ISO Security Review

Security Review workflow chart

The ISO Security Review leverages evidence-based documentation and is designed to guide each unit/project team to implement technology solutions in a secure manner.

Our ISO team is ready to engage with your team to ensure your launch of each new initiative is reviewed and configured to utilize necessary risk-reducing measures

We now accept completed HECVAT Full and HECVAT Lite self-assessments from ASU vendors.

If you would like to start the process yourself, please:

  1. Download and fill out the ISO Security Risk Assessment form.
  2. Attach Risk Assessment form to your ServiceNow request to complete the review.

ISO Security Report FAQ

We will need any of the documents below from the vendor, if they have them:

  • HECVAT Lite
  • Any Industry standard security certifications
    • SOC 2 Type 2 or SOC 3 report or executive summary
    • ISO 27001 or 27002
    • NIST 800-53
    • CIS controls
    • FedRAMP
    • CMMC
  • HIPAA certification (if HIPAA data is in scope)
  • PCI DSS certification (if PCI data is in scope)
  • ioXt Alliance certification (if IoT devices are in scope)
  • Vulnerability scanning report or an executive summary listing findings
  • Penetration testing report or an executive summary listing findings
  • Data flow diagram (as required)
  • Architecture diagram (as required, especially for security reviews that integrate with Canvas LMS)

Some vendors will require a NDA before they will release sensitive security documentation and in these cases ASU’s Research Administration can assist you. You will need to complete an Internal Request Form (IRF) and send it to

Once Industry Agreements receives the request, a Contracts Officer will cooperate with you and the vendor to negotiate an agreement. 

Please include our team in any communications with Industry Agreements and the vendor by including our distribution list as a copy.

Yes. Even with limited documentation or lack of a 3rd party audit we can still complete the security review, however the lack of documentation in itself is a risk as we cannot verify the vendor’s security posture. It would then be up to Risk Management Services (which includes the Accountable Administrator) whether they are comfortable with the project moving forward or would require a re-review of the product with the missing documentation included.

Not necessarily. We do not approve or deny products; however, we identify risks to provide information for that decision to be made by an Accountable Administrator. We cannot speak for what each Accountable Administrator is willing to accept responsibility for. If at the moment, documentation is unavailable but will be available later, that is something that can be noted in the review for the Accountable Administrator to take into consideration, but again, that would still be their decision.


Security reviews are an iterative process, so a re-review can be requested as new documentation is provided, risks are corrected or mitigated, or when changes are made to configurations or integrations.