How to complete your assessment controls
OVERVIEW
Risk Assessments: The risk assessment considers the identified risks, including new and existing. It populates, updates or confirms each risk into the risk register with the appropriate risk ratings based on the risk assessment criteria. Risk assessment activities should be governed by the Risk and Control Management Policy that sets a formal methodology for identifying, assessing, treating, monitoring and reporting the risks that threaten company objectives and the control activities that mitigate those risks.
Control Self Assessments: The control framework sets out the internal control activities that manage identified risks and support compliance with SOC 2 and customer requirements. The control activities should be assigned to control owners who are responsible for ensuring these controls are accurate, applied effectively and consistently in practice, and revised and updated when needed. The control framework should be reviewed for appropriateness at least annually. Your control self-assessments should have some level of formality to demonstrate a review of the controls (i.e. who did it, when and what were the results) to confirm they are accurate and effective. If inaccuracies or control weaknesses were identified, they should be logged along with a plan or actions to address them.
CONTROLS AND EVIDENCE
Risks: We will review your Risk Assessment Policy (DCF-15) for key components like roles and responsibilities, a defined process for assessing risks, a risk rating criteria and a guideline for how risk mitigation/treatment actions should be devised. As a part of our review, we'll also need to see your latest risk assessment (DCF-16) and the remediation plan (DCF-17) for any findings noted from your risk assessment exercise.
Controls: We'll inspect the information security policies to confirm they've been reviewed and updated/approved within the last 12 to 15 months (DCF-33). This revision history may be in the policy document or in the document history in Drata's Policy Center.
We will need to review your control self-assessments (DCF-153) and the action plan for any inaccuracies or control weaknesses identified.The continuous monitoring of controls (DCF-160) is implicit in your use of Drata but remember to actively investigate and fix any failed tests or issues in your controls.
Other resources
- You can find an example control self-assessment in our knowledge base