Skip to main content
All CollectionsEvidence Library
Example Evidence for Not Monitored Controls Linked to Policies
Example Evidence for Not Monitored Controls Linked to Policies
Updated over 2 months ago

Background

This article is intended to serve as a reference for Controls that may show as Ready while only linked to an approved Policy in Drata, but more evidence is recommended from a compliance perspective. Some controls may only require an approved policy as evidence, and will be noted as such in the table below.

For the full list of “Not Monitored” controls, please refer to the following articles. These articles will include additional “Not Monitored” controls that are not linked to policies by Drata and will need additional evidence uploaded to be ready for an audit.

Control Code

Control Name

Applicable Frameworks

Example Evidence

DCF-7

Separate Testing and Production Environments

SOC 2, ISO 27001:13, PCI, ISO 27001:22

1. Screenshots from test and production environments for the application

DCF-11

Annual Access Control Review

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Tickets documenting the access control lists that were reviewed for in scope cloud environments, SaaS applications, infrastructure as code tools, and security protection tools (as applicable) 2. Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews.

DCF-12

Hardening Standards in Place

SOC 2, ISO 27001:13, HIPAA, PCI, ISO 27001:22

1. Evidence from infrastructure as code tools showing configurations that would be implemented when new infrastructure is deployed. 2. Any type of document that formally documents the configurations that should be implemented for newly deployed infrastructure.

DCF-16

Annual Risk Assessment

SOC 2, ISO 27001:13, HIPAA, PCI, ISO 27001:22

1. Most recently completed risk assessment report.

DCF-17

Remediation Plan

SOC 2, ISO 27001:13, HIPAA, PCI, ISO 27001:22

1. Documented remediation plans for risks identified during the risk assessment.

DCF-18

Quarterly Vulnerability Scan

SOC 2, ISO 27001:13, HIPAA, GDPR, PCI, ISO 27001:22

1. Completed quarterly vulnerability scans for the the last four quarters.

DCF-19

Annual Penetration Tests

SOC 2, ISO 27001:13, HIPAA, GDPR, PCI, ISO 27001:22

1. Most recently completed annual penetration test.

DCF-20

Asset Inventory

SOC 2, ISO 27001:13, HIPAA, PCI, ISO 27001:22

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.) 2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure

DCF-21

Architectural Diagram

SOC 2, ISO 27001:13, HIPAA, PCI, ISO 27001:22

1. Approved Architectural Diagram

DCF-22

Network segmentation in place

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments.

DCF-26

BCP/DR Tests Conducted Annually

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Most recently completed BCP/DR test.

DCF-35

Security Team Communicates in a Timely Manner

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshots from communication tools (Slack, PagerDuty, etc.) showing the process for security events to be communicated to appropriate personnel.

DCF-42

Defined Management Roles & Responsibilities

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Roles and Responsibilities section from the information security policy.

DCF-56

Vendor Agreements Maintained

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Executed Agreement/contract between your company and key vendors.

DCF-57

Vendor Compliance Reports

SOC 2, ISO 27001:13, HIPAA ISO 27001:22

1. Screenshots from the vendor directory showing that vendors are categorized based on impact /risk. 2. Review documents showing that vendors' SOC2 reports were reviewed.

DCF-58

Authentication Protocol

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. If SSO is an option, screenshots of a user logging in with SSO. 2. If username and password is an option, screenshots of a user logging in with a username and password. 3. Screenshots of MFA being required for employee users. 4. If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA.

DCF-59

Role-Based Security Implementation

SOC 2, ISO 27001:13, HIPAA, PCI, ISO 27001:22

1. Screenshots from the application showing how users are assigned roles.

DCF-60

Password Storage

SOC 2, ISO 27001:13, HIPAA

1. If username and password is required, screenshots from the database showing that password are stored using a salted hash.

DCF-61

Customer Data Segregation

SOC 2, ISO 27001:13, ISO 27001:22

1. Screenshots from the database showing that customers are assigned separate IDs. 2. Screenshots from the application showing that a customer cannot see data of another customer (attempt to show one customer trying to access data of another customer).

DCF-62

Inactivity and Browser Exit Logout

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshots of users being logged out of the application when browser/tab is closed and being forced to reauthenticate upon next login. 2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to reauthenticate upon next login.

