The following is a list of example evidence for controls not monitored in Drata for SOC 2, ISO 27001:2013, ISO 27001:2022, and HIPAA. Your auditor may request additional evidence for each control.
Code | Name | Applicable Frameworks | Example Evidence |
DCF-7 | Separate Testing and Production Environments | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshots from test and production environments for the application |
DCF-11 | Annual Access Control Review | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Tickets documenting the access control lists that were reviewed for in-scope cloud environments, SaaS applications, infrastructure as code tools, and security protection tools (as applicable). 2. Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews. |
DCF-12 | Hardening Standards in Place | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Evidence from infrastructure as code tools showing configurations that would be implemented when new infrastructure is deployed. 2. Any type of document that formally documents the configurations that should be implemented for newly deployed infrastructure. |
DCF-16 | Annual Risk Assessment | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Most recently completed risk assessment report. |
DCF-17 | Remediation Plan | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Documented remediation plans for risks identified during the risk assessment. |
DCF-18 | Quarterly Vulnerability Scan | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Completed quarterly vulnerability scans for the last four quarters. |
DCF-19 | Annual Penetration Tests | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Most recently completed annual penetration test. |
DCF-20 | Maintains Asset Inventory | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.) 2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure |
DCF-21 | Architectural Diagram | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Approved Architectural Diagram |
DCF-22 | Network segmentation in place | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments. |
DCF-26 | BCP/DR Tests Conducted Annually | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Most recently completed BCP/DR test. |
DCF-35 | Security Team Communicates in a Timely Manner | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel. |
DCF-42 | Defined Management Roles & Responsibilities | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Roles and Responsibilities section from the information security policy. |
DCF-43 | Termination/Offboarding Checklist | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Formal, documented termination checklist/help desk ticket for a recently terminated employee. |
DCF-56 | Vendor Agreements Maintained | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Executed Agreement/contract between the entity and key vendors. |
DCF-57 | Vendor Compliance Reports | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots from the vendor directory showing that vendors are categorized based on impact/risk. 2. Review documents showing that vendors' SOC 2 reports were reviewed (Drata can provide a review template for this). |
DCF-58 | Authentication Protocol | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. If SSO is an option, screenshots of a user logging in with SSO. 2. If username and password is an option, screenshots of a user logging in with a username and password. 3. Screenshots of MFA being required for employee users. 4. If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA. |
DCF-59 | Role-Based Security Implementation | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots from the application showing how users are assigned roles. |
DCF-60 | Password Storage | SOC 2, ISO 27001:2013, HIPAA | 1. If username and password is required, screenshots from the database showing that passwords are stored using a salted hash. |
DCF-61 | Customer Data Segregation | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshots from the database showing that customers are assigned separate IDs. 2. Screenshots from the application showing that a customer cannot see data of another customer (attempt to show one customer trying to access data of another customer). |
DCF-62 | Inactivity and Browser Exit Logout | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of users being logged out of the application when the browser/tab is closed and being forced to reauthenticate upon next login. 2. Screenshots showing that a user is logged out after a pre-defined inactivity timeout and is forced to reauthenticate upon next login. |
DCF-63 | Accepting The Terms of Service | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshots of the new account creation process showing that new users must explicitly or implicitly accept the terms of service. |
DCF-69 | System Access Granted | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Formal, documented access request form/help desk ticket for a recent new hire. |
DCF-72 | Unique SSH | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of a user logging into the production systems, showing that they have to use a unique SSH account. 2. Screenshot of the setting from the production servers showing that the "root" account cannot be used to login to production. |
DCF-74 | Customers Informed of Changes | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Example emails communicating changes to customers. 2. Screenshots of banners warning customers of downtime prior to system maintenance. |
DCF-76 | Critical Change Management | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Formal, documented emergency change procedures for critical changes. |
