Drata

We recommend completing the following checklist in sequential order as you work towards your SOC 2 audit. The items listed below are applicable after you have successfully connected your systems in Drata:

Fill in your <a href="https://app.drata.com/account-settings/company-info" rel="nofollow noopener noreferrer" target="_blank">Company Information</a>

Ensure all<a href="https://help.drata.com/en/articles/7973705-policies-to-framework-summary"> relevant policies for SOC 2</a> are drafted, reviewed and approved in your <a href="https://app.drata.com/governance/policies" rel="nofollow noopener noreferrer" target="_blank">Policy Center</a>

Invite your employees to Drata to complete their onboarding process:

1. Device Compliance
2. Background Check (<a href="https://help.drata.com/en/articles/5732624-soc-2-background-checks-faqs">SOC 2 Background Check FAQs</a>)
3. Policy Acceptance (<a href="https://help.drata.com/en/articles/5849305-policy-acceptance-grouping">Policy Acceptance Grouping: Who needs to accept what policy?</a>)
4. Security Awareness Training

Scope out your Trust Services Criteria (<a href="https://help.drata.com/en/articles/5947518-soc-2-trust-services-categories-overview">SOC 2 Trust Services Categories Overview</a>)

Complete <a href="https://app.drata.com/risk-assessment/engineering" rel="nofollow noopener noreferrer" target="_blank">Risk Assessment</a> / <a href="https://app.drata.com/risk-management/risk-register" rel="nofollow noopener noreferrer" target="_blank">Risk Management</a> sections.

1. Risk Assessment
 1. <a href="https://help.drata.com/en/articles/6535770-risk-assessment-simplified">Risk Assessment Simplified</a> - resource that you can use to simplify the formally-written questions
 2. <a href="https://help.drata.com/en/articles/6116040-risk-assessment-results-and-treatment-plan">Risk Assessment Results and Treatment Plan</a> - resource that you can use to guide you through Sections 4 and 5
2. <a href="https://help.drata.com/en/articles/6406513-risk-management">Risk Management</a> - this is an add-on feature in Drata to allow you to track Risks within the platform

Download the Risk Assessment Report (and Risk Treatment document for Risk Management Module) and upload to:

1. <a href="https://app.drata.com/compliance/controls/details/id/43?q=DCF-16&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">DCF-16: Annual Risk Assessment</a>
2. <a href="https://app.drata.com/compliance/controls/details/id/81?q=DCF-17&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">DCF-17: Remediation Plan</a>

Get <a href="https://app.drata.com/compliance/monitoring" rel="nofollow noopener noreferrer" target="_blank">Monitoring Tests</a> to 100% (Please note: All Monitoring Tests have a Learn More button that will take you to a Help Article which will give you more information and provide remediation steps)

Upload <a href="https://app.drata.com/compliance/controls/inscope?isMonitored=false&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">Evidence for Not Monitored Controls</a> referencing our suggested <a href="https://help.drata.com/en/articles/5621854-example-evidence-for-not-monitored-controls-soc-2-iso-27001-hipaa">Example Evidence for Not Monitored Controls </a>

1. SOC 2 Type 1 - we recommend to upload evidence before your actual audit date
2. SOC 2 Type 2 - we recommend verifying with your auditor when you can upload evidence. More than likely, your auditor will prefer you upload evidence during your observation period.
3. Note: Please ensure that evidence are uploaded to controls that may show as ready while only linked to an approved policy in Drata (<a href="https://help.drata.com/en/articles/8016471-example-evidence-for-not-monitored-controls-linked-to-policies">Example Evidence for Not Monitored Controls Linked to Policies</a>)

Include all Key Vendors in your <a href="https://app.drata.com/risk/vendors" rel="nofollow noopener noreferrer" target="_blank">Vendors</a> module (<a href="https://help.drata.com/en/articles/6008277-how-to-determine-key-vendors-to-include-in-drata">How to Determine Key Vendors to include in Drata</a>)

1. Perform Vendor Compliance Report Review by following our guidance on <a href="https://help.drata.com/en/articles/7065036-reviewing-your-vendors-soc-2-reports-using-drata">Reviewing Your Vendors' SOC 2 Reports Using Drata</a>
2. If your vendor does not have a SOC 2 Report, but provided their ISO 27001 Certificate, you can use our alternate <a href="https://help.drata.com/en/articles/7792143-iso-27001-certification-review-template">ISO 27001 Certification Review Template</a>
3. If your vendor does not have any Compliance Reports, you can send them a <a href="https://help.drata.com/en/articles/5741004-vendor-security-questionnaire">Vendor Security Questionnaire</a>

Select your SOC 2 Auditor via Drata’s <a href="https://drata.com/auditor/directory" rel="nofollow noopener noreferrer" target="_blank">Auditor Directory</a>. You can interview your potential SOC 2 Auditor using our guidance on what <a href="https://help.drata.com/en/articles/5732618-questions-to-ask-a-potential-soc-2-auditor">Questions to ask a potential SOC 2 auditor</a>

1. Important Note: You can engage at any point with an auditor and is a step we recommend as most control-specific questions are better answered by the auditor Optional: You can discuss a Readiness Assessment with your SOC 2 Auditor to provide extra assurance before the actual audit.

Reach out to your Customer Success Manager to schedule a Pre-Audit Check-in

Set up <a href="https://help.drata.com/en/articles/6928357-audit-hub">Audit Hub</a> and invite your Auditors

Reach out to your Customer Success Manager and let us know the great news!

