Drata

We recommend completing the following checklist in sequential order as you work towards your SOC 2 audit. The items listed below are applicable after you have successfully connected your systems in Drata:

Fill in your <a href="https://app.drata.com/account-settings/company-info" rel="nofollow noopener noreferrer" target="_blank">Company Information</a>

Ensure all<a href="https://help.drata.com/en/articles/7973705-policies-to-framework-summary"> relevant policies for SOC 2</a> are drafted, reviewed and approved in your <a href="https://app.drata.com/governance/policies" rel="nofollow noopener noreferrer" target="_blank">Policy Center</a>

Invite your employees to Drata to complete their onboarding process:

1. Device Compliance
2. Background Check (<a href="https://help.drata.com/en/articles/5732624-soc-2-background-checks-faqs">SOC 2 Background Check FAQs</a>)
3. Policy Acceptance (<a href="https://help.drata.com/en/articles/5849305-policy-acceptance-grouping">Policy Acceptance Grouping: Who needs to accept what policy?</a>)
4. Security Awareness Training

Scope out your Trust Services Criteria (SOC 2 Trust Services Categories Overview)

1. You should scope your TSC before beginning working on controls. As you mark TSCs in and out of scope, the controls mapped to those TSCs will be moved in and out of scope accordingly.

Complete <a href="https://app.drata.com/risk-assessment/engineering" rel="nofollow noopener noreferrer" target="_blank">Risk Assessment</a> / <a href="https://app.drata.com/risk-management/risk-register" rel="nofollow noopener noreferrer" target="_blank">Risk Management</a> sections.

1. Risk Assessment
 1. <a href="https://help.drata.com/en/articles/9472625-streamlined-risk-assessment-set-up">Streamlined Risk Assessment set up</a> - resource that you can use to simplify the risk assessment setup process.
 2. <a href="https://help.drata.com/en/articles/9354303-risk-assessment-overview">Risk Assessment Overview</a>
2. <a href="https://help.drata.com/en/articles/6406513-risk-management">Risk Management</a> - this is an add-on feature in Drata to allow you to track Risks within the platform

Download the Risk Assessment Report and ensure to modify the applicable tables and sections to accurately reflect your risk assessment process, and upload to Evidence Library and map to the following controls:

1. <a href="https://app.drata.com/compliance/controls/details/id/43?q=DCF-16&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">DCF-16: Annual Risk Assessment</a>
2. <a href="https://app.drata.com/compliance/controls/details/id/81?q=DCF-17&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">DCF-17: Remediation Plan</a>

Get <a href="https://app.drata.com/compliance/monitoring" rel="nofollow noopener noreferrer" target="_blank">Monitoring Tests</a> to 100% (Please note: All Monitoring Tests have a Learn More button that will take you to a Help Article which will give you more information and provide remediation steps)

Upload <a href="https://app.drata.com/compliance/controls/inscope?isMonitored=false&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">Evidence for Not Monitored Controls</a> referencing our suggested <a href="https://help.drata.com/en/articles/9421165-example-evidence-for-not-monitored-controls-soc-2">Example Evidence for Not Monitored Controls (SOC 2</a>)

1. SOC 2 Type 1 - we recommend to upload evidence before your actual audit date
2. SOC 2 Type 2 - we recommend verifying with your auditor when you can upload evidence. More than likely, your auditor will prefer you upload evidence during your observation period.
3. Note: Please ensure that evidence are uploaded to controls that may show as ready while only linked to an approved policy in Drata (<a href="https://help.drata.com/en/articles/8016471-example-evidence-for-not-monitored-controls-linked-to-policies">Example Evidence for Not Monitored Controls Linked to Policies</a>)

Include all Key Vendors in your <a href="https://app.drata.com/risk/vendors" rel="nofollow noopener noreferrer" target="_blank">Vendors</a> module (<a href="https://help.drata.com/en/articles/6008277-how-to-determine-key-vendors-to-include-in-drata">How to Determine Key Vendors to include in Drata</a>)

1. Perform Vendor Compliance Report Review by following our guidance on <a href="https://help.drata.com/en/articles/7065036-reviewing-your-vendors-soc-2-reports-using-drata">Reviewing Your Vendors' SOC 2 Reports Using Drata</a>
2. If your vendor does not have a SOC 2 Report, but provided their ISO 27001 Certificate, you can use our alternate <a href="https://help.drata.com/en/articles/7792143-iso-27001-certification-review-template">ISO 27001 Certification Review Template</a>
3. If your vendor does not have any Compliance Reports, you can send them a <a href="https://help.drata.com/en/articles/5741004-vendor-security-questionnaire">Vendor Security Questionnaire</a>

Select your SOC 2 Auditor via Drata’s <a href="https://drata.com/auditor/directory" rel="nofollow noopener noreferrer" target="_blank">Auditor Directory</a>. You can interview your potential SOC 2 Auditor using our guidance on what <a href="https://help.drata.com/en/articles/5732618-questions-to-ask-a-potential-soc-2-auditor">Questions to ask a potential SOC 2 auditor</a>

1. Important Note: You can engage at any point with an auditor and is a step we recommend as most control-specific questions are better answered by the auditor Optional: You can discuss a Readiness Assessment with your SOC 2 Auditor to provide extra assurance before the actual audit.

Reach out to your Customer Success Manager to schedule a Pre-Audit Check-in

Set up <a href="https://help.drata.com/en/articles/6928357-audit-hub">Audit Hub</a> and invite your Auditors

Reach out to your Customer Success Manager and let us know the great news!

