The remaining items to complete your audit readiness
Overview
By this stage of our Drata Starter: Compliance Accelerator, you should have connected your systems, generated and uploaded your policies, and completed the risk assessment and vendor governance activities. Working through the remaining list of items below will complete your audit readiness!
Type I vs. Type II
Type I: If you are conducting a Type I audit, you can provide any one example of the control or, if a live example has not yet been performed, a template, mock-up or in some cases a plan to complete it.
Type II: If you are conducting a Type II audit, AssuranceLab will select a sample of items to see the evidence of the control for each sampled item.
Document checklist
The remaining items are described in the table below in alphabetical order to follow the order of their listing in Drata's Controls menu. The requirement column explains the expected audit evidence. Click into each item to read more about what the control is, why the control is important, and how it can be implemented. We provide guidance on the "do less" approach to satisfy the minimum requirements without overworking your compliance.
These items require manually adding evidence into Drata by either of two actions. As long as the evidence is linked to the control ID, either action is acceptable.
1. Evidence Library: In Drata's Evidence Library menu, click "Add Evidence", fill in the required details and link to the relevant control(s) IDs in Drata.
2. Map external evidence: When you click into each control, you can add files or URLs with the relevant documentation.
Step-by-step instructions for both methods are included below the table.
| Title | Ref | Requirement |
|---|---|---|
| | DCF-63 | Evidence of standard terms of service (website) or a contract template that is used to agree terms with customers and users. |
| Annual Incident Response Test | DCF-154 | Meeting minutes or documented test results from the incident response test. |
| Annual Penetration Tests | DCF-19 | The latest penetration test report, or the SOW for a planned penetration test (Type I only). |
| Annual Performance Evaluations | DCF-38 | The completed performance evaluation evidence for the Sampled Employees. |
| Annual Risk Assessment & Remediation Plan | DCF-16 | The latest completed risk assessment in the form of the risk register, meeting minutes, and/or a risk report. |
| Annual Risk Assessment & Remediation Plan | DCF-17 | Risk remediation plan with risk mitigation actions in the risk register, corrective action plan, or other documented plan. |
| Architectural Diagram | DCF-21 | Network or architectural diagram showing high-level system components, connections and data flows. |
| Background Checks | DCF-39 | The background checks conducted for the Sampled New Hires. |
| Backup Integrity and Completeness | DCF-100 | Evidence of a restoration test, conducted as part of the DR test or separately, confirming effective database recovery. |
| BCP/DR Tests Conducted Annually | DCF-26 | Documented tests conducted and results for the business continuity and disaster recovery review exercises. |
| Board Charter Documented | DCF-144 | Documented Board of Directors terms of reference, responsibilities and/or scope. |
| Board Meetings Conducted | DCF-146 | The latest Board meeting agenda and minutes, with evidence of briefing on information security. |
| Board Oversight Briefings Conducted | DCF-143 | |
| Code Changes are Tested | DCF-155 | Evidence of testing code changes prior to release into production, through CI/CD screenshots or documented testing. |
| Conduct Control Self-Assessments | DCF-153 | Records of review of the controls in Drata by the control owners, including any corrective actions or modifications identified. |
| Cybersecurity Insurance Maintained | DCF-157 | The certificate of currency or cyber insurance policy details. |
| Employee Non-Disclosure Agreement (NDA) | DCF-105 | The employment contract for the Sampled New Joiners. |
| Follow-Ups Tracked | DCF-28 | Evidence of incident logging, classification, resolution and lessons learned recorded for the Sampled Incidents. |
| Job Descriptions | DCF-47 | The documented job descriptions for the Sampled Employees. |
| Organizational Chart Maintained | DCF-14 | The documented organization chart with roles and reporting lines. |
| Quarterly Access Control Review | DCF-11 | The latest access control review confirming that user access to critical systems is appropriate, or has been modified accordingly. |
| Quarterly Vulnerability Scan | DCF-18 | The latest vulnerability scan report(s), or a system record showing when the scans were conducted and their results. |
| Security Issues are Prioritized | DCF-23 | The vulnerability register or log tracking material vulnerabilities, their ratings and their status as they are worked towards resolution. |
| Security Training | DCF-36 | Confirm security training is tracked in Drata, or manually upload evidence for the Sampled New Joiners. |
| Separate Testing and Production Environments | DCF-7 | Screenshots showing that separate testing and production environments are used. |
| System Access Granted | DCF-69 | The completed onboarding checklist or access approval for the Sampled New Joiners. |
| Termination/Off-boarding Checklist | DCF-43 | The completed exit checklist or other confirmation of access removal for the Sampled Terminated Employees. |
| Vendor Agreements Maintained | DCF-56 | Evidence of terms of service or contractual agreements for high and critical vendors. |
| Vendor Compliance Reports | DCF-57 | Evidence of review of the attestation/compliance reports or security reviews for high and critical vendors. |
Added Processing Integrity or Privacy to your audit scope? Refer to this page for those controls and the evidence required.
Adding Evidence to the Evidence Library menu:
1. Go to the Evidence Library menu in Drata
2. Select "Add evidence" in the top right corner of the screen
3. Populate the details and link to the relevant controls with the guidance above
Mapping external evidence to specific controls:
1. Go to the Controls menu in Drata
2. Click on the relevant control name in accordance with the guidance above
3. Scroll down the pop-out menu to the Control Evidence section and click "Add" under the "Map external evidence" option
4. Complete the details of the file(s) to be added