Validation Process Overview
Validation is an independent review process carried out by the ProcessUnity Exchange to evaluate the accuracy of a Third Party's questionnaire answers. Validation provides customers with confidence in the results of completed assessments and is an additional data point with which to analyze assessments. In addition, validation may satisfy certain regulatory requirements.
Validation is conducted when a customer initiates a validation request on a Third Party. All validation activities are completed by the ProcessUnity Exchange Assessment Operations Team or by a validation partner organization that conducts validation following ProcessUnity standards.
The following is a high-level summary of the steps required by users to complete the validation process.
- Answer the required control questions
- Upload and link evidence documents to required controls
- Submit questionnaire and initiate initial validation round
- If needed, upload additional evidence to validate any remaining unvalidated controls
- Initiate second validation round
- Review final results of validation, once provided
Only two (2) rounds of evaluation are performed per assessment. Documents uploaded during the assessment process are securely stored on the GRX Platform. More details on the security of our storage solution can be found here.
Once validation has been conducted, all customers accept the validation data as current for a minimum of 12 months after the completion date. As a result, if an additional customer requests validation less than 12 months after you last completed validation, you will not be required to undergo validation again. Here is a video walkthrough of this process: Validation Process
Completing Validation
Step 1: Answer the required controls
The controls required for validation are a subset of the entire questionnaire, referred to as the 60 Critical Controls. This abbreviated questionnaire consists of 60 standard control questions that describe safeguards to prevent today’s most pervasive and dangerous cyber-attacks. This list of critical controls is reviewed and updated annually by the ProcessUnity Exchange security professionals.
These specific controls can be accessed through the following methods:
- On the Questionnaire Dashboard, enter into a "Validation Request" found within the Request and Shares table on the 'Questionnaire' tab. The controls you are limited to viewing and answering are the 60 Critical Controls. This is the recommended method when actively answering the controls.
- From within an individual 60 Critical Control question, select 'Download Evidence Help Sheet'. This Excel file contains a comprehensive list of all 60 Critical Controls along with information to assist you with evidence collection.
You must answer each 60 Critical Control question in order to proceed with validation of controls.
Helpful Tip: It is highly recommended that you upload and link each control's associated evidence documentation while you are answering that control (see Step 2 below). This action can be performed directly within the control question through the 'Attachments' space.
Step 2: Upload and link evidence documents
Uploading and linking evidence documents can occur at any time throughout the questionnaire process; however, it is highly recommended that you do so while answering each control. Each critical control question and the Evidence Help Sheet list guidance on the types of documents most likely to validate that control, and where you may be able to locate that information within your organization. Refer to this information while uploading documents to ensure the most applicable documents are provided. The Evidence Help Sheet will update based on your progress through the validation process. For more information and support regarding evidence documents, refer to this article.
You will not be asked to provide evidence for controls that you indicated are not implemented or not applicable (i.e. the control is answered 'No' or 'NA'), so you only need to provide evidence for controls answered 'Yes'. Prior to initiating a validation round, each 'Yes' answered Critical Control should have at least one linked document.
Documents are uploaded on the 'Documents' tab of the Questionnaire Dashboard by selecting the 'Upload Document' button within the Document Repository, or within an individual control question in the 'Attachments' component. Document types accepted include: PDF, PNG, JPEG. Users retain complete control over their documents and what is added to, removed from or stored on the GRX platform.
Once a document is uploaded, users can see when it was uploaded and who uploaded it, view the document itself, or delete the document from the GRX platform. There are also insights into how many controls, and which controls, have been linked to a given document. Once a validation round has completed, the used-in-validation data will populate, indicating which controls were validated using the given document as well as the date it was validated.
Linking of controls to a given document occurs within the control question itself by selecting the 'Attachments' drop-down and then 'Link Documents'.