1. Fill in your <a href="https://app.drata.com/account-settings/company-info" rel="nofollow noopener noreferrer" target="_blank">Company Information</a> 
2. Ensure all<a href="https://help.drata.com/en/articles/7973705-policies-to-framework-summary"> relevant policies for SOC 2</a> are drafted, reviewed and approved in your <a href="https://app.drata.com/governance/policies" rel="nofollow noopener noreferrer" target="_blank">Policy Center</a>
3. Invite your employees to Drata to complete their onboarding process:
 1. Device Compliance
 2. Background Check (<a href="https://help.drata.com/en/articles/5732624-soc-2-background-checks-faqs">SOC 2 Background Check FAQs</a>)
 3. Policy Acceptance (<a href="https://help.drata.com/en/articles/5849305-policy-acceptance-grouping">Policy Acceptance Grouping: Who needs to accept what policy?</a>)
 4. Security Awareness Training
4. Scope out your Trust Services Criteria (SOC 2 Trust Services Categories Overview)
 1. You should scope your TSC before beginning working on controls. As you mark TSCs in and out of scope, the controls mapped to those TSCs will be moved in and out of scope accordingly.
5. Complete <a href="https://app.drata.com/risk-assessment/engineering" rel="nofollow noopener noreferrer" target="_blank">Risk Assessment</a> / <a href="https://app.drata.com/risk-management/risk-register" rel="nofollow noopener noreferrer" target="_blank">Risk Management</a> sections.
 1. Risk Assessment
 1. <a href="https://help.drata.com/en/articles/9472625-streamlined-risk-assessment-set-up">Streamlined Risk Assessment set up</a> - resource that you can use to simplify the risk assessment setup process.
 2. <a href="https://help.drata.com/en/articles/9354303-risk-assessment-overview">Risk Assessment Overview</a>
 2. <a href="https://help.drata.com/en/articles/6406513-risk-management">Risk Management</a> - this is an add-on feature in Drata to allow you to track Risks within the platform
6. Download the Risk Assessment Report and ensure to modify the applicable tables and sections to accurately reflect your risk assessment process, and upload to Evidence Library and map to the following controls:
 1. <a href="https://app.drata.com/compliance/controls/details/id/43?q=DCF-16&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">DCF-16: Annual Risk Assessment</a>
 2. <a href="https://app.drata.com/compliance/controls/details/id/81?q=DCF-17&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">DCF-17: Remediation Plan</a>
7. Get <a href="https://app.drata.com/compliance/monitoring" rel="nofollow noopener noreferrer" target="_blank">Monitoring Tests</a> to 100% (Please note: All Monitoring Tests have a Learn More button that will take you to a Help Article which will give you more information and provide remediation steps)
8. Upload <a href="https://app.drata.com/compliance/controls/inscope?isMonitored=false&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">Evidence for Not Monitored Controls</a> referencing our suggested <a href="https://help.drata.com/en/articles/9421165-example-evidence-for-not-monitored-controls-soc-2">Example Evidence for Not Monitored Controls (SOC 2</a>)
 1. SOC 2 Type 1 - we recommend to upload evidence before your actual audit date
 2. SOC 2 Type 2 - we recommend verifying with your auditor when you can upload evidence. More than likely, your auditor will prefer you upload evidence during your observation period.
 3. Note: Please ensure that evidence are uploaded to controls that may show as ready while only linked to an approved policy in Drata (<a href="https://help.drata.com/en/articles/8016471-example-evidence-for-not-monitored-controls-linked-to-policies">Example Evidence for Not Monitored Controls Linked to Policies</a>)
9. Include all Key Vendors in your <a href="https://app.drata.com/risk/vendors" rel="nofollow noopener noreferrer" target="_blank">Vendors</a> module (<a href="https://help.drata.com/en/articles/6008277-how-to-determine-key-vendors-to-include-in-drata">How to Determine Key Vendors to include in Drata</a>)
 1. Perform Vendor Compliance Report Review by following our guidance on <a href="https://help.drata.com/en/articles/7065036-reviewing-your-vendors-soc-2-reports-using-drata">Reviewing Your Vendors' SOC 2 Reports Using Drata</a>
 2. If your vendor does not have a SOC 2 Report, but provided their ISO 27001 Certificate, you can use our alternate <a href="https://help.drata.com/en/articles/7792143-iso-27001-certification-review-template">ISO 27001 Certification Review Template</a>
 3. If your vendor does not have any Compliance Reports, you can send them a <a href="https://help.drata.com/en/articles/5741004-vendor-security-questionnaire">Vendor Security Questionnaire</a>
10. Select your SOC 2 Auditor via Drata’s <a href="https://drata.com/auditor/directory" rel="nofollow noopener noreferrer" target="_blank">Auditor Directory</a>. You can interview your potential SOC 2 Auditor using our guidance on what <a href="https://help.drata.com/en/articles/5732618-questions-to-ask-a-potential-soc-2-auditor">Questions to ask a potential SOC 2 auditor</a>
 1. Important Note: You can engage at any point with an auditor and is a step we recommend as most control-specific questions are better answered by the auditor Optional: You can discuss a Readiness Assessment with your SOC 2 Auditor to provide extra assurance before the actual audit.
11. Select your Audit Date
12. Reach out to your Customer Success Manager to schedule a Pre-Audit Check-in
13. Set up <a href="https://help.drata.com/en/articles/6928357-audit-hub">Audit Hub</a> and invite your Auditors
14. Complete your SOC 2 Audit
15. Reach out to your Customer Success Manager and let us know the great news!