DCF-69

System Access Granted

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1.Formal, documented access request form/help desk ticket for a recent new hire.

DCF-74

Customers Informed of Changes

SOC 2, ISO 27001:13, ISO 27001:22

1. Example emails communicating changes to customers. 2. Screenshots of banners warning customers of downtime prior to system maintenance.

DCF-76

Critical Change Management

SOC 2, ISO 27001:13, ISO 27001:22

1. Formal, documented emergency change procedures for critical changes.

DCF-79

Logs Centrally Stored

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshots from the location where logs of system activity are stored.

DCF-80

Log Management System

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshots from the location where logs of system activity are stored.

DCF-86

Operational Audit

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshots from the systems used to monitor for system availability issues. 2. Screenshots showing how personnel would be alerted of availability issues and who would be alerted.

DCF-91

Intrusion Detection System

SOC 2, ISO 27001:13, HIPAA, PCI, ISO 27001:22

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled. 2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected. 3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-95

Monitoring Processing Capacity and Usage

SOC 2, ISO 27001:13, ISO 27001:22

1. Evidence that management reviewed processing capacity and usage reports on a quarterly basis

DCF-97

Auto-Scale Configuration

SOC 2, ISO 27001:13, ISO 27001:22

1. Screenshot of auto scaling configurations for relevant infrastructure.

DCF-98

Daily Backup Statuses Monitored

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Tickets showing that backup failures were monitored and resolved.

DCF-99

Failed Backup Alert and Action

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Automated configurations from the backup service for notifying personnel when backup processes fail. 2. Example email for a failed backup and ticket documenting resolution.

DCF-100

Backup Integrity and Completeness

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshots showing a backup snapshot was restored completely and accurately. 2. Evidence from the annual DR tests showing that backups were restored completely and accurately.

DCF-104

Test Data Used in Test Environment

SOC 2, ISO 27001:13, PCI, ISO 27001:22

1.Screenshots from the test environment showing that "real" data is not used.

DCF-105

Employee Non-Disclosure Agreement (NDA)

SOC 2, ISO 27001:13, ISO 27001:22

1. Example new hire employee agreement, with NDA included.

DCF-108

Storage of Sensitive Data on Paper

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Pictures of secure storage bins from office locations.

DCF-109

Disposal of Sensitive Data on Hardware

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Data Retention Policy or equivalent policy documenting this policy and procedure.

DCF-113

Review Privacy Notice Annually

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Meeting minutes from management's annual meeting to review privacy practices.

DCF-114

Privacy Policy Publicly Available

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshot of privacy practices posted on the entity's website.

DCF-117

Minimal Information Required

SOC 2, ISO 27001:13, GDPR, ISO 27001:22

1. Screenshot of all information that the user can enter when providing data through the application.

DCF-120

Annual Review of Purposes

SOC 2, ISO 27001:13, HIPAA, GDPR, ISO 27001:22

1. Meeting minutes for management's annual review of privacy policies

DCF-127

Communication to 3rd Parties

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Evidence to support that third parties with whom PII is sent to, were provided requirements for how PII should be handled, according to your requirements.

DCF-128

Disclosure with 3rd Parties

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-129

PII with 3rd Parties and Vendors

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Formal, documented authorized list of third parties that can receive or access PII.

DCF-131

Incident Report Template and Process

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Formal, documented incident response procedures.

DCF-132

Privacy and Security Requirements in Third-Party Agreements

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Executed BAAs or other contractual agreements with third parties and vendors that are provided access to PHI or other sensitive data.

DCF-133

Unauthorized Disclosures by 3rd Parties

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-134

3rd Parties and Vendors Given Instructions on Breach Reporting

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Executed contracts with third parties that are provided access to PII to confirm that third parties are provided with information on how to report breaches of PII to the entity.

DCF-142

Quarterly Review of Privacy Compliance

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Meeting minutes from quarterly management meetings for tracking compliance with privacy practices and privacy regulations.

DCF-144

Board Charter Documented

SOC 2, ISO 27001:13

1. Copy of Board Charter

DCF-145

Board Expertise Developed

SOC 2, ISO 27001:13, ISO 27001:22

1. Board of Directors Backgrounds or Bios

DCF-146

Board Meetings Conducted

SOC 2

1. Meeting minutes from Board meetings

DCF-147

Physical Access to Facilities is Protected

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Physical Access Control Policy

DCF-149

Removable Media Device Encryption

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.

