Following the ISO 27001:2022 updates as of 5/7/2024, this is the updated guidance for controls that are not automatically monitored in Drata. If you began your ISO 27001 compliance efforts prior to this update, you can still refer to the legacy help article here for additional context – or use both resources as needed.
Note: The examples below are illustrative only. Auditors may request additional or alternative forms of evidence based on your scope, risk posture, and implementation details.
Code | Name | Example Evidence |
DCF-7 | Separate Environments | Upload evidence showing separate environments exist for development, testing, staging, and production, as applicable.
Example: Screenshots of web environments showing different URLs; screenshots showing separate infrastructure such as different servers, databases, or networks for production and lower environments, etc. |
DCF-9 | Internal Communication Channels | Upload examples of internal communication channels for employees to report failures, events, incidents, concerns, and other issues.
Example: Screenshots of internal channels dedicated to security event reporting in messaging apps (e.g., Slack, MS Teams), whistleblower channels, etc. |
DCF-11 | Periodic Access Reviews | Upload documentation of the most recent user access and permissions review. Example: Screenshots of the user lists and permissions reviewed; evidence of sign-offs or approvals by at least two individuals (segregation of duties, or SoD); documentation of any changes requested; and evidence that the requested changes were implemented. The scope of the review should be discussed with your auditor, as different auditors may have different expectations (based on the scope of the assessment, relevant framework(s), etc.).
Auditors generally expect these review activities to be performed at least annually, with quarterly being the most common frequency. They may also expect the user access review to cover physical access rights, if applicable (e.g., reviews of active personnel in the badge system).
Note: For many controls, auditors may request a complete population of applicable items (e.g., users, assets, vendors) and select a sample for evidence review. One example may not be sufficient unless explicitly agreed upon in scope. |
DCF-16, DCF-17 | Risk Assessments Results (Periodic Risk Assessment, Risk Treatment Plan) | Upload documentation of the most recent risk assessment activities performed (e.g., risk register, risk treatment plan) in accordance with company policies and compliance requirements.
The risk assessment drives the selection of controls to be implemented; therefore, a thorough risk assessment is necessary to ensure the selection of controls is appropriate and sufficient to mitigate the risks that threaten the organization's ability to achieve its goals and objectives. |
DCF-17 | Risk Treatment Plan | Upload documented remediation plans for risks identified during the risk assessment. |
DCF-19 | Penetration Tests | Upload evidence of the most recent penetration testing activities. Example: Report(s) of the most recent penetration test(s) performed by a third-party or internal resource, showing the scope and results of the assessment; evidence of the internal tracking and remediation of findings (e.g., internal tickets, change documentation), etc.
Auditors will generally evaluate the penetration testing activities against policy requirements (e.g., documentation of justification for vulnerabilities found by the pen testers accepted as risks or deemed non-exploitable, exploitable vulnerabilities resolved within company-defined SLAs, etc.).
Penetration tests should be conducted at least annually or after significant changes to the environment. |
DCF-20 | Asset Inventory | 1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases).
2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure.
Note: For many controls, auditors may request a complete population of applicable items (e.g., users, assets, vendors) and select a sample for evidence review. One example may not be sufficient unless explicitly agreed upon in scope. |
DCF-22 | Network Diagram | Upload evidence of your current network diagram(s) and evidence of updates/reviews within the past year for accuracy (e.g., emails from responsible personnel confirming the accuracy and completeness of the network diagram(s), etc.). A network diagram is defined as a representation of system components and boundaries, as well as connections within a networked environment. |
DCF-26 | BCP/DR Tests | Upload evidence of your most recent business continuity and/or disaster recovery test. Example: Documentation of the activities performed, results, and lessons learned; calendar invites showing participants and dates, etc. |
DCF-29 | Incident Response Team | Upload evidence of your documented roles and responsibilities for incident response. Example: Documentation of your internal incident response processes and procedures, outlining the roles and responsibilities for incident management, such as:
|
DCF-30 | Incident Response Lessons Learned Documented | For example, a security event that is deemed an incident, you can provide the incident documentation including:
|
DCF-46, DCF-179 | Formal Screening Process | Upload evidence of the formal interview/recruitment process for a recently hired personnel. Example: Calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials, etc.
Note: For many controls, auditors may request a complete population of applicable items (e.g., users, assets, vendors) and select a sample for evidence review. One example may not be sufficient unless explicitly agreed upon in scope. |
DCF-56, DCF-132 | Vendor Agreement | Upload an example of an executed agreement with a vendor or service provider. |
DCF-57 | Vendor Compliance Monitoring | 1. Screenshots from the vendor directory showing that vendors are categorized based on impact/risk.
-and-
2. Review documents showing that vendors' SOC2 reports were reviewed (Drata can provide a review template for this). |
DCF-60 | Secure Password Storage | If username and password authentication is required, screenshots from the database showing that passwords are stored as salted hashes. |
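The following is an added example, not code from Drata or from this article, of what "stored using a salted hash" looks like in practice: a per-user random salt, a memory-hard key derivation (scrypt, via Python's standard hashlib) and a constant-time comparison on verification. The record format ("scrypt$N$r$p$salt$digest"), the work factors and the memory bound are assumptions chosen for the example; the unsalted SHA-256 function is included only to show the weak form an auditor would flag.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors used by this example (assumed values; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024  # upper bound OpenSSL may allocate for one derivation


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "scrypt$N$r$p$<salt>$<digest>" (format assumed here).

    A fresh 16-byte random salt is drawn per password so that two users with the
    same password are stored as different values; the salt is kept beside the hash.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=SCRYPT_MAXMEM, dklen=32,
    )
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and salt; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # unknown or malformed record: never treat as a match
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4], validate=True)
        expected = base64.b64decode(parts[5], validate=True)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
        maxmem=SCRYPT_MAXMEM, dklen=len(expected),
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """The weak form an auditor would flag: no salt, so equal passwords produce
    equal stored values and precomputed tables apply. Shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

A screenshot of a user table holding records in this shape (different salt and digest for every row, parameters recorded alongside) is the kind of evidence the control asks for; a column of bare hex digests that repeat for users who chose the same password is the opposite.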
DCF-62 | Session Termination | Upload evidence of automated logoff for relevant systems/applications. For example:
1. Screenshots of users being logged out of the application when the browser/tab is closed and being forced to re-authenticate on next login.
2. Screenshots showing that a user is logged out after a predefined inactivity timeout and is forced to authenticate on next login (including application messages, parameters in the application code defining the inactivity period, etc.). Relevant systems may include company-developed web applications and any system or application in use that allows for configuration of automated logoffs. If applicable, discuss scope with your chosen auditor. |
DCF-69 | Access Provisioning | Upload an example record of access request and approval for a user to be granted permission to a system. Example: An access request ticket with documented approval from the system owner or manager, etc. A process to request and approve user accounts and permissions must be in place. Auditors may request evidence of new hire access requests as well as request for changes in permissions to existing users (e.g., transfers, new administrative users, additional permissions to specific resources such as databases or repositories). |
DCF-72 | Root Access Control | Upload evidence showing that root password authentication to production resources (e.g., virtual machines, containers, etc.) is disabled. Example: Screenshots of infrastructure as code configurations showing that password login has been disabled for root. |
DCF-76 | Critical Change Management | For a hot fix or emergency change, upload evidence to show that the change followed the standard change management process (reviews, testing and approval) or that it was reviewed and approved by an authorized individual after implementation. Example: Screenshots or exports of pull requests/merge requests showing change control, documentation such as internal tickets or emails showing post-implementation review and approval, etc. |
DCF-91 | Intrusion Detection/Prevention System | 1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center, or equivalent monitoring tool showing that the service is enabled.
-and-
2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.
-and-
3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected. |
DCF-92 | Encrypted Remote Production Access | Upload evidence that remote access to production resources is only available through an encrypted connection. Example: Screenshot showing access to production servers or databases is not available if a user is not connected to the internal network via encrypted VPN. |
DCF-100 | Backup Restore Testing | Upload evidence of your most recent test restore of backed-up data completed within the past year. Example: Documentation of the backup restoration process showing steps taken and associated evidence, results, date completed, etc. The evidence should include the steps taken to restore the data from a backup and validation of the completeness and accuracy of the restored data. |
DCF-103, DCF-253 | Customer Data Deletion Upon Termination | For a recently churned customer, upload evidence showing that customer data disposal was conducted in accordance with the contractual agreements with the customer. Example: Screenshots of logs showing data was disposed of; screenshots from production resources such as storage buckets and databases showing customer-specific resources were decommissioned, etc. Upload the agreement with the former customer to show the specific data disposal requirements and commitments. Contractual agreements may specify a time window for data disposal (e.g., within 30 days of termination of services). Customer offboarding processes should include steps to ensure data disposal is conducted in accordance with the contractual agreements. |
DCF-104 | Test Data | Upload evidence showing that production data is not used in testing, staging or other lower environments. Example: Screenshots from testing databases showing mock data is used, data anonymization or mock data generation scripts, etc. |
DCF-105, DCF-763 | Personnel Non-Disclosure Agreements (NDA) | Upload an example executed agreement addressing confidentiality with recently hired employees (e.g., NDA, PIIA, employment agreement including confidentiality clauses, etc.). |
DCF-106 | Clean Desk and Clear Screen Policies and Procedures | 1. Acceptable Use Policy.
-and-
2. Acknowledgement of the Acceptable Use Policy (if applicable). |
DCF-107 | Disposal of Sensitive Data on Paper | Observation of the disposal of hard copy material.
Note: This can be performed by auditors on-site, or via virtual meeting. |
DCF-108 | Secure Storage Mechanisms | Pictures of secure storage bins from office locations. |
DCF-109, DCF-253, DCF-390, DCF-619 | Disposal of Sensitive Data on Hardware | Upload evidence for one instance of data disposal on hardware showing that data was disposed securely. Examples: One example certificate of destruction of hardware; screenshots showing that hard drive data on an endpoint were wiped prior to reuse of the device, etc. |
DCF-112 | Notice and Acknowledgement of Privacy Practices | Upload screenshots of the account sign up process for your system or application(s) showing users are required to accept the privacy policy/notice prior to using the system. |
DCF-120 | Periodic Review of Privacy Policy | For any recent changes to the public privacy policy, upload evidence showing customers were notified of such changes (example: screenshots of email notifications sent to customers notifying them of changes to the privacy policy, etc.) and that the privacy policy includes the date it was last updated (example: screenshot or export of the public privacy policy showing the last update date). |
DCF-123, DCF-253 | Procedures for Information Disposal | Upload your documented procedures for the erasure or destruction of information that has been identified for disposal. |
DCF-132 | Privacy and Security Requirements in Third-Party Agreements | Upload executed agreements (such as Data Processing Agreements, Business Associate Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data. |
DCF-135 | Notification of Incidents or Breaches | For one example security incident or breach, upload evidence showing that notification of the incident or breach was given to affected parties and authorities (as applicable) in accordance with company policies and procedures and contractual and legal obligations. |
DCF-137 | Data Entry Field Completion Automated | Upload screenshots of a user entering information into the application to confirm that edit checks are included in fields. |
DCF-149 | Removable Media Device Encryption | If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted. |
DCF-150 | Data Loss Prevention (DLP) Mechanisms | Upload evidence of the data leakage prevention (DLP) measures implemented in the organization (e.g., screenshots of DLP rules implemented in corporate email service, configurations from DLP tools in place, etc.). |
DCF-152 | Automated Security Updates | Upload evidence showing that automated mechanisms have been implemented to install security upgrades to operating systems (e.g., screenshots showing unattended upgrades, `apt-get update` / `apt-get upgrade` steps within infrastructure as code configuration files, screenshots of the management console for patch management tools such as Automox, etc.). |
DCF-154 | Incident Response Test | Upload evidence of your most recently completed incident response test. Incident response testing is typically expected annually or more frequently based on risk or regulatory requirements. Example: Documentation of the activities performed, results, and lessons learned; calendar invites showing participants and dates, etc. |
DCF-155 | Testing of Changes | Upload screenshots from the ticketing system for a few changes showing that changes were tested. |
DCF-156 | Change Releases Approved | For an example change release, upload evidence showing that the release was approved by authorized personnel prior to deployment to production (e.g., screenshot of a pull request/ticket showing approval for a release candidate by authorized personnel). |
DCF-161 | Management System Scope | Upload your ISMS Plan showing the defined scope of the management system. The ISMS scope should include:
|
DCF-162 | Statement of Applicability | If not managed within Drata's Policy Center (we have a template for the SoA embedded in the ISMS plan template), upload your Statement of Applicability (SoA) in conformance with ISO requirements. The Statement of Applicability defines the controls deemed necessary by the organization as a result of the risk assessment to implement the risk treatment plan. It is possible for an organization to design its own necessary controls or to select them from any source, including ISO standards. The Statement of Applicability's version and date will be included in your certificate of registration.
Auditors will expect to see justification for any excluded Annex A controls. These decisions should align with your risk assessment results and the defined risk treatment plan. |
DCF-163 | Interested Parties and Legal Requirements | ISMS Plan (2022), AI Governance Policy. |
DCF-164 | Management System Management Review | Upload evidence of your most recent documented management review for your ISO management system(s). As outlined in the management system standards, the organization must perform management reviews at periodic intervals. The reviews must address all requirements outlined in the ISO standard, and the inputs and outputs of the management review must be documented. |
DCF-165 | Periodic Independent Assessments | Upload evidence showing the organization performs internal audits at planned intervals as required by ISO to confirm that the management system(s) conforms to the organization's requirements and the referenced standards, and is effectively implemented and maintained (e.g., documentation of the most recent internal audit program(s) and report(s) of audit results for the management system(s), etc.). Internal audits must be performed at planned intervals, typically annually, and must cover the full scope of the ISMS. |
DCF-166 | Business Continuity Plan | Business Continuity Plan. |
DCF-167 | Business Impact Analysis | Business Impact Analysis (typically part of the business continuity plan). |
DCF-168 | Vendor Management Policy | Vendor Management Policy. |
DCF-170 | Management System Objectives | Information Security Policy, ISMS Plan (2022). |
DCF-171 | Documented Operating Procedures | This will be a part of your ISMS policy. |
DCF-173 | Employment Terms & Conditions | For one example personnel, provide executed employment contracts/agreements outlining the terms and conditions of employment as well as responsibilities during and after employment (e.g., duty of confidentiality, return of assets, protection of intellectual property, etc.). |
DCF-175 | Communications Plan | ISMS Plan (2022) |
DCF-176 | Measurement and Monitoring Plan | This will be a part of your ISMS policy. |
DCF-178 | Record Management and Control | 1. Evidence showing that policy documents are version controlled.
-and-
2. Change log from the ISMS policy for the ISMS document. |
DCF-179 | Competence Records | 1. Upload documented job descriptions for both a recently hired personnel and an existing personnel.
-and-
2. Upload evidence of the formal interview/recruitment process for a recently hired personnel (such as calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials).
-and-
3. Upload an example of a completed performance evaluation for a sample personnel performed within the past year showing components of the evaluation process (such as self-reviews, peer-reviews, manager-reviews).
-and-
4. Upload evidence for an example staff member with assigned roles within the management system(s) showing that they have the necessary competence to fulfill their duties on the basis of appropriate education, training, or experience.
Note: Example evidence may include, but is not limited to:
- records of education, certifications, and professional credentials
- records of training programs, courses and educational activities
- records of actions taken to acquire and retain the necessary competence as it relates to the management system |
DCF-180 | Secure Information Transfer | Data Protection Policy. |
DCF-182 | Asset Management Policy | Asset Management Policy. |
DCF-184 | Management System Plan | ISMS Plan (2022). |
DCF-185 | Threat Intelligence | 1. Completed Threat Assessment Plan contained within Appendix A of the Security version of the Risk Assessment Policy and Appendix C in the Privacy version of Risk Assessment Policy.
- and -
2. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security issues.
- and -
3. Evidence demonstrating that threats are being assessed according to the defined Threat Assessment Plan. |
DCF-186 | Data De-identification | 1. Data Classification Policy
- and -
2. Data Protection Policy |
DCF-188 | Communication with Advisories and Special Interest Groups | Upload evidence showing that the organization and members of management maintain contact with special interest groups (e.g., security groups, privacy groups, etc.). For example, screenshots or exports showing members of management receive newsletters and updates from professional association groups, email alerts from security advisories such as CISA, participation in conferences, threat advisories, etc. |
DCF-229 | Vendor Default Accounts Disabled, Removed or Changed | 1. Any policy or procedures documenting a requirement stating that ALL vendor supplied default account information must be changed.
-and-
2. Screenshots showing that vendor default accounts have been removed, had their default configurations changed, or are disabled. |
DCF-253 | Data Secure Disposal | Policies and procedures for data disposal. |
DCF-271 | Key Storage Locations Limited | Upload evidence of where your organization stores cryptographic keys. Example: Screenshot from the console of your infrastructure provider's key management service. |
DCF-273 | Strong Key Generation Policies and Procedures | 1. Documented key management procedures which specify how to generate strong cryptographic keys.
2. Screenshots showing the strong cryptographic key generation process. |
DCF-284 | Key and Certificate Validation | 1. Documented policies and procedures which specify processes for accepting only trusted keys and certificates (Encryption Policy).
2. Screenshots showing that keys and certificates used in the environment are trusted. |
DCF-293 | Anti-Malware Capabilities and Automatic Updates | Upload evidence showing that the deployed anti-malware solution is kept up-to-date through automatic updates and is configured to detect, and then remove, block, or contain, all known types of malware. Example: Screenshots from the anti-malware solution console showing configurations for automated updates and detection and containment actions. |
DCF-294 | Anti-Malware Tools Behavior | Upload screenshots from your anti-malware console showing that it is configured to perform both periodic scans and active real-time scans (e.g., scanning files from external sources as they are downloaded, opened, or executed). Alternatively, show that it performs continuous behavioral analysis of systems or processes. |
DCF-305 | Production Components Change Control Procedures | For a non-software development change, upload documentation showing that the change was implemented in accordance with your formal change management policies and procedures. For example, documentation of change description, justification, evaluation of security requirements and impact, approval by authorized parties, rollback procedures, etc., and records of testing (for example, acceptance and security impact testing). Examples of changes include: infrastructure, network, configuration changes, etc. |
DCF-312 | Secure Code Development Training | Upload evidence of secure code development training completed by a member of personnel within the past year. Example: Training materials (e.g., videos, presentations, agendas) outlining the topics covered, along with a record of completion for one personnel. The secure code development training program may be implemented through a third party or conducted internally (e.g., a team session led by engineering leadership). |
DCF-350 | Password History Enforcement | Upload evidence showing that system configuration settings are in place to prevent password reuse, in alignment with company policy and applicable compliance requirements for relevant systems. Example: Screenshots demonstrating password history enforcement settings for relevant systems. Note that not all systems may support this as a configurable feature.
Relevant systems may include your cloud infrastructure provider, code repositories, identity provider, password vaults, VPN clients, or systems storing customer data (e.g., database-as-a-service). Scope may vary – discuss scoping with your chosen auditor.
|
DCF-352 | Unique First-time Passwords With One-Time Use | Upload evidence showing that, for organization systems, passwords are set to a unique value for first-time use and upon reset, and that temporary initial passwords must be changed immediately after first use. Example: Screenshots of system configurations or a walkthrough of the password reset process demonstrating this behavior. |
DCF-356 | Communication of Authentication Best Practices | 1. Screenshots showing where employees can access policies and procedures related to authentication.
2. Documented authentication policies and procedures that include the following:
|
DCF-363 | Entry Controls in Place | For each computer room, data center, and other physical areas which contain systems:
|
DCF-365 | Secure Physical Access Control Mechanisms | Pictures showing how video cameras and/or access control mechanisms are physically protected from tampering or being disabled. |
DCF-369 | Restricted Physical Access to Network Components | Evidence showing that physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within company facilities is restricted. |
DCF-374 | Visitors Authorized and Escorted | Observation of a visitor being escorted when entering company facilities
Note: This observation should be conducted by the auditor either during an on-site visit or via a live virtual meeting.
|
DCF-375 | Personnel and Visitor Badges | Observation of a visitor obtaining a visitor badge, along with an example of the badge issued.
Note: This observation should be conducted by the auditor either on-site or via a live virtual meeting. |
DCF-378 | Visitor Log | Upload evidence demonstrating that a visitor log is maintained to track visitor activity in company facilities, computer rooms, or data centers where sensitive data may be stored or transmitted.
Example: A scan or photo of the visitor log from a typical day.
|
DCF-381 | Media Physically Secured or Encrypted | Upload documented policies and procedures related to the physical security of all media, including computers, removable media, paper receipts, paper records, and faxes. |
DCF-384 | Media Classification | Screenshots and/or pictures showing how media is classified including labels showing data sensitivity. |
DCF-385 | Media Transferred Securely | 1. Documented procedures for media transfer that define acceptable methods for transferring information, including the use of authorized couriers and requirements for tracking media transfers.
-and-
2. Screenshots or documentation showing how media transfers are logged.
-and-
3. Evidence of a recent media transfer, showing that tracking information was recorded in accordance with the documented procedures. |
DCF-386 | Management Approval for Media Transfer | Documentation from a recent media transfer (including media distribution to individuals) showing that the transfer was approved by an authorized member of management. |
DCF-388 | Media Inventory Logs | If your organization manages electronic media containing sensitive data, upload evidence of your media inventory.
Maintaining an up-to-date inventory and proper storage controls is essential – without them, lost or stolen media could go undetected indefinitely. |
DCF-390 | Media Destruction | Documented policies and procedures for secure media destruction.
AND, where possible, evidence of implementation (e.g., disposal logs, certificates of destruction from vendors, or screenshots of decommissioning processes). |
DCF-406 | Audit Logging | Screenshots showing that audit trails are enabled and active for in-scope systems. |
DCF-407 | Audit Logs Data Points | Upload evidence showing that audit logs are configured to capture: user or identity, type of event, date and time, success or failure indication, origination of event, affected data, and system component, resource, or service. Example: Screenshot or export of a sample log showing the relevant attributes. By recording these details for the auditable events, a potential compromise can be quickly identified, with sufficient detail to facilitate follow-up on suspicious activities. |
DCF-409 | Audit Trail for Privileged Access | Upload evidence showing that audit trails or logs are implemented for system components to capture all actions taken by any identities with administrative access, including execution of privileged functions and any interactive use of application or system accounts. Example: Screenshot or export of a sample log showing the relevant log contents. Because accounts with elevated privileges (e.g., “administrator” or “root”) can significantly impact system security and operations, maintaining detailed logs is critical. Without them, it's difficult to trace issues back to specific actions or users in the event of error or misuse. |
DCF-411 | Audit Trail for Invalid Access Attempts | Upload evidence showing that audit trails or logs are implemented for system components to capture invalid access attempts. Example: Screenshot or export of a sample log showing the relevant log contents. Malicious individuals will often perform multiple access attempts on targeted systems. Repeated failed attempts may indicate brute-force activity or other malicious behavior targeting your systems. |
DCF-412 | Audit Trail for Identification and Authentication Mechanism Changes | Upload evidence showing that audit trails or logs are implemented for system components to capture changes to identification and authentication credentials (e.g., creation of new accounts, elevation of privileges, changes, additions, or deletions to accounts with administrative access, etc.). Example: Screenshot or export of a sample log showing the relevant log contents. Logging changes to authentication credentials (including elevation of privileges, additions, and deletions of accounts with administrative access) provides residual evidence of activities. Malicious users may attempt to manipulate authentication credentials to bypass them or impersonate a valid account. |
DCF-414 | Audit Trail of System-Level Object Changes | Upload evidence showing that audit trails or logs are implemented for system components to capture all creation and deletion of system-level objects. Example: Screenshot or export of a sample log showing the relevant log contents. Malicious software, such as malware, often creates or replaces system-level objects on the target system to control a particular function or operation on that system. By logging when system-level objects are created or deleted, it will be easier to determine whether such modifications were authorized. |
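The following is an added example, not code from Drata or from this article, serving both DCF-407 and DCF-411: it parses a constructed JSON-lines audit log, reports records that are missing any of the seven data points DCF-407 lists, and then applies the reasoning in DCF-411 by counting failed access attempts per source within a sliding time window. The field names (`user`, `event_type`, `timestamp`, `outcome`, `source_ip`, `affected_data`, `component`), the sample log lines, the five-failures-per-minute threshold and the IP addresses are all assumptions constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# The data points listed under DCF-407, mapped to field names assumed for this example.
REQUIRED_FIELDS = (
    "user",           # user or identity
    "event_type",     # type of event
    "timestamp",      # date and time (UTC, ISO 8601 with trailing Z)
    "outcome",        # success or failure indication
    "source_ip",      # origination of event
    "affected_data",  # affected data
    "component",      # system component, resource, or service
)

# Constructed sample log (JSON lines). The failures from 203.0.113.7 are a synthetic
# burst; line 8 deliberately omits affected_data to show the completeness check.
SAMPLE_LOG = """\
{"timestamp":"2024-05-07T10:00:01Z","user":"alice","event_type":"login","outcome":"success","source_ip":"10.0.0.5","affected_data":"-","component":"sso-portal"}
{"timestamp":"2024-05-07T10:00:05Z","user":"admin","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","affected_data":"-","component":"sso-portal"}
{"timestamp":"2024-05-07T10:00:12Z","user":"admin","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","affected_data":"-","component":"sso-portal"}
{"timestamp":"2024-05-07T10:00:20Z","user":"root","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","affected_data":"-","component":"sso-portal"}
{"timestamp":"2024-05-07T10:00:31Z","user":"admin","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","affected_data":"-","component":"sso-portal"}
{"timestamp":"2024-05-07T10:00:44Z","user":"administrator","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","affected_data":"-","component":"sso-portal"}
{"timestamp":"2024-05-07T10:00:58Z","user":"admin","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","affected_data":"-","component":"sso-portal"}
{"timestamp":"2024-05-07T10:01:30Z","user":"bob","event_type":"login","outcome":"failure","source_ip":"10.0.0.8","component":"sso-portal"}
{"timestamp":"2024-05-07T10:02:00Z","user":"alice","event_type":"privilege_change","outcome":"success","source_ip":"10.0.0.5","affected_data":"role:admin","component":"iam"}
"""


def parse_log(text: str) -> List[Tuple[int, dict]]:
    """Parse JSON lines into (line_number, record) pairs, skipping blank lines."""
    records = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            records.append((line_no, json.loads(line)))
    return records


def missing_fields(records: List[Tuple[int, dict]]) -> List[Tuple[int, List[str]]]:
    """DCF-407 check: list records that lack any of the required data points."""
    gaps = []
    for line_no, rec in records:
        absent = [f for f in REQUIRED_FIELDS if f not in rec]
        if absent:
            gaps.append((line_no, absent))
    return gaps


def detect_failed_bursts(records: List[Tuple[int, dict]], threshold: int = 5,
                         window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """DCF-411 check: for each source IP, the largest number of failures that fall
    inside any sliding window of the given length; only sources at or above the
    threshold are returned, so a single mistyped password does not raise an alert."""
    failures = defaultdict(list)
    for _, rec in records:
        if rec.get("outcome") == "failure":
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            failures[rec.get("source_ip", "unknown")].append(ts)
    bursts = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("incomplete records:", missing_fields(recs))   # [(8, ['affected_data'])]
    print("failed-login bursts:", detect_failed_bursts(recs))  # {'203.0.113.7': 6}
```

Running the completeness check over an export of your own logs is a quick way to confirm, before the audit, that every record carries the attributes the control names; the burst detector is the kind of rule an alerting pipeline would run on the same data.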
DCF-421 | Clock Synchronization | Upload evidence showing that the organization synchronizes clocks and system time across all critical systems using time-synchronization technology, such as Network Time Protocol (NTP). |
DCF-422, DCF-423, DCF-424 | System Time Source | Upload evidence showing that internal systems receive time information only from designated central time server(s), which are configured to sync with industry-accepted external sources based on International Atomic Time or Coordinated Universal Time (UTC). If there is more than one designated time server, upload evidence showing that the time servers peer with one another to keep accurate time. |
DCF-429 | Limited Access to Audit Trails | Upload evidence of the users with elevated access to log systems and log data. Example: Screenshots of the users with administrative or privileged access to log systems and log data. |
DCF-430 | Audit Trail Files Protected | Upload screenshots or pictures showing that audit trails are protected from unauthorized access, modification, or deletion. Protection methods may include access control mechanisms, physical segregation, and/or logical network segregation. |
DCF-434 | Policies and Procedures for Logging | Logging and Monitoring Policy. |
DCF-441 | Audit Log Retention Period | Upload evidence of your configured retention periods for audit logs. Example: Screenshots from logging systems that display the log retention settings. |
DCF-478 | Change Detection Mechanism | 1. Screenshots from the change detection solution (e.g., File Integrity Monitoring) and the relevant change detection system configurations showing what is monitored. 2. Documented list of the files that are monitored by the change detection solution. |
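Added example (not Drata's code) covering both DCF-414 and DCF-478: a minimal file-integrity monitor in Python that records the SHA-256, size and mode of every file under a directory, stores the baseline outside the monitored tree, and reports created, deleted and modified objects. The keys of the baseline double as the "documented list of monitored files". The directory contents and the "trojaned" replacement in demo() are constructed in a temporary folder; a production FIM (the kind an auditor expects screenshots of) adds scheduling, alerting and a tamper-resistant baseline store.

```python
"""Minimal file-integrity monitor (added example for DCF-414 / DCF-478, not Drata's code).

Baseline a tree with SHA-256 + size + mode, then diff a fresh snapshot against it.
demo() builds a constructed directory in a temp folder and simulates the three
things malware typically does: replace a binary in place, drop a persistence
artifact, and delete a file.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Snapshot every regular file under root (symlinks are skipped so a link cannot
    be pointed at an attacker-controlled file and still 'match')."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snapshot[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # permission changes are changes too
            }
    return snapshot


def compare(before: dict, after: dict) -> dict:
    """Classify differences between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def write_baseline(snapshot: dict, path: Path) -> None:
    path.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def read_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline, tamper, re-scan. Returns the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original binary")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "etc" / "old.conf").write_text("x=1\n")
        store = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        write_baseline(baseline(root), store)

        # Tampering: same-size replacement (size alone would miss it), new cron job, removal.
        (root / "bin" / "sshd").write_bytes(b"trojaned binary")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")
        (root / "etc" / "old.conf").unlink()
        return compare(read_baseline(store), baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the replaced binary keeps its exact size, which is why the hash, not the size or timestamp, is the field that matters; a monitor that only watches mtime or size is easy to defeat.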
DCF-503 | Multiple Methods for Security Awareness | Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (e.g., screenshots of internal newsletters or intranet with security reminders, security updates sent out via Slack or other internal communication channels, etc.) |
DCF-507 | Vendor Due Diligence | Before engaging with any new service provider or vendor, you must perform due diligence to evaluate their security posture. This may include reviewing completed security questionnaires or verifying the presence of relevant compliance certifications (e.g., SOC 2).
You should document the results of the due diligence process, including the date it was completed. |
DCF-527 | Designated Data Protection Officer | Upload evidence showing that a data protection officer has been officially appointed (e.g., internal privacy policies, a RACI matrix, or job descriptions identifying the data protection officer).
Additionally, upload evidence showing that a mechanism to contact the data protection officer is communicated to users/data subjects (e.g., screenshots of the online privacy policy showing that an email address for the data protection officer is provided). |
DCF-557 | Shared Account Management | For any highly privileged shared accounts, upload evidence of the business justification and evidence of how these shared accounts are securely managed. Example: Documentation of the business purpose of the shared account(s) with management approval, and screenshots showing how the shared accounts are securely managed (e.g., use of password vaults with access restricted to authorized personnel, etc.). |
DCF-558 | Restrictions on Software Installation | Upload evidence showing that the organization has implemented mechanisms to prevent the installation and execution of unauthorized software in company-managed assets.
Example: Screenshots from MDM or endpoint management tools showing enforced rules that block unauthorized software installation, or access controls that restrict the ability to run executables on company devices, etc.
|
DCF-562 | Management of Utility Programs | 1. Any documented procedures covering who can access utility programs (e.g., admin consoles for antivirus tools, MDM solutions, and logging systems).
- and -
2. A current list of users with access to those utility programs.
|
DCF-566 | Management of Nonconformities | Upload evidence showing that your organization is managing nonconformities in accordance with ISO requirements. Examples: A nonconformity tracker, internal tickets used to track issues to resolution, or other documentation showing corrective actions taken. ISO defines a nonconformity as the "non-fulfillment of a requirement." These requirements may stem from ISO standards, internal policies, or procedures. Nonconformities can be identified through various sources, including internal or external audits, personnel reports, or continuous monitoring.
In accordance with Clause 10 of ISO management system standards, when a nonconformity is identified, your organization must:
You must also retain documented evidence of:
|
DCF-567 | Change Management Policy | Change Management Policy. |
DCF-569 | Information Labeling | Data Protection Policy and Data Classification Policy. |
DCF-570 | Disciplinary Process | Upload your company's documented disciplinary process. The disciplinary process may be an HR-owned process available and communicated to employees through an employee handbook, code of conduct, or included within an information security policy documentation. Note: This evidence should not be confused with disciplinary procedures for general performance issues or misconduct such as harassment. This specifically pertains to disciplinary actions for breaches of information security policies or violations of security requirements. A formal disciplinary process should outline a graduated response based on factors such as:
The disciplinary response must also account for legal, regulatory, contractual, and business obligations. It should serve not only to address violations but also as a preventive and deterrent measure to discourage future breaches by personnel or other relevant parties.
In cases of deliberate violations, immediate actions may be warranted.
|
DCF-571 | Fire Detection and Suppression | 1. Observation of fire detection and suppression systems installed in critical locations (e.g., data centers, server rooms). Note: This observation should be conducted by the auditor either on-site or via a live virtual meeting. 2. Upload evidence of ongoing maintenance for fire detection and suppression systems, such as maintenance logs, inspection reports, or service agreements with vendors. |
DCF-572 | Temperature Monitoring Systems | 1. Observation of systems in place to monitor and control air temperature and humidity at appropriate levels in critical areas (e.g., server rooms, data centers).
Note: This observation should be conducted by the auditor either on-site or via a live virtual meeting. 2. Upload evidence of ongoing maintenance for environmental control systems, such as maintenance logs, calibration records, or service reports. |
DCF-573 | Uninterruptible Power Supply | 1. Observation of uninterruptible power supply (UPS) systems installed in data centers or server rooms to ensure continuity of power.
Note: This observation should be conducted by the auditor either on-site or via a live virtual meeting. 2. Upload evidence of ongoing maintenance for UPS systems, such as maintenance logs, inspection reports, or service records from vendors. |
DCF-574 | Mobile Device Management Software | Upload evidence to show that a Mobile Device Management (MDM) solution has been implemented to enforce security controls on mobile devices.
Examples: Screenshots from the MDM’s centralized management console, baseline configuration settings, or enforced security policies/blueprints by device OS type. |
DCF-611 | Obscured Authentication Feedback | Upload a screenshot of the user interface during the authentication process to show that authentication feedback is hidden. For example, password entry fields should display masked characters (e.g., asterisks or dots) to prevent visible disclosure. |
DCF-619 | Media Sanitization | For a sample of media sanitization and disposal actions, upload evidence showing that each sample was reviewed, approved, tracked, and documented in accordance with company policies and procedures. |
DCF-637 | Secure Development Process | Upload documentation of your organization's secure development processes. Example: Internal wikis, process documents, or guidelines that reference industry standards and best practices for secure development. Documentation should include security requirements (e.g., secure authentication, logging), and demonstrate how information security is considered at each stage of the software development life cycle (SDLC). |
DCF-678 | Network Security Policy | Network Security Policy. |
DCF-681 | Phishing Simulations | Upload evidence showing phishing simulations are conducted as part of the organization's security awareness initiatives. Example: Screenshots of phishing simulation campaign configurations, dashboards displaying campaign results, or examples of simulated phishing emails used during the exercises, etc. |
DCF-684 | Redundancy of Processing | Upload evidence demonstrating that redundancy strategies have been implemented for equipment, systems, and processes, as defined in the organization's business continuity plans. |
DCF-687 | Email Protection Mechanisms | Upload evidence showing that phishing and spam detection mechanisms have been implemented in your organization. Example: Screenshots of email authentication settings such as SPF, DKIM, and DMARC configurations. |
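Added example (not Drata's code): a Python checker that evaluates SPF, DKIM and DMARC records for the weak settings that leave a domain spoofable, so you can see what "configured" should look like before taking the screenshots. All three domains and their records are constructed (reserved .example names, dummy DKIM key material), nothing is resolved over the network, and the severity ratings are an assumption.

```python
"""SPF / DKIM / DMARC weak-setting checker (added example for DCF-687, not Drata's code).

RECORDS is constructed sample data in the shape a DNS TXT lookup would return:
the domain's v=spf1 records, its _dmarc record, and any DKIM selector records.
Severity labels are an assumption.
"""
import re

DUMMY_KEY = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="  # placeholder, not real key material

RECORDS = {
    "weak.example": {                      # the configuration an auditor should reject
        "spf": ["v=spf1 include:_spf.mailhost.example +all"],
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
        "dkim": {},
    },
    "partial.example": {                   # half-way: softfail SPF, partial DMARC enforcement
        "spf": ["v=spf1 ip4:192.0.2.10 ~all"],
        "dmarc": "v=DMARC1; p=quarantine; pct=50",
        "dkim": {"s1": f"v=DKIM1; k=rsa; p={DUMMY_KEY}"},
    },
    "hardened.example": {                  # the corrected configuration
        "spf": ["v=spf1 include:_spf.mailhost.example -all"],
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
        "dkim": {"s2024": f"v=DKIM1; k=rsa; p={DUMMY_KEY}"},
    },
}


def spf_all_qualifier(record):
    """Qualifier on the terminating 'all' mechanism: '+', '-', '~', '?' or None if absent."""
    qualifier = None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # an unqualified mechanism means pass
    return qualifier


def parse_tags(record):
    """Parse 'k=v; k=v' DMARC/DKIM syntax into a dict with lower-case keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(domain, spf, dmarc, dkim):
    """Return (severity, message) findings; an empty list means nothing weak was found."""
    findings = []

    def add(sev, msg):
        findings.append((sev, f"{domain}: {msg}"))

    if not spf:
        add("high", "SPF: no v=spf1 record; receivers cannot reject forged envelope senders")
    elif len(spf) > 1:
        add("high", "SPF: multiple v=spf1 records, which RFC 7208 treats as a permanent error")
    else:
        q = spf_all_qualifier(spf[0])
        if q == "+":
            add("high", "SPF: '+all' authorizes every host on the Internet to send as this domain")
        elif q in (None, "?"):
            add("medium", "SPF: no '-all'/'~all' terminator, so unlisted senders get a neutral result")
        elif q == "~":
            add("low", "SPF: '~all' softfail; acceptable only when DMARC enforces the result")

    if dmarc is None:
        add("high", "DMARC: no record; SPF/DKIM results are not enforced against the From: header")
    else:
        tags = parse_tags(dmarc)
        policy = tags.get("p", "none")
        if policy == "none":
            add("high", "DMARC: p=none only monitors; spoofed mail is still delivered")
        pct = int(tags.get("pct", "100"))
        if policy != "none" and pct < 100:
            add("medium", f"DMARC: pct={pct} applies the policy to only part of the mail stream")
        if "rua" not in tags:
            add("low", "DMARC: no rua= address, so aggregate reports (evidence of spoofing) are lost")

    if not dkim:
        add("medium", "DKIM: no selector records found; message signatures cannot be verified")
    for selector, rec in dkim.items():
        if not parse_tags(rec).get("p"):
            add("medium", f"DKIM: selector {selector} has an empty p= (key revoked) or no key")
    return findings


def assess_all(records):
    return {d: assess(d, r["spf"], r.get("dmarc"), r["dkim"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(RECORDS).items():
        print(domain, "OK" if not findings else "")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The "partial.example" case is the one that most often passes a casual screenshot review: SPF and DMARC records exist, but `~all` plus `p=quarantine; pct=50` means half of forged mail is still delivered untouched.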
DCF-688 | Return of Assets | For one recently terminated individual, upload evidence showing that company assets were returned. Examples: Screenshots of offboarding checklists or internal tickets tracking the return of devices, badges, tokens, etc., upon termination, as well as evidence of pre-paid return labels and tracking details for remote personnel. |
DCF-689 | On-Call Team | Upload evidence of your organization's on-call rotation schedule. Example: Screenshots from a tool such as PagerDuty (or an equivalent) showing the on-call schedule and the assigned team members. |
DCF-694 | Use of Unencrypted Portable Storage | For any unencrypted physical media and/or portable devices in use, upload evidence of a documented business justification and formal approval from management. |
DCF-698 | Automated Mechanisms for Audit Log Reviews | Screenshot of the configuration from your audit log review solution, such as a centralized log management system, event log analyzer, or Security Information and Event Management (SIEM) platform, etc. |
DCF-707 | Credentials for System Accounts Not Hard-Coded | Upload evidence showing that the organization has implemented mechanisms to validate that authentication credentials for application and system accounts are not hard-coded in scripts, configuration/property files, or bespoke and custom source code. Example: Screenshots from source code repositories showing that secret scanning is integrated into the CI/CD pipeline. |
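Added example (not Drata's code): a pattern-plus-entropy secret scanner in Python of the kind that runs as a CI or pre-commit check for DCF-707, scanning exactly the three places the control names (scripts, configuration/property files, and source). The sample files are constructed; the AWS key is the example identifier AWS publishes in its documentation, the GitHub token is a made-up string of the right shape, and the rule list, the entropy threshold and the set of "reference" prefixes that are allowed (environment variables, vault paths) are assumptions.

```python
"""Secret scanner for scripts, config files and source (added example for DCF-707, not Drata's code).

Two detection strategies: fixed-format patterns for well-known credential types, and a
Shannon-entropy check on quoted literals assigned to secret-looking names. Values that
merely *reference* a secret (an env var, a vault path) are deliberately ignored, since
that is the pattern the control wants to see instead. Sample files are constructed.
"""
import math
import re

# Pattern rules: group 1 is the suspected secret.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b")),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("password-assignment", re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{8,})")),
]
# Quoted literal (16+ chars) assigned to a secret-looking name; judged by entropy.
SECRET_LITERAL = re.compile(
    r"(?i)[\w.]*(?:secret|token|api[_-]?key|private[_-]?key)[\w.]*\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumption; tune to your false-positive tolerance)
# Prefixes that mean "this reads a secret from somewhere else" (assumption).
REFERENCE = re.compile(r"^(?:\$|\{\{|os\.environ|<|vault:|secretsmanager:)")

SAMPLE_FILES = {  # constructed; AKIAIOSFODNN7EXAMPLE is AWS's documented example key id
    "config/app.properties": (
        "db.host=db.internal.example\n"
        "db.user=app\n"
        "db.password=Sup3rS3cretP@ss!\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        'export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:?set by CI}"\n'  # correct pattern
    ),
    "src/settings.py": (
        "import os\n"
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'                 # correct pattern
        'SIGNING_SECRET = "c4f9e2a17b0d5e8f6a3b2c1d9e8f7a6b"\n'   # caught by entropy only
        'GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"\n'
        'SESSION_TIMEOUT = "3600"\n'
    ),
    "ops/id_rsa.bak": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(key material omitted in this constructed sample)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high, words and numbers low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value):
    """Never echo the full secret into CI logs."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(filename, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for rule, rx in RULES:
            for m in rx.finditer(line):
                if REFERENCE.match(m.group(1)):
                    continue  # reads from env/vault: that is the approved pattern
                findings.append({"file": filename, "line": lineno, "rule": rule, "match": m.group(1)})
                hit = True
        if hit:
            continue  # do not double-report the same literal via the entropy rule
        m = SECRET_LITERAL.search(line)
        if m and not REFERENCE.match(m.group(1)) and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append({"file": filename, "line": lineno, "rule": "high-entropy-literal", "match": m.group(1)})
    return findings


def scan_files(files):
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f'{f["file"]}:{f["line"]} {f["rule"]} {redact(f["match"])}')
```

The two lines the scanner leaves alone (the `${AWS_SECRET_ACCESS_KEY...}` export and `os.environ["DB_PASSWORD"]`) are the hardened form of the findings next to them: the same assignment, with the value pulled from the environment or a secrets manager at runtime instead of committed. The entropy rule exists for the `SIGNING_SECRET` case, a home-grown secret with no recognisable prefix that a pattern list alone would miss.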
DCF-708 | Software and Third Party Libraries Inventory | Upload evidence of your organization's software and third-party libraries inventory (i.e., a Software Bill of Materials, or SBOM). Example: Screenshots from software composition analysis tools displaying the SBOM, including identified components and dependencies. |
DCF-712 | Static Application Security Testing | Upload evidence that Static Application Security Testing (SAST) is performed as part of the software development process. Example: Screenshots from the CI/CD pipeline showing that SAST scans automatically run on code commits, or screenshots of configurations and dashboards from SAST tools (e.g., SonarCloud, Checkmarx, Veracode). |
DCF-741 | Logging and Monitoring Policy | Logging and Monitoring Policy. |
DCF-744 | Contact with Authorities | Upload evidence of incident response procedures, playbooks, or documented communication plans demonstrating that your organization has:
Maintaining these contacts supports effective incident response, business continuity, and compliance with regulatory obligations. It also helps the organization stay informed about relevant legal or regulatory changes. |
DCF-745 | Segregation of Duties | Upload evidence showing that your organization has identified conflicting duties and areas of responsibility that require segregation, and has implemented mechanisms to enforce segregation of duties. Your organization should assess roles and responsibilities to reduce the risk of fraud, error, or circumvention of information security controls. Examples of duties that may require segregation include:
It is recommended that your organization’s approach to segregation of duties be formally documented. This should include:
|
DCF-748 | Segmentation of Networks | Upload evidence showing that network segmentation or other techniques are used to split the network into security zones and to control traffic between them based on business and security needs. |
DCF-749 | Leak Detection System | Observation of leak detection systems at critical facilities. Note: This observation should be conducted by the auditor either on-site or via a live virtual meeting. |
DCF-760 | Control of Audit Activities | Upload evidence showing that audit requirements and activities involving verification of operational systems are planned and agreed upon with management, to minimize disruption to business processes and to limit security risk. Examples: Screenshots or exports of communications and agreements with penetration testing vendors discussing and agreeing on the scope of the test, access requirements, availability considerations, etc. |
DCF-762 | Managing Changes to Supplier Services | For a change to the services provided by a vendor, upload documentation evidencing that the change was reviewed, that the required due diligence activities were performed, and that management authorized the change.
Note: Auditors may request a complete population and select samples to verify this control. |
DCF-763 | Requirements for Protection of Intellectual Property Rights | Acceptable Use Policy. |
DCF-775 | Cloud Deletion Protection | Screenshots of the configuration enabled for deletion protection for cloud resources. |
DCF-776 | Principle of Least Privilege | For each in-scope system or application, upload the user access listing including assigned roles and permissions to demonstrate that the principle of least privilege has been applied. |
DCF-777 | Cloud Resource Tagging | Inventory listing with tags assigned. |
DCF-779 | Cryptographic Key Rotation | Upload evidence of cryptographic key rotation processes implemented in accordance with your organization's defined procedures. Examples:
|
DCF-780 | Web Filtering | Upload evidence showing that the organization has implemented web filtering mechanisms to enforce the company's internet usage policies.
Examples:
|
DCF-781 | Secure Login Procedures | For internally developed systems, upload evidence showing that access to the system is through a secure login procedure. Examples: Screenshots of successful and failed login attempts on internally developed systems showing one or more of the following:
|
DCF-782 | Cloud Storage Lifecycle | Upload evidence of any cloud storage lifecycle rules in place to delete data automatically after expiration of specified retention periods (e.g., screenshots from cloud storage showing configured expiration actions, etc.). |
DCF-783 | Credentials Rotation | Upload evidence of secret rotation processes implemented in accordance with defined company procedures (e.g., screenshots of automated secret rotation configurations in a secrets management system, or tickets or other documentation showing that manual secret rotation is carried out periodically). |
DCF-784 | Software Composition Analysis (SCA) | Upload evidence to show that your organization checks software components and libraries for policy and license compliance, security risks, and supported versions. Example: Screenshots showing that software composition analysis tools are used as part of your CI/CD pipeline to check for vulnerabilities in third-party libraries. |
DCF-785 | Secure Runtime Configurations | 1. Asset Management Policy.
- and -
2. Screenshots of run configuration standards for in-scope applications and platforms. |
DCF-789 | Expectations of Interested Parties | ISMS Plan (2022). |