Get started with Drata Starter: Compliance Accelerator
Steps
- Step 1: Getting into your Drata Tenant
- Step 2: Connecting your systems
- Step 3: Scoping your controls
- Step 4: Create Audit Package
- Step 5: Provide AssuranceLab Auditor Access
- Step 6: Tell us about your systems
Step 1: Getting into your Drata Tenant
Visit app.drata.com, enter the email address you provided. You will then receive the following notification (on right) to check the email inbox of the email you just entered.
Note: This email should be have the same domain as your
organization/company. (Eg. org name is “wowindustries”. Email is “person@wowindustries.org”) It should not be a personal email address.
Step 1.1: Log in to your email account in the same browser that you provided in Step 1 and click on the email from Drata.
Note: check your spam inbox in case you did not receive the email in your inbox. If this does not work, retry inputting your email in Step 1 again.
Click the link “Get Started”, as shown below. You will then be redirected to your Drata dashboard.
Step 2: Connecting your systems
Begin with the Quick Start at the top left corner in Drata. This will guide you through making your first connections to Drata.
Step 2.1: You will want to begin with Identity Provider connections (you can continue with other connections, but this is a good place to start in order to get sign-on working for other users). Connections are API connections that utilize the principle of least privilege to only view configuration data for attestation/evidence collection in the audit process.
For detailed instructions of supported connections click the Question Mark in the top right corner
From the Help Center, search through instructions on any connections you wish to make.
Note: For any connection you’re making, you will need to involve or have Administrator credentials for that account. Please involve any IT/Admin/stakeholder/application owner in this process as necessary to make these connections.
Step 2.2: Once you have brought in employees via Identity connections, it’s a good idea to set up some other admins beyond yourself. You will then want to invite other admins in your organization who will be driving the software, making connections, and/or evaluating the system.
Under your name, click on the org name (in this case, it’s “Acme Company”) and then select “Role Administration”.
From here you will be able to select employees brought in from your Identity Provider to be Drata Account Administrators. They will also follow Step 1 to gain access.
There are three types of Privileged Roles in Drata:
- Account Administrators: These users have read and edit rights to everything across the account.
- Tech Governance Team (Information Security Engineers): these users have all of the same rights and access as Account Administrators EXCEPT for access to the Role Administration page. They cannot set other Admin rights
- Risk Manager: These users have access to a suite of risk management tools that let them build a risk register, score risks, assign risk owners, and complete other tasks related to threat-based risks.
Step 3: Scoping your Controls
We recommend focusing on a subset of the controls in Drata, to make best use of your efforts and fast track your compliance outcomes. The Drata Starter framework includes 79 controls with guidance, tips and examples to give a clear view of what's required to pass the audits. View the full list here. Click into the 'controls that can be descoped' tab to see the full list of which controls can be descoped from your SOC 2 Framework in Drata.
Note: These 79 controls are covered in the respective steps in the Drata Starter program. Ie. connecting your systems, generating your policies, completing vendor and risk assessments, then loading the remaining documents will address all 79 controls.
If you are planning for an audit with SOC 2 Privacy or Processing Integrity, or additional frameworks like HIPAA, GDPR, or ISO 27001, visit the Drata Starter Plus page for further details.
Step 4: Create Audit Package
Go to the Audit Hub section of Drata on the left side menu. Click “Create Audit” on the right side of the screen. Select the relevant framework (e.g. “Drata Starter”) and select the date range of your SOC audit.
Note: Please ensure the date range starts in the past and continues beyond the time period we'll be working through the audit. It can be changed later, but this ensures all required evidence is available.
Note: It’s key to select a date range rather than a single date. A single date means we will only be able to receive test evidence for that date.
Step 5: Provide AssuranceLab Auditor Access
Now that you’ve created your Drata Starter Audit, click “Open Audit”. Click the “+” in the right of the “Auditors” box to create a new auditor or select an existing auditor profile. To create a new auditor, add the three personnel’s details below for our audit team and toggle on “Read only access to the entire app” and “Download for Controls, Tests and Requirements” for each of those. For existing profiles, select the auditor name in the “Previous auditors” drop down menu and click “Confirm”.
Note: If you have any concerns with this access, get in touch with us. The purpose of this access is to support you through the process.
AssuranceLab Team
Please add your assigned audit team members only to your Drata instance and the audit package. Your audit team will typically be assigned. In addition to your team, please ensure you are adding our universal email address: drata@drata.assurancelab.cpa as an auditor.
Note: Our PillarGRC email domain is used for most of our team as we have our own Drata instance with Assurancelab.com.au. PillarGRC is our audit platform domain.
| First Name | Last Name | Firm Name | |
| Paul | Wenham | paul@drata.assurancelab.cpa | AssuranceLab |
| Patrick | Hegarty | patrick@drata.assurancelab.cpa | |
| Davor | Lovric | davor@drata.assurancelab.cpa | |
| Lachlan | Pound | lachlan@drata.assurancelab.cpa | |
| Patrick | O'Keeffe | patrick.o@drata.assurancelab.cpa | |
| Vlora | Ramadani | vlora.ramadani@drata.assurancelab.cpa | |
| Claire | McInally | claire.mcinally@drata.assurancelab.cpa | |
| Dara | O'Sullivan | dara.osullivan@drata.assurancelab.cpa | |
| Emily | Jenkins | emily.jenkins@drata.assurancelab.cpa | |
| Jesse | Britto | jesse.britto@drata.assurancelab.cpa | |
| Jessica | Murphy | jessica.murphy@drata.assurancelab.cpa | |
| Sanjana | Rugdam | sanjana.rugdam@drata.assurancelab.cpa | |
| Shane | Donegan | shane.donegan@drata.assurancelab.cpa | |
| Thomas | Faithfull | thomas.faithfull@drata.assurancelab.cpa |
Step 6: Complete your System Description
The System Description serves two main purposes:
a) It forms the basis of your final SOC 2 report.
b) By completing it early, it ensures your auditor knows which systems to test and what is in scope for your engagement.
Completing it is a prerequisite to testing. It takes about ~10 minutes to complete.
Please click the appropriate link below to get started:
Drata Starter SOC 2 Audit: Click here and use the access code "MzXERyDF28"
Drata Starter SOC 2 + HIPAA and/or GDPR: Click here and use the access code "t8gKSNVxjD"
The link will lead you to Policy Tree after completing the System Description. Policy Tree is an optional exercise which generates tailored policies for your business. If you already have policies, you do not need to complete Policy Tree.