DCF-150

DLP (Data Loss Prevention) Software is Used

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshots of DLP software. 2. Example of emails being blocked when they contain sensitive data

DCF-151

FIM (File Integrity Monitoring) Software in Place

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshots of FIM software. 2. Examples of FIM detecting changes.

DCF-153

Conduct Control Self-Assessments

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshots of how Drata is used for continuous monitoring of controls.

DCF-154

Annual Incident Response Test

SOC 2, ISO 27001:13, HIPAA, PCI, ISO 27001:22

1. Most recently completed incident response tabletop test.

DCF-155

Code Changes are Tested

SOC 2, ISO 27001:13, ISO 27001:22

1. Screenshots from the ticketing system for a few changes showing that changes were tested.

DCF-156

Production Code Released by Appropriate Personnel

SOC 2, ISO 27001:13, ISO 27001:22

1. Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel.

DCF-160

Continuous Control Monitoring

SOC 2, ISO 27001:13, HIPAA, ISO 27001:22

1. Screenshots of how Drata is used for continuous monitoring of controls.

DCF-161

ISMS Scope

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-162

Statement of Applicability

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-163

Interested Parties and Legal Requirements

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-164

ISMS Management Review

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-165

Independent Assessment

ISO 27001:13, ISO 27001:22

1. Evidence of testing performed for internal audit. 2. Internal audit report.

DCF-166

Business Continuity Plan

SOC 2, ISO 27001:2013, HIPAA, PCI, GDPR, ISO 27001:2022

1. Business Continuity Plan.

DCF-167

Business Impact Analysis

ISO 27001:2013, HIPAA, ISO 27001:2022

1. Business Impact Analysis (Typically part of the business continuity plan).

DCF-168

Vendor Management Policy

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Vendor Management Policy.

DCF-170

Information Security Objectives

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-171

Operating Procedures

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-172

Organizational Change Management

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-173

Employment Terms & Conditions

ISO 27001:13, ISO 27001:22

1. Employee agreement template.

DCF-174

Telework and Endpoint Devices

ISO 27001:2013, ISO 27001:2022

1. Section from the information security policy

DCF-175

ISMS Communication Plan

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-176

Monitoring Plan

ISO 27001:2013, ISO 27001:2022

1. Will be a part of your ISMS policy.

DCF-177

Event Logging

ISO 27001:2013, HIPAA, ISO 27001:2022

1. Section from the Data Protection Policy

DCF-178

ISMS Record Management and Doc Control

ISO 27001:13, ISO 27001:22

1. Evidence showing that policy documents are versioned control. 2. Change log from the ISMS policy for the ISMS document.

DCF-179

Information Security Skills Matrix

ISO 27001:13, HIPAA, ISO 27001:22

1. Information Security Skills Matrix (template provides in ISMS Plan for ISO customers)

DCF-180

Secure Information Transfer

ISO 27001:2013, ISO 27001:2022

1. Section from the Data Protection Policy

DCF-182

Asset Management Policy

SOC 2, ISO 27001:2013, HIPAA, ISO 27001:2022

1. Asset Management Policy.

DCF-183

Vulnerability Management

SOC 2, ISO 27001:2013, HIPAA, PCI, GDPR ISO 27001:2022

1. Vulnerability Management Policy.

DCF-184

Information Security Management System (ISMS)

ISO 27001:2013, ISO 27001:2022

1. ISMS Plan

DCF-185

Periodic Dynamic Threat Assessment

ISO 27001:22, NIST SP 800-53r5

1. Completed Threat Assessment Plan contained within Appendix A of the Security version of the Risk Assessment Policy and Appendix C in the Privacy version of Risk Assessment Policy. 2. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security issues. 3. Evidence demonstrating that threats are being assessed according to the defined Threat Assessment Plan

DCF-186

Data De-identification

ISO 27001:2022

Data Classification PolicyData Protection Policy

DCF-187

Configuration Management Plan

ISO 27001:2022

Completed Appendix A within the Change Management Policy

DCF-189

Activity Review

HIPAA

For this control, your organization will have to define a frequency for each of the three covered activities. This could be weekly, monthly, quarterly, it will depend on the size of your organization and what makes sense for each of the three areas: 1. Audit log reviews - A ticket from the ticketing system documenting which audit logs were reviewed, who reviewed them, and when the review was completed. 2. Security Incident Tracking Reports - A ticket documenting the review of incident reports including who completed the review and when the review was completed. Or meeting minutes demonstrating that incident reports were reviewed including who attended the meeting and the date. 3. Ticket documenting which system activity logs were reviewed, who reviewed these activity reports, and when the review was completed.

