How does the risk assessment process work in Drata?

Annually, your company will want to conduct a risk assessment

Written by Ashley Hyman
Updated over a week ago

HERE'S WHY

In order to prepare for your SOC 2 audit, you will want to undergo an annual risk assessment.

BEFORE DIVING IN

Admins and information security leads will have access to submit risk assessments via Drata.

HERE'S HOW

Navigate to 'Risk Assessment' on the left nav under 'Risk'. From there, you will see 6 cards labeled 'Engineering', 'Legal', 'HR', 'Info Sec', 'Finance' and 'Sales'.

Select the risk assessment type you would like to start with. Note that different team members can complete different forms; they do not all have to be completed by one person.

Assigning an Owner

1. Select the gear icon located in the upper-right corner of the respective assessment card to open the details drawer.

2. Begin typing a user's name in the 'Owner' field. The list auto-populates as you type. Select the appropriate user to be assigned the assessment.

  • NOTE: Both the 'Owner' and 'Due Date' fields are OPTIONAL, and only users whose roles have risk assessment permissions will appear in the owner field.

3. Select the owner, and select an optional due date.

4. When you save your changes, an email is automatically sent to the owner with a direct link to the assessment. The owner and due date will also be displayed within the individual cards.

5. After selecting the risk assessment type you'd like to start with, you will complete the questions provided in the form. You can download the Risk Assessment report at any time by clicking the 'Download Report' button.

NOTE: The report will only contain questionnaire answers for submitted Risk Assessments.

Once downloaded, you can make any additional edits to that report. You will then upload the report to the 'Evidence Library' and link the evidence to DCF-16 (Annual Risk Assessment) and DCF-17 (Remediation Plan).