DCF-79 | Logs Centrally Stored | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots from the location where logs of system activity are stored. |
DCF-80 | Log Management System | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots from the location where logs of system activity are stored. |
DCF-86 | Operational Audit | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots from the systems used to monitor for system availability issues. 2. Screenshots showing how personnel would be alerted of availability issues and who would be alerted. |
DCF-91 | Intrusion Detection System in Place | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled. 2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected. 3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected. |
DCF-92 | (Prior Control Name) VPN Required for Production Access
(New Control Name) Encrypted Remote Production Access
*Depending on when your tenant was created, you may see either name. | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of a user trying to access production systems without being connected to a VPN, showing that access is denied. 2. Screenshots of a user accessing production after connecting to a VPN to show a successful connection. |
DCF-95 | Monitoring Processing Capacity and Usage | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Evidence that management reviewed processing capacity and usage reports on a quarterly basis |
DCF-97 | Auto-Scale Configuration | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshot of auto scaling configurations for EC2 instances. |
DCF-98 | Daily Backup Statuses Monitored | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Tickets showing that backup failures were monitored and resolved. |
DCF-99 | Failed Backup Alert and Action | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Automated configurations from the backup service for notifying personnel when backup processes fail. 2. Example email for a failed backup and ticket documenting resolution. |
DCF-100 | Backup Integrity and Completeness | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots showing a backup snapshot was restored completely and accurately. 2. Evidence from the annual DR tests showing that backups were restored completely and accurately. |
DCF-104 | Test Data Used in Test Environment | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshots from the test environment showing that "real" data is not used. |
DCF-105 | Employee Non-Disclosure Agreement (NDA) | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Example new hire employee agreement, with NDA included. |
DCF-108 | Storage of Sensitive Data on Paper | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Pictures of secure storage bins from office locations. |
DCF-109 | Disposal of Sensitive Data on Hardware | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Data Retention Policy or equivalent policy documenting this policy and procedure. |
DCF-110 | Application Edits | SOC 2 | 1. Screenshots of users entering data into the application to confirm that the application limits input values to only valid values. |
DCF-111 | System Edits | SOC 2 | 1. Screenshots of a user entering data into the application to confirm that the application requires mandatory data to be entered. |
DCF-112 | Provide Notice of Privacy Practices | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of the new user registration process where new users are provided the notice of privacy practices before completing the registration process. |
DCF-113 | Review Privacy Notice Annually | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Meeting minutes from management's annual meeting to review privacy practices. |
DCF-114 | Privacy Policy Publicly Available | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshot of privacy practices posted on the entity's website. |
DCF-115 | Privacy Policy Inclusions | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Formal, documented privacy practices from the entity's website. |
DCF-116 | Accept The Privacy Policy | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshots of the new user registration process showing that users are required to explicitly agree to the notice of privacy practices prior to the completion of the registration process. |
DCF-117 | Minimal Information Required | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshot of all information that the user can enter when providing data through the application. |
DCF-118 | Third Party Reliability | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. For all third parties from which personal information is collected, evidence that management performed appropriate due diligence to ensure that data from third parties was collected fairly and lawfully. |
DCF-119 | Allowable Use and Disclosure | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Section from privacy practices/policy that covers this item. |
DCF-120 | Annual Review of Purposes | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Meeting minutes for management's annual review of privacy policies |
DCF-121 | Purposeful Use Only | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Section from privacy practices/policy that covers this item. |
DCF-122 | Requests for Deletion | SOC 2 | 1. Example requests for deletion of personal information and evidence that the data was deleted timely. |
DCF-123 | Data Destruction Policy | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Formal, documented data deletion policy. |
DCF-124 | Require Authentication for Access | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of a user authenticating to the application prior to seeing their information. |
