-referencing findings against the National Vulnerability Database helps triage severity when Vanta’s default ratings feel too generic for your environment.

Remediate or Document Exceptions

Fix what you can fix. For findings that cannot be resolved immediately, whether due to a vendor patch not being available or a business dependency on a legacy configuration, document a formal exception with a rationale and a target remediation date. An undocumented, unaddressed critical vulnerability sitting in the account when the observation window opens is one of the more damaging findings an auditor can surface.

Step 11: Map Frameworks and Controls

Select Your Framework(s) in Vanta

With the foundational work done, formally select your framework or frameworks inside Vanta’s control mapping interface. This activates the specific control set your tests, policies, and evidence will be evaluated against.

Review Auto-Mapped Controls

Vanta auto-maps your connected integrations and completed tasks to relevant controls, but the mapping is not always perfect for edge cases specific to your environment. Review the full control list rather than assuming automation caught everything correctly.

Assign Control Owners

Every control needs a named owner responsible for keeping the underlying evidence current. This should map back to the stakeholder list built during pre-implementation, not be assigned arbitrarily at this later stage.

Step 12: Upload Supporting Documents and Manual Evidence

Identify Controls Requiring Manual Evidence

Some controls cannot be automatically monitored through an integration, board meeting minutes demonstrating security oversight, for example, or a signed business associate agreement. Identify these early rather than discovering them during the audit itself.

Upload Historical Documentation

If you have documentation predating your Vanta implementation that demonstrates a control was already in place, upload it. This can extend your effective evidence trail backward and, in some cases, support starting your observation window earlier than the date you connected Vanta.

Step 13: Add Your Auditor to Vanta

Send an Auditor Invitation

Once your account is substantially configured and tests are passing, invite your chosen auditor into Vanta with the appropriate access level. This gives them direct visibility into evidence rather than requiring manual exports.

Preview What Your Auditor Will See

Before sending the invitation, review the account from an outside perspective. Check that the system description is accurate, that excluded resources have documented rationale, and that no stale test failures are sitting unaddressed.

Confirm the Audit Workflow

Align with your auditor on how they intend to work inside Vanta versus requesting documents outside it, and confirm the expected timeline for fieldwork once your observation window closes or, for Type I, once your tests are passing.

Ready for your first audit?

Get audit-ready with expert Vanta implementation support.

Final Pre-Audit Readiness Checklist

Verify All Tests Are Passing (or Documented Exceptions)

A test failure with no documented exception looks like negligence to an auditor. A test failure with a documented exception, a remediation plan, and a target date looks like an organization that understands its own risk posture. Close this gap before the audit starts, not during it.

Confirm Observation Window Start Date

Double-check that the observation window dates configured in Vanta match what you agreed with your auditor. A mismatch here creates confusion during fieldwork that is entirely avoidable with a five-minute check beforehand.

Freeze Scope Changes Before the Window Opens

Avoid adding major new systems, vendors, or infrastructure changes right before the observation window opens. Scope changes reset evidence history for the affected controls and can undermine the continuity an auditor is looking for.

Common Setup Mistakes to Avoid Before Your First Audit

The mistake that costs the most time is starting the observation window before policies are published and acknowledged. The second most common is connecting every available integration without excluding out-of-scope resources, which inflates the remediation backlog with irrelevant work. A close third is assigning control ownership to departments instead of named individuals, which leaves nobody accountable when evidence goes stale. Each of these is avoidable with the sequencing outlined above: decisions before configuration, configuration before scope, scope before the observation window.

Getting the Vanta implementation right before your first audit is less about mastering every setting in the platform and more about making the right decisions in the right order. Frameworks, timelines, and ownership come first. Integrations, policies, and evidence collection follow. The observation window opens only once the underlying controls are actually operating, not just configured. Companies that follow this sequence walk into their first audit with a clean test suite and a clear story, instead of a scramble to explain gaps that a different order of operations would have prevented.

Frequently Asked Questions

How long does a Vanta implementation take before the first audit?

