When logging into Drata for the first time and looking at the Key Personnel Info page or the Controls page, one of the standout pieces of information requested will be around your Board of Directors. But for many smaller companies, a Board might not exist. And you can’t just create a Board of Directors out of thin air; recruiting or appointing members of a Board takes time. Luckily though, you are not required to create a Board of Directors. In the event that you do not currently have a Board, there are certain controls within Drata that can be modified or marked out of scope, which we will cover below.
DCF-41 Independent Board of Directors
The first control related to a Board of Directors is DCF-41. In the event that you don’t have a Board of Directors, you can mark this control out of scope as well as disable the monitoring test “Independent Board of Directors”. You are not required to have an independent board of directors to meet the SOC 2 criteria (see this help article for more information about whether an independent board of directors is required: https://help.drata.com/en/articles/5633581-are-we-required-to-have-an-independent-board-of-directors).
DCF-143 Board Oversight Briefings Conducted
The second control related to your Board is DCF-143. If you do not have a Board of Directors, we recommend editing the control. The intent of this control is to demonstrate that someone is ultimately responsible for maintaining oversight of your control environment. When a Board of Directors exists, they are ultimately responsible for this. Without a Board, though, this duty falls under Executive Management (or someone or some group designated by Executive Management). For this reason, we suggest changing the name of the control to: “Management Oversight Briefings Conducted”.
The Control Description should be changed to: “The company's executive management team or a relevant appointee is briefed at least annually on the state of the company's cybersecurity and privacy risk. Executive management or their appointee provides feedback and direction as needed.”
The Control Question should then be changed to: “Does the organization conduct management oversight briefings annually to provide an update of the company’s cybersecurity and privacy risk?”
Evidence to support the implementation of this control would then be meeting minutes showing that Executive Management or their appointee was briefed on the state of cybersecurity including the results of your risk assessment, vulnerability scans, and penetration test.
DCF-144 Board Charter Documented
The third control is another control we suggest modifying. The intent of this control is to demonstrate that formal documentation exists stating that some person or some group is responsible for overseeing your control environment. When a Board of Directors exists, this is traditionally captured in a Board Charter. However, without a Board, this documentation is still required, but may be in the form of policies, job descriptions, or some other document. If a Board of Directors does not exist, we recommend changing this Control Name to: “Responsibility for Control Environment Documented”.
The Control Description should be modified to: “The responsibility for managing the controls in place within the organization has been formally documented.”
And the Control Question should read: “Does the organization have formal documentation which outlines the responsibilities of executive management as they relate to internal control?”
As previously mentioned, this documentation can take many forms. The Information Security Policy may state somewhere: “The Executive Management team is responsible for overseeing and managing the implementation of all controls within the company.” Alternatively, the job descriptions for the members of your Executive team might have statements under the “Responsibilities” section noting that they are responsible for overseeing controls implemented at your company. Regardless of where this is documented, this documentation should then be linked to DCF-144.
DCF-145 Board Expertise Developed
The fourth control, Board Expertise Developed, can be marked out of scope. The intent of this control is to show that even though the Board does not have day-to-day responsibilities within the company, they have the expertise to effectively manage the control environment. However, if you don’t have a Board and Executive Management is fulfilling this role, they do have day-to-day responsibilities and are familiar enough with your environment that they can effectively manage it.
DCF-146 Board Meetings Conducted
The final control, Board Meetings Conducted, can also be marked out of scope. With the modification of DCF-143, this control would be redundant if it were changed as well.