The sample tests and related controls conducted for our Drata Playbook
OVERVIEW
For Type II audits, we select samples from the populations of event occurrences during the audit period. For your reference, we've included these populations below, including whether they are tracked in Drata automatically or manually added, and the respective controls we test for each of the samples.
SAMPLE TESTS
| Samples | Population Source | Control Tests |
|---|---|---|
| New Hires | Drata - Personnel | DCF-39: Background checks; DCF-105: Employment contracts (NDA); DCF-69: System access granted; DCF-32: Security policies; DCF-36: Security training |
| Employees | Drata - Personnel | DCF-38: Annual performance evaluations; DCF-47: Job descriptions; DCF-36: Security training |
| Terminated Employees | Drata - Personnel | DCF-43: Termination |
| High-risk Vendors | Drata - Vendors | DCF-57: Vendor compliance reports |
| Asset Disposals | Manual Upload | DCF-109: Disposal of Sensitive Data |
| Vulnerabilities | Manual Upload | DCF-23: Security Issues are Prioritized |
| Incidents | Manual Upload | DCF-28: Follow-Ups Tracked; DCF-30: Lessons Learned |
| Changes | Manual Upload | DCF-155: Code changes are tested; DCF-156: Production code released |
SAMPLE SIZE
Once we have your populations - tracked in Drata, or manually provided where necessary - we will communicate the sample selections to you. So you know what to expect, the sample sizes we use for each population size are listed below.
| Population size | Sample size |
|---|---|
| < 5 | Test all samples |
| 6-50 | 5 |
| 51-250 | 10% rounded up |
| > 250 | 25 |