Control scoping in Drata

Selecting the right controls in Drata to achieve compliance

Drata's starting position is to include ~160-180 controls that support your SOC 2 compliance. Not all of these are required, which gives you some optionality and lets you reduce your scope and focus accordingly.

The easiest way to narrow your focus is to upload our Drata Starter custom framework to your instance. We'll send you this and our Quickstart guide as part of the onboarding process. You can then filter to these controls in your Controls view of Drata, by selecting the Drata Starter framework filter on the left-hand side.

The guidance below is an alternative way of scoping your controls, if you prefer.


Legacy Approach

In this step of the Drata Playbook, you can de-scope the controls that aren't necessary and aren't implemented. You may choose to keep some of these; doing so won't impact your SOC 2 audit with AssuranceLab. Once you have a list of selected controls, assign control owners to all of them to track your internal control responsibilities.


De-Scope Controls

The controls below can be de-scoped, as they are not required to achieve compliance with AssuranceLab's Drata Playbook.

Control Code   Control Name
DCF-3          Require Encryption of Web-Based Admin Access
DCF-60         Password Storage
DCF-61         Customer Data Segregation
DCF-62         Inactivity and Browser Exit Logout
DCF-70         Terminated Employee Access Revoked Within One Business Day
DCF-90         Root Infrastructure Account Unused
DCF-99         Failed Backup Alert and Action
DCF-103        Customer Data Deletion Upon Termination
DCF-145        Board Expertise Developed
DCF-150        DLP (Data Loss Prevention) Software is Used
DCF-8          Disclosure Process for Customers
DCF-22         Network segmentation in place
DCF-35         Security Team Communicates in a Timely Manner
DCF-63         Accepting The Terms of Service
DCF-64         Commitments Explained to Customers
DCF-72         Unique SSH
DCF-73         Denial of Public SSH
DCF-93         Credential Keys Managed
DCF-95         Monitoring Processing Capacity and Usage
DCF-152        Virtual Machine OS are Patched Monthly
DCF-91         Intrusion Detection System in Place
DCF-65         Maintains a Privacy Policy
DCF-98         Daily Backup Statuses Monitored
DCF-46         Formal Recruiting Process
DCF-41         Independent Board of Directors


You can de-scope controls on the Controls page in Drata, either by clicking into the control and selecting "De-scope" in the top right corner of the window, or by selecting multiple controls together and choosing "Mark Out of Scope" at the top of the control list menu.


Assign Control Owners

The purpose of assigning control owners is to track internal control responsibilities. This demonstrates your governance over your compliance activities and, practically, helps ensure the controls are monitored and maintained effectively. You can click into each control to add a control owner, or select multiple controls together in the Controls view and use "Add/Remove Control Owners" to assign them in bulk.

To confirm that every control has an owner, use the "No Owners Assigned" filter on the left-hand side of the Controls view and verify that no controls remain unassigned.