We recognize that population requests can be challenging to complete. This document provides a general overview and detailed guidance for each request type.
Please submit all Population Evidence Requests (ERs) before your scheduled Population Gathering Call.
A) Overview
Population requests require two core pieces of evidence.
1. List of the complete population
Upload the complete, unfiltered dataset for each requested population.
Best practice: avoid using filters when pulling the data. If filters are necessary, provide screenshots of the filters so we can understand what was filtered out to arrive at the provided population (see point #2 below for more details).
2. Supporting evidence that the population is complete & accurate
Completeness & accuracy evidence is important because your auditor needs to gain comfort that the list is “complete” for the review period and “accurate”, meaning the data within the list is correct, relevant to the request, and has not been modified.
Upload evidence demonstrating how the list was generated. This includes:
Evidence showing the source of the list.
All steps taken to extract or compile the data.
Screenshots or logs of any tools, queries, or filters used in the process.
Note on Thoropass Integrations
Thoropass provides integrations with numerous widely-used vendors to simplify the process of completing population requests. For assistance with enabling integrations or resolving integration issues, please contact your Thoropass CSM.
Below are some of the integrations available (integration vendor logos not reproduced here).
B) Guidance By Request Type
[Population] Employee Lists
If the employee list can be generated by an HR system:
List: Upload spreadsheet export.
Supporting Evidence:
Upload screenshots of the full list as it appears in the HR tool.
Upload screenshots of any filters or queries used (e.g., employee status, location, hire/termination dates).
If the employee list is tracked manually:
List: Upload manual spreadsheet. The auditor will need to perform additional procedures to validate the population.
Supporting Evidence:
Upload an employee contract signed within the observation period. The auditor will validate that the hire date in the contract matches the hire date in the list. If no employees were hired during the observation period, upload an employee contract from any active employee.
For terminated employee population requests, upload a signed termination or resignation letter if there were any terminations during the observation period.
[Population] Critical Vendors
List: Attach from the Thoropass Vendor module or upload a manual spreadsheet. All vendors must have a criticality rating (low, medium, high, or critical).
Supporting Evidence:
If the list is maintained in the Thoropass Vendor module, no further evidence is required.
Otherwise, upload screenshots/logs of the data source, steps to extract data, and tools, queries, or filters used in the process.
[Population] Software and Infrastructure Changes
List: Upload full list of software and infrastructure changes completed during the observation period.
Note: By ‘software’ changes we mean changes to any in-scope proprietary software/platforms that support your service (e.g., production-impacting releases, features, bug fixes, changes to data processing, and UI changes). ‘Infrastructure’ changes typically include changes to configurations in your CSP-hosted environment, servers/virtual instances, networks, operating systems (OS), or firewall rules.
Supporting Evidence:
Upload screenshots/logs of the data source, steps to extract data, and tools, queries, or filters used in the process.
Alternatively, upload screenshots demonstrating that the total count of the provided population aligns with the total count displayed in your change management tool or code repository.
Example: a CSV export with 200 rows matches a code repository screenshot showing 200 changes in the period.
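As an added example (not Thoropass tooling or code from this guide), the count reconciliation above carried out at the change-id level in Python: it loads a constructed CSV export and a constructed list of what the change tool itself reports, restricts both to the observation period, and returns the ids that explain any count difference. The column names, change ids and dates are all constructed.

```python
"""Reconcile an uploaded change-population export against the change tool's own record."""
import csv
import io
from datetime import date

# Constructed sample: the unfiltered CSV export uploaded as the population list.
POPULATION_CSV = """change_id,title,completed_on
CHG-101,Rotate API gateway TLS certificate,2024-01-15
CHG-102,Fix null check in billing worker,2024-02-03
CHG-103,Tighten egress firewall rule,2024-03-20
CHG-104,Upgrade database minor version,2024-07-02
"""

# Constructed sample: what the change-management tool reports for the same period
# (e.g. the ids visible on the tool's list-view screenshot).
TOOL_RECORDS = [
    ("CHG-101", "2024-01-15"),
    ("CHG-102", "2024-02-03"),
    ("CHG-103", "2024-03-20"),
    ("CHG-105", "2024-05-09"),  # present in the tool, absent from the export
]

def _in_period(iso_day, start, end):
    """True if the ISO date string falls within the observation period (inclusive)."""
    d = date.fromisoformat(iso_day)
    return date.fromisoformat(start) <= d <= date.fromisoformat(end)

def load_export(text, start, end):
    """Return the set of change ids in the export completed within the period."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["change_id"] for r in rows if _in_period(r["completed_on"], start, end)}

def reconcile(export_text, tool_records, start, end):
    """Compare the export with the tool's record for the observation period.

    'counts_match' is the headline check; the two id lists explain any gap:
    'missing_from_export' undermines completeness, 'not_in_tool' undermines accuracy.
    """
    exported = load_export(export_text, start, end)
    in_tool = {cid for cid, day in tool_records if _in_period(day, start, end)}
    return {
        "export_count": len(exported),
        "tool_count": len(in_tool),
        "counts_match": len(exported) == len(in_tool),
        "missing_from_export": sorted(in_tool - exported),
        "not_in_tool": sorted(exported - in_tool),
    }

if __name__ == "__main__":
    print(reconcile(POPULATION_CSV, TOOL_RECORDS, "2024-01-01", "2024-06-30"))
```

The id-level lists matter because two offsetting errors can leave the totals equal while the population is still wrong; a clean reconciliation shows matching counts and two empty lists.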
[Population] Security Incidents
List: Upload spreadsheet of all incidents during the observation period. This could be from a system such as Jira, SharePoint, etc.
Supporting Evidence:
Upload screenshots/logs of the data source, steps to extract data, and tools, queries, or filters used in the process.
If no incidents occurred during the observation period, please provide a screenshot of the incident tracking system confirming that no entries are present.
[Population] Customer Data Deletions (Only applicable for Confidentiality TSC)
List: Upload spreadsheet of all customer data deletions during the observation period.
Supporting Evidence:
Upload screenshots/logs of the data source, steps to extract data, and tools, queries, or filters used in the process.
Explain how customer data is deleted in your organization (e.g., when a customer leaves, upon request, or when retention periods are reached).
C) Final Notes
The guidance above is intended to illustrate the types of documentation and evidence we’ll review during the Population Call. This list is not exhaustive, and additional population requests may be required depending on the Trust Services Criteria included in your report.
Preparing this information in advance will help ensure a smooth and efficient review. Please feel free to reach out with any questions or if you need clarification on any specific request. Thank you, and we look forward to working with you on your audit!