DCF-125 | Users Can Access All Their Information | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of where a user can find their information within the platform (i.e. user profile). |
DCF-126 | Users Can Update their Information | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of a user modifying their personal information within the application. |
DCF-127 | Communication to 3rd Parties | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Evidence to support that third parties to whom PII is sent were provided requirements for how PII should be handled, according to your requirements. |
DCF-128 | Disclosure with 3rd Parties | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information. |
DCF-129 | PII with 3rd Parties and Vendors | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Formal, documented authorized list of third parties that can receive or access PII. |
DCF-130 | Tracking Breaches of PII | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshots of the incident tracking system used to track breaches or security incidents involving PII. |
DCF-131 | Incident Report Template and Process | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Formal, documented incident response procedures. |
DCF-132 | Privacy and Security Requirements in Third-Party Agreements | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Executed agreements (such as Data Processing Agreements, Business Associate Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data. |
DCF-133 | Unauthorized Disclosures by 3rd Parties | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information. |
DCF-134 | 3rd Parties and Vendors Given Instructions on Breach Reporting | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Executed contracts with third parties that are provided access to PII to confirm that third parties are provided with information on how to report breaches of PII to the entity. |
DCF-135 | Notice of Breach to Affected Users | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Formal, documented breach notification procedures. 2. Breach Notification Template |
DCF-136 | Privacy Policy Includes 3rd Party Vendors | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Section from privacy practices on your website showing that 3rd parties that receive PII are listed. |
DCF-137 | Data Entry Field Completion Automated | SOC 2, ISO 27001:2013 | 1. Screenshots of a user entering information into the application to confirm that edit checks are included in fields. |
DCF-138 | Confirmation Before Submission | SOC 2 | 1. Screenshots of a user entering information into the application to confirm that users are asked to confirm that their information is correct, prior to submitting information. |
DCF-139 | Contact Information for Privacy Concerns | SOC 2, HIPAA | 1. Section from privacy practices on your website showing contact information for how external personnel contact you with inquiries, complaints, and disputes. |
DCF-140 | Customer Portal | SOC 2, HIPAA | 1. Screenshots of how a customer can submit inquiries, complaints or disputes about privacy issues. |
DCF-141 | Customer Inquiries Tracked | SOC 2, HIPAA | 1. Screenshots of the incident tracking system used to track users' complaints, inquiries and disputes. 2. Example submitted inquiries, complaints or disputes and evidence that resolution was communicated to the customer and corrective actions were performed, as necessary. |
DCF-142 | Quarterly Review of Privacy Compliance | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Meeting minutes from quarterly management meetings for tracking compliance with privacy practices and privacy regulations. |
DCF-143 | Board Oversight Briefings Conducted | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Meeting minutes from the Board of Directors meeting showing that the state of cybersecurity and privacy risks were discussed. |
DCF-144 | Board Charter Documented | SOC 2, ISO 27001:2013 | 1. Copy of Board Charter |
DCF-145 | Board Expertise Developed | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Board of Directors Backgrounds or Bios |
DCF-146 | Board Meetings Conducted | SOC 2 | 1. Meeting minutes from Board meetings |
DCF-147 | Physical Access to Facilities is Protected | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Physical Access Control Policy |
DCF-148 | Regression Testing in Place | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Example of regression testing that was performed prior to a recent major product release. |
DCF-149 | Removable Media Device Encryption | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted. |
DCF-150 | DLP (Data Loss Prevention) Software is Used | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of DLP software. 2. Example of emails being blocked when they contain sensitive data |
DCF-151 | FIM (File Integrity Monitoring) Software in Place | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of FIM software. 2. Examples of FIM detecting changes. |
DCF-152 | Virtual Machine OS are Patched Monthly | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Evidence from servers or patching systems showing that operating systems were patched monthly. |
DCF-153 | Conduct Control Self-Assessments | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of how Drata is used for continuous monitoring of controls. |
DCF-154 | Annual Incident Response Test | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Most recently completed incident response tabletop test. |
DCF-155 | Code Changes are Tested | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshots from the ticketing system for a few changes showing that changes were tested. |
DCF-156 | Production Code Released by Appropriate Personnel | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel. |