Most first-time implementations take six to twelve weeks to get from initial configuration to a fully passing test suite, not counting the observation window itself for a Type II audit. Organizations with an existing, mature control environment can move faster; those building controls from scratch should expect the longer end of that range.

Technically yes, but it is not advisable. Any test failing at the start of the window represents a control gap the auditor can sample against for the full duration. Most organizations wait until the test suite is fully green, or has only documented exceptions, before starting the clock.

Axipro Author

Picture of Pedro Dias

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.

Blog Highlights

Explore More Articles

Vanta Implementation Checklist

Most companies configure Vanta backwards. They connect integrations first, watch tests turn green, and only then ask which framework they are actually being audited against. By the time the auditor asks for the observation window start date, half the account needs to be rebuilt. The order you set things up in Vanta matters almost as much as what you set up, and getting it wrong costs weeks you do not have before a first audit. This checklist walks through the sequence that actually holds up under audit: the decisions to make before you touch the platform, the sequence of configuration inside it, and the final readiness checks before you hand the account to an auditor. Why a Vanta Implementation Checklist Matters Before Your First Audit Vanta is compliance automation software, not a compliance program. It monitors, syncs, and flags. It does not decide your scope, pick your framework, or tell you when your observation window can safely begin. Those calls are yours, and if you make them after connecting integrations rather than before, you end up rescoping mid-implementation, which resets test history and pushes your audit timeline back by weeks. A first-time implementation typically runs six to twelve weeks from account creation to a fully passing test suite, depending on how much of the underlying control environment already existed. Companies that skip the pre-implementation planning stage and jump straight into connecting AWS and Okta tend to discover, three weeks in, that half their integrations are out of scope, their policies do not match their actual operations, and their observation window needs to restart. Ready for your first audit? Get audit-ready with expert Vanta implementation support. Schedule Pre-Implementation: Foundational Decisions to Make First Define Your Target Framework (e.g., SOC 2, ISO 27001, HIPAA) Every downstream Vanta setting, from which integrations you connect to which policies you publish, depends on the framework you are pursuing. SOC 2 Type II evaluates your controls against the AICPA’s five Trust Services Criteria, security, availability, processing integrity, confidentiality, and privacy, with security as the only mandatory category. ISO 27001 asks you to build a full Information Security Management System (ISMS) under a structured set of clauses, backed by a broader set of technical, physical, and organizational controls in Annex A. HIPAA and PCI DSS bring their own control sets tied to specific data types, protected health information and cardholder data, respectively. If your customers are asking for a specific report, let that drive the decision rather than defaulting to whichever framework has the most templates in Vanta’s library. A fintech company with enterprise banking customers may need SOC 2 first and PCI DSS second. A healthcare SaaS vendor almost always needs HIPAA regardless of what else it pursues. Mapping frameworks to actual customer and contractual requirements before configuration saves you from scoping controls you will never use. Important: Choosing multiple frameworks at once is common, but sequencing them wrong creates duplicate work. Configure your primary framework fully, get through a full observation cycle if pursuing Type II, and add secondary frameworks once your evidence collection habits are established. Vanta will map shared controls across frameworks automatically, but only once both are active in the account. Set Your Audit Timeline and Observation Window If you are pursuing SOC 2 Type I, there is no observation window. The audit evaluates whether your controls are designed correctly as of a single point in time, and you can move to audit as soon as your tests pass. SOC 2 Type II is different: the observation window, also called the audit window or monitoring period, is the span during which the auditor samples evidence to confirm your controls actually operated, not just that they existed on paper. For a first Type II audit, a three to six month window is standard. Mature organizations settling into an annual cadence typically move to a full twelve-month window once they have proven consistent operation. Do not start the observation window until you are confident your controls are actually running as designed. Auditors can sample any event from the first day of the window forward, and a control failure in week two of a six-month window is just as damaging to your report as one in week twenty. This is the single most common timeline mistake first-time customers make in Vanta: they start the clock the day they finish connecting integrations, before policies are published, before HR sync is confirmed, and before access reviews have actually happened once. Identify Internal Owners and Stakeholders Every control needs a named owner inside Vanta, not a department. “Engineering” is not a control owner. The engineering manager who reviews production access quarterly is. Before you start configuring, map out who owns identity and access management, who owns vendor risk, who owns HR onboarding and offboarding, and who owns policy publication and employee acknowledgment. If your organization is small enough that one person wears several of these hats, that is fine, but it needs to be explicit in the tool, because Vanta’s task assignments and reminder emails route based on these ownership fields. Choose Your Auditor Before You Configure Vanta Auditor selection affects configuration choices that are expensive to reverse. Different CPA firms and ISO certification bodies have different tolerances for exceptions, different expectations around evidence formatting, and different preferences on how granular your control mapping should be. Get your auditor engaged, or at minimum shortlisted, before you finalize your framework scope and observation window in Vanta. Some firms will do a pre-audit readiness call that surfaces scoping issues Vanta’s automated checks will not catch, like whether a particular subprocessor needs to be in scope. Step 1: Configure Company Settings in Vanta Add Company Details and Business Information Start with the basics: legal entity name, headquarters address, description of the service you provide, and the systems that process customer data. This becomes the backbone of your system description, the narrative document that accompanies your SOC 2 report and explains what your company does and how the in-scope systems support

