Drata Starter

AssuranceLab's Drata-exclusive audit program to be SOC 2 Type 1 ready in as little as 20 hours

There are 9 steps to complete your SOC 2 audit in Drata with AssuranceLab:

  1. QuickStart Set-up (~15 mins): Log in, connect your infrastructure, import your custom framework and give us auditor access.
  2. System Description Automation (~15 mins): Input the important details to confirm your SOC 2 reporting scope and generate the description that forms the final report.
  3. Policy Automation (~2 hours): Generate your information security policies, upload and configure the sign-off workflows in the Drata Policy Centre.
  4. Vendor management (~4 hours): Add your material vendors, complete the vendor risk assessments, and review the attestation reports for high risk vendors.
  5. Risk assessment and tracking (~4 hours): Complete and upload your information security risk assessment and risk mitigation plans.
  6. Add control populations (~1 hour): Add populations for incidents and vulnerabilities that aren't tracked directly in Drata. (Type 2 only)
  7. Remaining evidence uploads (~10 hours): Upload the remaining evidence requirements outlined in the table enclosed, to complete your audit.
  8. AI Review and Audit (~1-2 weeks): Opt in to our AI review program for faster feedback and a streamlined audit process (removes step 9 below). We share feedback in a dynamic Google Sheet for easy collaboration to complete the audit.
  9. Traditional Audit (~2-3 weeks): We review your full evidence package and complete the audit. We'll raise any queries in Audit Hub, Slack or another preferred channel.
  10. Continuous Audit: Roll straight into our continuous audit program to maintain your compliance with confidence.


Additional Guidance:

  • Frequently Asked Questions (FAQ): These are the questions we're often asked by clients working through the Drata Starter program.
  • Sample tests: The samples we select and the controls we test for Type II audits following the Drata Playbook.
  • Drata Starter Plus: Have you added more criteria to your scope like Processing Integrity or Privacy? Here's a how to understand what is required.