The following is a list of example evidence for controls not monitored in Drata for ISO 42001.
Note: Auditors may request additional evidence for each control.
DCF Code | DCF Name | Example Evidence |
DCF-5 | Change Review Process | Upload evidence demonstrating peer review, approval, and automated enforcement of segregation of duties for production deployments.
Example: Change Management Policy, Software Development Policy (SDLC), and repository branch protection settings showing that a reviewer other than the author must approve before a merge to the production branch. |
DCF-8 | External Communication Channels | Upload evidence of customer-facing communication channels available to report issues, bugs, or suspected incidents.
Example: Screenshots of a customer support portal, help desk page, or embedded support/communication features in the web application. |
DCF-9 | Internal Communication Channels | Upload examples of internal communication channels for employees to report failures, events, incidents, concerns, and other issues.
Example: Screenshots from communication tools (e.g., Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel. |
DCF-14 | Organizational Chart | Upload your current organizational chart.
Example: Screenshot of an organizational chart diagram or an export from an HR system showing personnel, job titles, departments, and reporting lines. |
DCF-15 | Risk Assessment Policy | Upload your documented risk assessment policy. |
DCF-16 | Periodic Risk Assessment | Upload the most recently completed risk assessment report. |
DCF-17 | Risk Treatment Plan | Upload documentation of the most recent risk assessment activities performed (e.g., risk register, risk treatment plan) in accordance with company policies and compliance requirements.
Example: Risk register entries mapped to treatment decisions, assigned owners, target dates, remediation tickets, and evidence of approval. |
DCF-21 | Architectural Diagram | Upload your current architecture diagram(s) and evidence that they were reviewed or updated for accuracy within the past year (e.g., emails or tickets from responsible personnel confirming the accuracy and completeness of the diagram(s)).
Example: Diagrams showing system components, data flows, network and trust boundaries, and third-party dependencies, together with a dated review record.
For additional information and resources visit:
Azure: https://azurediagrams.com/ |
DCF-28 | Security Events Tracked and Evaluated | Upload evidence that security events are tracked, triaged, and evaluated.
Example: SIEM/alerting dashboard screenshots, alert review queues, incident/event tickets with triage notes, and periodic security review meeting notes or reports. |
DCF-29 | Incident Response Team | Upload evidence of your documented roles and responsibilities for incident response.
Example: Incident response process documentation describing incident managers, handlers, communication coordinators, advisors, and escalation/ownership. |
DCF-33 | Periodic Policy Reviews | Upload evidence of periodic policy reviews.
Example: Policy review calendar/schedule, policy version history showing annual/periodic review, and approval/sign-off records for the latest review. |
DCF-42 | Defined Roles and Responsibilities | Upload evidence of defined roles and responsibilities across the organization for relevant functions.
Example: Role descriptions, RACI matrix, or security responsibility matrix. |
DCF-130 | Documentation of Breaches or Unauthorized Disclosures of PII | For any personal data breaches or unauthorized disclosures of PII, upload evidence showing that documentation is retained, including the facts, effects/impact, and remedial action taken.
Example: Screenshots of the incident tracking system used to track breaches or security incidents involving PII. |
DCF-135 | Notification of Incidents or Breaches | For an example security incident or breach, upload evidence showing that notification was provided to affected parties and authorities (as applicable) in accordance with company policies/procedures and contractual/legal obligations.
Example: Notification email/letter templates used, communication logs, and an incident timeline showing when notifications were sent. |
DCF-154 | Incident Response Test | Upload evidence of your most recently completed incident response test.
Example: Documentation of activities performed, results, and lessons learned, plus calendar invites or attendance records showing participants and dates. |
DCF-155 | Testing of Changes | For an example change (e.g., a software development change), upload evidence showing the change was reviewed, tested, and approved with segregation of duties prior to deployment to production.
Example: Screenshots from the ticketing system or pull requests for a few changes showing test results and an approver who is not the author of the change. |
DCF-156 | Change Releases Approved | For an example change release, upload evidence showing that the release was approved by authorized personnel prior to deployment to production (e.g., screenshot of a pull request/ticket showing approval of a release candidate by authorized personnel).
Example: Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel. |
DCF-159 | Incident Response Plan | Upload your incident response plan documentation. |
DCF-160 | Continuous Control Monitoring | Upload evidence of a continuous control monitoring approach for key controls.
Example: Control library screenshot/export from the compliance automation tool, monitoring dashboard screenshot, or automated evidence collection log/audit trail. |
DCF-163 | Legal Requirements | Upload evidence of identification and management of applicable legal/regulatory requirements.
Example: Legal/compliance obligations register, legal/regulatory policies, meeting minutes, and change log/tickets. |
DCF-168 | Vendor Management Policy | Upload your vendor management policy. |
DCF-175 | Communications Plan | Upload your communications plan. |
DCF-407 | Audit Logs Data Points | Upload evidence showing that audit logs have been configured to contain user or identity, type of event, date and time, success or failure indication, origination of event, affected data, and system component, resource, or service.
Example: Screenshot or export of a sample log showing the relevant attributes. By recording these details for the auditable events, a potential compromise can be quickly identified, with sufficient detail to facilitate follow-up on suspicious activities. |
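Before exporting a log sample as DCF-407 evidence, it is worth checking mechanically that every record actually carries the seven attributes the control names. The following added example (not Drata's code and not part of the original page) does that over a constructed JSON-lines export; the field names (`actor`, `event_type`, `timestamp`, `outcome`, `source`, `target`, `component`) are assumptions standing in for whatever your logging pipeline uses, and the three sample records are constructed, with the third deliberately missing its outcome and source.

```python
import json
from datetime import datetime

# Assumed field names for the seven DCF-407 attributes: user/identity,
# event type, date and time, success/failure, origin, affected data,
# and system component/resource/service.
REQUIRED_FIELDS = (
    "actor", "event_type", "timestamp", "outcome",
    "source", "target", "component",
)

# Constructed sample export (not real data). The third record is
# missing the outcome and source attributes on purpose.
SAMPLE_LOG = """\
{"actor":"alice@example.test","event_type":"login","timestamp":"2024-05-01T09:12:44Z","outcome":"success","source":"203.0.113.10","target":"session","component":"auth-service"}
{"actor":"svc-deploy","event_type":"config.change","timestamp":"2024-05-01T09:15:02Z","outcome":"failure","source":"10.0.4.7","target":"prod/feature-flags","component":"config-api"}
{"actor":"bob@example.test","event_type":"record.read","timestamp":"2024-05-01T09:20:11Z","target":"customer/4821","component":"crm"}
"""


def parse_records(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_fields(record):
    """Return the required attributes that are absent or empty in one record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def has_valid_timestamp(record):
    """True if the timestamp parses as ISO 8601 with an explicit timezone."""
    raw = str(record.get("timestamp", "")).replace("Z", "+00:00")
    try:
        return datetime.fromisoformat(raw).tzinfo is not None
    except ValueError:
        return False


def audit_log_report(text):
    """Summarise which records fail the DCF-407 attribute check.

    Returns {"total": n, "failing": {record_number: [problem, ...]}}.
    """
    records = parse_records(text)
    failures = {}
    for number, rec in enumerate(records, start=1):
        problems = missing_fields(rec)
        if "timestamp" not in problems and not has_valid_timestamp(rec):
            problems.append("timestamp (not ISO 8601 with timezone)")
        if "outcome" not in problems and rec["outcome"] not in ("success", "failure"):
            problems.append("outcome (must be success or failure)")
        if problems:
            failures[number] = problems
    return {"total": len(records), "failing": failures}


if __name__ == "__main__":
    print(json.dumps(audit_log_report(SAMPLE_LOG), indent=2))
```

Run it against a real export and attach the (empty) failure list alongside the screenshot; a non-empty list tells you which log source still needs its schema fixed before the evidence is collected.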
DCF-434 | Policies and Procedures for Logging | Upload your Logging and Monitoring Policy. |
DCF-597 | Baseline Configurations | Upload evidence of documented baseline configurations and hardening standards and policies.
Example: Baseline/hardening standards (e.g., CIS Benchmarks or vendor hardening guidance). |
DCF-800 | AI Governance Policy | Upload your AI governance policy.
Example: Approved AI governance policy covering roles, oversight, accountability, and governance structure; version history and approval records. |
DCF-801 | AI Risk Management Policy | Upload your AI risk management policy.
Example: AI risk management policy defining risk identification, assessment, treatment, monitoring, and escalation; version history and approval. |
DCF-802 | AI Feedback Management | Upload evidence of AI feedback management.
Example: Documented process for collecting, triaging, and responding to internal/external AI feedback (tickets/logs), plus examples of handled feedback items. |
DCF-804 | AI Training | Upload evidence of AI training.
Example: AI-related training materials (slides/videos/agenda) and completion records for relevant personnel within the past year. |
DCF-805 | AI Committees | Upload evidence of AI committees or governance artifacts.
Example: Committee charter, membership list, meeting cadence, and recent meeting minutes/decisions. |
DCF-806 | AI Development and Evaluation Policy | Upload your AI development and evaluation policy. |
DCF-807 | Risk Tolerance | Upload evidence of defined AI risk tolerance.
Example: Documented risk appetite/tolerance statements and decision criteria approved by leadership, including thresholds for deployment/acceptance, a KRI/metrics dashboard, or meeting minutes. |
DCF-808 | Residual Risk | Upload evidence of residual risk decisions.
Example: Risk register plus documented residual risk assessments and formal risk acceptance/exception approvals (sign-offs) with rationale and review dates. |
DCF-809 | AI Practitioner Proficiency | Upload evidence of AI practitioner proficiency.
Example: Role-based competency matrix, qualifications/certifications, training completion, and skills assessments for practitioners. |
DCF-810 | Human Oversight over AI Systems | Upload evidence of human oversight over AI systems.
Example: Documented human oversight policy or procedures, model/use-case approval workflow evidence, and oversight artifacts (e.g., human review logs, ticket examples, monitoring dashboards). |
DCF-811 | AI System Fairness and Bias Evaluation | Upload evidence of AI system fairness and bias evaluation.
Example: Fairness/bias testing reports, dataset analysis, evaluation metrics, remediation actions, and ongoing monitoring evidence (e.g., dashboards, tickets). |
DCF-812 | AI Model Environmental Impact | Upload evidence of assessing AI model environmental impact.
Example: AI environmental impact assessment, cloud sustainability/carbon reports (e.g., AWS/Azure/GCP), or operational controls showing ongoing effort. |
DCF-813 | AI Risk Tracking | Upload evidence of AI risk tracking.
Example: AI risk register and ongoing monitoring reports showing risk status, owners, actions, and updates over time. |
DCF-689 | On-Call Team | Upload evidence of an on-call program/team.
Example: On-call rotation schedule from the incident management platform (e.g., PagerDuty), escalation policies, and recent on-call handoff notes or incident evidence. |
DCF-757 | User and System Guides | Upload evidence showing that your organization provides user guides, help articles, system documentation, or other resources that give users information about the design and operation of the system, functional and nonfunctional requirements related to system processing, and the information specifications required to support use of the system (e.g., links to an external documentation portal or help center, documented user guides).
Example: End-user guides, administrator/system operation guides, and SOPs/runbooks with version history and publication location (wiki/repo). |
DCF-789 | Expectations of Interested Parties | Upload documented expectations of interested parties (stakeholders) relevant to the management system.
Example: Stakeholder register listing needs/expectations, requirements-to-controls mapping (e.g., contract/regulatory and customer security requirements), and meeting minutes with stakeholders and leadership. |
DCF-767 | Incident Procedures When Unauthorized PII Detected | Upload procedures for handling incidents when unauthorized PII is detected.
Example: SOP/runbook describing detection, containment, reporting, assessment, notification decisioning, and remediation steps, plus the Incident Response Plan, Data Loss Prevention Policy, and incident tickets. |
DCF-877 | AI Impact Assessment | Upload the most recent evidence of an AI impact assessment.
Example: Completed impact assessment covering intended use, stakeholders, potential harms/benefits, and mitigations; approval workflow evidence and supporting tickets or meeting minutes. |
DCF-878 | AI Resources | Upload evidence of AI resources.
Example: Resourcing plan/budget, tooling inventory, staffing/role assignments, and evidence that resources are reviewed and maintained. |
DCF-879 | AI Data Management | Upload evidence of AI data management.
Example: AI data management plans/procedures, dataset documentation, operational evidence, and logs/tickets showing it was reviewed and approved. |
DCF-161.AI | Management System Scope (AI) | Upload evidence defining the scope of the AI management system.
This is located in your Artificial Intelligence Management System (AIMS) Plan for ISO 42001.
Example: Documented AI Management System Scope Statement describing boundaries, included AI systems/processes, exclusions, and justification, together with an approval record and evidence of the periodic review cadence. |
DCF-162.AI | Statement of Applicability (AI) | Upload the AI Statement of Applicability (SoA).
This is located in your Artificial Intelligence Management System (AIMS) Plan for ISO 42001.
Example: SoA document listing applicable controls, applicability decisions, implementation status, and references to supporting evidence. |
DCF-164.AI | Management System Management Review (AI) | Upload evidence of management review for the AI management system.
Example: Management review agenda/minutes, inputs/outputs, decisions/actions, and follow-up tracking. |
DCF-170.AI | Management System Objectives (AI) | Upload documented AI management system objectives.
Example: Measurable objectives with owners, timelines, Key Performance Indicators (KPIs), and review cadence; evidence of leadership approval. |
DCF-176.AI | Measurement and Monitoring Plan (AI) | Upload a measurement and monitoring plan for the AI management system.
Example: Monitoring plan defining what is measured, methods, frequency, thresholds, reporting, and corrective action triggers. |
DCF-178.AI | Record Management and Control (AI) | Upload evidence of record management and control for AI management system records.
Example: Records control procedure (retention, access, integrity), records inventory, and examples of controlled records. |
DCF-184.AI | Management System Plan (AI) | Upload the AI management system plan, or Artificial Intelligence Management System (AIMS) Plan. |
DCF-566.AI | Management of Nonconformities (AI) | Upload evidence of management of nonconformities.
Example: Nonconformity procedure, corrective action records, root cause analysis, and tracking to closure. |
