Skip to main content
All CollectionsCompliance
Annual Compliance Review
Annual Compliance Review

Ensure your security posture is maintained year to year

Dana Mauger avatar
Written by Dana Mauger
Updated over a week ago


While Drata automatically monitors your controls and gathers evidence, there are some tasks that need to be completed every 12 months to ensure your company maintains its security posture. Drata will send an email notifying you of this 9 months after your first policy was approved (to allow time to reaffirm prior to the 12 month mark).


Some actions are the responsibility of those with Admin or Information security leads within Drata, while others might be shared with others in your organization. Some tasks may be managed outside of Drata. In addition, there are actions your employees have to take every 12 months to maintain compliance.


The items listed below should be updated, executed and/or implemented every 12 months, even if there are no changes from the previous year.

Complete the following in Drata:

  1. Review, update, and approve all policies in the Policy Center

    1. In order to create a new policy version that your personnel and contractors can acknowledge, you will at least need to update the policy renewal date, and select the option for a "material change." This will allow you to proceed with a new version which you can then approve.

      1. Keep in mind that many frameworks require review and approval of your policies annually so make sure to select a policy renewal date that aligns with your compliance program goals.

    2. Once reviewed and approved, please instruct your personnel to sign in to Drata and acknowledge the policies—suggested email template

    3. Note: Set the 'Policy Acceptance Grace Period' in the 'Information Security Policy' to give personnel a window of time to acknowledge/re-acknowledge policies before associated tests fail

  2. If applicable, reset the Annual Security Awareness Training from the Personnel page for all or select individuals (or manually upload new evidence)

  3. Complete your company's Annual Risk Assessment and upload the file to 'Evidence Library'

  4. Review Vendor agreements, update information, and upload current compliance reports

  5. Upload proof of annual Access Control Review

  6. Upload current versions of the following documents to Evidence Library:

    1. Annual Penetration Test

    2. Architecture Diagram

    3. Business Continuity Plan/Data Recovery Plan

    4. Network Diagram

  7. Review and update Account Information as needed

  8. Upload latest evidence for any controls that do not have an automated test, including Custom Controls

Ensure current employees and contractors do the following:

  1. Review and acknowledge policies in Drata

  2. Complete the Annual Security Awareness Trainingeither within Drata or upload proof of completion

Annual compliance best practices associated to controls:

  1. Conduct access control review

  2. Conduct employee performance reviews

  3. Review and update job descriptions as needed

Annual compliance tasks reminder email

Twice a year, Drata will send all admins an email with a reminder to perform tasks that are best practice to perform annually, along with a link to this article. This email is first sent 9 months after the first employee acknowledges one of your policies. The second email is sent 11 months after the first employee acknowledges one of your policies. Then, we send each of the two aforementioned emails annually according to the date they were first sent.

Additional Resources:

Did this answer your question?