The remaining audit checklist to complete your audit in Drata
Overview
By this stage of our Drata Playbook, you should have connected your systems, generated and uploaded your policies, completed the risk assessment and vendor governance activities, and if you're doing a Type 2 audit, uploaded the few population items. Now it's time to complete the remaining audit checklist!
Samples
Type I: If you are conducting a Type I audit, you can provide any one example of the control, or a template or mock-up if a live example has not been performed before.
Type II: If you are conducting a Type II audit, AssuranceLab will provide you the sample selections from the populations in Drata, as well as the additional populations uploaded from the previous step in our Drata Playbook. For each of the selected samples, provide the evidence listed below in the table. Where this is too onerous based on sample size, get in touch with our team; Drata's Audit V3, our Pillar software, or other arrangements can be made to accomodate accordingly.
Audit checklist
The remaining items for the audit are described in the table below in alphabetical order to follow the order of their listing in Drata's Controls menu. The requirement column explains the expected audit evidence. You can click the control title to read more and see an example (where applicable).
These items require manually adding evidence into Drata, either of two actions. As long as the evidence is linked to the control ID, either action is acceptable.
1. Evidence Library: In Drata's Evidence Library menu, click "Add Evidence", fill in the required details and link to the relevant control(s) IDs in Drata.
2. Map external evidence: When you click into each control, you can add files or URLs with the relevant documentation.
Screen shots for both methods are included below the table.
| Title | Ref | Requirement |
| DCF-63 | Evidence of standard terms of service (website) or a contract template that's used to agree terms with customers and users. | |
|
Annual Incident Response Test |
DCF-154 | Meeting minutes or documented test results from the incident response test. |
| Annual Penetration Tests | DCF-19 | The latest penetration test report or SOW for planned penetration test (Type I only) |
| Annual Performance Evaluations | DCF-38 | The completed performance evaluation evidence for the Sampled Employees. |
|
Annual Risk Assessment & Remediation Plan |
DCF-16 | The latest completed risk assessment in the form of the risk register, meeting minutes, and/or a risk report. |
| DCF-17 | Risk remediation plan with risk mitigation actions in the risk register, corrective actions plan, or other documented plan. | |
| Architectural Diagram | DCF-21 | Network or architectural diagram showing high-level system components, connections, data flows. |
| Background Checks | DCF-39 | The background checks conducted for the Sampled New Hires. |
| Backup Integrity and Completeness | DCF-100 | Evidence of a restoration test conducted in the DR test or separately confirming effective database recovery. |
| BCP/DR Tests Conducted Annually | DCF-26 | Documented tests conducted and results for the business continuity and disaster recovery review exercises. |
| Board Charter Documented | DCF-144 | Documented Board of Director terms of reference, responsibilities and/or scope. |
| Board Meetings Conducted | DCF-146 | The latest Board meeting agenda and minutes, with evidence of briefing on information security. |
| Board Oversight Briefings Conducted | DCF-143 | |
| Conduct Control Self-Assessments | DCF-153 | Records of review of the controls in Drata by the control owners, including any corrective actions or modifications identified. |
| Cybersecurity Insurance Maintained | DCF-157 | The certificate of currency or cyber insurance policy details. |
| Disposal of Sensitive Data on Hardware | DCF-109 | Confirmation of secure erasure and disposal for the Sampled Asset Disposals. |
| Employee Non-Disclosure Agreement (NDA) | DCF-105 | The employment contract for the Sampled New Joiners. |
| Follow-Ups Tracked | DCF-28 | Evidence of incident logging, classification, resolution and lessons learned devised for the Sampled Incidents. |
| Job Descriptions | DCF-47 | The documented job descriptions for the Sampled Employees. |
| Organizational Chart Maintained | DCF-14 | The documented organization chart with roles and reporting lines. |
| Quarterly Access Control Review | DCF-11 | The latest access control review that confirms user access to critical systems is appropriate, or modified accordingly. |
| Quarterly Vulnerability Scan | DCF-18 | The latest vulnerability scan report(s) or system record showing when they were conducted and the results. |
| Security Issues are Prioritized | DCF-23 | The vulnerability register or log tracking material vulnerabilities, their ratings and status working towards resolution. |
| Security Training | DCF-36 | Confirm security training is tracked in Drata, or manually upload evidence for the Sampled New Joiners. |
| System Access Granted | DCF-69 | The completed onboarding checklist or access approval for the Sampled New Joiners. |
| Termination/Off-boarding Checklist | DCF-43 | The completed exit checklist or other confirmation of access removal for the Sampled Terminated Employees. |
Added Processing Integrity or Privacy to you audit scope? Refer to this page for these controls and evidence required.
Adding Evidence to the Evidence Library menu:
1. Go to the Evidence Library menu in Drata
2. Select "Add evidence" in the top right corner of the screen
3. Populate the details and link to the relevant controls with the guidance above
Mapping external evidence to specific controls:
1. Go to the Controls menu in Drata
2. Click on the relevant control name in accordance with the guidance above
3. Scroll down the pop out menu to the Control Evidence section and click Add for the "Map external evidence option"
4. Complete the details of the file(s) to be added
