The Self-Attested Compliance panel allows you to proactively communicate some of the key frameworks your company maintains compliance with right on your Bitsight profile. This feature also allows you to direct stakeholders to your company’s compliance program web page where they can view your program in depth and request additional documentation for independent verification.
Organizations using this feature have self-attested that they are certified in the following frameworks and/or compliant with the following regulations, as indicated. Bitsight has not independently verified any certifications or validated the organization's compliance with these regulations.
Setup
Setting up this feature takes 5-10 minutes. Once saved and published, Bitsight will show the compliance claim on your Vendor Overview and Company Details pages immediately.
Navigation Options
SPM App: Settings ➔ Manage Compliance Claim
You must be an Admin, Group Admin, or Portfolio Manager with your MyCompany entity in your portfolio. Saving your compliance claim with at least one framework selected will show the card to subscribed stakeholders who can see your self-attested compliance data on your Vendor Overview page. The compliance frameworks will be visible on your Vendor Overview page in the order that you specify during set up.
For further setup instructions, see Setting Up the Self-Attested Compliance Panel.
Available Compliance Frameworks
Below are the currently available compliance frameworks you can attest to within Bitsight.
| Compliance Framework | Description |
|---|---|
| SOC 2 Type 2 | Service Organizations Controls 2, Type 2 reports are the result of a year-long assessment meant to give assurance over the operation of control environments as they relate to the retrieval, storage, processing, and transfer of customer data. |
| SOC 2 Type 1 | Service Organizations Controls 2, Type 1 reports are the result of a point-in-time audit meant to give assurance over the design of control environments as they relate to the retrieval, storage, processing, and transfer of customer data. |
| ISO 22301 | International Organization for Standardization 22301 is the standard for Business Continuity Management (BCM) and is designed to help organizations prevent, prepare for, respond to and recover from unexpected and disruptive incidents. |
| ISO 27001 | International Organization for Standardization 27001 is the international information security standard for demonstrating secure management of data centers, development centers, support centers, and office sites. |
| ISO 9001 | International Organization for Standardization 9001 is the international standard for a quality management system (QMS) used to demonstrate the ability to consistently provide products/services that meet stakeholder needs within statutory and regulatory requirements. |
| FedRAMP | Federal Risk and Authorization Management Program promotes the adoption of secure cloud services across the United States government and provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud service offerings. |
| GDPR | General Data Protection Regulation is a European Union law that requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory. |
| HIPAA | Health Insurance Portability and Accountability Act sets the standards for protecting sensitive patient health information from being disclosed without the patient’s consent or knowledge. |
| PCI DSS | Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment to reduce credit card fraud. |
| CSA STAR Level 1 | Cloud Security Alliance Security, Trust, Assurance, and Risk Level 1 is achieved by submitting self-assessments to document compliance with the CSA Cloud Controls Matrix and enables members to demonstrate their security and compliance posture. |
| CSA STAR Level 2 | Cloud Security Alliance Security, Trust, Assurance, and Risk Level 2 is achieved by successfully completing an audit using criteria from other standard frameworks and the CSA Cloud Controls Matrix and provides another layer of assurance for cloud security and privacy. |
| HITRUST | HITRUST provides a framework that helps companies safeguard sensitive information and manage risk throughout the third-party supply chain. |
| NIST CSF | The National Institute of Standards and Technology Cybersecurity Framework promotes the protection of critical infrastructure and helps practitioners manage cybersecurity-related risk. |
Frequently Asked Questions
Does Bitsight charge for this feature?
This feature is free.
Who can set up this feature?
Admins, Group Admins, and Portfolio Managers with the MyCompany entity in their portfolio can set up this feature.
Are there plans to add additional frameworks to this feature?
If there are additional frameworks that you believe should be added, please submit this as feedback to Bitsight Support or your account manager.