Managing your Drata Starter audit

How Drata + AssuranceLab audit works

OVERVIEW

Continuous audit progressively completes your audits over the industry standard 12 month reporting cycle. In contrast to traditional audits conducted at the end of the period:

You get feedback when it's relevant;
Increased confidence your compliance is on track year-round; and
It proves your compliance has been maintained with clear audit progress for your customers peace of mind.

It also reduces the disruption of audits, speeds up reporting when period end rolls around, and has inherent efficiencies where audits are put on autopilot with your continuous monitoring in Drata.

AUDIT PLAN

Initial setup: Create your audit package and ensure we have auditor read only access to your environment. Go to Audit Hub, create audit and select the applicable date rate. Here's more on how to do this.

Monthly topical focus: about ~30% of your controls are based on periodic reviews and event-driven sample testing. We've aligned a calendar of topical focus areas to complete these areas so you know exactly what's required, and we can provide feedback as the controls are performed.

Remaining controls: Your remaining controls are on autopilot. They are continuously monitored, or otherwise documented in Drata. We will progressively work through these items during the audit period in the background, and just let you know if there's any issues with them. All you need to do, is maintain oversight of those controls; if tests fail, evidence expires, or other alerts are raised by Drata for the scope of Drata Starter controls, address those accordingly.

Control Topic	Control Area
Managing Risk and Controls	Risk Assessments: DCF-15 - Risk Assessment Policy DCF-16 - Annual Risk Assessment DCF-17 - Remediation Plan Controls Assessments: DCF-33 - Oversight of Security Controls DCF-153 - Conduct Control Self-Assessments DCF-160 - Continuous Control Monitoring
Managing Employees New Joiners and Current Employees	New joiners: DCF-39 - Background Checks DCF-37 - Acceptable Use Policy DCF-44 - Code of Conduct DCF-69 - System Access Granted DCF-105 - Employee NDA Current employees: DCF-38 - Annual Performance Evaluations DCF-48 - Session Lock DCF-49 - Password Manager DCF-50 - Malware Detection Software Installed DCF-51 - Security Patches Automatically Applied DCF-52 - Hard-Disk Encryption DCF-67 - MFA on Accounts DCF-47 - Job Descriptions DCF-36 - Security Training
Managing Vulnerabilities and Vendors	Vulnerabilities: DCF-24 - SLA for Security Bugs DCF-19 - Annual Penetration Tests DCF-18 - Quarterly Vulnerability Scan DCF-23 - Security Issues are Prioritised Vendors: DCF-168 - Vendor Management Policy DCF-56 - Vendor Agreements Maintained DCF-57 - Vendor Compliance Reports
Managing Access and Assets	Access Control: DCF-11 - Quarterly Access Control Review DCF-43 - Termination/Offboarding Checklist Asset Management: DCF-20 - Maintains Asset Inventory DCF-109 - Disposal of Sensitive Data on Hardware
Managing Incidents and Changes	Incidents: DCF-9 - Employee Disclosure Process DCF-29 - Incident Response Team DCF-28 - Follow-Ups Tracked DCF-30 - Lessons Learned DCF-154 - Annual Incident Response Test DCF-159 - Incident Response Plan Changes: DCF-31 - Software Development Lifecycle Policy DCF-5 - Code Review Process DCF-155 - Code Changes are Tested DCF-156 - Code Released by Appropriate Personnel
Managing Governance & BCDR Tests	Board/Management: DCF-143 - Board Oversight Briefings Conducted DCF-144 - Board Charter Documented DCF-146 - Board Meetings Conducted Business Continuity and Disaster Recovery: DCF-25 - Disaster Recovery Plans DCF-26 - BCP/DR Tests Conducted Annually DCF-100 - Backup Integrity and Completeness DCF-166 - Business Continuity Plan