Once selected, a drawer opens containing a list of all your uploaded documents. Select each relevant document that is associated with validating the given control. You may also upload more documents here or entirely delete a document from within this drawer. Once you have finished linking documents to the control, select the 'Update Links' button; the selected documents will then appear in the 'Attachments'. At any time, documents can be unlinked from a control within this same space.
Step 3: Submit questionnaire and initiate validation round
After linking at least one document to each of the 60 Critical Controls answered 'Yes', you are ready to submit your questionnaire and initiate the initial validation round. You may do so by selecting the 'Review and Submit' button found on the Questionnaire Dashboard within the 'Questionnaire' tab or from directly within an individual control question.
On the 'Submit Questionnaire' page there is a table listing all controls in the entire questionnaire, so that you can review them comprehensively before submitting and initiating a validation round. Selecting the quick filter chip 'Missing Documents' at the top of this table filters it to show only those 60 Critical Controls answered 'Yes' that do not have any linked documents, as indicated in the 'attachments' column.
You can also adjust your table view to display the 60 Critical Controls at the top of the table by sorting on the 'Validation Requested' column. Only those controls with a checkmark indicated in this column are the 60 Critical Controls.
Once you have reviewed the 60 Critical Controls and are ready to proceed with the review process, be sure to click 'Submit With Validation' at the bottom of the Submit page.
The assessors will be notified at this time that you have completed evidence upload and they can begin validating controls. You will have the ability to continue uploading documents after doing so. However, once under review, the 'ready for validation' checkbox will be disabled until the validation round is completed.
Note: If you are unable to upload documentation, click submit with validation. A pop-up window will appear asking for confirmation to submit. Check the box acknowledging that you have not linked any evidence, then click the submit for validation button to confirm. This will notify our Assessor team, who will reach out to you directly to schedule a Web Conference.
Step 4: Upload additional evidence for any remaining unvalidated controls
Once the assessor has completed the initial validation round, you will receive an email notification informing you of this so you can begin follow-up evidence collection. It is possible that you will successfully validate all controls in the initial round. If this occurs, you will instead receive an email notifying you that validation is complete and results are now available (proceed to Reviewing Validation Results).
At this time, upon re-entering the Validation Request in the Request and Shares table on the Questionnaire Dashboard, you will be automatically directed to only those 'Yes' answered critical controls that could not be validated. Feedback from the Assessors on which controls they were unable to validate based on the documents previously uploaded will be listed in the Comments card of each control or the Evidence Help Sheet. The updated Evidence Help Sheet can be downloaded for review from within the platform. Feedback will also be available in the platform via comments per control, displayed as an 'Assessor' comment. Refer to the Evidence Help Sheet and any Assessor Comments for the best insight into what additional evidence is required in order to validate a given control.
On the 'Documents' tab of the Questionnaire Dashboard, you may also review which of the documents you provided in the initial round were used by the assessor. By opening the drawer you can see the specific controls that each document was used to validate.
Step 5: Initiate second and final validation round
Once you have finished uploading additional evidence documents for the remaining unvalidated controls, return to the Submit Questionnaire page and follow the same steps outlined in Step 3 to initiate a second and final validation round.
Once the assessor has completed the review of the additional evidence documents, you will be notified by email that validation is complete and you may now access the results.
Reviewing Validation Results
Validation results can be viewed within the Risk Navigator feature on the "Risk Profile" tab on your Company Profile Page. This page can be accessed either by selecting the 'My Company' icon in the left-hand navigation or by selecting your initials in the top right, then 'Manage my company profile'.
The Risk Navigator feature includes 'Validation Status' and 'Evidence Type' columns, which reflect the final validation state per control and a high-level description of what type of evidence you provided in order to validate the given control.
All customers accept validation data as current for a minimum of 12 months after the completion date. As a result, if an additional customer requests validation less than 12 months after you last completed validation, you will not be required to undergo validation again.
Note: You can continue to upload and store relevant documents in your ProcessUnity GRX account after the validation process is completed.