Get Audit Ready in 5 Steps with Sensiba
Connecting your Key Systems
Start with the Quick Start button in the top left corner of Drata — this walks you through your first connections.
Systems to connect:
- Cloud Providers
- Identity Providers (IDP)
- Version Control (GitHub, GitLab, Bitbucket, etc.)
- HRIS (Human Resource Information Systems)
- Datastores
- Mobile Device Management (MDM)
👉 In-scope = production systems, sensitive information, or user data
👉 Out-of-scope = test, sandbox, or non-production systems
Connections use the principle of least privilege — Drata only pulls configuration data needed for evidence.
💡 Tip: You’ll need admin credentials for each system. Loop in IT, app owners, or stakeholders as needed.
📖 For step-by-step instructions, view more about the Quick Start in Drata here.
Get Your Drata Instance Audit-Ready
Beyond your initial connections and system description, there are a few key areas in Drata that help ensure you’re truly audit ready. Taking the time to configure these properly now will save time later.
Focus areas to review in Drata:
- Personnel in scope: Confirm all employees who should be part of the audit are added — and that only relevant people are included. (For example, contractors are generally excluded unless they have access to critical systems.)
- Policy management: Upload your required policies, assign them to the right staff, and track acknowledgements.
  - We also offer a Policy Generator (PolicyTree) that creates robust, tailor-fit policies aligned with your controls. This is optional — you can use Drata’s policies instead — but if you choose PolicyTree, you’ll need to upload those policies into Drata. You can create them here.
- Risk management: Document your risks, define mitigation plans, and assign ownership — especially for critical or high risks.
- Vendor management: Add your critical vendors, assign risk ratings, and complete reviews for those rated high or critical.
- Monitoring tests: Configure key monitoring checks so controls are continuously validated within Drata.
📖 For a detailed step-by-step walkthrough, check out Drata’s SOC 2 Checklist.
💡 Tip: Think of these areas as the “readiness foundation” — the stronger they are, the smoother your audit will go.
Scoping your Controls
Drata comes with a broad set of default controls, but you don’t need all of them for your audit.
- Your audit with us only requires a subset of controls.
  - There are approximately 50 controls relevant to the Security, Availability, and Confidentiality Trust Services Criteria. We've included Processing Integrity and Privacy as well; however, these are not tested by default.
- You can safely descope/exclude any controls that aren’t relevant to your audit, as per our control listing provided below.
- Depending on the date your organization signed up to Drata, you may see either the previous or the updated version of the framework within your instance. For more context, you can view the article here.
If you were using Drata prior to 7th May 2024:
📖 Download and View the full list here
If you were using Drata after 7th May 2024:
📖 Download and View the full list here
💡 Tip: Focus on quality over quantity — only keep controls that truly apply to your environment.
Create Audit Package
Set up your audit so we can join you in Drata.
1. Go to the Audit Hub tab → select Create Audit.
2. Enter your audit details:
   - Audit type (e.g. SOC 2)
   - Audit period → use past dates up to the current date.
     - If you're unsure, don't worry! We can always adjust the dates for you at a later stage.
3. Add your auditors from the dropdown or by inviting new ones.
📖 Learn more about audit periods here
Provide Sensiba Auditor Access
Once your audit is created, give our team access:
1. Go to Audit Hub → Open Audit.
2. Select the edit icon under Assigned auditors.
3. Add our audit team address: grc@drata.sensiba.com
   - This ensures we can start supporting you right away.
   - Read-only access
   - Download for Controls, Tests and Requirements
💡 Note: Your dedicated audit team member will be assigned after your Kick-Off call. They’ll let you know when to add their individual account.
Complete your System Description
This is a key step for your audit:
- It forms the basis of your final SOC 2 report.
- It tells your auditor exactly which systems are in scope.
You can complete it by following the instructions linked here.
💡 Tip: Do this early to give your auditor full context from the start.
Need Help?
We’re here for you! If you have questions or something feels unclear, reach out anytime at csplatform@sensiba.com.