Skip to main content
All CollectionsSupporting documentation
Everything you need to know about the supporting documentation
Everything you need to know about the supporting documentation

Types of documentation that are required for the assessment

Ana Nikolaeva avatar
Written by Ana Nikolaeva
Updated over a week ago

To ensure the most accurate and representative scores possible, it is essential to link evidence to each and every answer throughout the questionnaire. By doing so, you are providing concrete support for your responses, which will help to establish the validity and reliability of your results.

Documented information defines and communicates information security objectives, policy, guidelines, instructions, controls, processes, procedures, and what persons are expected to do and how they are expected to behave.

Examples of documented information that can be necessary for ensuring and improving the effectiveness of the information security framework are:

  • policies, rules and directives for directing and operating information security activities;

  • the roles, responsibilities and authorities;

  • reports of the different phases of the risk management;

  • plans and results of awareness activities;

  • processes and procedures used to implement, maintain and improve the IS framework;

  • action plans;

  • Evidence of the results of information security processes (e.g. incident management, access control, information security continuity, equipment maintenance, etc.).

Definition of Sensitive Information

Information is classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. e.g. in terms of confidentiality, integrity and availability.

Some common types of sensitive information are:

  • Personally identifiable information (e.g. health-related information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data or biometric data)

  • Payment account information (debit card pin code, credit card primary account number, etc)

  • Payslips

  • Trade secrets / intellectual property

  • Financial information

  • Passwords

  • Customer information / Employee data

  • Contractual agreements / commercial figures

  • Operational & inventory information

  • Industry-specific data

Examples of masked evidence/documentation

  1. Extract from a risk register

We could conclude that there is a risk assessment/risk treatment procedure and the risk management process is effectively implemented and operational.

2. Extract from a personally identifiable information register

Personal data of individuals are not required, we just need to check that all personal data that are being stored, processed or transmitted are being inventoried and are meeting all the requirements of the applicable personal data protection law. (e.g GDPR, CNIL, CCPA, POPI, etc.)

3. Network diagram

CyberVadis do not need information on the IP addresses or ports. We need to check if your network is secured, e.g segmentation, strong encryption protocols, DMZ, Firewalls, IDS/IPS, robust authentication methods, etc.

4. Information security policy and other security policies

A policy represents the overall intentions and strategic direction of an organization, expressed formally by its management. The information security policy (or policies) lays out and confirms senior management’s commitment to

(a) the organization’s information security objectives and

(b) continuous improvement of the information security management system and often much more.

CyberVadis do not need confidential or detailed information on names, IDs, or IPs… but we need to understand the security practices defined and implemented at a company level.

Graphical user interface, text, application, email

Description automatically generated
Graphical user interface, text, application, email

Description automatically generated

Did this answer your question?