Example Evidence for Not Monitored Controls (SOC 2, ISO 27001, HIPAA)
Written by Ethan Heller
Updated over a week ago

The following is a list of example evidence for controls not monitored in Drata for SOC 2, ISO 27001:2013, ISO 27001:2022, and HIPAA. Your auditor may request additional evidence for each control.

Each entry below gives the control code, the control name, the applicable frameworks, and example evidence.

DCF-7

Separate Testing and Production Environments

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshots from test and production environments for the application

DCF-11

Annual Access Control Review

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Tickets documenting the access control lists that were reviewed for in scope cloud environments, SaaS applications, infrastructure as code tools, and security protection tools (as applicable)

2. Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews.

DCF-12

Hardening Standards in Place

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Evidence from infrastructure as code tools showing configurations that would be implemented when new infrastructure is deployed.

2. Any type of document that formally documents the configurations that should be implemented for newly deployed infrastructure.

DCF-16

Annual Risk Assessment

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Most recently completed risk assessment report.

DCF-17

Remediation Plan

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Documented remediation plans for risks identified during the risk assessment.

DCF-18

Quarterly Vulnerability Scan

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Completed quarterly vulnerability scans for the last four quarters.

DCF-19

Annual Penetration Tests

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Most recently completed annual penetration test.

DCF-20

Maintains Asset Inventory

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.)

2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure

DCF-21

Architectural Diagram

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Approved Architectural Diagram

DCF-22

Network segmentation in place

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments.

DCF-26

BCP/DR Tests Conducted Annually

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Most recently completed BCP/DR test.

DCF-35

Security Team Communicates in a Timely Manner

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-42

Defined Management Roles & Responsibilities

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Roles and Responsibilities section from the information security policy.

DCF-43

Termination/Offboarding Checklist

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Formal documented termination checklist/help desk ticket for a recent terminated employee.

DCF-56

Vendor Agreements Maintained

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Executed Agreement/contract between the entity and key vendors.

DCF-57

Vendor Compliance Reports

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots from the vendor directory showing that vendors are categorized based on impact /risk.

2. Review documents showing that vendors' SOC 2 reports were reviewed (Drata can provide a review template for this).

DCF-58

Authentication Protocol

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. If SSO is an option, screenshots of a user logging in with SSO.

2. If username and password is an option, screenshots of a user logging in with a username and password.

3. Screenshots of MFA being required for employee users.

4. If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA.

DCF-59

Role-Based Security Implementation

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots from the application showing how users are assigned roles.

DCF-60

Password Storage

SOC 2, ISO 27001:2013, HIPAA

1. If username and password is an option, screenshots from the database (or the application's password-hashing code and configuration) showing that passwords are stored using a salted, purpose-built password hash such as bcrypt, scrypt, or Argon2 rather than a plain digest or in clear text.
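The screenshot for DCF-60 is more convincing when it is backed by a check you actually ran. The following is an added example, not code from Drata or from this article: it classifies the values found in a password column by their stored format, flags anything that is a bare digest or clear text, and shows a reference implementation of salted storage with the standard library's scrypt. The hash formats, the column layout and the sample rows are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Recognised string encodings of purpose-built, salted password hashes.
# Assumption: the application stores one of these formats in its password column.
_FORMATS = [
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$")),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$")),
    ("scrypt", re.compile(r"^\$scrypt\$|^\$7\$")),
    ("pbkdf2", re.compile(r"^\$pbkdf2-sha(256|512)\$|^pbkdf2_sha256\$")),
    ("sha512crypt", re.compile(r"^\$6\$")),
]
# A bare 32/40/64-character hex string is an unsalted MD5/SHA-1/SHA-256 digest.
_BARE_HEX = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)


def classify_password_hash(stored: str) -> str:
    """Name the storage format of one password-column value."""
    for name, pattern in _FORMATS:
        if pattern.search(stored):
            return name
    if _BARE_HEX.match(stored):
        return "unsalted-digest"  # no salt, fast to crack with rainbow tables / GPUs
    return "plaintext-or-unknown"


def audit_password_column(rows):
    """rows: iterable of (user_id, stored_value). Returns the (user_id, problem) pairs to remediate."""
    findings = []
    for user_id, stored in rows:
        kind = classify_password_hash(stored)
        if kind in ("unsalted-digest", "plaintext-or-unknown"):
            findings.append((user_id, kind))
    return findings


# Reference implementation of salted storage using a memory-hard KDF from the stdlib.
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return "$scrypt$n=16384,r=8,p=1$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    try:
        _, scheme, params, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    kv = dict(item.split("=") for item in params.split(","))
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(kv["n"]), r=int(kv["r"]), p=int(kv["p"]), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


# Constructed sample rows standing in for a SELECT over the users table.
SAMPLE_ROWS = [
    ("alice", "$2b$12$" + "a" * 53),                        # bcrypt
    ("bob", "5f4dcc3b5aa765d61d8327deb882cf99"),            # bare MD5 of "password"
    ("carol", "hunter2"),                                   # clear text
    ("dave", "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$" + "x" * 43),  # Argon2id
]

if __name__ == "__main__":
    for finding in audit_password_column(SAMPLE_ROWS):
        print("remediate:", finding)
```

The audit deliberately inspects only the format prefix, so it can run against an export of the hash column without ever handling users' passwords; the screenshot for the auditor can then show the empty findings list alongside the hashing configuration.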

DCF-61

Customer Data Segregation

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshots from the database showing that customers are assigned separate IDs.

2. Screenshots from the application showing that a customer cannot see data of another customer (attempt to show one customer trying to access data of another customer).
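The second item asks you to demonstrate that one customer cannot read another's data. The following is an added example, not code from Drata or from this article: it contrasts a lookup that trusts the client-supplied record id (the classic insecure direct object reference) with one scoped to the tenant of the authenticated session, and sweeps every tenant/record pair so the isolation claim is verified rather than spot-checked. The table, tenant ids and rows are constructed for the example.

```python
import sqlite3


def seed_db() -> sqlite3.Connection:
    """In-memory database with invoices for two constructed tenants (example data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, 50), (2, 100, 75), (3, 200, 999), (4, 200, 10)],
    )
    return conn


def get_invoice_unscoped(conn, invoice_id):
    # Vulnerable: looks up by the client-supplied id only, so any caller can read any tenant's row.
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_scoped(conn, session_tenant_id, invoice_id):
    # Hardened: the tenant comes from the authenticated session, never from the request,
    # and every query filters on it, so a foreign id simply returns no row.
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, session_tenant_id),
    ).fetchone()


def cross_tenant_probe(conn):
    """The check the auditor asks for: tenant 100 requests invoice 3, which belongs to tenant 200."""
    return {
        "unscoped": get_invoice_unscoped(conn, 3),
        "scoped": get_invoice_scoped(conn, 100, 3),
    }


def verify_isolation(conn) -> bool:
    """Sweep every (tenant, invoice) pair: the scoped lookup must return a row only for the owner."""
    rows = conn.execute("SELECT id, tenant_id FROM invoices").fetchall()
    tenants = {tenant for _, tenant in rows}
    for invoice_id, owner in rows:
        for tenant in tenants:
            got = get_invoice_scoped(conn, tenant, invoice_id)
            if (got is not None) != (tenant == owner):
                return False
    return True


if __name__ == "__main__":
    db = seed_db()
    print(cross_tenant_probe(db))
    print("isolation holds:", verify_isolation(db))
```

The unscoped result in the probe output is exactly what the auditor does not want to see; capture the scoped result (no row) and the sweep result as the evidence.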

DCF-62

Inactivity and Browser Exit Logout

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of users being logged out of the application when browser/tab is closed and being forced to reauthenticate upon next login.

2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to reauthenticate upon next login.

DCF-63

Accepting The Terms of Service

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshots of the new account creation process showing that new users must explicitly or implicitly accept the terms of service.

DCF-69

System Access Granted

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Formal, documented access request form/help desk ticket for a recent new hire.

DCF-72

Unique SSH

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of a user logging into the production systems, showing that they authenticate with their own named account (and their own SSH key) rather than a shared or generic one.

2. Screenshot of the SSH daemon configuration on the production servers showing that direct root login is disabled (for OpenSSH, PermitRootLogin set to no).
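A screenshot of sshd_config can mislead, because OpenSSH takes the first value it sees for a directive and anything under a Match block applies only to that block. The following is an added example, not code from Drata or from this article: it reads sshd_config text the way the daemon does, reports directives that miss the expected hardened value, and lists every UID 0 account in /etc/passwd-style text so an aliased superuser does not slip past the "unique account" requirement. The expected values and both sample files are assumptions constructed for the example.

```python
import re

# Directives a reviewer checks for this control, with the accepted values.
# Assumption: your hardening standard matches these; adjust if it differs.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
}


def effective_sshd_settings(config_text: str) -> dict:
    """Global settings from sshd_config text, keyword lowercased.
    sshd keeps the first value for a keyword (later duplicates are ignored) and
    everything after a Match line is conditional, so this stops there."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def check_sshd_config(config_text: str) -> list:
    """Findings as (directive, actual, expected). An absent directive is reported as 'default';
    PermitRootLogin defaults to prohibit-password, which still allows key-based root login,
    so the auditor wants an explicit 'no'."""
    settings = effective_sshd_settings(config_text)
    return [
        (key, settings.get(key, "default"), "/".join(sorted(accepted)))
        for key, accepted in EXPECTED.items()
        if settings.get(key) not in accepted
    ]


def uid0_accounts(passwd_text: str) -> list:
    """Every account with UID 0; more than 'root' means a second superuser login exists."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/passwd.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
PermitRootLogin yes   # ignored by sshd: the first value above wins
Match User deploy
    PasswordAuthentication yes
"""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/sh
deploy:x:1001:1001::/home/deploy:/bin/bash
"""

if __name__ == "__main__":
    print("weak:", check_sshd_config(WEAK_CONFIG))
    print("hardened:", check_sshd_config(HARDENED_CONFIG))
    print("uid 0 accounts:", uid0_accounts(PASSWD_SAMPLE))
```

On the host itself, `sshd -T` (run as root) prints the effective configuration after parsing, which is the better artifact to screenshot than the raw file; feed its output to `check_sshd_config` for the same result.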

DCF-74

Customers Informed of Changes

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Example emails communicating changes to customers.

2. Screenshots of banners warning customers of downtime prior to system maintenance.

DCF-76

Critical Change Management

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Formal, documented emergency change procedures for critical changes.

DCF-79

Logs Centrally Stored

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots from the location where logs of system activity are stored.

DCF-80

Log Management System

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots from the location where logs of system activity are stored.

DCF-86

Operational Audit

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots from the systems used to monitor for system availability issues.

2. Screenshots showing how personnel would be alerted of availability issues and who would be alerted.

DCF-91

Intrusion Detection System in Place

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.

2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.

3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-92

(Prior Control Name) VPN Required for Production Access

(New Control Name) Encrypted Remote Production Access

*Depending on when your tenant was created, you may see either name.

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of a user attempting to access production systems without being connected to the VPN, showing that access is denied.

2. Screenshots of a user accessing production after connecting to a VPN to show a successful connection.

DCF-95

Monitoring Processing Capacity and Usage

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Evidence that management reviewed processing capacity and usage reports on a quarterly basis

DCF-97

Auto-Scale Configuration

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshot of the auto-scaling configuration (for example, EC2 Auto Scaling groups, or the equivalent in your cloud provider).

DCF-98

Daily Backup Statuses Monitored

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Tickets showing that backup failures were monitored and resolved.

DCF-99

Failed Backup Alert and Action

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Automated configurations from the backup service for notifying personnel when backup processes fail.

2. Example email for a failed backup and ticket documenting resolution.

DCF-100

Backup Integrity and Completeness

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots showing a backup snapshot was restored completely and accurately.

2. Evidence from the annual DR tests showing that backups were restored completely and accurately.

DCF-104

Test Data Used in Test Environment

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshots from the test environment showing that "real" (production) data is not used.

DCF-105

Employee Non-Disclosure Agreement (NDA)

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Example new hire employee agreement, with NDA included.

DCF-108

Storage of Sensitive Data on Paper

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Pictures of secure storage bins from office locations.

DCF-109

Disposal of Sensitive Data on Hardware

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Data Retention Policy, or an equivalent policy, documenting the procedure for disposing of hardware that holds sensitive data.

DCF-110

Application Edits

SOC 2

1. Screenshots of users entering data into the application to confirm that the application limits input values to only valid values.

DCF-111

System Edits

SOC 2

1. Screenshots of user entering data into the application to confirm that the application requires mandatory data to be entered.

DCF-112

Provide Notice of Privacy Practices

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of the new user registration process where new users are provided the notice of privacy practices before completing the registration process.

DCF-113

Review Privacy Notice Annually

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Meeting minutes from management's annual meeting to review privacy practices.

DCF-114

Privacy Policy Publicly Available

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshot of privacy practices posted on the entity's website.

DCF-115

Privacy Policy Inclusions

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Formal, documented privacy practices from the entity's website.

DCF-116

Accept The Privacy Policy

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshots of the new user registration process showing that users are required to explicitly agree to the notice of privacy practices prior to the completion of the registration process.

DCF-117

Minimal Information Required

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshot of all information that the user can enter when providing data through the application.

DCF-118

Third Party Reliability

SOC 2, ISO 27001:2013, ISO 27001:2022

1. For all third parties from which personal information is collected, evidence that management performed appropriate due diligence to ensure that data from third parties was collected fairly and lawfully.

DCF-119

Allowable Use and Disclosure

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Section from privacy practices/policy that covers this item.

DCF-120

Annual Review of Purposes

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Meeting minutes for management's annual review of privacy policies

DCF-121

Purposeful Use Only

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Section from privacy practices/policy that covers this item.

DCF-122

Requests for Deletion

SOC 2

1. Example requests for deletion of personal information and evidence that the data was deleted timely.

DCF-123

Data Destruction Policy

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Formal, documented data deletion policy.

DCF-124

Require Authentication for Access

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of a user authenticating to the application prior to seeing their information.

DCF-125

Users Can Access All Their Information

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of where a user can find their information within the platform (i.e. user profile).

DCF-126

Users Can Update their Information

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of a user modifying their personal information within the application.

DCF-127

Communication to 3rd Parties

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Evidence to support that third parties with whom PII is sent to, were provided requirements for how PII should be handled, according to your requirements.

DCF-128

Disclosure with 3rd Parties

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-129

PII with 3rd Parties and Vendors

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Formal, documented authorized list of third parties that can receive or access PII.

DCF-130

Tracking Breaches of PII

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshots of the incident tracking system used to track breaches or security incidents involving PII.

DCF-131

Incident Report Template and Process

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Formal, documented incident response procedures.

DCF-132

Privacy and Security Requirements in Third-Party Agreements

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Executed agreements (such as Data Processing Agreements, Business Associate Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data.

DCF-133

Unauthorized Disclosures by 3rd Parties

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-134

3rd Parties and Vendors Given Instructions on Breach Reporting

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Executed contracts with third parties that are provided access to PII to confirm that third parties are provided with information on how to report breaches of PII to the entity.

DCF-135

Notice of Breach to Affected Users

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Formal, documented breach notification procedures.

2. Breach Notification Template

DCF-136

Privacy Policy Includes 3rd Party Vendors

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Section from privacy practices on your website showing that 3rd parties that receive PII are listed.

DCF-137

Data Entry Field Completion Automated

SOC 2, ISO 27001:2013

1. Screenshots of a user entering information into the application to confirm that edit checks are included in fields.

DCF-138

Confirmation Before Submission

SOC 2

1. Screenshots of a user entering information into the application to confirm that users are asked to confirm that their information is correct, prior to submitting information.

DCF-139

Contact Information for Privacy Concerns

SOC 2, HIPAA

1. Section from privacy practices on your website showing contact information for how external personnel contact you with inquiries, complaints, and disputes.

DCF-140

Customer Portal

SOC 2, HIPAA

1. Screenshots of how a customer can submit inquiries, complaints or disputes about privacy issues.

DCF-141

Customer Inquiries Tracked

SOC 2, HIPAA

1. Screenshots of the incident tracking system used to track users' complaints, inquiries and disputes.

2. Example submitted inquiries, complaints or disputes and evidence that resolution was communicated to the customer and corrective actions were performed, as necessary.

DCF-142

Quarterly Review of Privacy Compliance

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Meeting minutes from quarterly management meetings for tracking compliance with privacy practices and privacy regulations.

DCF-143

Board Oversight Briefings Conducted

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Meeting minutes from the Board of Directors meeting showing that the state of cybersecurity and privacy risks were discussed.

DCF-144

Board Charter Documented

SOC 2, ISO 27001:2013

1. Copy of Board Charter

DCF-145

Board Expertise Developed

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Board of Directors Backgrounds or Bios

DCF-146

Board Meetings Conducted

SOC 2

1. Meeting minutes from Board meetings

DCF-147

Physical Access to Facilities is Protected

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Physical Access Control Policy

DCF-148

Regression Testing in Place

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Example of regression testing that was performed prior to a recent major product release.

DCF-149

Removable Media Device Encryption

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.

DCF-150

DLP (Data Loss Prevention) Software is Used

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of DLP software.

2. Example of emails being blocked when they contain sensitive data

DCF-151

FIM (File Integrity Monitoring) Software in Place

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of FIM software.

2. Examples of FIM detecting changes.

DCF-152

Virtual Machine OS are Patched Monthly

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Evidence from servers or patching systems showing that operating systems were patched monthly.

DCF-153

Conduct Control Self-Assessments

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of how Drata is used for continuous monitoring of controls.

DCF-154

Annual Incident Response Test

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Most recently completed incident response tabletop test.

DCF-155

Code Changes are Tested

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshots from the ticketing system for a few changes showing that changes were tested.

DCF-156

Production Code Released by Appropriate Personnel

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel.

DCF-157

Cybersecurity Insurance Maintained

SOC 2

1. Cybersecurity insurance certificate.

DCF-158

MFA Available for External Users

SOC 2, ISO 27001:2013, ISO 27001:2022

1. Screenshots from the application showing that customers have the option of using MFA for their accounts.

DCF-160

Continuous Control Monitoring

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Screenshots of how Drata is used for continuous monitoring of controls.

DCF-161

ISMS Scope

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-162

Statement of Applicability

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-163

Interested Parties and Legal Requirements

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-164

ISMS Management Review

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-165

Internal Audit

ISO 27001:2013, ISO 27001:2022

1. Evidence of testing performed for internal audit.

2. Internal audit report.

DCF-166

Business Continuity Plan

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Business Continuity Plan.

DCF-167

Business Impact Analysis

ISO 27001:2013, HIPAA, ISO 27001:2022

1. Business Impact Analysis (Typically part of the business continuity plan).

DCF-168

Vendor Management Policy

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Vendor Management Policy.

DCF-169

Backup Policy

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Backup Policy.

DCF-170

Information Security Objectives

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-171

Operating Procedures

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-172

Organizational Change Management

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-173

Employment Terms & Conditions

ISO 27001:2013, ISO 27001:2022

1. Employee agreement template.

DCF-174

Telework and Endpoint Devices

ISO 27001:2013, ISO 27001:2022

1. Section from the information security policy

DCF-175

ISMS Communication Plan

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-176

Monitoring Plan

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-177

Event Logging

ISO 27001:2013, HIPAA, ISO 27001:2022

1. Section from the Data Protection Policy

DCF-178

ISMS Record Management and Doc Control

ISO 27001:2013, ISO 27001:2022

1. Evidence showing that policy documents are version controlled.

2. Change log from the ISMS policy for the ISMS document.

DCF-179

Information Security Skills Matrix

ISO 27001:2013, HIPAA, ISO 27001:2022

1. Information Security Skills Matrix

DCF-180

Secure Information Transfer

ISO 27001:2013, ISO 27001:2022

1. Section from the Data Protection Policy

DCF-182

Asset Management Policy

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Asset Management Policy.

DCF-183

Vulnerability Management

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Vulnerability Management Policy.

DCF-184

Information Security Management System (ISMS)

ISO 27001:2013, ISO 27001:2022

1. ISMS Plan

DCF-185

Periodic Dynamic Threat Assessment

ISO 27001:2022

  1. Completed Threat Assessment Plan contained within Appendix A of the Security version of the Risk Assessment Policy and Appendix C in the Privacy version of Risk Assessment Policy.

  2. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security issues.

  3. Evidence demonstrating that threats are being assessed according to the defined Threat Assessment Plan.

DCF-186

Data De-identification

ISO 27001:2022

  1. Data Classification Policy

  2. Data Protection Policy

DCF-187

Configuration Management Plan

ISO 27001:2022

  1. Completed Appendix A within the Change Management Policy

DCF-188

Communication with Security and Privacy Organizations

ISO 27001:2022

  1. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security/privacy issues.

  2. Screenshots showing that members of your organization responsible for security or privacy belong to industry groups related to security or privacy.

DCF-189

Activity Review

HIPAA

For this control, your organization will have to define a frequency for each of the three covered activities. This could be weekly, monthly, or quarterly; it will depend on the size of your organization and what makes sense for each of the three areas:

  1. Audit log reviews - A ticket from the ticketing system documenting which audit logs were reviewed, who reviewed them, and when the review was completed.

  2. Security Incident Tracking Reports - A ticket documenting the review of incident reports including who completed the review and when the review was completed. Or meeting minutes demonstrating that incident reports were reviewed including who attended the meeting and the date.

  3. Ticket documenting which system activity logs were reviewed, who reviewed these activity reports, and when the review was completed.

DCF-190

Designated Security Officials

HIPAA

  1. Information Security Policy

or

  1. Job description of the designated Security Official(s) outlining their responsibility for overseeing the organization's compliance with the Security Rule.

DCF-191

Security Updates

HIPAA

  1. Formal documentation describing how the workforce is provided with periodic security updates, including how often security updates are provided.

  2. Example of recent communication used for security updates (i.e. emails, newsletters, posters)

DCF-192

Privacy, Use, and Disclosure

HIPAA

  1. Privacy, Use, and Disclosure Policy

DCF-193

Breach Notification

HIPAA, ISO 27001:2022

  1. Breach Notification Policy

DCF-194

Group Health Plans

HIPAA

  1. Plan documents outlining the requirements mapped to the controls. If you are not a Group Health Plan, then mark this control out of scope.

DCF-195

Business Associate Agreements

HIPAA

  1. Vendor Management Policy

  2. Business Associate Policy

  3. BAA template (if not contained within the Business Associate Policy)

DCF-196

HIPAA Awareness Training

HIPAA

  1. Privacy, Use, and Disclosure Policy

  2. If HIPAA training is not completed inside of Drata, screenshots showing a certificate of completion from the HIPAA training provider.

  3. Any other evidence supporting training on policies and procedures for handling PHI, as applicable.

DCF-197

Document Retention Period

HIPAA

  1. Data Protection Policy

  2. A document retention schedule should additionally be drawn up listing specific types of records, such as Business Associate Agreements, and the retention period such as 7 years. This should be uploaded to the Evidence Library page, and then linked to this control.

  3. Any other policies supporting document retention requirements, as applicable

DCF-283

Secure and Encrypted Data Transmission

ISO 27001:2022

  1. List of all locations where data is transmitted or received over open, public networks.

  2. Documented standards which detail the level of security protocols and cryptographic algorithms used to protect this data.

  3. Screenshots from the system configurations of the systems receiving this data showing the implementation of these security protocols and encryption algorithms.
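For item 3, a screenshot of a load balancer or web server TLS setting shows what was configured, not what the system will actually negotiate. The following is an added example, not code from Drata or from this article: it audits a Python ssl context for the minimum protocol version and for cipher suites that a typical documented standard excludes, and builds a server context restricted to TLS 1.2+ with forward-secret AEAD suites for comparison. The weak-cipher marker list is an assumption constructed for the example; extend it to match your own standard.

```python
import ssl

# Substrings of OpenSSL cipher names that the documented standard should exclude
# (constructed for this example: RC4, single/triple DES, NULL/export/anonymous suites, MD5 MACs).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def audit_cipher_names(names):
    """Return the cipher names that match a weak marker."""
    return [name for name in names if any(marker in name.upper() for marker in WEAK_MARKERS)]


def audit_tls_context(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will actually negotiate: minimum protocol and any weak suites."""
    names = [cipher["name"] for cipher in ctx.get_ciphers()]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": audit_cipher_names(names),
        "cipher_count": len(names),
    }


def hardened_server_context() -> ssl.SSLContext:
    """A server context restricted to TLS 1.2+ and ECDHE AEAD suites (TLS 1.3 suites stay enabled)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!DSS")
    return ctx


if __name__ == "__main__":
    # Constructed list of cipher names, as a scanner or `openssl ciphers -v` might report them.
    reported = ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]
    print("weak suites in reported list:", audit_cipher_names(reported))
    print("hardened context:", audit_tls_context(hardened_server_context()))
```

Capture the dictionary returned for the context your service really uses (the same function works on the context handed to `ssl.wrap`-style helpers in frameworks); `min_version_ok` True and an empty `weak_ciphers` list is the state the auditor expects to see alongside the written standard.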

DCF-292

Periodic Evaluation of Malware Threats

ISO 27001:2022

  1. Job description of the individuals responsible for evaluating new/emerging malware threats.

  2. Screenshots of any tools, group memberships, or mailing lists used to assist in this monitoring.

DCF-312

Annual Training for Developer Secure Coding Techniques

ISO 27001:2022

  1. Screenshots or exported training records showing that developers have received secure coding training, including how to avoid common software vulnerabilities, within the last 12 months.

DCF-313

Application Development based on Secure Coding Guidelines

ISO 27001:2022

  1. Documented software development policies and procedures which include processes to protect custom developed code from common vulnerabilities.

DCF-352

Unique First-time Passwords

ISO 27001:2022

  1. Documented password procedures which define the following requirements:

  • First-time passwords must be set to a unique value for each user.

  • First-time passwords must change after first use.

  • Reset passwords must be set to a unique value for each user.

  • Reset passwords must change after each use.

  2. Screenshots documenting this process of setting first-time and reset passwords.

DCF-356

Authentication Policy Inclusions

ISO 27001:2022

  1. Screenshots showing where employees can find policies and procedures related to Authentication.

  2. Documented policies and procedures related to Authentication which include the following:

  • Guidance on selecting strong authentication credentials.

  • Guidance for how users should protect their authentication credentials.

  • Instructions to not use previously used passwords.

  • Instructions stating to change a password if the password is suspected to be compromised.

DCF-357

Shared Authentication Methods are Prohibited

ISO 27001:2022

  1. System user access lists which show that:

  • Generic user IDs are disabled or removed.

  • Shared user IDs for system administration activities and other critical functions do not exist.

  • Shared and generic user IDs are not used to administer any system component.

  2. Documented policies and procedures related to Authentication which state that shared or group IDs/passwords or other authentication mechanisms are strictly prohibited.

DCF-365

Secure Physical Access Control Mechanisms

ISO 27001:2022

  1. Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling.

DCF-535

Organizational Context

ISO 27001:2022

  1. Section 4.1 of the ISMS Plan.

DCF-557

Shared Account Management

ISO 27001:2022

  1. System Access Control Policy

DCF-558

Allow-by-Exception Rule for Authorized Applications

ISO 27001:2022

Note: Can be marked out of scope if DCF-559 is implemented.

  1. Screenshots from an MDM tool or endpoint device configurations showing that software applications are whitelisted (explicitly allowed).

  2. Screenshot showing that installation of an application not on the approved whitelist has failed for an example endpoint device.

DCF-559

Deny-by-Exception Rule for Unauthorized Applications

ISO 27001:2022

Note: Can be marked out of scope if DCF-558 is implemented.

  1. Screenshots from an MDM tool or endpoint device configurations showing that software applications are blacklisted (explicitly denied).

  2. Screenshot showing that installation of an application on the blacklist has failed for an example endpoint device.

DCF-560

Baselines for Detecting Anomalous Behavior

ISO 27001:2022

  1. Screenshots from your monitoring system showing that alerts are configured to detect suspicious or anomalous activity.

  2. Screenshots showing who gets notified when these alerts trigger.

  3. An example alert that was sent either as a test or from one of the alerts triggering.

DCF-561

System Protection During Audits

ISO 27001:2022

  1. For any planned audits/assessments of your IT systems, documented plans detailing how the systems will be protected during the assessment.

DCF-562

Procedures for Utility Program Use

ISO 27001:2022

  1. Any documented procedures covering who can access utility programs (admin consoles for tools like antivirus, MDM tools, logging systems, etc.)

  2. List of users who currently have access to utility programs.

DCF-563

Environment Identification

ISO 27001:2022

  1. Screenshots showing how environments are identified (for example, by prefixing the hostname of the QA environment with "qa"):

    1. example.com - Production

    2. qa.example.com - QA environment

DCF-564

Secure Development and Test Environments

ISO 27001:2022

  1. Screenshots showing that Operating System updates have been applied to development and test regions.

  2. Screenshots of backup schedules showing that development and test regions are backed up.

  3. Screenshots of logging systems showing that development and test environments are being monitored.

DCF-565

Managing Test Information

ISO 27001:2022

  1. Screenshots showing that test information is used within test environments.

  2. Formally documented approvals if Production information has been copied to the test environment.

  3. SDLC Policy

DCF-566

Register of Non-conformities

ISO 27001:2022

  1. ISMS Plan, Appendix C

DCF-567

Change Management Policy

ISO 27001:2022

  1. Change Management Policy

DCF-568

Records of Competence

ISO 27001:2022

  1. Records showing that all personnel listed in the ISMS Skills Matrix have the qualifications listed such as Resumes, LinkedIn Profiles, Copies of Certifications, etc.