DCF-157 | Cybersecurity Insurance Maintained | SOC 2 | 1. Cybersecurity insurance certificate. |
DCF-158 | MFA Available for External Users | SOC 2, ISO 27001:2013, ISO 27001:2022 | 1. Screenshots from the application showing that customers have the option of using MFA for their accounts. |
DCF-160 | Continuous Control Monitoring | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Screenshots of how Drata is used for continuous monitoring of controls. |
DCF-161 | ISMS Scope | ISO 27001:2013, ISO 27001:2022 | 1. Will be a part of your ISMS policy. |
DCF-162 | Statement of Applicability | ISO 27001:2013, ISO 27001:2022 | 1. Will be a part of your ISMS policy. |
DCF-163 | Interested Parties and Legal Requirements | ISO 27001:2013, ISO 27001:2022 | 1. Will be a part of your ISMS policy. |
DCF-164 | ISMS Management Review | ISO 27001:2013, ISO 27001:2022 | 1. Will be a part of your ISMS policy. |
DCF-165 | Internal Audit | ISO 27001:2013, ISO 27001:2022 | 1. Evidence of testing performed for internal audit. 2. Internal audit report. |
DCF-166 | Business Continuity Plan | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Business Continuity Plan. |
DCF-167 | Business Impact Analysis | ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Business Impact Analysis (Typically part of the business continuity plan). |
DCF-168 | Vendor Management Policy | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Vendor Management Policy. |
DCF-169 | Backup Policy | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Backup Policy. |
DCF-170 | Information Security Objectives | ISO 27001:2013, ISO 27001:2022 | 1. Will be a part of your ISMS policy. |
DCF-171 | Operating Procedures | ISO 27001:2013, ISO 27001:2022 | 1. Will be a part of your ISMS policy. |
DCF-172 | Organizational Change Management | ISO 27001:2013, ISO 27001:2022 | 1. Will be a part of your ISMS policy. |
DCF-173 | Employment Terms & Conditions | ISO 27001:2013, ISO 27001:2022 | 1. Employee agreement template. |
DCF-174 | Telework and Endpoint Devices | ISO 27001:2013, ISO 27001:2022 | 1. Section from the information security policy |
DCF-175 | ISMS Communication Plan | ISO 27001:2013, ISO 27001:2022 | 1. Will be a part of your ISMS policy. |
DCF-176 | Monitoring Plan | ISO 27001:2013, ISO 27001:2022 | 1. Will be a part of your ISMS policy. |
DCF-177 | Event Logging | ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Section from the Data Protection Policy |
DCF-178 | ISMS Record Management and Doc Control | ISO 27001:2013, ISO 27001:2022 | 1. Evidence showing that policy documents are version controlled. 2. Change log from the ISMS policy for the ISMS document. |
DCF-179 | Information Security Skills Matrix | ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Information Security Skills Matrix |
DCF-180 | Secure Information Transfer | ISO 27001:2013, ISO 27001:2022 | 1. Section from the Data Protection Policy |
DCF-182 | Asset Management Policy | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Asset Management Policy. |
DCF-183 | Vulnerability Management | SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022 | 1. Vulnerability Management Policy. |
DCF-184 | Information Security Management System (ISMS) | ISO 27001:2013, ISO 27001:2022 | 1. ISMS Plan |
DCF-185 | Periodic Dynamic Threat Assessment | ISO 27001:2022 |
|
DCF-186 | Data De-identification | ISO 27001:2022 |
|
DCF-187 | Configuration Management Plan | ISO 27001:2022 |
|
DCF-188 | Communication with Security and Privacy Organizations | ISO 27001:2022 |
|
DCF-189 | Activity Review | HIPAA | For this control, your organization will have to define a frequency for each of the three covered activities. This could be weekly, monthly, or quarterly; it will depend on the size of your organization and what makes sense for each of the three areas:
|
DCF-190 | Designated Security Officials | HIPAA |
or
|
DCF-191 | Security Updates | HIPAA |
|
DCF-192 | Privacy, Use, and Disclosure | HIPAA |
|
DCF-193 | Breach Notification | HIPAA, ISO 27001:2022 |
|
DCF-194 | Group Health Plans | HIPAA |
|
DCF-195 | Business Associate Agreements | HIPAA |
|
DCF-196 | HIPAA Awareness Training | HIPAA |
|
DCF-197 | Document Retention Period | HIPAA |
|
DCF-283 | Secure and Encrypted Data Transmission | ISO 27001:2022 |
|
DCF-292 | Periodic Evaluation of Malware Threats | ISO 27001:2022 |
|
DCF-312 | Annual Training for Developer Secure Coding Techniques | ISO 27001:2022 |
|
DCF-313 | Application Development based on Secure Coding Guidelines | ISO 27001:2022 |
|
DCF-352 | Unique First-time Passwords | ISO 27001:2022 |
|
DCF-356 | Authentication Policy Inclusions | ISO 27001:2022 |
|
DCF-357 | Shared Authentication Methods are Prohibited | ISO 27001:2022 |
|
DCF-365 | Secure Physical Access Control Mechanisms | ISO 27001:2022 |
|
DCF-535 | Organizational Context | ISO 27001:2022 |
|
DCF-557 | Shared Account Management | ISO 27001:2022 |
|
DCF-558 | Allow-by-Exception Rule for Authorized Applications | ISO 27001:2022 | Note: Can be marked out of scope if DCF-559 is implemented.
|
DCF-559 | Deny-by-Exception Rule for Unauthorized Applications | ISO 27001:2022 | Note: Can be marked out of scope if DCF-558 is implemented.
|
DCF-560 | Baselines for Detecting Anomalous Behavior | ISO 27001:2022 |
|
DCF-561 | System Protection During Audits | ISO 27001:2022 |
|
DCF-562 | Procedures for Utility Program Use | ISO 27001:2022 |
|
DCF-563 | Environment Identification | ISO 27001:2022 |
|
DCF-564 | Secure Development and Test Environments | ISO 27001:2022 |
|
DCF-565 | Managing Test Information | ISO 27001:2022 |
|
DCF-566 | Register of Non-conformities | ISO 27001:2022 |
|
DCF-567 | Change Management Policy | ISO 27001:2022 |
|
DCF-568 | Records of Competence | ISO 27001:2022 |
|