
Example Evidence for Not Monitored Controls (ISO 27001) - Revised (Following 5/7/2024 Updates)


Following the ISO 27001:2022 updates as of 5/7/2024, this is the updated guidance for controls that are not automatically monitored in Drata. If you began your ISO 27001 compliance efforts prior to this update, you can still refer to the legacy help article here for additional context – or use both resources as needed.

Note: The examples below are illustrative only. Auditors may request additional or alternative forms of evidence based on your scope, risk posture, and implementation details.

Code

Name

Example Evidence

DCF-7

Separate Environments

Upload evidence showing separate environments exist for development, testing, staging, and production, as applicable.

Example: Screenshots of web environments showing different URLs; screenshots showing separate infrastructure such as different servers, databases, or networks for production and lower environments, etc.

DCF-9

Internal Communication Channels

Upload examples of internal communication channels for employees to report failures, events, incidents, concerns, and other issues.

Example: Screenshots of internal channels dedicated to security event reporting in messaging apps (e.g., Slack, MS Teams), whistleblower channels, etc.

DCF-11

Periodic Access Reviews

Upload documentation of the most recent user access and permissions review.

Example: Screenshots of the user lists and permissions reviewed; evidence of sign-offs or approvals by at least two individuals (segregation of duties, or SoD); documentation of any changes requested; and evidence that the requested changes were implemented. The scope of the review should be discussed with your auditor, as different auditors may have different expectations (based on the scope of the assessment, relevant framework(s), etc.).

Auditors will generally require the following:

  • Evidence of the review inputs: What artifacts were reviewed? (e.g., screenshots of user lists with permissions).

  • Evidence that segregation of duties was maintained: For example, two individuals sign off on the review so no reviewer is approving their own access.

  • Confirmation that identified changes were implemented: For example, tickets documenting account removals, updated user lists showing modifications in permissions, etc.

Auditors generally expect these review activities to be done at least annually, with quarterly frequency being the most common. They may also expect the user access review to include a review of physical access rights, if applicable (e.g., reviews of active personnel in the badge system, etc.).

Note: For many controls, auditors may request a complete population of applicable items (e.g., users, assets, vendors) and select a sample for evidence review. One example may not be sufficient unless explicitly agreed upon in scope.

DCF-16, DCF-17

Risk Assessments Results (Periodic Risk Assessment, Risk Treatment Plan)

Upload documentation of the most recent risk assessment activities performed (e.g., risk register, risk treatment plan) in accordance with company policies and compliance requirements.

The risk assessment drives the selection of controls to be implemented; therefore, a thorough risk assessment is necessary to ensure the selection of controls is appropriate and sufficient to mitigate the risks that threaten the organization's ability to achieve its goals and objectives.

DCF-17

Risk Treatment Plan

Upload documented remediation plans for risks identified during the risk assessment.

DCF-19

Penetration Tests

Upload evidence of the most recent penetration testing activities.

Example: Report(s) of the most recent penetration test(s) performed by a third-party or internal resource, showing the scope and results of the assessment; evidence of the internal tracking and remediation of findings (e.g., internal tickets, change documentation), etc.

Auditors will generally evaluate the penetration testing activities against policy requirements (e.g., documentation of justification for vulnerabilities found by the pen testers accepted as risks or deemed non-exploitable, exploitable vulnerabilities resolved within company-defined SLAs, etc.).

Penetration tests should be conducted at least annually or after significant changes to the environment.

DCF-20

Asset Inventory

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases).

2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure.

Note: For many controls, auditors may request a complete population of applicable items (e.g., users, assets, vendors) and select a sample for evidence review. One example may not be sufficient unless explicitly agreed upon in scope.

DCF-22

Network Diagram

Upload evidence of your current network diagram(s) and evidence of updates/reviews within the past year for accuracy (e.g., emails from responsible personnel confirming the accuracy and completeness of the network diagram(s), etc.).

A network diagram is defined as a representation of system components and boundaries, as well as connections within a networked environment.

DCF-26

BCP/DR Tests

Upload evidence of your most recent business continuity and/or disaster recovery test.

Example: Documentation of the activities performed, results, and lessons learned; calendar invites showing participants and dates, etc.

DCF-29

Incident Response Team

Upload evidence of your documented roles and responsibilities for incident response.

Example: Documentation of your internal incident response processes and procedures, outlining the roles and responsibilities for incident management, such as:

  • Incident managers

  • Incident handlers

  • Communication coordinators

  • Advisors

DCF-30

Incident Response Lessons Learned Documented

For example, for a security event that was deemed an incident, you can provide the incident documentation, including:

  • Evidence of internal tracking (such as internal ticket)

  • Root-cause analysis (RCA) or post-mortem

  • Lessons learned

DCF-46, DCF-179

Formal Screening Process

Upload evidence of the formal interview/recruitment process for a recently hired employee.

Example: Calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials, etc.

Note: For many controls, auditors may request a complete population of applicable items (e.g., users, assets, vendors) and select a sample for evidence review. One example may not be sufficient unless explicitly agreed upon in scope.

DCF-56, DCF-132

Vendor Agreement

Upload an example of an executed agreement with a vendor or service provider.

DCF-57

Vendor Compliance Monitoring

1. Screenshots from the vendor directory showing that vendors are categorized based on impact/risk.

-and-

2. Review documents showing that vendors' SOC2 reports were reviewed (Drata can provide a review template for this).

DCF-60

Secure Password Storage

If username and password authentication is required, screenshots from the database showing that passwords are stored as salted hashes.

DCF-62

Session Termination

Upload evidence of automated logoff for relevant systems/applications. For example:

1. Screenshots of users being logged out of the application when the browser/tab is closed and being forced to re-authenticate upon the next login.

2. Screenshots showing that a user is logged out after a predefined inactivity timeout and is forced to re-authenticate upon the next login (including application messages, parameters in the application code defining the inactivity period, etc.).

Relevant systems may include company-developed web applications and any system or application in use that allows for configuration of automated logoffs. If applicable, discuss scope with your chosen auditor.

DCF-69

Access Provisioning

Upload an example record of access request and approval for a user to be granted permission to a system.

Example: An access request ticket with documented approval from the system owner or manager, etc. A process to request and approve user accounts and permissions must be in place.

Auditors may request evidence of new hire access requests as well as requests for changes in permissions for existing users (e.g., transfers, new administrative users, additional permissions to specific resources such as databases or repositories).

DCF-72

Root Access Control

Upload evidence showing that root password authentication to production resources (e.g., virtual machines, containers, etc.) is disabled.

Example: Screenshots of infrastructure as code configurations showing that password login has been disabled for root.

DCF-76

Critical Change Management

For a hot fix or emergency change, upload evidence to show that the change followed the standard change management process (reviews, testing and approval) or that it was reviewed and approved by an authorized individual after implementation.

Example: Screenshots or exports of pull requests/merge requests showing change control, documentation such as internal tickets or emails showing post-implementation review and approval, etc.

DCF-91

Intrusion Detection/Prevention System

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center, or equivalent monitoring tool showing that the service is enabled.

-and-

2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.

-and-

3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-92

Encrypted Remote Production Access

Upload evidence that remote access to production resources is only available through an encrypted connection.

Example: Screenshot showing access to production servers or databases is not available if a user is not connected to the internal network via encrypted VPN.

DCF-100

Backup Restore Testing

Upload evidence of your most recent test restore of backed-up data completed within the past year.

Example: Documentation of the backup restoration process showing steps taken and associated evidence, results, date completed, etc. The evidence should include the steps taken to restore the data from a backup and validation of the completeness and accuracy of the restored data.

DCF-103, DCF-253

Customer Data Deletion Upon Termination

For a recently churned customer, upload evidence showing that customer data disposal was conducted in accordance with the contractual agreements with the customer.

Example: Screenshots of logs showing data was disposed of; screenshots from production resources such as storage buckets and databases showing customer-specific resources were decommissioned, etc.

Upload the agreement with the former customer to show the specific data disposal requirements and commitments.

Contractual agreements may specify a time window for data disposal (e.g., within 30 days of termination of services). Customer offboarding processes should include steps to ensure data disposal is conducted in accordance with the contractual agreements.

DCF-104

Test Data

Upload evidence showing that production data is not used in testing, staging or other lower environments.

Example: Screenshots from testing databases showing mock data is used, data anonymization or mock data generation scripts, etc.

DCF-105, DCF-763

Personnel Non-Disclosure Agreements (NDA)

Upload an example executed agreement addressing confidentiality with recently hired employees (e.g., NDA, PIIA, employment agreement including confidentiality clauses, etc.).

DCF-106

Clean Desk and Clear Screen Policies and Procedures

1. Acceptable Use Policy.

-and-

2. Acknowledgement of the Acceptable Use Policy (if applicable).

DCF-107

Disposal of Sensitive Data on Paper

Observation of the disposal of hard copy material.

Note: This can be performed by auditors on-site, or via virtual meeting.

DCF-108

Secure Storage Mechanisms

Pictures of secure storage bins from office locations.

DCF-109, DCF-253, DCF-390, DCF-619

Disposal of Sensitive Data on Hardware

Upload evidence for one instance of data disposal on hardware showing that data was disposed securely.

Examples: One example certificate of destruction of hardware; screenshots showing that hard drive data on an endpoint were wiped prior to reuse of the device, etc.

DCF-112

Notice and Acknowledgement of Privacy Practices

Upload screenshots of the account sign-up process for your system or application(s) showing users are required to accept the privacy policy/notice prior to using the system.

DCF-120

Periodic Review of Privacy Policy

For any recent changes to the public privacy policy, upload evidence showing customers were notified of such changes (example: screenshots of email notifications sent to customers notifying them of changes to the privacy policy, etc.) and that the privacy policy includes the date it was last updated (example: screenshot or export of the public privacy policy showing the last update date).

DCF-123, DCF-253

Procedures for Information Disposal

Upload your documented procedures for the erasure or destruction of information that has been identified for disposal.

DCF-132

Privacy and Security Requirements in Third-Party Agreements

Upload executed agreements (such as Data Processing Agreements, Business Associate Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data.

DCF-135

Notification of Incidents or Breaches

For one example security incident or breach, upload evidence showing that notification of the incident or breach was given to affected parties and authorities (as applicable) in accordance with company policies and procedures and contractual and legal obligations.

DCF-137

Data Entry Field Completion Automated

Upload screenshots of a user entering information into the application to confirm that edit checks are included in fields.

DCF-149

Removable Media Device Encryption

If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.

DCF-150

Data Loss Prevention (DLP) Mechanisms

Upload evidence of the data leakage prevention (DLP) measures implemented in the organization (e.g., screenshots of DLP rules implemented in corporate email service, configurations from DLP tools in place, etc.).

DCF-152

Automated Security Updates

Upload evidence showing that automated mechanisms have been implemented to install security upgrades to operating systems (e.g., screenshots showing unattended upgrades, `apt-get update` / `apt-get upgrade` steps within infrastructure as code configuration files, screenshots of the management console for patch management tools such as Automox, etc.).

DCF-154

Incident Response Test

Upload evidence of your most recently completed incident response test. Incident response testing is typically expected annually or more frequently based on risk or regulatory requirements.

Example: Documentation of the activities performed, results, and lessons learned; calendar invites showing participants and dates, etc.

DCF-155

Testing of Changes

Upload screenshots from the ticketing system for a few changes showing that changes were tested.

DCF-156

Change Releases Approved

For an example change release, upload evidence showing that the release was approved by authorized personnel prior to deployment to production (e.g., screenshot of a pull request/ticket showing approval for a release candidate by authorized personnel).

DCF-161

Management System Scope

Upload your ISMS Plan showing the defined scope of the management system. The ISMS scope should include:

  • Boundaries (e.g., business units, technologies, locations)

  • Justifications for any exclusions

  • Alignment with the organization's context and stakeholder expectations (Clause 4.1 and 4.2)

DCF-162

Statement of Applicability

If not managed within Drata's Policy Center (we have a template for the SoA embedded in the ISMS plan template), upload your Statement of Applicability (SoA) in conformance with ISO requirements.

The Statement of Applicability defines the controls deemed necessary by the organization as a result of the risk assessment to implement the risk treatment plan. It is possible for an organization to design its own necessary controls or to select them from any source, including ISO standards.

The Statement of Applicability's version and date will be included in your certificate of registration.

Auditors will expect to see justification for any excluded Annex A controls. These decisions should align with your risk assessment results and the defined risk treatment plan.

DCF-163

Interested Parties and Legal Requirements

ISMS Plan (2022), AI Governance Policy.

DCF-164

Management System Management Review

Upload evidence of your most recent documented management review for your ISO management system(s).

As outlined in the management system standards, the organization must perform management reviews at periodic intervals. The reviews must address all requirements outlined in the ISO standard, and the inputs and outputs of the management review must be documented.

DCF-165

Periodic Independent Assessments

Upload evidence showing the organization performs internal audits at planned intervals as required by ISO to confirm that the management system(s) conforms to the organization's requirements and the referenced standards, and is effectively implemented and maintained (e.g., documentation of the most recent internal audit program(s) and report(s) of audit results for the management system(s), etc.). Internal audits must be performed at planned intervals, typically annually, and must cover the full scope of the ISMS.

DCF-166

Business Continuity Plan

Business Continuity Plan.

DCF-167

Business Impact Analysis

Business Impact Analysis (typically part of the business continuity plan).

DCF-168

Vendor Management Policy

Vendor Management Policy.

DCF-170

Management System Objectives

Information Security Policy, ISMS Plan (2022).

DCF-171

Documented Operating Procedures

This will be a part of your ISMS policy.

DCF-173

Employment Terms & Conditions

For one example employee, provide executed employment contracts/agreements outlining the terms and conditions of employment as well as responsibilities during and after employment (e.g., duty of confidentiality, return of assets, protection of intellectual property, etc.).

DCF-175

Communications Plan

ISMS Plan (2022)

DCF-176

Measurement and Monitoring Plan

This will be a part of your ISMS policy.

DCF-178

Record Management and Control

1. Evidence showing that policy documents are version controlled.

-and-

2. Change log of the ISMS policy document.

DCF-179

Competence Records

1. Upload documented job descriptions for both a recently hired employee and an existing employee.

-and-

2. Upload evidence of the formal interview/recruitment process for a recently hired employee (such as calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials).

-and-

3. Upload an example of a completed performance evaluation for a sample employee performed within the past year showing components of the evaluation process (such as self-reviews, peer-reviews, manager-reviews).

-and-

4. Upload evidence for an example staff member with assigned roles within the management system(s) showing that they have the necessary competence to fulfill their duties on the basis of appropriate education, training, or experience.

Note: Example evidence may include, but is not limited to:

- records of education, certifications, and professional credentials

- records of training programs, courses and educational activities

- records of actions taken to acquire and retain the necessary competence as it relates to the management system

DCF-180

Secure Information Transfer

Data Protection Policy.

DCF-182

Asset Management Policy

Asset Management Policy.

DCF-184

Management System Plan

ISMS Plan (2022).

DCF-185

Threat Intelligence

1. Completed Threat Assessment Plan contained within Appendix A of the Security version of the Risk Assessment Policy and Appendix C in the Privacy version of Risk Assessment Policy.

- and -

2. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security issues.

- and -

3. Evidence demonstrating that threats are being assessed according to the defined Threat Assessment Plan.

DCF-186

Data De-identification

1. Data Classification Policy

- and -

2. Data Protection Policy

DCF-188

Communication with Advisories and Special Interest Groups

Upload evidence showing that the organization and members of management maintain contact with special interest groups (e.g., security groups, privacy groups, etc.). For example, screenshots or exports showing members of management receive newsletters and updates from professional association groups, email alerts from security advisories such as CISA, participation in conferences, threat advisories, etc.

DCF-229

Vendor Default Accounts Disabled, Removed or Changed

1. Any policy or procedures documenting a requirement stating that ALL vendor supplied default account information must be changed.

-and-

2. Screenshots showing that vendor default accounts have been removed, had their default configurations changed, or are disabled.

DCF-253

Data Secure Disposal

Policies and procedures for data disposal.

DCF-271

Key Storage Locations Limited

Upload evidence of where your organization stores cryptographic keys.

Example: Screenshot from the console of your infrastructure provider's key management service.

DCF-273

Strong Key Generation Policies and Procedures

1. Documented key management procedures which specify how to generate strong cryptographic keys.

2. Screenshots showing the strong cryptographic key generation process.

DCF-284

Key and Certificate Validation

1. Documented policies and procedures which specify processes for accepting only trusted keys and certificates (Encryption Policy).

2. Screenshots showing that keys and certificates used in the environment are trusted.

DCF-293

Anti-Malware Capabilities and Automatic Updates

Upload evidence showing that the deployed anti-malware solution is kept up-to-date through automatic updates and is configured to detect, and then remove, block, or contain, all known types of malware.

Example: Screenshots from the anti-malware solution console showing configurations for automated updates and detection and containment actions.

DCF-294

Anti-Malware Tools Behavior

Upload screenshots from your anti-malware console showing that it is configured to perform both periodic scans and active real-time scans (e.g., scanning files from external sources as they are downloaded, opened, or executed). Alternatively, show that it performs continuous behavioral analysis of systems or processes.

DCF-305

Production Components Change Control Procedures

For a non-software development change, upload documentation showing that the change was implemented in accordance with your formal change management policies and procedures. For example, documentation of change description, justification, evaluation of security requirements and impact, approval by authorized parties, rollback procedures, etc., and records of testing (for example, acceptance and security impact testing).

Examples of changes include: infrastructure, network, configuration changes, etc.

DCF-312

Secure Code Development Training

Upload evidence of secure code development training completed by a member of personnel within the past year.

Example: Training materials (e.g., videos, presentations, agendas) outlining the topics covered, along with a record of completion for one employee.

The secure code development training program may be implemented through a third party or conducted internally (e.g., a team session led by engineering leadership).

DCF-350

Password History Enforcement

Upload evidence showing that system configuration settings are in place to prevent password reuse, in alignment with company policy and applicable compliance requirements for relevant systems.

Example: Screenshots demonstrating password history enforcement settings for relevant systems. Note that not all systems may support this as a configurable feature.

Relevant systems may include your cloud infrastructure provider, code repositories, identity provider, password vaults, VPN clients, or systems storing customer data (e.g., database-as-a-service). Scope may vary – discuss scoping with your chosen auditor.

DCF-352

Unique First-time Passwords With One-Time Use

Upload evidence showing that, for organization systems, passwords are set to a unique value for first-time use and upon reset, and that temporary initial passwords must be changed immediately after the first use.

Example: Screenshots of system configurations or a walkthrough of the password reset process demonstrating this behavior.

DCF-356

Communication of Authentication Best Practices

1. Screenshots showing where employees can access policies and procedures related to authentication.

2. Documented authentication policies and procedures that include the following:

  1. Guidance on selecting strong authentication credentials

  2. Guidance on how users should protect their authentication credentials

  3. Instructions not to reuse previously used passwords

  4. Instructions to change passwords if they are suspected to be compromised

DCF-363

Entry Controls in Place

For each computer room, data center, and other physical areas which contain systems:

  • Pictures showing that access is controlled through badge readers, physical locks, or other access control mechanisms (e.g., authorized badges, lock and key).

  • Screenshots or a video showing an administrator’s attempt to log into system consoles, confirming that the systems are “locked” to prevent unauthorized access.

DCF-365

Secure Physical Access Control Mechanisms

Pictures showing how video cameras and/or access control mechanisms are physically protected from tampering or being disabled.

DCF-369

Restricted Physical Access to Network Components

Evidence showing that physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within company facilities is restricted.

DCF-374

Visitors Authorized and Escorted

Observation of a visitor being escorted when entering company facilities.

Note: This observation should be conducted by the auditor either during an on-site visit or via a live virtual meeting.

DCF-375

Personnel and Visitor Badges

Observation of a visitor obtaining a visitor badge, along with an example of the badge issued.

Note: This observation should be conducted by the auditor either on-site or via a live virtual meeting.

DCF-378

Visitor Log

Upload evidence demonstrating that a visitor log is maintained to track visitor activity in company facilities, computer rooms, or data centers where sensitive data may be stored or transmitted.

Example: A scan or photo of the visitor log from a typical day.

DCF-381

Media Physically Secured or Encrypted

Upload documented policies and procedures related to the physical security of all media, including computers, removable media, paper receipts, paper records, and faxes.

DCF-384

Media Classification

Screenshots and/or pictures showing how media is classified including labels showing data sensitivity.

DCF-385

Media Transferred Securely

1. Documented procedures for media transfer that define acceptable methods for transferring information, including the use of authorized couriers and requirements for tracking media transfers.

-and-

2. Screenshots or documentation showing how media transfers are logged.

-and-

3. Evidence of a recent media transfer, showing that tracking information was recorded in accordance with the documented procedures.

DCF-386

Management Approval for Media Transfer

Documentation from a recent media transfer (including media distribution to individuals) showing that the transfer was approved by an authorized member of management.

DCF-388

Media Inventory Logs

If your organization manages electronic media containing sensitive data, upload evidence of your media inventory.

Maintaining an up-to-date inventory and proper storage controls is essential – without them, lost or stolen media could go undetected indefinitely.

DCF-390

Media Destruction

Documented policies and procedures for secure media destruction.

-and-

Where possible, evidence of implementation (e.g., disposal logs, certificates of destruction from vendors, or screenshots of decommissioning processes).

DCF-406

Audit Logging

Screenshots showing that audit trails are enabled and active for in-scope systems.

DCF-407

Audit Logs Data Points

Upload evidence showing that audit logs are configured to capture: user or identity, type of event, date and time, success or failure indication, origination of event, affected data, and system component, resource, or service.

Example: Screenshot or export of a sample log showing the relevant attributes.

By recording these details for the auditable events, a potential compromise can be quickly identified, with sufficient detail to facilitate follow-up on suspicious activities.

DCF-409

Audit Trail for Privileged Access

Upload evidence showing that audit trails or logs are implemented for system components to capture all actions taken by any identities with administrative access, including execution of privileged functions and any interactive use of application or system accounts.

Example: Screenshot or export of a sample log showing the relevant log contents.

Because accounts with elevated privileges (e.g., “administrator” or “root”) can significantly impact system security and operations, maintaining detailed logs is critical. Without them, it's difficult to trace issues back to specific actions or users in the event of error or misuse.

DCF-411

Audit Trail for Invalid Access Attempts

Upload evidence showing that audit trails or logs are implemented for system components to capture invalid access attempts.

Example: Screenshot or export of a sample log showing the relevant log contents.

Malicious individuals will often perform multiple access attempts on targeted systems. Repeated failed attempts may indicate brute-force activity or other malicious behavior targeting your systems.

DCF-412

Audit Trail for Identification and Authentication Mechanism Changes

Upload evidence showing that audit trails or logs are implemented for system components to capture changes to identification and authentication credentials (e.g., creation of new accounts, elevation of privileges, changes, additions, or deletions to accounts with administrative access, etc.).

Example: Screenshot or export of a sample log showing the relevant log contents.

Logging changes to authentication credentials (including elevation of privileges, additions, and deletions of accounts with administrative access) provides residual evidence of activities. Malicious users may attempt to manipulate authentication credentials to bypass them or impersonate a valid account.

DCF-414

Audit Trail of System-Level Object Changes

Upload evidence showing that audit trails or logs are implemented for system components to capture all creation and deletion of system-level objects.

Example: Screenshot or export of a sample log showing the relevant log contents.

Malicious software, such as malware, often creates or replaces system-level objects on the target system to control a particular function or operation on that system. By logging when system-level objects are created or deleted, it will be easier to determine whether such modifications were authorized.
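One way to check an exported log sample against these requirements before attaching it as evidence (an added example, not Drata's code or tooling): the JSON field names, the event_type values, and the sample records below are constructed assumptions that you would map onto your own log schema. It covers the DCF-407 record attributes and the event categories required by DCF-409 through DCF-414 in one pass.

```python
"""Validate a JSON-lines audit log export against the attributes DCF-407 lists
and the event categories DCF-409 to DCF-414 expect to be captured."""
import json
from typing import Dict, List

# Attributes DCF-407 says every audit record must carry. The JSON field names
# are assumptions; map them to whatever your log source actually emits.
REQUIRED_FIELDS = {
    "user": "user or identity",
    "event_type": "type of event",
    "timestamp": "date and time",
    "outcome": "success or failure indication",
    "source": "origination of event",
    "target": "affected data, component, resource or service",
}

# Event categories the audit-trail controls expect, mapped to the (assumed)
# event_type values a log source would use for them.
REQUIRED_CATEGORIES = {
    "DCF-409 privileged actions": {"sudo_exec", "admin_console_cmd"},
    "DCF-411 invalid access attempts": {"login_failure"},
    "DCF-412 credential or privilege changes": {
        "account_create", "account_delete", "privilege_elevation"},
    "DCF-414 system-level object changes": {
        "system_object_create", "system_object_delete"},
}

# Constructed sample export (JSON lines); not real log data. Record 5 lacks a
# source address, record 6 has empty user and outcome fields, and no record
# shows a system-level object change.
SAMPLE_LOG = """\
{"timestamp": "2024-05-07T10:01:12Z", "user": "alice", "event_type": "login_failure", "outcome": "failure", "source": "203.0.113.5", "target": "sso-portal"}
{"timestamp": "2024-05-07T10:02:40Z", "user": "alice", "event_type": "login_success", "outcome": "success", "source": "203.0.113.5", "target": "sso-portal"}
{"timestamp": "2024-05-07T10:05:03Z", "user": "bob", "event_type": "sudo_exec", "outcome": "success", "source": "10.0.4.21", "target": "web-01:/usr/bin/systemctl"}
{"timestamp": "2024-05-07T10:06:55Z", "user": "bob", "event_type": "privilege_elevation", "outcome": "success", "source": "10.0.4.21", "target": "iam:user/carol"}
{"timestamp": "2024-05-07T10:07:10Z", "user": "carol", "event_type": "account_create", "outcome": "success", "target": "iam:user/dave"}
{"timestamp": "2024-05-07T10:09:31Z", "user": "", "event_type": "sudo_exec", "outcome": "", "source": "10.0.4.22", "target": "db-01:/bin/bash"}
"""


def parse_records(text: str) -> List[dict]:
    """Parse a JSON-lines export, skipping blank lines and failing loudly on
    malformed ones so a truncated export is not mistaken for valid evidence."""
    records = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {line_no}: not valid JSON ({exc.msg})") from exc
    return records


def missing_fields(record: dict) -> List[str]:
    """Return the DCF-407 attributes that are absent or empty in one record."""
    return [name for name in REQUIRED_FIELDS
            if name not in record or record[name] in ("", None)]


def check_audit_export(text: str) -> Dict[str, object]:
    """Report incomplete records (by 1-based record number) and whether each
    required event category appears at least once in the export."""
    records = parse_records(text)
    incomplete = {}
    for idx, rec in enumerate(records, start=1):
        gaps = missing_fields(rec)
        if gaps:
            incomplete[idx] = gaps
    seen_types = {rec.get("event_type") for rec in records}
    coverage = {control: bool(seen_types & types)
                for control, types in REQUIRED_CATEGORIES.items()}
    return {"records": len(records), "incomplete": incomplete, "coverage": coverage}


def format_report(result: Dict[str, object]) -> str:
    """Render the check result as the short summary you would attach alongside
    the screenshot or export."""
    lines = [f"records checked: {result['records']}"]
    for idx, gaps in sorted(result["incomplete"].items()):
        labels = ", ".join(REQUIRED_FIELDS[g] for g in gaps)
        lines.append(f"record {idx}: missing {labels}")
    for control, ok in result["coverage"].items():
        lines.append(f"{control}: {'covered' if ok else 'NOT covered'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_audit_export(SAMPLE_LOG)))
```

A gap in the coverage section means the export does not demonstrate that category of event is being logged at all, which is a different finding from a record missing an attribute.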

DCF-421

Clock Synchronization

Upload evidence showing that the organization synchronizes clocks and system time across all critical systems using time-synchronization technology, such as Network Time Protocol (NTP).

DCF-422, DCF-423, DCF-424

System Time Source

Upload evidence showing that internal systems receive time information only from designated central time server(s), which are configured to sync with industry-accepted external sources based on International Atomic Time or Coordinated Universal Time (UTC).

If there is more than one designated time server, upload evidence showing that the time servers peer with one another to keep accurate time.

DCF-429

Limited Access to Audit Trails

Upload evidence of the users with elevated access to log systems and log data.

Example: Screenshots of the users with administrative or privileged access to log systems and log data.

DCF-430

Audit Trail Files Protected

Screenshots or pictures showing that audit trails are protected from unauthorized access, modification, or deletion.

Protection methods may include access control mechanisms, physical segregation, and/or logical network segregation.

DCF-434

Policies and Procedures for Logging

Logging and Monitoring Policy.

DCF-441

Audit Log Retention Period

Upload evidence of your configured retention periods for audit logs.

Example: Screenshots from logging systems that display the log retention settings.

DCF-478

Change Detection Mechanism

1. Screenshots from the change detection solution (e.g., File Integrity Monitoring) and relevant change detection system configurations showing what is monitored.

2. Documented list of files which are monitored by the change detection solution.

DCF-503

Multiple Methods for Security Awareness

Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (e.g., screenshots of internal newsletters or intranet pages with security reminders, security updates sent out via Slack or other internal communication channels, etc.).

DCF-507

Vendor Due Diligence

Before engaging with any new service provider or vendor, you must perform due diligence to evaluate their security posture. This may include reviewing completed security questionnaires or verifying the presence of relevant compliance certifications (e.g., SOC 2).

You should document the results of the due diligence process, including the date it was completed.

DCF-527

Designated Data Protection Officer

Upload evidence showing that a data protection officer has been officially appointed (e.g., internal privacy policies, a RACI matrix, job descriptions, or other documentation identifying the data protection officer).

Additionally, upload evidence showing that a mechanism to contact the data protection officer is communicated to users/data subjects (e.g., screenshots of the online privacy policy showing that an email address for the data protection officer is provided, etc.).

DCF-557

Shared Account Management

For any highly privileged shared accounts, upload evidence of the business justification and evidence of how these shared accounts are securely managed.

Example: Documentation of the business purpose of the shared account(s) with management approval, and screenshots showing how the shared accounts are securely managed (e.g., use of password vaults with access restricted to authorized personnel, etc.).

DCF-558

Restrictions on Software Installation

Upload evidence showing that the organization has implemented mechanisms to prevent the installation and execution of unauthorized software on company-managed assets.

Example: Screenshots from MDM or endpoint management tools showing enforced rules that block unauthorized software installation, or access controls that restrict the ability to run executables on company devices, etc.

DCF-562

Management of Utility Programs

1. Any documented procedures covering who can access utility programs (e.g., admin consoles for antivirus tools, MDM solutions, and logging systems).

- and -

2. A current list of users with access to those utility programs.

DCF-566

Management of Nonconformities

Upload evidence showing that your organization is managing nonconformities in accordance with ISO requirements.

Examples: A nonconformity tracker, internal tickets used to track issues to resolution, or other documentation showing corrective actions taken, etc.

ISO defines nonconformities as the “non-fulfillment of a requirement.” These requirements may stem from ISO standards, internal policies, or procedures. Nonconformities can be identified through various sources, including internal or external audits, personnel reports, or continuous monitoring.

In accordance with Clause 10 of ISO management system standards, when a nonconformity is identified, your organization must:

  • Review the nonconformity

  • Perform a root cause analysis

  • Implement necessary corrective actions

  • Evaluate the effectiveness of those actions

You must also retain documented evidence of:

  • The nature of the nonconformity

  • Actions taken

  • The results of corrective actions

DCF-567

Change Management Policy

Change Management Policy.

DCF-569

Information Labeling

Data Protection Policy and Data Classification Policy.

DCF-570

Disciplinary Process

Upload your company's documented disciplinary process. The disciplinary process may be an HR-owned process available and communicated to employees through an employee handbook or code of conduct, or it may be included within information security policy documentation.

Note: This evidence should not be confused with disciplinary procedures for general performance issues or misconduct such as harassment. This specifically pertains to disciplinary actions for breaches of information security policies or violations of security requirements.

A formal disciplinary process should outline a graduated response based on factors such as:

  • The nature and severity of the breach (who, what, when, how, and consequences)

  • Whether the violation was intentional (malicious) or unintentional (accidental)

  • Whether it was a first-time or repeated offense

  • Whether the individual received adequate training on the relevant policies

The disciplinary response must also account for legal, regulatory, contractual, and business obligations. It should serve not only to address violations but also as a preventive and deterrent measure to discourage future breaches by personnel or other relevant parties.

In cases of deliberate violations, immediate actions may be warranted.

DCF-571

Fire Detection and Suppression

1. Observation of fire detection and suppression systems installed in critical locations (e.g., data centers, server rooms).

Note: This observation should be conducted by the auditor either on-site or via a live virtual meeting.

2. Upload evidence of ongoing maintenance for fire detection and suppression systems, such as maintenance logs, inspection reports, or service agreements with vendors.

DCF-572

Temperature Monitoring Systems

1. Observation of systems in place to monitor and control air temperature and humidity at appropriate levels in critical areas (e.g., server rooms, data centers).

Note: This observation should be conducted by the auditor either on-site or via a live virtual meeting.

2. Upload evidence of ongoing maintenance for environmental control systems, such as maintenance logs, calibration records, or service reports.

DCF-573

Uninterruptible Power Supply

1. Observation of uninterruptible power supply (UPS) systems installed in data centers or server rooms to ensure continuity of power.

Note: This observation should be conducted by the auditor either on-site or via a live virtual meeting.

2. Upload evidence of ongoing maintenance for UPS systems, such as maintenance logs, inspection reports, or service records from vendors.

DCF-574

Mobile Device Management Software

Upload evidence to show that a Mobile Device Management (MDM) solution has been implemented to enforce security controls on mobile devices.

Examples: Screenshots from the MDM’s centralized management console, baseline configuration settings, or enforced security policies/blueprints by device OS type.

DCF-611

Obscured Authentication Feedback

Upload a screenshot of the user interface during the authentication process to show that authentication feedback is hidden. For example, password entry fields should display masked characters (e.g., asterisks or dots) to prevent visible disclosure.

DCF-619

Media Sanitization

For a sample of media sanitization and disposal actions, upload evidence showing that each sample was reviewed, approved, tracked, and documented in accordance with company policies and procedures.

DCF-637

Secure Development Process

Upload documentation of your organization's secure development processes.

Example: Internal wikis, process documents, or guidelines that reference industry standards and best practices for secure development. Documentation should include security requirements (e.g., secure authentication, logging), and demonstrate how information security is considered at each stage of the software development life cycle (SDLC).

DCF-678

Network Security Policy

Network Security Policy.

DCF-681

Phishing Simulations

Upload evidence showing phishing simulations are conducted as part of the organization's security awareness initiatives.

Example: Screenshots of phishing simulation campaign configurations, dashboards displaying campaign results, or examples of simulated phishing emails used during the exercises, etc.

DCF-684

Redundancy of Processing

Upload evidence demonstrating that redundancy strategies have been implemented for equipment, systems, and processes, as defined in the organization's business continuity plans.

DCF-687

Email Protection Mechanisms

Upload evidence showing that phishing and spam detection mechanisms have been implemented in your organization.

Example: Screenshots of email authentication settings such as SPF, DKIM, and DMARC configurations.

DCF-688

Return of Assets

For one recently terminated personnel, upload evidence showing that assets were returned to the company.

Examples: Screenshots of offboarding checklists or internal tickets tracking the return of devices, badges, tokens, etc., upon termination, as well as evidence of pre-paid return labels and tracking details for remote personnel.

DCF-689

On-Call Team

Upload evidence of your organization’s on-call rotation schedule.

Example: Screenshots from PagerDuty or an equivalent tool showing the on-call schedule and assigned team members.

DCF-694

Use of Unencrypted Portable Storage

For any unencrypted physical media and/or portable devices in use, upload evidence of a documented business justification and formal approval from management.

DCF-698

Automated Mechanisms for Audit Log Reviews

Screenshot of the configuration from your audit log review solution, such as a centralized log management system, event log analyzer, or Security Information and Event Management (SIEM) platform, etc.

DCF-707

Credentials for System Accounts Not Hard-Coded

Upload evidence showing that the organization has implemented mechanisms to validate that authentication credentials for any application and system accounts are not hard-coded in scripts, configuration/property files, or bespoke and custom source code.

Example: Screenshots from source code repositories showing secret scanning is integrated into the CI/CD pipeline.

DCF-708

Software and Third-Party Libraries Inventory

Upload evidence of your organization's software and third-party libraries inventory (i.e., Software Bill of Materials, or SBOM).

Example: Screenshots from software composition analysis tools displaying the SBOM, including identified components and dependencies.

DCF-712

Static Application Security Testing

Upload evidence that Static Application Security Testing (SAST) is performed as part of the software development process.

Example: Screenshots from the CI/CD pipeline showing that SAST scans automatically run on code commits, or screenshots of configurations and dashboards from SAST tools (e.g., SonarCloud, Checkmarx, Veracode).

DCF-741

Logging and Monitoring Policy

Logging and Monitoring Policy.

DCF-744

Contact with Authorities

Upload evidence of incident response procedures, playbooks, or documented communication plans demonstrating that your organization has:

  • Identified and documented the authorities to be contacted (e.g., law enforcement, regulatory bodies, supervisory authorities)

  • Defined the events or circumstances that would trigger communication

  • Outlined the methods and responsibilities for communication with those authorities

Maintaining these contacts supports effective incident response, business continuity, and compliance with regulatory obligations. It also helps the organization stay informed about relevant legal or regulatory changes.

DCF-745

Segregation of Duties

Upload evidence showing that your organization has identified conflicting duties and areas of responsibility that require segregation, and has implemented mechanisms to enforce segregation of duties.

Your organization should assess roles and responsibilities to reduce the risk of fraud, error, or circumvention of information security controls. Examples of duties that may require segregation include:

  • Initiating, approving, and executing changes

  • Requesting, approving, and implementing access rights

  • Initiating and approving transactions

  • Using applications while also administering databases

It is recommended that your organization’s approach to segregation of duties be formally documented. This should include:

  • A list of activities or functions that require segregation

  • How segregation is achieved (e.g., through role-based access control, separate approval workflows, or assignment to different personnel)

  • Any compensating controls in place where full segregation is not feasible

DCF-748

Segmentation of Networks

Upload evidence showing that network segmentation or other techniques are used to split the network into security boundaries and to control traffic between them based on business and security needs.

DCF-749

Leak Detection System

Observation of leak detection systems at critical facilities.

Note: This observation should be conducted by the auditor either on-site or via a live virtual meeting.

DCF-760

Control of Audit Activities

Upload evidence showing that audit requirements and activities involving verification of operational systems are planned and agreed upon by management to minimize disruptions to business processes and security risks.

Examples: Screenshots or exports of communications and agreements with penetration test vendors discussing and agreeing on the scope of the test, access requirements, availability considerations, etc.

DCF-762

Managing Changes to Supplier Services

For a change to the provision of services by a vendor, provide documentation evidencing that review and due diligence activities were required and authorized by management.

Note: Auditors may request a complete population and select samples to verify this control.

DCF-763

Requirements for Protection of Intellectual Property Rights

Acceptable Use Policy.

DCF-775

Cloud Deletion Protection

Screenshots of the configuration enabled for deletion protection for cloud resources.

DCF-776

Principle of Least Privilege

For each in-scope system or application, upload the user access listing including assigned roles and permissions to demonstrate that the principle of least privilege has been applied.

DCF-777

Cloud Resource Tagging

Inventory listing with tags assigned.

DCF-779

Cryptographic Key Rotation

Upload evidence of cryptographic key rotation processes implemented in accordance with your organization's defined procedures.

Examples:

  • Screenshots of automated key rotation settings within a key management system

  • Tickets or documentation showing that manual key rotations are performed on a periodic basis

DCF-780

Web Filtering

Upload evidence showing that the organization has implemented web filtering mechanisms to enforce the company's internet usage policies.

Examples:

  • Screenshots of web filtering configurations showing blocked access to known malicious sites

  • Settings that restrict access to prohibited web resources in accordance with the organization’s acceptable use policy

DCF-781

Secure Login Procedures

For internally developed systems, upload evidence showing that access to the system is granted through a secure login procedure.

Examples: Screenshots of successful and failed login attempts on internally developed systems demonstrating any of the following:

  • No help messages are displayed that could assist an unauthorized user during login

  • Login credentials are validated only after all input fields are completed, with error messages that do not reveal which part of the data is correct or incorrect

  • Password input is masked (e.g., not displayed in plain text)
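The properties listed above, as an added example in Python that is not Drata's code: a leaky login function whose error messages reveal which field was wrong sits beside a hardened one that requires both fields before checking anything, returns one generic message on every failure, and records only the attempt and its outcome in a constructed in-memory audit trail. The user store, salt and PBKDF2 hashing scheme are assumptions made for the illustration.

```python
"""Leaky vs. uniform login responses (added illustration, not the page's code)."""
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid username or password."
AUDIT_TRAIL = []  # constructed in-memory stand-in for an audit log


def _hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed user store: username -> (salt, password hash). Assumed, not real.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}
# A dummy hash is checked when the username is unknown, so that unknown and
# known usernames take the same code path and do the same amount of work.
_DUMMY = (_SALT, _hash_password("placeholder-never-accepted", _SALT))


def _record(username, outcome):
    # Log who attempted and what happened; never the submitted password.
    AUDIT_TRAIL.append({"user": username or "<empty>", "outcome": outcome})


def login_leaky(username, password):
    """Counter-example: each message tells the caller which field was wrong."""
    if username not in USERS:
        return False, "Unknown username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Wrong password for this account."
    return True, "OK"


def login_uniform(username, password):
    """Hardened form: both fields must be present before any check runs, and
    every failure returns the same message, so the response does not reveal
    whether the username exists or how close the password was."""
    if not username or not password:
        _record(username, "incomplete")
        return False, GENERIC_ERROR
    known = username in USERS
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    if known and matches:
        _record(username, "success")
        return True, "OK"
    _record(username, "failure")
    return False, GENERIC_ERROR
```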

DCF-782

Cloud Storage Lifecycle

Upload evidence of any cloud storage lifecycle rules in place to delete data automatically after expiration of specified retention periods (e.g., screenshots from cloud storage showing configured expiration actions, etc.).

DCF-783

Credentials Rotation

Upload evidence of secret rotation processes implemented in accordance with defined company procedures (e.g., screenshots of automated secret rotation configurations in a secrets management system, tickets or other documentation showing that manual secret rotation processes are carried out periodically, etc.).

DCF-784

Software Composition Analysis (SCA)

Upload evidence to show that your organization checks software components and libraries for policy and license compliance, security risks, and supported versions.

Example: Screenshots showing that software composition analysis tools are used as part of your CI/CD pipeline to check for vulnerabilities in third-party libraries.

DCF-785

Secure Runtime Configurations

1. Asset Management Policy.

- and -

2. Screenshots of run configuration standards for in-scope applications and platforms.

DCF-789

Expectations of Interested Parties

ISMS Plan (2022).