ISO 27001 Business Continuity Plan

Two controls decide whether your ISO 27001 business continuity plan survives an audit: Annex A 5.29 and Annex A 5.30. One keeps your security controls working while everything else is failing. The other gets your systems back online before the damage becomes permanent. Plenty of teams write a continuity policy that satisfies neither in the way a certification auditor expects, and they discover the gap during the Stage 2 audit, when it is expensive to fix. This article covers what ISO 27001:2022 actually requires for business continuity, the components an auditor will ask to see, the step-by-step build, and the mistakes that turn a continuity plan into a non-conformity. What Is an ISO 27001 Business Continuity Plan? An ISO 27001 business continuity plan is the documented set of procedures that keeps information security effective and critical ICT services available during a disruption. It is not a generic “keep the lights on” binder. Under ISO 27001, the plan protects the confidentiality, integrity, and availability of information when normal operations break down: a ransomware event, a cloud outage, a data center failure, or a supplier collapse. The plan lives inside your Information Security Management System (ISMS). It draws on your risk assessment, your asset register, and your Business Impact Analysis (BIA), and it feeds your disaster recovery procedures. Scope is the part people get wrong. ISO 27001 cares about the information security aspects of continuity, not every operational hiccup a full business continuity program might cover.   Why You Need a Business Continuity Plan for ISO 27001 Compliance Downtime is expensive, and the bill arrives fast. For most organizations, the question is not whether a disruption will happen, but how quickly they recover when it does. There is also a hard compliance reason. You cannot certify to ISO 27001 while ignoring continuity. The standard requires you to maintain information security during disruption and to keep ICT able to support recovery, and an auditor will ask for the evidence. A continuity plan is where availability stops being a promise and becomes a tested capability. Let Axipro help you build a business continuity plan that’s practical, compliant, and audit-ready. Strengthen Your Business Continuity Strategy Schedule A Consultation ISO 27001 Requirements Related to Business Continuity Planning ISO/IEC 27001:2022 carries 93 Annex A controls across four categories: organizational, people, physical, and technological. Continuity sits in the organizational set, and two controls do the heavy lifting, supported by two more on the technical side. Annex A 5.29 – Information Security During Disruption A.5.29 requires you to maintain information security at an appropriate level when a disruption hits. The point is that security controls have a habit of degrading under pressure. People disable multi-factor authentication to “speed things up,” logging stops on a failover system, or access controls loosen while everyone scrambles. A.5.29 says the confidentiality and integrity of your information must be maintained even while availability is under threat. It is classed as both a preventive and a corrective control, meaning it should reduce the chance of an incident and also help resolve one already underway. Annex A 5.30 – ICT Readiness for Business Continuity A.5.30 is the technical engine. It requires that your ICT readiness is planned, implemented, maintained, and tested against business continuity objectives and ICT continuity requirements. In plain terms, your servers, networks, applications, and cloud services need a defined recovery path, each with a Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and you need to prove the path works. This control is entirely new in the 2022 revision. It has no precedent in ISO 27001:2013, which is exactly why teams migrating from the older version so often have a gap here. Important: A.5.30 did not exist in ISO 27001:2013. If your continuity documentation was written against the old Annex A 17 cluster and never updated, you are missing a control the auditor will specifically test. Treat ICT readiness as a fresh requirement, not a relabel. Two technological controls back these up. Annex A 8.13 (Information Backup) requires backups to be taken and tested in line with an agreed policy, and Annex A 8.14 (Redundancy of Information Processing Facilities) covers the failover and redundancy that let critical systems keep running when a component dies. Relationship Between ISO 27001 and ISO 22301 This is where confusion is common. ISO 27001 requires the information security aspects of continuity. ISO 22301 is the dedicated standard for a full Business Continuity Management System (BCMS), covering people, facilities, supply chain, and operations far beyond information security. An ISO 27001 certificate does not certify your wider continuity program. The good news: both standards share the Annex SL high-level structure, so risk assessment, internal audit, management review, and document control carry across. Teams that already run ISO 27001 can layer ISO 22301 on top with far less effort than starting from scratch. Key Components of an ISO 27001 Business Continuity Plan Business Impact Analysis (BIA) The BIA is the foundation. It identifies your critical business processes, the ICT systems they depend on, and the cost of losing each one over time. It is where your recovery objectives come from, not from a vendor datasheet. A BIA also sets the Maximum Tolerable Period of Disruption (MTPD): the point beyond which an activity’s failure causes unacceptable damage. Risk and Disruption Scenario Assessment Your risk assessment identifies what could cause a disruption and how likely it is, feeding the Risk Treatment Plan and the Statement of Applicability (SoA) that records which controls apply. Continuity planning then runs concrete scenarios: ransomware, a regional outage, a key supplier failure, the loss of a data center. Response and Recovery Strategies For each critical system, you define how you will respond and recover: failover to a secondary site, restore from backup, or switch to a manual workaround. This links incident response to crisis management, the executive-level decision-making that kicks in when an incident escalates beyond a routine fix. Roles and Responsibilities Name real people, not departments. “IT will handle it” is the single most common

