Ensuring compliance and audit readiness depends on the strong connection between controls, policies, and evidence:
Controls define the compliance requirements.
Policies document the rules and guidelines that enforce these controls.
Evidence proves that controls are implemented and effective.
For a control to be audit-ready, it must be mapped to approved policies AND valid evidence (e.g., passing test results, up-to-date documentation). Missing or invalid evidence can lead to audit failures or delays. Keeping controls, policies, and evidence aligned ensures a smooth and successful audit process.
This article explains how these elements work together and what is required to ensure a control is considered "Ready."
What Makes a Control "Ready"?
A control is considered "Ready" when it meets the following criteria:
All mapped evidence is valid.
The control is not linked to any invalid evidence.
What Qualifies as Valid Evidence?
For evidence to be considered valid, it must meet one of the following conditions:
A test is in a PASSING state.
All mapped policies have an approved version.
A mapped Evidence Library item has not exceeded its renewal date.
A mapped Miscellaneous Evidence file or URL has not exceeded its renewal date.
What Constitutes Invalid Evidence?
Evidence is considered invalid if it meets any of the following conditions:
A test is in a FAILING state.
A mapped policy is not approved.
A mapped Evidence Library item has exceeded its renewal date.
A mapped Miscellaneous Evidence file or URL has exceeded its renewal date.
What to Do When a Control Is Not Ready
If a control is not ready, take the following steps:
Review and Approve Policies: Ensure that all mapped policies have been reviewed and approved, including any pending or current contractor review and acknowledgement of policies.
Upload Manual Evidence: If needed, provide additional documentation to support the control.
Verify Mapped Evidence: Check that all linked evidence is valid and up to date.
Ensure Controls Are Mapped to Evidence: If a control lacks any mapped evidence, it is not considered ready.
DCFs That Require Additional Evidence
The following DCFs are common controls that may need both a linked policy AND supporting evidence.
These DCFs can appear as READY once a policy is attached, but they still require additional evidence to be fully compliant with auditor expectations.
| Code | Name | Manual Evidence Required |
| --- | --- | --- |
| DCF-16 | Periodic Risk Assessment | Upload the latest documentation of completed risk assessment activities, e.g. risk register, risk treatment plan. |
| DCF-17 | Risk Treatment Plan | Upload the latest documentation of completed risk assessment activities, e.g. risk register, risk treatment plan. |
| DCF-18 | Vulnerability Scans | If you have not set up the integration for Drata to run an automated test to verify Vulnerability Scanning, you will need to upload copies of your vulnerability scan results. |
| DCF-19 | Penetration Tests | Upload evidence of the most recent penetration testing activities, e.g. test reports, vulnerability assessments, or remediation plans. |
| DCF-21 | Architectural Diagram | Upload your current architecture diagram(s) along with evidence of updates or reviews within the past year. Acceptable documentation may include emails from responsible personnel confirming accuracy or any other records verifying that the diagrams are up to date. |
| DCF-22 | Network Diagram | Upload your current network diagram(s) along with evidence of updates or reviews within the past year. |
| DCF-26 | BCP/DR Tests | Upload evidence of your most recent business continuity and/or disaster recovery test. |
| DCF-154 | Incident Response Test | Upload evidence of your most recently completed incident response test. |
By following these steps, you can ensure that your controls remain in a ready state, helping to streamline audits and maintain compliance.