Continuous Audit for Drata Starter

How Drata + AssuranceLab continuous audit works


Continuous audit progressively completes your audits over the industry standard 12 month reporting cycle. In contrast to traditional audits conducted at the end of the period:

  • You get feedback when it's relevant;
  • Increased confidence your compliance is on track year-round; and
  • It proves your compliance has been maintained with clear audit progress for your customers peace of mind.

It also reduces the disruption of audits, speeds up reporting when period end rolls around, and has inherent efficiencies where audits are put on autopilot with your continuous monitoring in Drata.



Initial setup: Create your audit package and ensure we have auditor read only access to your environment. Go to Audit Hub, create audit and select the applicable date rate. Here's more on how to do this.

Monthly topical focus: about ~30% of your controls are based on periodic reviews and event-driven sample testing. We've aligned a calendar of topical focus areas to complete these areas so you know exactly what's required, and we can provide feedback as the controls are performed.

Remaining controls: Your remaining controls are on autopilot. They are continuously monitored, or otherwise documented in Drata. We will progressively work through these items during the audit period in the background, and just let you know if there's any issues with them. All you need to do, is maintain oversight of those controls; if tests fail, evidence expires, or other alerts are raised by Drata for the scope of Drata Starter controls, address those accordingly.


Month Controls
January: Risk and Controls 

Risk Assessments:

  • DCF-15 - Risk Assessment Policy
  • DCF-16 - Annual Risk Assessment
  • DCF-17 - Remediation Plan

Controls Assessments:

  • DCF-33 - Oversight of Security Controls
  • DCF-153 - Conduct Control Self-Assessments
  • DCF-160 - Continuous Control Monitoring

February: Employees

New Joiners and Current Employees

New joiners:

  • DCF-39 - Background Checks
  • DCF-37 - Acceptable Use Policy
  • DCF-44 - Code of Conduct
  • DCF-69 - System Access Granted
  • DCF-105 - Employee NDA

Current employees:

  • DCF-38 - Annual Performance Evaluations
  • DCF-48 - Session Lock
  • DCF-49 - Password Manager
  • DCF-50 - Malware Detection Software Installed
  • DCF-51 - Security Patches Automatically Applied
  • DCF-52 - Hard-Disk Encryption
  • DCF-67 - MFA on Accounts
  • DCF-47 - Job Descriptions
  • DCF-36 - Security Training
March: Vulnerabilities and Vendors


  • DCF-24 - SLA for Security Bugs
  • DCF-19 - Annual Penetration Tests
  • DCF-18 - Quarterly Vulnerability Scan
  • DCF-23 - Security Issues are Prioritised


  • DCF-168 - Vendor Management Policy
  • DCF-56 - Vendor Agreements Maintained 
  • DCF-57 - Vendor Compliance Reports
April: Access and Assets

Access Control:

  • DCF-11 - Quarterly Access Control Review
  • DCF-43 - Termination/Offboarding Checklist

Asset Management: 

  • DCF-20 - Maintains Asset Inventory
  • DCF-109 - Disposal of Sensitive Data on Hardware
May: Incidents and Changes


  • DCF-9 - Employee Disclosure Process
  • DCF-29 - Incident Response Team
  • DCF-28 - Follow-Ups Tracked
  • DCF-30 - Lessons Learned
  • DCF-154 - Annual Incident Response Test
  • DCF-159 - Incident Response Plan


  • DCF-31 - Software Development Lifecycle Policy
  • DCF-5 - Code Review Process
  • DCF-155 - Code Changes are Tested
  • DCF-156 - Code Released by Appropriate Personnel
June: Governance & BCDR Tests


  • DCF-143 - Board Oversight Briefings Conducted
  • DCF-144 - Board Charter Documented
  • DCF-146 - Board Meetings Conducted

Business Continuity and Disaster Recovery:

  • DCF-25 - Disaster Recovery Plans
  • DCF-26 - BCP/DR Tests Conducted Annually
  • DCF-100 - Backup Integrity and Completeness
  • DCF-166 - Business Continuity Plan
July: Risk and Controls As above in January.
August: Employees As above in February.
September: Vulnerabilities and Vendors As above in March.
October: Access and Assets As above in April.
November: Incidents and Changes As above in May.
December: Board & BCDR Tests As above in June.