When researchers found that Microsoft 365 Copilot could be tricked into leaking corporate data from a single email, the flaw got a clean public identifier: CVE-2025-32711, severity 9.3. When a bug hunter coaxed ChatGPT into producing valid Windows product keys by framing the request as a guessing game, it got nothing.  Both were prompt injections. Only one is trackable. That Vulnerability Tracking Gap in AI Security, and what it costs defenders, is the subject of this article. What Is a CVE and Why Does It Matter for Software Security? A CVE (Common Vulnerabilities and Exposures) is a unique public identifier for a specific software flaw. It gives the whole industry one name for one bug, so a researcher in Berlin and an analyst in Bahrain know they mean the same thing. The Role of MITRE’s CVE Program in Traditional Vulnerability Management The CVE program is run by the MITRE Corporation, a US nonprofit. Since 1999 it has assigned hundreds of thousands of IDs, each tied to a discrete, reproducible defect in a defined product and version. A CVE is the connective tissue of coordinated disclosure: a researcher reports the flaw, the vendor patches it, the ID is published, and defenders map it to their own assets. Without that shared label, the same bug ends up with three names and no clear owner. The National Vulnerability Database (NVD) and CVSS Scoring The National Vulnerability Database, maintained by NIST, enriches each CVE with a CVSS (Common Vulnerability Scoring System) score from 0 to 10. That lets teams triage: a 9.3 jumps the queue, a 4.0 waits. Why Prompt Injection Breaks the Traditional CVE Model The CVE model assumes a bug lives in code, sits in a version, and can be fixed. Prompt injection violates all three. Prompt Injection as a Class of Attack, Not a Discrete Bug Prompt injection smuggles instructions into the data an LLM reads, so the model follows the attacker rather than the user. OWASP ranks it as LLM01, the top entry in its 2025 Top 10 for LLM Applications. It is a property of how language models work, not one line of faulty code, so you cannot file a CVE against it. A SQL injection either works or it does not. A prompt injection might succeed nine times in ten, fail on the eleventh, then stop working after a silent model update, which makes the “reproducible” part of reporting genuinely hard. Model Versioning vs. Software Versioning Software has clean version numbers. A weight update to a hosted model can ship silently, with no version a researcher can cite. Two calls to “gpt-4o” a week apart may not behave the same way, and there is no changelog to point at. Why “Patching” an LLM Differs From Patching Code Patching code closes a specific hole. A developer rewrites the faulty line, ships the diff, and the exploit path is gone for good. That clean, binary, auditable loop is the entire premise on which the CVE system rests. “Patching” a model offers none of it. There is no single line to fix, because the behavior the attacker abused is the same behavior that makes the model