Drata Starter: FAQs

Frequently asked questions by our clients working through the Drata Starter: Compliance Accelerator

Do I need to implement all 200+ controls in Drata?

No. The Drata platform is designed to provide comprehensive coverage for companies of all sizes and stages. AssuranceLab's Drata Starter program focuses on the 79 most important controls that generally meet the expectations of enterprise customers and audit firms, and the practical needs of the hundreds of clients that have worked through this program before. This focus helps achieve faster compliance outcomes, makes the best use of your limited resources and time, and provides a strong foundation that you can build on over time.

 

What's included in the 79 Drata Starter controls?

The Drata Starter QuickStart guide has the full list of controls. These are categorised into three types:

  1. Automated tests: Once you connect your infrastructure and tools, these controls are verified automatically by Drata's Autopilot continuous monitoring.
  2. Policies: By using Drata policy templates or our PolicyTree tool and loading the policies into the Drata Policy Centre, these policy controls are addressed automatically.
  3. Documents: The remaining items require document uploads or setup of the risk and vendor functions in Drata.

 

Will this Drata Starter program work if I choose to use a different audit firm?

Yes. All audit firms have nuances in the way they conduct audits and in the controls they recommend or expect from their clients. However, there is general consensus in the industry on the most important controls, and Drata Starter is designed to focus on these. Working with AssuranceLab, or any other audit firm, you will still receive some audit queries as you work towards completion of your audit. The purpose of this clear path and focus, the tools and guides, and our expert support is to ensure you are well placed to address the audit requirements whichever firm you choose to work with.

 

What should I put as my audit period?

For Type 2 engagements, you will select an audit period that the SOC 2 report covers. We recommend this commences from the end of the last Type 2 period or from the Type 1 report date, depending on which report was last issued. If it's a first-time report going straight to Type 2, you should generally start the period from the earliest date at which you had completed implementation of your controls. The length of the period can be between 3 and 12 months; we typically recommend a 6 month minimum based on enterprise preferences. Annual recurring Type 2 reports become the norm after your first Type 2 report.

 

When does AssuranceLab start the audit?

We can get started whenever you are ready. We recommend working through the full Drata Starter program first so that we can give feedback across all areas and reduce the noise of unnecessary audit queries. With our AI-powered assessments, we can provide fast feedback to help you narrow your focus to the areas that need further work. Get in touch with your AssuranceLab contact if you are unsure of the best timing.

 

How long does the audit take?

We're working towards an SLA of completing your audit and reporting within a 2-4 week timeframe. This depends on whether you've completed all items, the quality of the evidence provided, and your team providing timely responses to any audit queries we have. Our AI audit offering fast-tracks the audit results and provides greater insight, which assists with clearer audit queries and marking off the controls. We maintain the same SLA timeframe, given the dependency on your team, but we recommend opting into AI audit if timing is critical.

 

What if some of the controls are not applicable or different in our context?

The intent of our Drata Starter program is to focus on controls that should apply to all companies. We apply generic control descriptions that are flexible enough to cover the various ways you might actually operate the controls. If you do come across controls you believe are not applicable, or that do not accurately reflect how you operate, it's best to add a note to the control for our audit team. Ideally this is an attached Word or TXT file with a brief explanation of the circumstances, with a screenshot or other supporting information where applicable. Attaching this will automatically mark the control as "Ready" in Drata for us to review.

 

What are examples of where the controls may vary?

A common example we see is that there is no Board of Directors. The same type of governance and oversight is still expected, but it may instead be performed by your Senior Management Team or co-founders. We also see clients with varying ways of defining incidents, of scoping the third-party vendors they monitor, or of assessing and managing risks. These types of variances generally do not require adjusting the controls, as the purpose of the control is still satisfied in each case.

 

Do I need to have performed all controls before a Type 1 report?

For a Type 1 report, there is some flexibility in the timing of when controls are conducted. This is particularly relevant for DR/BCP testing and penetration testing, which can be costly and time-consuming exercises. A Type 1 report can be achieved by proving you have plans in place for those before they are actually conducted. For a BCP/DR test, that should include proving it has been scheduled; for a penetration test, an executed statement of work that shows the scope, timing and approach agreed with a third-party provider. Other common examples we see are new joiner and exit checklists, new incident management tracking and employee performance reviews, where a new process may have been set up but not yet conducted.

 

How do we address failing auto-tests?

It's best to investigate and resolve the cause of the failure in Drata, which has guidance for each monitor. In some cases you may find the failure to be appropriate given the context or nature of your environment. You can adjust the scope of the auto-tests to align with your reporting scope. For example, you may have databases that are public and unencrypted because they do not hold any sensitive data. These can be excluded from the tests, with commentary added accordingly, in the Monitoring section of Drata. This may apply to databases, user access, employees, or whatever other circumstances apply. Please capture comments accordingly so we can understand why they're excluded and sign off the respective controls with reduced back and forth.

 

I use a third-party to manage my infrastructure. How does this impact the audit and the evidence I need to provide?

Our audit procedures typically cover only the controls you own or are involved in managing. Where you rely on a third party to manage your infrastructure, such as a fully managed database-as-a-service platform, we will reference those as sub-service organisation controls. No additional evidence is required from you unless you play a part in managing those controls.

 

I've added Privacy trust services criteria to my scope. How do I understand some of the terms used in Privacy?

The Privacy trust services criteria use specific terms that can be confusing the first time around. Here are some helpful definitions. When in doubt, reach out to your audit team for additional support.

  • Data controller: An entity that (alone or jointly with others) determines the purposes for and the means by which personal data is processed. So, if your company/organisation decides 'why' and 'how' the personal data should be processed, it is the data controller.
  • Data processor: An entity that processes personal data at the direction of a data controller. In many cases, a service organization may process personal data for its business-to-business (B2B) customers (user entities), which in turn may function as data controllers. In other cases, a service organization may function as a data controller, depending on the facts and circumstances.
  • Data subject: The individual about whom personal information is collected.
  • Example: 

    A private company provides software to process healthcare data for patient assessments. Using the software, the company provides tracking and reporting to their healthcare provider customers.

    The company’s sole purpose in processing healthcare data is to provide this service to the healthcare providers. The providers set the purpose – to process data for assessments and reporting. The company does not determine the purposes of the processing, it merely provides the processing service. This company is likely to be a processor. The healthcare provider is the data controller. The healthcare provider's patients are the data subjects.

 

How do I know which policies to prioritise finalising for the audit?

This depends on which specific policies you document the relevant procedures, requirements or topics in. The policies we typically reference for Drata Starter audits are:

  1. Access Control Policy
  2. Incident Management Policy
  3. Information Security Policy
  4. Risk Assessment Policy
  5. Vulnerability Management Policy
  6. Disaster Recovery Plan
  7. Change Management Policy
  8. Acceptable Use Policy
  9. Code of Conduct
  10. Network Security Policy
  11. Password Policy
  12. Data Classification, Handling, and Retention Policy
  13. Business Continuity Policy
  14. Vendor Management Policy
  15. Backup Policy
  16. Asset Management Policy

How are the AI Audits impacting the continuous audit model?

As of 2024, our continuous audit model has continued to evolve with the introduction of our AI audits, which are now the preferred method for conducting continuous audit practices. We can run the AI assessment up to once per quarter to give you continuous assurance feedback that helps ensure you've stayed on track and supports any updates you need to provide to enterprise customers.