1. Fill in your <a href="https://app.drata.com/account-settings/company-info" rel="nofollow noopener noreferrer" target="_blank">Company Information</a> 
2. Ensure all<a href="https://help.drata.com/en/articles/7973705-policies-to-framework-summary"> relevant policies for SOC 2</a> are drafted, reviewed and approved in your <a href="https://app.drata.com/governance/policies" rel="nofollow noopener noreferrer" target="_blank">Policy Center</a>
3. Invite your employees to Drata to complete their onboarding process:
 1. Device Compliance
 2. Background Check (<a href="https://help.drata.com/en/articles/5732624-soc-2-background-checks-faqs">SOC 2 Background Check FAQs</a>)
 3. Policy Acceptance (<a href="https://help.drata.com/en/articles/5849305-policy-acceptance-grouping">Policy Acceptance Grouping: Who needs to accept what policy?</a>)
 4. Security Awareness Training
4. Scope out your Trust Services Criteria (<a href="https://help.drata.com/en/articles/5947518-soc-2-trust-services-categories-overview">SOC 2 Trust Services Categories Overview</a>)
5. Complete <a href="https://app.drata.com/risk-assessment/engineering" rel="nofollow noopener noreferrer" target="_blank">Risk Assessment</a> / <a href="https://app.drata.com/risk-management/risk-register" rel="nofollow noopener noreferrer" target="_blank">Risk Management</a> sections.
 1. Risk Assessment
 1. <a href="https://help.drata.com/en/articles/6535770-risk-assessment-simplified">Risk Assessment Simplified</a> - resource that you can use to simplify the formally-written questions
 2. <a href="https://help.drata.com/en/articles/6116040-risk-assessment-results-and-treatment-plan">Risk Assessment Results and Treatment Plan</a> - resource that you can use to guide you through Sections 4 and 5
 2. <a href="https://help.drata.com/en/articles/6406513-risk-management">Risk Management</a> - this is an add-on feature in Drata to allow you to track Risks within the platform
6. Download the Risk Assessment Report (and Risk Treatment document for Risk Management Module) and upload to:
 1. <a href="https://app.drata.com/compliance/controls/details/id/43?q=DCF-16&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">DCF-16: Annual Risk Assessment</a>
 2. <a href="https://app.drata.com/compliance/controls/details/id/81?q=DCF-17&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">DCF-17: Remediation Plan</a>
7. Get <a href="https://app.drata.com/compliance/monitoring" rel="nofollow noopener noreferrer" target="_blank">Monitoring Tests</a> to 100% (Please note: All Monitoring Tests have a Learn More button that will take you to a Help Article which will give you more information and provide remediation steps)
8. Upload <a href="https://app.drata.com/compliance/controls/inscope?isMonitored=false&amp;page=1" rel="nofollow noopener noreferrer" target="_blank">Evidence for Not Monitored Controls</a> referencing our suggested <a href="https://help.drata.com/en/articles/5621854-example-evidence-for-not-monitored-controls-soc-2-iso-27001-hipaa">Example Evidence for Not Monitored Controls </a>
 1. SOC 2 Type 1 - we recommend to upload evidence before your actual audit date
 2. SOC 2 Type 2 - we recommend verifying with your auditor when you can upload evidence. More than likely, your auditor will prefer you upload evidence during your observation period.
 3. Note: Please ensure that evidence are uploaded to controls that may show as ready while only linked to an approved policy in Drata (<a href="https://help.drata.com/en/articles/8016471-example-evidence-for-not-monitored-controls-linked-to-policies">Example Evidence for Not Monitored Controls Linked to Policies</a>)
9. Include all Key Vendors in your <a href="https://app.drata.com/risk/vendors" rel="nofollow noopener noreferrer" target="_blank">Vendors</a> module (<a href="https://help.drata.com/en/articles/6008277-how-to-determine-key-vendors-to-include-in-drata">How to Determine Key Vendors to include in Drata</a>)
 1. Perform Vendor Compliance Report Review by following our guidance on <a href="https://help.drata.com/en/articles/7065036-reviewing-your-vendors-soc-2-reports-using-drata">Reviewing Your Vendors' SOC 2 Reports Using Drata</a>
 2. If your vendor does not have a SOC 2 Report, but provided their ISO 27001 Certificate, you can use our alternate <a href="https://help.drata.com/en/articles/7792143-iso-27001-certification-review-template">ISO 27001 Certification Review Template</a>
 3. If your vendor does not have any Compliance Reports, you can send them a <a href="https://help.drata.com/en/articles/5741004-vendor-security-questionnaire">Vendor Security Questionnaire</a>
10. Select your SOC 2 Auditor via Drata’s <a href="https://drata.com/auditor/directory" rel="nofollow noopener noreferrer" target="_blank">Auditor Directory</a>. You can interview your potential SOC 2 Auditor using our guidance on what <a href="https://help.drata.com/en/articles/5732618-questions-to-ask-a-potential-soc-2-auditor">Questions to ask a potential SOC 2 auditor</a>
 1. Important Note: You can engage at any point with an auditor and is a step we recommend as most control-specific questions are better answered by the auditor Optional: You can discuss a Readiness Assessment with your SOC 2 Auditor to provide extra assurance before the actual audit.
11. Select your Audit Date
12. Reach out to your Customer Success Manager to schedule a Pre-Audit Check-in
13. Set up <a href="https://help.drata.com/en/articles/6928357-audit-hub">Audit Hub</a> and invite your Auditors
14. Complete your SOC 2 Audit
15. Reach out to your Customer Success Manager and let us know the great news!