Drata Sample Tests

The sample tests and related controls conducted for our Drata Playbook


For Type II audits, we select samples from the populations of event occurrences during the audit period. For your reference, we've included these populations below, including whether they are tracked in Drata automatically or manually added, and the respective controls we test for each of the samples.



Samples Population Source Control Tests
New Hires Drata - Personnel

DCF-39: Background checks

DCF-105: Employment contracts (NDA)

DCF-69: System access granted

DCF-32: Security policies

DCF-36: Security training

Employees Drata - Personnel

DCF-38: Annual performance evaluations

DCF-47: Job descriptions

DCF-36: Security training

Terminated Employees Drata - Personnel  DCF-43: Termination
High-risk Vendors Drata - Vendors  DCF-57: Vendor compliance reports
Asset Disposals Manual Upload DCF-109: Disposal of Sensitive Data
Vulnerabilities Manual Upload DCF-23: Security Issues are Prioritized
Incidents  Manual Upload

 DCF-28: Follow-Ups Tracked

 DCF-30: Lessons Learned

Changes Manual Upload

 DCF-155: Code changes are tested 

 DCF-156: Production code released



From your populations - in Drata or manually provided where necessary - we will communicate the sample selections to you. As a heads up on what to expect, below are our sample sizes based on the size of the population. 

Population size Sample size
< 5 Test all samples
6-50 5
51-250 10% rounded up
> 250 25