Drata

When looking for a ISO 27001 Certification Body, here is a list of questions you should consider asking as part of your evaluation process.

For a company like mine, what Annex A Controls do you think may be Out of Scope or Not Applicable? 

What other items will I need to complete besides my Drata dashboard to be audit ready?

What percentage of controls will you be able to confirm through Drata and how much evidence will I need to manually gather?

From planning to report and certificate delivery, what is the high-level audit process and how long does it typically take to complete?

How much communication should I expect during the audit process?

How will I know if you identify a Non-Conformity? Will we have an opportunity to discuss results prior to the final report and certificate being issued?

What is the typical period of time between the stage 1 and a stage 2 audit?

Will you have to come onsite for our audit? 

Will you have to go to all locations where we have an office?

Ask specific questions on how they would audit your tech stack. For instance, what are the most important controls for S3? What controls would I need for Kubernetes?

- Who is your Accreditation Body?
- For a company like mine, what Annex A Controls do you think may be Out of Scope or Not Applicable? 
- What other items will I need to complete besides my Drata dashboard to be audit ready?
- What percentage of controls will you be able to confirm through Drata and how much evidence will I need to manually gather?
- From planning to report and certificate delivery, what is the high-level audit process and how long does it typically take to complete?
- How much communication should I expect during the audit process?
- How will I know if you identify a Non-Conformity? Will we have an opportunity to discuss results prior to the final report and certificate being issued?
- What is the typical period of time between the stage 1 and a stage 2 audit?
- Will you have to come onsite for our audit? 
- Will you have to go to all locations where we have an office?
- Ask specific questions on how they would audit your tech stack. For instance, what are the most important controls for S3? What controls would I need for Kubernetes?