useful: it reads text and follows instructions. A vendor’s only levers, retraining, hardening the system prompt, or wrapping the model in input and output guardrails, all lower the odds of a successful attack rather than removing the possibility. The fix reduces the success rate from 80 percent to 5 percent and marks it as remediated. The hole is narrower, not closed. The recent record shows how thin that margin is. EchoLeak got past Microsoft’s dedicated cross-prompt-injection classifier by hiding its exfiltration channel in reference-style Markdown that the filter did not recognize, and the AgentFlayer exploit slipped through OpenAI’s URL safety check by routing stolen data through trusted Azure Blob Storage links. Each guardrail worked against the obvious version of the attack and fell to a rephrasing. There is a tuning tax on top of that: crank the filters too tight and the model starts refusing legitimate work, so vendors settle for a balance point rather than elimination.  The practical takeaway is to treat “we’ve addressed this” as risk reduction, not closure. SOC 2, ISO 27001 and HIPAA done for you. Fixed fee, 100% audit pass rate. Audit-ready in 6 weeks. Not 6 months. Schedule A Free ASSESSMENT The Current State of AI Vulnerability Tracking Several frameworks exist. None is a true registry of individual, citable prompt injection vulnerabilities. OWASP LLM Top 10 and the LLM01 Classification The OWASP GenAI Security Project’s LLM01:2025 entry is the most cited reference point. It is a category, not a catalog: it does not enumerate specific incidents with IDs. MITRE ATLAS for Adversarial AI Threats MITRE ATLAS is an ATT&CK-style knowledge base of adversarial tactics against AI systems, documenting 16 tactics and more than 80 techniques with real-world case studies as of late 2025. It maps how attacks work, but is not a per-vulnerability ledger with scores. AVID (AI Vulnerability Database) and Its Limitations AVID, run by a nonprofit, is the closest thing to a dedicated AI vulnerability database, cataloging failure modes with reproducible evidence. But it leans on community submissions, skews toward bias and broader failure modes, and notes that the definition of an “AI vulnerability” is itself still a working one. Vendor-Specific Disclosures vs. Industry-Wide Registries Disclosure happens vendor by vendor. OpenAI patched the Windows-key jailbreak server-side; Microsoft fixed EchoLeak and issued a CVE. There is no common venue where these land side by side.   The Consequences of No Shared Threat Registry for Prompt Injection Fragmented Disclosure Across AI Vendors Each lab discloses on its own terms, on its own blog, if at all. A defender protecting a multi-model stack has to monitor a dozen channels and hope nothing slips by. Duplicate Discovery and Wasted Research Effort Researchers rediscover the same attack repeatedly. The guessing-game jailbreak, the “dead grandma” trick, and other framing attacks are variations on one theme nobody numbered. No Standardized Severity Scoring for