HERE’S WHY
Organizations need to both determine and maintain control readiness. With Drata, you can set up internal reviews and approvals for your controls, replacing complex processes that are otherwise spread across multiple tools.
BEFORE DIVING IN
Roles with write access to the Control page can act on and manage Required Approvals. These roles include admins, information security leads, workspace managers, and control managers.
Only the assigned approvers have the ability to ‘Approve’ or ‘Request Changes’.
Control owners and approvers can be the same person.
Auditors with read-only access cannot see the internal notes section, but they have read-only access to the Required Approvals component.
Required Approvals Stages
Once a required approval for a control is set up, there are 4 different review stages the control can go through.
Prepare for approvers
Needs approval
Changes requested
Approved
In the left sidebar of the Controls page, you can filter controls based on the desired review stage. If a control does not have a required approval, the control will be under the ‘No approvals assigned’ filter.
Prepare for approvers
During the ‘Prepare for approvers’ stage, control owners prepare and manage the control information, mapping, and evidence for the approvers. Once the control is ready to be reviewed, any role with write access to the Control page, including the control owner, can select ‘Send to approvers’.
The approvers are notified and assigned the task of reviewing the control. The following image shows when a role receives a request to review required approvals.
Needs approval
In the ‘Needs approval’ stage, only approvers can approve or request changes.
The following images show what the non-approver view and approver view look like in the ‘Needs Approval’ stage.
Added approvers will be notified and the required approval will automatically update to show the latest approvers.
Removed approvers will see the non-approvers view.
You can add or remove approvers by selecting the ‘edit’ icon.
Non-approver view
Approver view
Changes requested
When approvers request changes, they select the evidence that needs to be updated and enter the request details. The reason for the change request is added to the internal notes section for that control, ensuring transparency and accountability.
After the approver sends the request, the control owner is notified, a Drata task is created, and the required approval status is updated to ‘Changes requested’.
These details are added to the internal notes section for that control.
Approved
For the review stage to become ‘Approved’, the required approval must be approved and the next approval deadline must be set.
The following must occur for a control stage to be updated to ‘Approved’:
The approvers must approve the required approvals.
The approver must set the next approval date.
Once the next approval deadline is set, a scheduled task moves the required approval stage back to ‘Needs approval’ 14 days before that deadline, at 2:00 AM UTC, and notifies the approver. Because the control is no longer approved, its readiness status moves to Not Ready.
If the scheduled task fails to update the status, an event is created in Event Tracking to notify the control owner of the failed task. The approver can change the approval deadline by selecting the edit icon, or request changes.
Only approvers can submit a change request by selecting the “Request changes” button. After a change is requested, the control owner is notified.
Note: When you map an approved control that has required approvals to a policy, the control owners are notified and the control’s review status reverts to ‘Prepare for approvers’. To learn more about mapping policies to controls, go to Policy Center: Link your policies to your controls.
FAQ
How can you add evidence after a required approval is approved?
There are 3 ways to add evidence to a control; however, each of them affects an approved required approval.
Add evidence from the control drawer in the Controls page. When evidence is added, edited, or deleted from a required approval that’s approved, the required approval is no longer approved and you will be prompted to select the following options:
Add evidence to the Evidence Library or Policy Center. When evidence is added, a new version is created, or evidence is linked to or unlinked from a control whose required approval is approved, the required approval review stage is updated to ‘Prepare for approvers’. Control owners are notified that they must review the changed evidence in their control drawer before sending the control for approval.
Add evidence from the control drawer in Audit Hub. When evidence is added in the control drawer from the Audit Hub, the required approval updates to 'Needs approval' stage.
How does adding required approvals impact Control Readiness?
When a control does not have a required approval set up, it follows the standard readiness calculation for controls.
When a control has a required approval set up, the control must pass the requirements for readiness and needs to be approved for the control readiness status to go from “Not Ready” to “Ready”.
The following image shows a control that has been approved but does not meet the requirements for readiness.
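As an added illustration (not Drata’s code, and not a description of how Drata implements this), the following Python model captures the behaviour described above: the four stages, the approver-only actions, the scheduled task that reopens an approved control 14 days before its deadline at 2:00 AM UTC, and the readiness rule; the class and function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
REMINDER_LEAD = timedelta(days=14)  # the stage flips back 14 days before the deadline

class Stage(str, Enum):
    PREPARE = "Prepare for approvers"
    NEEDS_APPROVAL = "Needs approval"
    CHANGES_REQUESTED = "Changes requested"
    APPROVED = "Approved"

@dataclass
class Control:
    meets_requirements: bool              # outcome of the standard readiness checks
    approvers: list = field(default_factory=list)
    stage: "Stage | None" = None          # None: no required approval is set up
    next_deadline: "datetime | None" = None
    internal_notes: list = field(default_factory=list)

    def readiness(self) -> str:
        """Ready only if the checks pass and, when a required approval exists, it is Approved."""
        approved = self.stage is None or self.stage == Stage.APPROVED
        return "Ready" if self.meets_requirements and approved else "Not Ready"

    def send_to_approvers(self) -> None:
        if self.stage != Stage.PREPARE:
            raise ValueError("can only send a control that is in 'Prepare for approvers'")
        self.stage = Stage.NEEDS_APPROVAL

    def approve(self, approver: str, next_deadline: datetime) -> None:
        if approver not in self.approvers or self.stage != Stage.NEEDS_APPROVAL:
            raise PermissionError("only an assigned approver can approve a control in 'Needs approval'")
        self.stage, self.next_deadline = Stage.APPROVED, next_deadline

    def request_changes(self, approver: str, reason: str) -> None:
        if approver not in self.approvers or self.stage != Stage.NEEDS_APPROVAL:
            raise PermissionError("only an assigned approver can request changes")
        self.internal_notes.append(f"{approver} requested changes: {reason}")  # audit trail
        self.stage = Stage.CHANGES_REQUESTED

def reminder_time(deadline: datetime) -> datetime:
    """When the scheduled task runs: 14 days before the deadline, at 2:00 AM UTC."""
    return (deadline - REMINDER_LEAD).astimezone(timezone.utc).replace(hour=2, minute=0, second=0, microsecond=0)

def run_scheduled_task(control: Control, now: datetime) -> bool:
    """Moves an Approved control back to 'Needs approval' once the reminder time has passed."""
    if control.stage == Stage.APPROVED and control.next_deadline and now >= reminder_time(control.next_deadline):
        control.stage = Stage.NEEDS_APPROVAL
        return True
    return False
```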
What happens when the approver is no longer at the organization?
Changes happen in every organization: an assigned approver may leave the company or move to a different role. In this case, the approver is removed from the approver list.
If there are no approvers, a red banner is displayed notifying you that an approver is needed. The following image shows a required approval that does not have an approver.
To view the list of controls that do not have approvers, select “No approvers assigned”. You can also filter controls by required approval review status, which includes:
Approved
Changes requested
Needs approval
Prepare for approvers