
Drata Starter Quick Start Guide

Get Audit Ready in 5 Steps with Sensiba

Connecting your Key Systems

Start with the Quick Start button in the top left corner of Drata — this walks you through your first connections.

Systems to connect:

  • Cloud Providers

  • Identity Providers (IDP)

  • Version Control (GitHub, GitLab, Bitbucket, etc.)

  • HRIS (Human Resource Information Systems)

  • Datastores

  • Mobile Device Management (MDM)

👉 In-scope = production systems, sensitive information, or user data
👉 Out-of-scope = test, sandbox, or non-production systems

Connections use the principle of least privilege — Drata only pulls configuration data needed for evidence.

💡 Tip: You’ll need admin credentials for each system. Loop in IT, app owners, or stakeholders as needed.
📖 For step-by-step instructions, view more about the Quick Start in Drata here.

Getting Your Drata Instance Audit-Ready

Once your initial connections and system description are set up, there are a few core areas in Drata that need attention to ensure you’re ready for audit. The focus areas differ slightly between SOC 2 Type 1 and SOC 2 Type 2, outlined below.

SOC 2 Type 1: The Essentials to Get Started

A Type 1 audit represents a point-in-time review, so the setup required is lighter. At a minimum, in addition to connecting your key systems outlined above, we need you to complete the following areas so we can begin the audit process:

  • Personnel in Scope - Make sure all relevant employees are added to Drata — and that only those required are included. Contractors are typically excluded unless they have access to critical systems.

  • Policy Management - Upload your required policies, assign them to the appropriate staff, and track acknowledgements and approvals. You can use either:

    • Drata-provided policies, or

    • PolicyTree (our Policy Generator) to create tailored, control-aligned policies. If using PolicyTree, simply upload the generated policies into Drata. You can create them here.

  • Monitoring Basics - Enable key monitoring tests to validate the most important controls for your environment.

  • Drata Agent - Install the Drata Agent for all applicable personnel to track device compliance (e.g., disk encryption, antivirus).

These items represent the minimum required to get your Type 1 audit underway, and they help build a strong foundation for your Type 2.

SOC 2 Type 2: Build on the Foundation

A Type 2 audit assesses controls over time to confirm operating effectiveness, so you’ll need everything listed above plus a more complete operational picture. This includes:

  • Risk Management - Document your risks, assign owners, and outline mitigation plans — especially for high or critical risks.
  • Vendor Management - Add your critical vendors, set risk ratings, and complete reviews for any vendor rated high or critical. 

📖 For a detailed step-by-step walkthrough, check out Drata’s SOC 2 Checklist.

💡 Tip: Think of these areas as the “readiness foundation” — the stronger they are, the smoother your audit will go.

Scoping your Controls

Drata comes with a broad set of default controls, but you don’t need all of them for your audit.

  • Your audit with us only requires a subset of controls.

  • There are approximately 50 controls relevant for the Security, Availability, and Confidentiality Trust Service Criteria. We've also included Processing Integrity and Privacy; however, these are not tested by default.
  • You can safely descope/exclude any controls that aren’t relevant to your audit, as per our control listing provided below.

  • Depending on the date your organization signed up to Drata, you may see either the previous or the updated version of the framework within your instance. For more context, you can view the article here.

If you were using Drata prior to 7th May 2024:

📖 Download and View the full list here

If you were using Drata after 7th May 2024:

📖 Download and View the full list here

💡 Tip: Focus on quality over quantity — only keep controls that truly apply to your environment.

Create Audit Package

Set up your audit so we can join you in Drata.

  1. Go to the Audit Hub tab → select Create Audit

  2. Enter your audit details:

    • Audit type (e.g. SOC 2)

    • Audit period → use past dates up to the current date. If you're unsure, don't worry! We can always adjust the dates for you at a later stage.

  3. Add your auditors from the dropdown or by inviting new ones

📖 Learn more about audit periods here

Provide Sensiba Auditor Access

Once your audit is created, give our team access:

  1. Go to Audit Hub → Open Audit

  2. Select the edit icon under Assigned auditors.

  3. Add our audit team addresses:

  4. Toggle on:

    • Read only access

    • Download for Controls, Tests and Requirements

💡 Note: Your dedicated audit team member will be assigned after your Kick-Off call. 

Complete your System Description

This is a key step for your audit:

  • It forms the basis of your final SOC 2 report

  • It tells your auditor exactly which systems are in scope

You can complete it by following the instructions linked here.

💡 Tip: Do this early to give your auditor full context from the start.

Need Help?

We’re here for you! If you have questions or something feels unclear, reach out anytime at csplatform@sensiba.com.