Frequently Asked Questions
Compliance & Frameworks
How do I resolve failing or 'needs evidence' compliance checks?
Click on the failing control to open its detail view and review what evidence is required. Either upload evidence manually or verify the relevant integration is connected and has the correct permissions. If a check fails due to an integration access error (like a 403), contact your vCISO — it may be a permissions issue rather than an actual compliance gap.
Why do new compliance checks keep appearing over time?
Bastion continuously monitors your environment. New checks appear when you connect new integrations, your infrastructure changes, Bastion updates its control library, or periodic checks come due. Filter the Frameworks view by status to focus on what needs attention now.
What is the gap between SOC 2 and ISO 27001?
SOC 2 and ISO 27001 share roughly 60–70% control overlap. The main additional work for ISO 27001 involves establishing a formal ISMS, conducting a risk assessment aligned to ISO methodology, and addressing Annex A controls not covered by SOC 2 Trust Services Criteria. Your vCISO can assess the specific delta for your organization.
What are the next steps to finalize my certification?
Resolve all checks with "todo" or "fail" status. Ensure all required policies are reviewed and approved. Confirm employee security training is complete. Then notify your vCISO that you believe you are audit-ready. Your vCISO will review readiness, coordinate with the auditor, and guide you through fieldwork.
How should I handle a check that does not apply to my setup?
Mark the control as "Not Applicable" if it is genuinely out of scope. For compensating controls (like SSO replacing a separate 2FA requirement), provide manual evidence explaining the alternative and work with your vCISO. If a check appears incorrect due to an integration issue, contact your vCISO for review.
Do I get a certificate after passing an audit?
For SOC 2, the deliverable is a SOC 2 Report (not a certificate), typically shared under NDA. For ISO 27001, you receive an actual certificate valid for three years with annual surveillance audits. Your vCISO will coordinate the delivery of the final report or certificate.
Integrations
Why are new employees not appearing after adding them to Google Workspace?
Google Workspace sync can stop working if service account credentials expire, domain-wide delegation is revoked, or Google changes its OAuth consent requirements. Check the integration status under Integrations > Installed. If it shows "Warning" or "Error," disconnect and reconnect the Google Workspace integration by re-uploading your service account credentials and re-enabling domain-wide delegation.
Can I manage employees without an identity provider?
Yes. Import employees manually via CSV or add them individually through Employees > People. If a previous identity provider integration is still configured, disconnect it first to avoid conflicts. Note that manual import means you will not benefit from automatic sync, onboarding, or offboarding workflows.
What permissions does the Google Workspace integration need?
Core read-only scopes (admin.directory.user.readonly, admin.directory.group.readonly, admin.directory.orgunit.readonly) are sufficient for user and group sync. The admin.directory.user.security scope is optional and used for verifying MFA enrollment. Basic user sync works without the security scope, but some compliance checks may be unavailable.
How do I fix a failing GitHub "required status checks" compliance check?
Go to your repository Settings > Branches > Branch protection rules for your default branch. Enable "Require status checks to pass before merging" and select at least one status check. After configuring this, Bastion will detect the change on the next sync cycle.
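As an added example (not Bastion's own code), the following Python evaluates a GitHub branch-protection API response the way this check does, and, following the 403 guidance under "How do I resolve failing or 'needs evidence' compliance checks?" above, reports an integration access error separately from a real gap. The endpoint path is GitHub's real one; the sample responses are constructed, not captured from a repository.

```python
import json

# Added example, not Bastion's own code: decide whether the "Require status
# checks to pass before merging" control passes from the JSON that GitHub's
# GET /repos/{owner}/{repo}/branches/{branch}/protection endpoint returns.
# Sample bodies below are constructed for illustration.

API_PATH = "repos/{owner}/{repo}/branches/{branch}/protection"  # GET endpoint


def evaluate_status_checks(http_status: int, body: str) -> tuple[str, str]:
    """Return (outcome, reason): outcome is 'pass', 'fail' or 'error'.

    'error' means the integration could not read the setting (for example a
    403 from a token that lacks repository admin rights). That is a
    permissions problem to fix first, not evidence of a compliance gap.
    """
    if http_status == 403:
        return "error", "token lacks permission to read branch protection"
    if http_status == 404:
        # GitHub answers 404 when the branch has no protection rule at all.
        return "fail", "no branch protection rule on this branch"
    if http_status != 200:
        return "error", f"unexpected HTTP status {http_status}"
    data = json.loads(body)
    rsc = data.get("required_status_checks")
    if not rsc:
        return "fail", "'Require status checks to pass before merging' is off"
    # Newer responses list checks under 'checks'; older ones under 'contexts'.
    names = [c.get("context") for c in (rsc.get("checks") or [])]
    names = [n for n in (names or rsc.get("contexts") or []) if n]
    if not names:
        # Toggle is on but no check was selected: the FAQ's "select at least one".
        return "fail", "status checks required but none selected"
    return "pass", f"required checks: {', '.join(sorted(names))}"


# Constructed sample responses covering each outcome.
PROTECTED_OK = json.dumps({"required_status_checks": {"strict": True,
                           "contexts": ["ci/test"],
                           "checks": [{"context": "ci/test", "app_id": None}]}})
PROTECTED_EMPTY = json.dumps({"required_status_checks": {"strict": False,
                              "contexts": [], "checks": []}})
NO_STATUS_CHECKS = json.dumps({"required_pull_request_reviews": {}})
NOT_PROTECTED = json.dumps({"message": "Branch not protected"})

if __name__ == "__main__":
    for status, body in [(200, PROTECTED_OK), (200, PROTECTED_EMPTY),
                         (200, NO_STATUS_CHECKS), (404, NOT_PROTECTED), (403, "{}")]:
        print(status, evaluate_status_checks(status, body))
```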
I get an authentication error connecting an integration. How do I fix it?
Verify the API key or secret is correct and has not expired. Ensure the credentials have the required permissions or scopes. Check for trailing whitespace when pasting. Try disconnecting and reconnecting the integration. If the error persists, contact support with the error details.
Devices & MDM
Disk encryption shows as failed even though it is enabled — why?
After enabling FileVault (macOS) or BitLocker (Windows), the device must sync with Bastion, which can take up to 48–72 hours. If the status remains "failed" after that, try re-enrolling the device or contact support — there may be a reporting delay or profile conflict.
Windows enrollment is not starting or gives an error
Windows enrollment uses the built-in MDM client via Settings > Accounts > Access work or school. Common causes include: (1) a prior MDM enrollment that was not fully removed (stale registry keys), (2) a device running a version older than Windows 10, and (3) a firewall that blocks outbound connections to mdm.bastion.tech.
Does Bastion MDM support Linux devices?
Bastion supports Linux with a partial agent that provides inventory and vulnerability scanning. Linux enrollment uses a DEB or RPM installer via the user portal. If certain MDM tasks are not applicable to Linux users, admins can dismiss or exclude those tasks. Full MDM parity for Linux is on the roadmap.
How do I re-enroll users after an MDM migration?
Employees need to re-enroll via the Bastion user portal under the Laptop tab. If the old MDM profile is still present, it must be removed first. On macOS, remove the old profile via System Settings > General > Device Management. Then follow the standard enrollment flow.
Does the MDM give Bastion access to personal data?
Bastion MDM collects device hardware and software inventory, security posture data, and compliance status. It does not access personal files, browsing history, photos, or geolocation. The USB storage lock applies only to removable storage devices, not peripherals like keyboards or mice.
What happens when I unenroll or wipe a device?
Unenrolling removes the management profile but does not wipe data. Remote wipe is a separate explicit action. If a device was marked for wipe and is being reassigned, contact support to cancel the pending wipe command before the new user enrolls.
Policies
How do I create a new version of a policy?
Open the policy, navigate to the Versions tab, and click Create New Version. You can choose to start from the current version or a template. Note: the current version must be in "Approved" status before a new version can be created from it.
Why does policy acknowledgment show as incomplete even though the policy is approved?
Policy approval (by the policy owner or CISO) and policy acknowledgment (by individual employees) are two separate steps. An "Approved" policy with a red acknowledgment status means some employees have not yet personally acknowledged the latest version. Check the Tracking Acknowledgments section in the policy detail view.
Do employees receive automatic emails to acknowledge policies?
Yes. When policies are distributed, employees automatically receive email notifications from [email protected]. Communicate to your team that these emails are legitimate. If a new employee does not see policies, ensure they are added to the correct compliance group.
Which policies should I make public on the Trust Center?
Common practice is to share high-level policies (Information Security, Acceptable Use, Privacy) publicly and keep operational details (Incident Response, Access Control procedures) gated behind NDA or approval. Configure visibility per document in Customer Trust > Trust Center > Settings using the access levels: Public, Registered, NDA Required, or Approved Only.
Framework tests reference policies that don't exist in my list — what do I do?
Framework controls reference policy names based on the standard's requirements, which may not match your exact titles. Your vCISO can create missing policies or map existing ones via Compliance Mapping. For naming mismatches, your vCISO can update the references to point to the correct policy.
Penetration Testing
Do I need to fix all pentest findings before an audit?
No, but critical findings should be remediated or have a documented remediation plan. Auditors want to see that you have a vulnerability management process: findings triaged, assigned, tracked with SLAs, and either fixed or accepted with justification. Work with your vCISO to prioritize.
How do I prove to a customer that we fixed a pentest finding?
The strongest evidence is a formal retest producing a "Verified Fixed" status. Alternatively, provide screenshots or code evidence of the fix with a remediation verification letter from your vCISO. Mark the finding as "Fixed" in Bastion, request a retest, and once the pentester validates, export the result as compliance evidence.
Can we share our pentest report with customers?
Yes. Bastion generates reports in Executive, Technical, and Compliance formats. The Compliance format is designed for external sharing. You can also share reports via the Trust Center with appropriate access controls. Coordinate with your vCISO to determine the appropriate version to share.
Is penetration testing required for ISO 27001?
ISO 27001 does not explicitly mandate penetration testing by name, but Annex A control A.12.6.1 requires regular technical vulnerability assessments, and pentesting is the most widely accepted method. Most certification bodies expect to see it as part of your security program.
What type of pentest does Bastion perform?
Bastion's standard engagement is a gray box test — pentesters receive user credentials and application URLs but simulate an external attacker's perspective. Supported campaign types include Web Application, Network, Mobile, Cloud, and Full. This is not a Threat-Led Penetration Test (TLPT).
Employees & Training
Why are training completions not showing as done?
Training completion status may take time to sync between the admin dashboard and the user portal. Verify the employee is in the correct compliance group under Employees > People. If the discrepancy persists, ask the employee to clear their browser cache and retry, or contact support.
How do I send training or task reminders?
Send reminders from Employees > People > Users tab. Configure automatic reminders under Settings > Reminders. Reminder emails are sent from [email protected] — if employees report not receiving them, check spam/junk folders and verify email addresses are correct.
What trainings are mandatory for compliance?
SOC 2 and ISO 27001 both require at minimum one general security awareness training annually for all employees. Secure code training is additionally required for development teams. Use compliance groups to assign role-specific training programs.
How does employee offboarding work?
Deactivating an employee in Bastion stops training assignments, reminders, and compliance tracking. However, deactivation in Bastion does not revoke access to external systems. For full offboarding, also revoke access in your identity provider and connected tools. If using an IdP integration, disabling the user in your IdP automatically marks them for offboarding in Bastion.
Customer Trust
How does the Security Questionnaire AI work?
Upload a questionnaire in Excel, CSV, Word, or PDF format. Bastion parses the questions and the AI suggests answers by searching your answer library and compliance documentation. The AI relies on your uploaded data, not a generic knowledge base. Review suggested answers, refine them, and assign complex questions to subject matter experts.
How do I customize the Trust Center?
Navigate to Customer Trust > Trust Center > Settings to update your company name, logo, colors, and tagline. For public access, configure a custom domain via CNAME record. Set document visibility per item: Public, Registered, NDA Required, or Approved Only.
When are DPAs required for vendors?
A Data Processing Agreement (DPA) is required under GDPR whenever a third party processes personal data on your behalf. Infrastructure providers that only provide physical hosting without accessing data may not need one. For your Trust Center sub-processors list, include only vendors that process your customers' personal data.
How do I manage user access and roles in Bastion?
Manage team access from Workspace Settings > Admin Team. Invite new users, assign roles, and control module access. For policy distribution, ensure employees are added to the relevant compliance groups under Employees > People.