Manual evidence uploads in Drata

The remaining audit checklist to complete your audit in Drata


By this stage of our Drata Playbook, you should have connected your systems, generated and uploaded your policies, completed the risk assessment and vendor governance activities, and if you're doing a Type 2 audit, uploaded the few population items. Now it's time to complete the remaining audit checklist!


Type I: If you are conducting a Type I audit, you can provide any one example of the control, or a template or mock-up if a live example has not been performed before.

Type II: If you are conducting a Type II audit, AssuranceLab will provide you the sample selections from the populations in Drata, as well as the additional populations uploaded from the previous step in our Drata Playbook. For each of the selected samples, provide the evidence listed below in the table. Where this is too onerous based on sample size, get in touch with our team; Drata's Audit V3, our Pillar software, or other arrangements can be made to accomodate accordingly.


Audit checklist

The remaining items for the audit are described in the table below in alphabetical order to follow the order of their listing in Drata's Controls menu. The requirement column explains the expected audit evidence. You can click the control title to read more and see an example (where applicable).

These items require manually adding evidence into Drata, either of two actions. As long as the evidence is linked to the control ID, either action is acceptable.

1. Evidence Library: In Drata's Evidence Library menu, click "Add Evidence", fill in the required details and link to the relevant control(s) IDs in Drata. 

2. Map external evidence: When you click into each control, you can add files or URLs with the relevant documentation.

Screen shots for both methods are included below the table.

Title Ref Requirement

Accepting The Terms of Service

DCF-63 Evidence of standard terms of service (website) or a contract template that's used to agree terms with customers and users.

Annual Incident Response Test

DCF-154 Meeting minutes or documented test results from the incident response test.
Annual Penetration Tests DCF-19 The latest penetration test report or SOW for planned penetration test (Type I only)
Annual Performance Evaluations DCF-38 The completed performance evaluation evidence for the Sampled Employees.

Annual Risk Assessment & Remediation Plan

DCF-16 The latest completed risk assessment in the form of the risk register, meeting minutes, and/or a risk report.
DCF-17 Risk remediation plan with risk mitigation actions in the risk register, corrective actions plan, or other documented plan.
Architectural Diagram DCF-21 Network or architectural diagram showing high-level system components, connections, data flows.
Background Checks DCF-39 The background checks conducted for the Sampled New Hires.
Backup Integrity and Completeness DCF-100 Evidence of a restoration test conducted in the DR test or separately confirming effective database recovery.
BCP/DR Tests Conducted Annually DCF-26 Documented tests conducted and results for the business continuity and disaster recovery review exercises.
Board Charter Documented DCF-144 Documented Board of Director terms of reference, responsibilities and/or scope.
Board Meetings Conducted DCF-146 The latest Board meeting agenda and minutes, with evidence of briefing on information security.
Board Oversight Briefings Conducted DCF-143
Conduct Control Self-Assessments DCF-153 Records of review of the controls in Drata by the control owners, including any corrective actions or modifications identified.
Cybersecurity Insurance Maintained DCF-157 The certificate of currency or cyber insurance policy details.
Disposal of Sensitive Data on Hardware DCF-109 Confirmation of secure erasure and disposal for the Sampled Asset Disposals. 
Employee Non-Disclosure Agreement (NDA) DCF-105 The employment contract for the Sampled New Joiners.
Follow-Ups Tracked DCF-28 Evidence of incident logging, classification, resolution and lessons learned devised for the Sampled Incidents.
Job Descriptions DCF-47 The documented job descriptions for the Sampled Employees.
Organizational Chart Maintained DCF-14 The documented organization chart with roles and reporting lines. 
Quarterly Access Control Review DCF-11 The latest access control review that confirms user access to critical systems is appropriate, or modified accordingly.
Quarterly Vulnerability Scan DCF-18 The latest vulnerability scan report(s) or system record showing when they were conducted and the results.
Security Issues are Prioritized DCF-23 The vulnerability register or log tracking material vulnerabilities, their ratings and status working towards resolution.
Security Training DCF-36 Confirm security training is tracked in Drata, or manually upload evidence for the Sampled New Joiners.
System Access Granted DCF-69 The completed onboarding checklist or access approval for the Sampled New Joiners.
Termination/Off-boarding Checklist DCF-43 The completed exit checklist or other confirmation of access removal for the Sampled Terminated Employees.

Added Processing Integrity or Privacy to you audit scope? Refer to this page for these controls and evidence required.


Adding Evidence to the Evidence Library menu:

1. Go to the Evidence Library menu in Drata

2. Select "Add evidence" in the top right corner of the screen

3. Populate the details and link to the relevant controls with the guidance above

Screenshot 2024-01-24 at 6.36.05 pm

Mapping external evidence to specific controls: 

1. Go to the Controls menu in Drata

2. Click on the relevant control name in accordance with the guidance above

3. Scroll down the pop out menu to the Control Evidence section and click Add for the "Map external evidence option"

4. Complete the details of the file(s) to be added

Screen Shot 2022-11-30 at 8.01.22 pm