DCF-190

Designated Security Officials

HIPAA

1. Information Security Policy or 2. Job description of designated Security Official(s) outlining their responsibility for overseeing the organizations’ compliance with the security rule.

DCF-191

Security Updates

HIPAA

1. Formal documentation describing how the workforce is provided with periodic security updates, including how often security updates are provided. 2. Example of recent communication used for security updates (i.e. emails, newsletters, posters)

DCF-192

Privacy, Use, and Disclosure

HIPAA

Privacy, Use, and Disclosure Policy

DCF-193

Breach Notification

HIPAA, ISO 27001:2022

Breach Notification Policy

DCF-195

Business Associate Agreements

HIPAA

1. Vendor Management Policy 2. Business Associate Policy 3. BAA template (if not contained within the Business Associate Policy)

DCF-196

HIPAA Awareness Training

HIPAA

1. Privacy, Use, and Disclosure Policy 2. Screenshots showing a certificate of completion from the HIPAA training provider. 3. Any other evidence supporting training on policies and procedures for handling PHI, as applicable.

DCF-197

Document Retention Period

HIPAA

1. Data Protection Policy 2. A document retention schedule should additionally be drawn up listing specific types of records, such as Business Associate Agreements, and the retention period such as 7 years. This should be uploaded to the Evidence Library page, and then linked to this control. 3. Any other policies supporting document retention requirements, as applicable

DCF-527

Designated Data Protection Officer

GDPR

1. Screenshot or documentation that designates a DPO. See Control Activities for additional guidance on the requirements and expectations of the DPO.

DCF-528

Management of Sensitive Information

GDPR

1.Data Classification Policy as long as it includes: a. Classification for PII b. Handling procedures for PII 2. Any Security Awareness Training materials that include information about handling PII and inform end users how to report security issues.

DCF-535

Organizational Context

GDPR, ISO 27001:13, ISO 27001:22

1. Documentation that discusses how your company fits into the data processing ecosystem and includes each of the areas discussed in the 'Control Activities' section. Please see Appendix B of Drata’s latest Data Protection Policy template for helpful definitions.

DCF-536

Record of Processing Activity (ROPA)

GDPR

1. Completed ROPA documentation that includes the elements described in Control Activities a-g (Please see Appendix A of Drata’s latest Data Protection Policy template for more information on ROPAs). a. Be sure to consider your processing activities across different Personas, such as Marketing and Sales Prospects, Customers, Website Visitors, Employees, etc. It can be helpful to complete a separate ROPA per Persona. b. Further guidance on ROPAs can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/documentation/how-do-we-document-our-processing-activities/ 2. ROPAs are only required in certain circumstances. The Control Activity Note details which circumstances trigger this requirement.

DCF-537

Data Processing Agreements in Place

GDPR

1. DPA templates used when sharing PII with third parties (an example DPA has been included in Appendix A of Drata’s latest Vendor Management Policy Template, for reference). 2. Copies of fully executed contracts with third parties that include DPAs.

DCF-539

Collection of PII from Special Categories

GDPR

1. Completed ROPA (see DCF-536 for more information on ROPAs) documentation that includes: a. Whether or not Special Categories of PII are collected (see Control Activity 1 for details on what PII is considered Special Categories). b. Which allowable conditions are used for collection (see Control Activity 2 for details on which allowable conditions are available).

DCF-557

Shared Account Management

ISO 27001:2022

1. System Access Control Policy

DCF-566

Register of Non-conformities

ISO 27001:2022

1. ISMS Plan, Appendix C

DCF-567

Change Management Policy

ISO 27001:2022

1. Change Management Policy

DCF-568

Records of Competence

ISO 27001:22

1. Records showing that all personnel listed in the ISMS Skills Matrix have the qualifications listed such as Resumes, LinkedIn Profiles, Copies of Certifications, etc.

Did this answer your question?