The following is a list of example evidence for controls not monitored in Drata for ISO 27001.
Note: An auditor may request additional evidence for each control.
Code | Name | Example Evidence |
DCF-5 | Code Repository Controls | Upload evidence of the branch protection settings for relevant code repositories used in production. |
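Screenshots of branch protection settings are what the row above asks for, but an export of the repository's branch protection API response, evaluated against a written baseline, is stronger evidence because it is reproducible. The following is an added example (not Drata's code and not part of the original page); the field names are assumed from GitHub's public REST API (`GET /repos/{owner}/{repo}/branches/{branch}/protection`), the baseline thresholds are assumed, and both sample responses are constructed.

```python
"""Evaluate a GitHub branch protection export against a baseline (added example)."""
import json
from typing import Any, Dict, List

# Settings an auditor would expect on a production branch. Thresholds are assumed
# for this example; align them with your SDLC / change management policy.
BASELINE = {
    "min_approving_reviews": 1,
    "dismiss_stale_reviews": True,
    "enforce_admins": True,
    "require_status_checks": True,
    "forbid_force_pushes": True,
    "forbid_deletions": True,
}


def evaluate_protection(protection: Dict[str, Any], baseline: Dict[str, Any] = BASELINE) -> List[str]:
    """Return findings for one branch; an empty list means the baseline is met.

    `protection` is the JSON body returned by GitHub's
    GET /repos/{owner}/{repo}/branches/{branch}/protection. Field names follow the
    public REST API as understood by the author of this example; a section that is
    absent from the response means that protection is switched off.
    """
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    count = reviews.get("required_approving_review_count", 0)
    if count < baseline["min_approving_reviews"]:
        findings.append(f"required approving reviews is {count}, baseline is {baseline['min_approving_reviews']}")
    if baseline["dismiss_stale_reviews"] and not reviews.get("dismiss_stale_reviews", False):
        findings.append("approvals are not dismissed when new commits are pushed")
    if baseline["enforce_admins"] and not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("administrators can bypass the protection rules (enforce_admins off)")
    checks = protection.get("required_status_checks") or {}
    if baseline["require_status_checks"] and not checks.get("contexts"):
        findings.append("no required status checks (CI/SAST) before merge")
    if baseline["forbid_force_pushes"] and (protection.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force pushes are allowed, so history can be rewritten after review")
    if baseline["forbid_deletions"] and (protection.get("allow_deletions") or {}).get("enabled", False):
        findings.append("branch deletion is allowed")
    return findings


# Constructed sample responses (not real repositories).
COMPLIANT = {
    "required_status_checks": {"strict": True, "contexts": ["ci/test", "security/sast"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

WEAK = {
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {"dismiss_stale_reviews": False, "required_approving_review_count": 0},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}


def evidence_record(repo: str, branch: str, protection: Dict[str, Any]) -> Dict[str, Any]:
    """Bundle the raw export with the evaluation so the evidence is reproducible."""
    return {"repo": repo, "branch": branch, "findings": evaluate_protection(protection), "raw": protection}


if __name__ == "__main__":
    for name, prot in (("example/api@main", COMPLIANT), ("example/web@main", WEAK)):
        repo, branch = name.split("@")
        print(json.dumps(evidence_record(repo, branch, prot), indent=2))
```

Run it over every branch that DCF-6 lists as a deployment source; protection on `main` proves little if releases are cut from an unprotected branch. Keep the raw export next to the findings so the auditor can re-check the evaluation.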
DCF-5,DCF-155 | Software Development Change Control | For an example change (e.g., software development change), upload evidence showing that the change was reviewed, tested, and approved with segregation of duties prior to deployment to production. |
DCF-6 | Change Deployers | Upload evidence showing users with access to deploy changes to production. |
DCF-7 | Separate Testing and Production Environments | Upload evidence showing separate environments exist for development, testing, staging, and production, as applicable. |
DCF-9 | Internal Communication Channels | Upload examples of internal communication channels for employees to report failures, events, incidents, concerns, and other issues. |
DCF-11 | User Access Review | Upload documentation of the most recent user access and permissions review.
Auditors would generally expect to see these review activities done at least annually, with quarterly frequency being the most common. Auditors may also expect that the user access review includes a review of physical access rights, if applicable (e.g., reviews of active personnel in the badge system, etc.) |
DCF-12 | Baseline Configuration and Hardening Standards | Upload evidence of your documented baseline security configuration and hardening standards (e.g., industry-accepted hardening benchmarks or vendor recommendations) and evidence that these are implemented (for example, through infrastructure as code). |
DCF-14 | Organizational Chart | Upload your current organizational chart (e.g., screenshot or export from HRMS showing personnel, their job title, department, reporting lines, etc). |
DCF-16,DCF-17 | Risk Assessment Results | Upload documentation of the most recent risk assessment activities performed (e.g., risk register, risk treatment plan) in accordance with company policies and compliance requirements. |
DCF-19 | Penetration Test | Upload evidence of the most recent penetration testing activities. |
DCF-20 | Asset Inventory | 1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.) |
DCF-22 | Network Diagram | Upload evidence of your current network diagram(s) and evidence of updates/reviews within the past year for accuracy (e.g., emails from responsible personnel confirming the accuracy and completeness of the network diagram(s), etc.) |
DCF-26 | Business Continuity/Disaster Recovery Test | Upload evidence of your most recent business continuity and/or disaster recovery test. |
DCF-28,DCF-30 | Incident Documentation | For an example security event deemed an incident, upload the incident documentation including evidence of internal tracking (e.g., internal ticket), root-cause analysis (RCA)/post-mortem, lessons learned, etc. |
DCF-29 | Incident Response Roles and Responsibilities | Upload evidence of your documented roles and responsibilities for incident response. |
DCF-35 | Security Team Communicates in a Timely Manner | Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel. |
DCF-40 | Contractor Requirements | 1. Executed Agreement/contract between the entity and key vendors. |
DCF-43 | Termination/Offboarding Checklist | 1. Formal documented termination checklist/help desk ticket for a recent terminated employee. |
DCF-46,DCF-179 | Formal Screening Process | Upload evidence of the formal interview/recruitment process for a recently hired personnel. |
DCF-47,DCF-179 | Job Descriptions | Upload documented job descriptions for both a recently hired personnel and an existing personnel. |
DCF-53 | Cryptography Policies | List of all locations where data is transmitted or received over open, public networks. |
DCF-56 | Vendor Agreement | Upload evidence of an example executed agreement with a vendor or service provider. |
DCF-57 | Vendor Register and Agreements | 1. Executed Agreement/contract between the entity and key vendors. |
DCF-58 | Authentication Protocol | 1. If SSO is an option, screenshots of a user logging in with SSO. |
DCF-59,DCF-326,DCF-562 | Administrative Users | Upload screenshots or exports of user lists (with a screenshot of parameters used for exporting) showing the users with administrative or privileged access to the systems (e.g., super users, administrators, power users, etc.) for relevant systems. |
DCF-60 | Secure Password Storage | 1. If username and password authentication is used, screenshots from the database showing that passwords are stored only as salted hashes produced by a password hashing function (e.g., bcrypt, scrypt, Argon2, or PBKDF2), never in plaintext or reversible encryption. |
DCF-62 | Application Logoff | Upload evidence of automated logoff for relevant systems/applications. For example: |
DCF-64 | Commitments Communicated to Customers | 1. Upload evidence of a recently executed service agreement with a customer. |
DCF-65 | Public Privacy Policy/Notice | Add a link to your publicly available privacy policy/notice.
Additional information may be required in the privacy policy to comply with privacy-specific legislation depending on the relevant jurisdiction. Consult with legal counsel. |
DCF-67,DCF-355 | Multi-Factor Authentication | Upload screenshots of the multi-factor authentication configurations for relevant systems (where not integrated with Drata). If MFA is enforced on a per-user level instead of a global setting, upload evidence showing all users have MFA enabled. |
DCF-68 | Password Configurations | Upload evidence of the password requirements enforced for relevant systems to demonstrate that they are implemented in accordance with company policy. |
DCF-69 | Access Provisioning | Upload an example record of access request and approval for a user to be granted permission to a system. |
DCF-70 | Termination/Offboarding | Upload evidence showing the offboarding activities for one recently terminated personnel (e.g., offboarding checklist, IT or help desk ticket). |
DCF-72 | Root Password Login Disabled | Upload evidence showing that root password authentication to production resources (e.g., virtual machines, containers, etc.) is disabled (for example, the effective sshd configuration showing PermitRootLogin set to no or prohibit-password, or PasswordAuthentication set to no). |
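A screenshot of one line in sshd_config is easy to misread: sshd keeps the first value it sees for a keyword (so a later `PermitRootLogin no` does not override an earlier `yes`), and a `Match` block can re-open password login for one subnet. The following is an added example (not Drata's code and not part of the original page) that applies those rules to sshd_config text and reports whether root password login is possible. The defaults assumed are OpenSSH 7.0 and later (PermitRootLogin defaults to prohibit-password, PasswordAuthentication to yes); the three configurations are constructed samples.

```python
"""Decide from sshd configuration whether root can log in with a password (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# "Keyword value" or "Keyword=value"; keyword is the first token.
DIRECTIVE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")


@dataclass
class SshdConfig:
    global_scope: Dict[str, str] = field(default_factory=dict)
    match_blocks: List[Tuple[str, Dict[str, str]]] = field(default_factory=list)


def parse_sshd_config(text: str) -> SshdConfig:
    """Parse sshd_config text with sshd's own rules: keywords are case-insensitive,
    the FIRST value given for a keyword wins, and everything after a `Match` line
    applies only to connections that satisfy that line's criteria."""
    cfg = SshdConfig()
    scope = cfg.global_scope
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            scope = {}
            cfg.match_blocks.append((value, scope))
            continue
        scope.setdefault(key, value.lower())  # first value wins, later ones are ignored
    return cfg


def root_password_login_disabled(cfg: SshdConfig) -> Tuple[bool, List[str]]:
    """Return (disabled, notes). Defaults assumed are OpenSSH >= 7.0: PermitRootLogin
    defaults to prohibit-password and PasswordAuthentication defaults to yes."""
    permit = cfg.global_scope.get("permitrootlogin", "prohibit-password")
    pw_auth = cfg.global_scope.get("passwordauthentication", "yes")
    notes = [f"global: PermitRootLogin={permit} PasswordAuthentication={pw_auth}"]
    possible = permit == "yes" and pw_auth == "yes"
    # A Match block can re-open what the global scope closed, e.g. for one subnet.
    for criteria, overrides in cfg.match_blocks:
        eff_permit = overrides.get("permitrootlogin", permit)
        eff_pw = overrides.get("passwordauthentication", pw_auth)
        notes.append(f"Match {criteria}: PermitRootLogin={eff_permit} PasswordAuthentication={eff_pw}")
        if eff_permit == "yes" and eff_pw == "yes":
            possible = True
    return (not possible), notes


# Constructed samples, not real hosts.
HARDENED = """\
# /etc/ssh/sshd_config
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""

REOPENED_BY_MATCH = """\
PasswordAuthentication yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

FIRST_VALUE_WINS = """\
PermitRootLogin yes
# the line below is ignored by sshd because the keyword was already set
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("reopened", REOPENED_BY_MATCH), ("first-wins", FIRST_VALUE_WINS)):
        disabled, notes = root_password_login_disabled(parse_sshd_config(text))
        print(name, "root password login disabled:", disabled)
        for n in notes:
            print("   ", n)
```

Feed it the output of `sshd -T` rather than the file alone: that prints the effective configuration after `Include` directives (distributions commonly include `/etc/ssh/sshd_config.d/*.conf` at the top of the file, and because the first value wins, a drop-in there beats anything below it) and after defaults are applied. For containers the evidence is usually simpler: no sshd is running at all.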
DCF-74 | Communication of System Changes | 1. Example emails communicating changes to customers. |
DCF-76 | Hot Fixes/Emergency Changes | For a hot fix or emergency change, upload evidence to show that the change followed the standard change management process (reviews, testing and approval) or that it was reviewed and approved by an authorized individual after implementation. |
DCF-77 | Backup and Retention Configurations | Upload evidence showing back-up and retention configurations for production databases (e.g., screenshots showing backup frequency and window, retention period, etc.). |
DCF-79 | Logging System | Screenshots from the location where logs of system activity are stored. |
DCF-80 | Log Management System | 1. Screenshots of logging software alert configuration |
DCF-85 | Network Security Configurations | Upload evidence of network security configurations. |
DCF-88 | Web Application Firewall (WAF) | Upload evidence of web application firewall (WAF) configurations (for example, screenshots showing active WAF rulesets, etc. ) |
DCF-91 | Intrusion Detection/Prevention System | 1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled. |
DCF-92 | Encrypted Connections for Remote Access | Upload evidence that remote access to production resources is only available through an encrypted connection. |
DCF-95 | Processing Capacity Monitoring | Upload evidence of processing capacity monitoring (e.g., screenshots from observability and telemetry tools showing dashboards for utilization metrics, screenshot of alert configurations for resource utilization, etc). |
DCF-97 | Autoscaling | Screenshot of auto scaling configurations for EC2 instances. |
DCF-98 | Daily Backup Statuses Monitored | 1. Tickets showing that backup failures were monitored and resolved. |
DCF-99 | Backup Monitoring | 1. Automated configurations from the backup service for notifying personnel when backup processes fail. |
DCF-100 | Backup Restoration Test | Upload evidence of your most recent test restore of backed-up data completed within the past year. |
DCF-103,DCF-253 | Customer Data Deletion | For a recently churned customer, upload evidence showing that customer data disposal was conducted in accordance with the contractual agreements with the customer. |
DCF-104 | Test Data in Lower Environments | Upload evidence showing that production data is not used in testing, staging or other lower environments. |
DCF-105,DCF-763 | Employee NDA | Upload an example executed agreement addressing confidentiality with recently hired employee (e.g., NDA, PIIA, employment agreement including confidentiality clauses, etc.) |
DCF-105 | Third Party NDA | Upload an example executed agreement with a third party (e.g., vendor, contractor, business partner, etc.) addressing confidentiality. |
DCF-106 | Clean Desk and Clear Screen Policies and Procedures | 1. Acceptable Use Policy |
DCF-107 | Disposal of Sensitive Data on Paper | 1. Observation of hard copy material being disposed |
DCF-108 | Secure Storage Mechanisms | 1. Pictures of secure storage bins from office locations. |
DCF-109 | Disposal of Data on Hardware | Upload evidence for one instance of data disposal on hardware showing that data was disposed securely. |
DCF-112 | Explicit Acknowledgement of Privacy Policy/Notice | Upload screenshots of the account sign up process for your system or application(s) showing users are required to accept the privacy policy/notice prior to using the system. |
DCF-113 | Review Privacy Notice Annually | 1. Meeting minutes from management's annual meeting to review privacy practices. |
DCF-114 | Privacy Policy Publicly Available | 1. Screenshot of privacy practices posted on the entity's website. |
DCF-116 | Acknowledge The Privacy Policy | 1. Screenshots of the new user registration process showing that users are required to explicitly agree to the notice of privacy practices prior to the completion of the registration process. |
DCF-117 | Minimal Information Required | 1. Screenshot of all information that the user can enter when providing data through the application. |
DCF-118 | Third Party Reliability | 1. For all third parties from which personal information is collected, evidence that management performed appropriate due diligence to ensure that data from third parties was collected fairly and lawfully. |
DCF-119 | Allowable Use and Disclosure | 1. Section from privacy practices/policy that covers this item. |
DCF-120 | Privacy Policy Changes Communication | For any recent changes to the public privacy policy, upload evidence showing customers were notified of such changes (Example: screenshots of email notifications sent to customers notifying them of changes to the privacy policy, etc.) and that the privacy policy includes the date the privacy policy was last updated (Example: screenshot or export of the public privacy policy showing last update date). |
DCF-120 | Review of Privacy Policy | Upload evidence of the most recent review of the online privacy policy/notice to show the policy has been reviewed within the past year. |
DCF-121 | Purposeful Use Only | 1. Section from privacy practices/policy that covers this item. |
DCF-123,DCF-253 | Procedures for Information Disposal | Upload your documented procedures for erasure or destruction of information that has been identified for disposal. |
DCF-124 | Require Authentication for Access | 1. Screenshots of a user authenticating to the application prior to seeing their information. |
DCF-125 | Users Can Access All Their Information | 1. Screenshots of where a user can find their information within the platform (i.e. user profile). |
DCF-126 | Personal Information Accessible Through System Authentication | 1. Screenshots of a user modifying their personal information within the application. |
DCF-127 | Privacy Requirements Communicated to Third parties | 1. Evidence to support that third parties with whom PII is sent to, were provided requirements for how PII should be handled, according to your requirements. |
DCF-128 | Disclosure with 3rd Parties | 1. Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information. |
DCF-129 | PII with 3rd Parties and Vendors | 1. Formal, documented authorized list of third parties that can receive or access PII. |
DCF-130 | Documentation of Breaches or Unauthorized Disclosures of PII | 1. Screenshots of the incident tracking system used to track breaches or security incidents involving PII. |
DCF-131 | Incident Report Template and Process | 1. Formal, documented incident response procedures. |
DCF-133 | Unauthorized Disclosures by 3rd Parties | 1. Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information. |
DCF-134 | 3rd Parties and Vendors Given Instructions on Breach Reporting | 1. Executed contracts with third parties that are provided access to PII to confirm that third parties are provided with information on how to report breaches of PII to the entity. |
DCF-135 | Notification of Incidents or Breaches | For one example security incident or breach, upload evidence showing that notification of the incident or breach was given to affected parties and authorities (as applicable) in accordance with company policies and procedures and contractual and legal obligations. |
DCF-136 | Use of Subprocessors Communicated | 1. Section from privacy practices on your website showing that 3rd parties that receive PII are listed. |
DCF-137 | Data Entry Field Completion Automated | 1. Screenshots of a user entering information into the application to confirm that edit checks (input validation) are applied to fields. |
DCF-142 | Quarterly Review of Privacy Compliance | 1. Meeting minutes from quarterly management meetings for tracking compliance with privacy practices and privacy regulations. |
DCF-143 | Board Oversight Briefings Conducted | 1. Meeting minutes from the Board of Directors meeting showing that the state of cybersecurity and privacy risks were discussed. |
DCF-144 | Board Charter Documented | 1. Copy of Board Charter |
DCF-145 | Board Expertise Developed | 1. Board of Directors Backgrounds or Bios |
DCF-147 | Physical Access to Facilities is Protected | 1. Physical Access Control Policy |
DCF-148 | Regression Testing in Place | 1. Example of regression testing that was performed prior to a recent major product release. |
DCF-149 | Removable Media Device Encryption | 1. If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted. |
DCF-150 | Data Leakage Prevention | Upload evidence of the data leakage prevention (DLP) measures implemented in the organization (e.g., screenshots of DLP rules implemented in corporate email service, configurations from DLP tools in place, etc.) |
DCF-151 | FIM (File Integrity Monitoring) Software in Place | 1. Screenshots of FIM software. |
DCF-152,DCF-677 | Automated Operating System Upgrades | Upload evidence showing that automated mechanisms have been implemented to install security upgrades to operating systems (e.g., screenshots showing unattended-upgrades, apt-get update / apt-get upgrade steps within infrastructure as code configuration files, screenshots of the management console for patch management tools such as Automox, etc.) |
DCF-153 | Conduct Control Self-Assessments | 1. Annual internal control assessment report with any identified findings |
DCF-154 | Incident Response Test | Upload evidence of your most recently completed incident response test. |
DCF-156 | Change Release | For an example change release, upload evidence showing that the release was approved by authorized personnel prior to deployment to production (e.g., screenshot of a pull request/ticket showing approval for a release candidate by an authorized personnel). |
DCF-158 | MFA Available for External Users | 1. Screenshots from the application showing that customers have the option of using MFA for their accounts. |
DCF-161 | Management System Scope | ISMS Plan (2013 and 2022) |
DCF-162 | ISO Statement of Applicability | If not managed within Drata's Policy Center, upload your Statement of Applicability (SOA) in conformance with ISO requirements. |
DCF-163 | Interested Parties and Legal Requirements | ISMS Plan (2013 and 2022),AI Governance Policy |
DCF-164 | ISO Management Reviews | Upload evidence of your most recent documented management review for your ISO management system(s) |
DCF-165 | ISO Internal Audits | Upload evidence showing the organization performs internal audits at planned intervals as required by ISO to confirm the management system(s) conforms to the organization's requirements and the referenced standards, and is effectively implemented and maintained (e.g., documentation of the most recent internal audit program(s) and report(s) of audit results for the management system(s), etc.). |
DCF-166 | Business Continuity Plan | 1. Business Continuity Plan. |
DCF-167 | Business Impact Analysis | Upload evidence of your most recent business impact analysis (BIA) activities (e.g., documentation of the identification mission/business processes and recovery criticality, resource requirements, established recovery time and recovery point objectives (RTOs, RPOs), etc.). |
DCF-168 | Vendor Management Policy | Vendor Management Policy |
DCF-170 | Management System Objectives | Information Security Policy,ISMS Plan (2013 and 2022) |
DCF-171 | Documented Operating Procedures | Upload examples of your documented operating procedures for information security activities/controls. |
DCF-172 | Organizational Change Management | 1. ISMS Plan / SDLC Policy / Change Management Policy |
DCF-173,DCF-763 | Employment Contracts | For one example personnel, upload executed employment contracts/agreements outlining the terms and conditions of employment as well as responsibilities during and after employment (e.g., duty of confidentiality, return of assets, protection of intellectual property, etc.). |
DCF-174 | Telework and Endpoint Devices | 1. Information Security Policy |
DCF-175 | Communications Plan | 1. ISMS Plan (2013 and 2022) |
DCF-176 | Measurement and Monitoring Plan | 1. Will be a part of your ISMS policy. |
DCF-177 | Event Logging | 1. Section from the Data Protection Policy |
DCF-178 | Record Management and Control | 1. Evidence showing that policy documents are under version control. |
DCF-179 | ISO Evidence of Competence | Upload evidence for an example personnel with assigned roles within the management system(s) showing that they have the necessary competence to fulfill their duties on the basis of appropriate education, training, or experience. |
DCF-180 | Secure Information Transfer | Data Protection Policy |
DCF-182 | Asset Management Policy | Asset Management Policy |
DCF-184 | Management System Plan | ISMS Plan |
DCF-185 | Threat Intelligence | Upload evidence showing that the organization has implemented mechanisms to collect threat information and produce threat intelligence. |
DCF-186 | Data De-identification | 1. Data Classification Policy |
DCF-188 | Contact with Special Interest Groups | Upload evidence showing that the organization and members of management maintain contact with special interest groups (e.g., security groups, privacy groups, etc.). For example, screenshots or exports showing members of management receive newsletters and updates from professional association groups, email alerts from security advisories such as CISA, participation in conferences, threat advisories, etc. |
DCF-229 | Vendor Default Accounts Disabled, Removed or Changed | 1. Any policy or procedures documenting a requirement stating that ALL vendor supplied default account information must be changed. |
DCF-271 | Key Storage Locations Limited | Upload evidence of where your organization stores cryptographic keys. |
DCF-273 | Strong Key Generation Policies and Procedures | 1. Documented key management procedures which specify how to generate strong cryptographic keys. |
DCF-284 | Key and Certificate Validation | 1. Documented policies and procedures which specify processes for accepting only trusted keys and certificates (Encryption Policy). |
DCF-293 | Anti-Malware Capabilities and Automatic Updates | Upload evidence showing that the deployed anti-malware solution is kept current via automatic updates and is configured to detect all known types of malware and to remove, block, or contain them. |
DCF-294 | Anti-malware Tools Behavior | Upload screenshots from your anti-malware solution console showing it is configured to perform periodic scans and active/real-time scans (e.g., scanning files from external sources as they are downloaded, opened, or executed) or to perform continuous behavioral analysis of systems or processes. |
DCF-305 | Production Components Change Control Procedures | For a non-software development change, upload documentation showing that the change was implemented in accordance with formal change management policies and procedures. For example, documentation of change description, justification, evaluation of security requirements and impact, approval by authorized parties, rollback procedures, etc., and records of testing (for example, acceptance and security impact testing). |
DCF-312 | Secure Code Development Training Record | Upload evidence of secure code development training completed by a member of personnel within the past year. |
DCF-350 | Password History Enforcement | Upload evidence showing that system configuration settings are in place to prevent password reuse in accordance with company policy and compliance requirements for relevant systems. |
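DCF-60 (salted password hashes) and DCF-350 (no reuse of previous passwords) share one mechanism: every stored record has its own random salt, so a reuse check cannot compare hashes directly and must re-derive the candidate password against each historical record. The following is an added example (not Drata's code and not part of the original page) showing both; the scrypt work factors, record format and history depth of five are assumptions for the example.

```python
"""Salted password hashing with a reuse (history) check (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# scrypt work factors assumed for this example; tune them to your login latency budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN, KEY_LEN = 2 ** 14, 8, 1, 16, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$hash' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), b64(salt), b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters and salt stored in the record; constant-time compare."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = record.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    except ValueError:  # malformed record (wrong field count, bad base64, non-numeric params)
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


class PasswordStore:
    """Keeps each user's current record plus the previous HISTORY records (DCF-350)."""

    HISTORY = 5  # assumed depth; set it from your password policy

    def __init__(self) -> None:
        self.records: Dict[str, List[str]] = {}  # user -> [current, previous, older, ...]

    def set_password(self, user: str, password: str) -> bool:
        """Store a new password unless it matches the current or a recent one."""
        history = self.records.get(user, [])
        # Every record has its own salt, so reuse is detected by re-deriving per record,
        # never by comparing hash strings.
        if any(verify_password(password, old) for old in history):
            return False
        self.records[user] = [hash_password(password)] + history[: self.HISTORY]
        return True

    def check_login(self, user: str, password: str) -> bool:
        history = self.records.get(user)
        return bool(history) and verify_password(password, history[0])


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "correct horse battery staple")
    store.set_password("bob", "correct horse battery staple")
    # Same password, different salt, therefore different stored records.
    print("alice:", store.records["alice"][0])
    print("bob:  ", store.records["bob"][0])
```

As evidence for DCF-60, a database screenshot showing two accounts with identical passwords but different stored records demonstrates the salt is per user; a column of identical values for identical passwords is the failure mode to look for. For DCF-350, the screenshot of the configured history depth should be paired with a record like the one above showing the previous hashes are actually retained.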
DCF-352 | Unique First-time Passwords With One-Time Use | Upload evidence showing that for organization systems passwords are set to a unique value for first-time use and upon reset and temporary initial passwords are forced to be changed immediately after the first use. |
DCF-356 | Communication of Authentication Best Practices | |
DCF-363 | Entry Controls in Place | |
DCF-365 | Secure Physical Access Control Mechanisms | 1. Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling. |
DCF-369 | Restricted Physical Access to Network Components | 1. Observation of physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the company facilities being restricted |
DCF-374 | Visitors Authorized and Escorted | 1. Observation of a visitor being escorted when entering company facilities |
DCF-375 | Personnel and Visitor Badges | 1. Observation of visitor obtaining a visitor badge and example of a visitor badge |
DCF-378 | Visitor Log | Upload evidence to show that a visitor log is maintained to keep an audit trail of visitor activity to the company facilities, computer rooms or data centers where sensitive data may be stored or transmitted (e.g., scan or photograph of the visitor log for an example day, etc.) |
DCF-381 | Media Physically Secured or Encrypted | Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes). |
DCF-384 | Media Classification | Screenshots and/or pictures showing how media is classified including labels showing data sensitivity. |
DCF-386,DCF-385 | Management Approval for Media Transport | For one instance of media moved outside or within the facilities, upload evidence of management's documented approval for the movement of media. |
DCF-388 | Media Inventory Logs | If your organization manages electronic media with sensitive data, upload evidence of your media inventory. |
DCF-406 | Audit Logging | Screenshots showing that audit trails are enabled and active for in-scope systems |
DCF-407 | Audit Logs Data Points | Upload evidence showing that audit logs have been configured to contain user or identity, type of event, date and time, success and failure indication, origination of event, affected data, and system component, resource, or service. |
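Rather than a screenshot of one well-formed event, a check run over a sample of real log lines shows that every event carries the data points listed above. The following is an added example (not Drata's code and not part of the original page); the JSON field names (`actor`, `event`, `timestamp`, `outcome`, `source_ip`, `target`, `component`) are an assumed schema to be mapped per log source, and the four sample lines are constructed.

```python
"""Check that audit log events carry the data points DCF-407 asks for (added example)."""
import json
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# DCF-407 data points mapped to the field names of our JSON audit schema. The field
# names are assumed for this example; map them per log source (CloudTrail, auditd, app logs).
REQUIRED_FIELDS = {
    "user or identity": "actor",
    "type of event": "event",
    "date and time": "timestamp",
    "success or failure indication": "outcome",
    "origination of event": "source_ip",
    "affected data": "target",
    "system component, resource, or service": "component",
}


def parse_timestamp(value: str) -> Optional[datetime]:
    """Return an aware datetime for an RFC 3339 timestamp, else None. A timestamp
    without a UTC offset cannot be correlated across systems (see DCF-421/422)."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None
    return dt if dt.tzinfo is not None else None


def check_event(line: str) -> List[str]:
    """Return the problems found in one log line; an empty list means it is complete."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(ev, dict):
        return ["not a JSON object"]
    problems = [f"missing {name} ({field})" for name, field in REQUIRED_FIELDS.items() if not ev.get(field)]
    if ev.get("timestamp") and parse_timestamp(ev["timestamp"]) is None:
        problems.append("timestamp is not RFC 3339 with a UTC offset")
    if ev.get("outcome") not in (None, "success", "failure"):
        problems.append(f"outcome {ev['outcome']!r} is not success/failure")
    return problems


def check_log(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to their problems, omitting complete events."""
    report = {}
    for lineno, line in enumerate(lines, 1):
        problems = check_event(line)
        if problems:
            report[lineno] = problems
    return report


# Constructed sample events (not from a real system).
SAMPLE_LINES = [
    '{"timestamp": "2024-03-04T12:00:01Z", "actor": "svc-deploy", "event": "iam.role.assume", '
    '"outcome": "success", "source_ip": "10.1.2.3", "target": "role/prod-deployer", "component": "iam"}',
    '{"timestamp": "2024-03-04T12:00:02+00:00", "event": "db.query", "outcome": "ok", '
    '"source_ip": "10.1.2.4", "target": "customers", "component": "postgres"}',
    '{"timestamp": "2024-03-04 12:00:03", "actor": "alice", "event": "login", "outcome": "failure", '
    '"source_ip": "203.0.113.7", "target": "alice", "component": "sso"}',
    "Mar  4 12:00:04 host sshd[123]: Accepted publickey for alice",
]

if __name__ == "__main__":
    for lineno, problems in check_log(SAMPLE_LINES).items():
        print(f"line {lineno}: " + "; ".join(problems))
```

The report over a day's sample, together with the schema mapping, is the evidence; a non-empty report is itself a useful finding, since a source that logs "ok" instead of success/failure or omits the actor will not support the invalid-access and privileged-access trails asked for in DCF-409 and DCF-411.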
DCF-409 | Audit Trail for Privileged Access | Upload evidence showing that audit trails or logs are implemented for system components to capture all actions taken by any identities with administrative access, including execution of privileged functions and any interactive use of application or system accounts. |
DCF-411 | Audit Trail for Invalid Access Attempts | Upload evidence showing that audit trails or logs are implemented for system components to capture invalid access attempts. |
DCF-412 | Audit Trail for Identification and Authentication Mechanism Changes | Upload evidence showing that audit trails or logs are implemented for system components to capture changes to identification and authentication credentials (e.g., creation of new accounts, elevation of privileges, changes, additions, or deletions to accounts with administrative access, etc.). |
DCF-414 | Audit Trail of System-Level Object Changes | Upload evidence showing that audit trails or logs are implemented for system components to capture all creation and deletion of system-level objects. |
DCF-421 | Clock Synchronization | Upload evidence showing that the organization synchronizes all critical system clocks and times using time-synchronization technology (such as Network Time Protocol (NTP)). |
DCF-422,DCF-423,DCF-424 | System Time Source | Upload evidence showing that internal systems receive time information only from designated central time server or servers that are configured to receive time from industry-accepted external sources based on International Atomic Time or Coordinated Universal Time (UTC). |
DCF-429 | Access to Audit Trails | Upload evidence of the users with elevated access to log systems and log data. |
DCF-430 | Audit Trail Files Protected | 1. Screenshots or pictures showing that audit trails are protected from unauthorized access/modification/deletion through access control mechanisms, physical segregation, and/or logical network segregation. |
DCF-434 | Policies and Procedures for Logging | Logging and Monitoring Policy |
DCF-441 | Audit Log Retention Period | Upload evidence of your configured retention periods for audit logs. |
DCF-478 | Change Detection Mechanism | 1. Screenshots from the change detection solution (such as File Integrity Monitoring) and relevant change detection system configurations showing what is monitored. |
DCF-503 | Periodic Security Updates | Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (e.g., screenshots of internal newsletters or intranet with security reminders, security updates sent out via Slack or other internal communication channels, etc.) |
DCF-507 | Vendor Due Diligence | For any new service provider or vendor, you'll need to perform due diligence on (evaluate) them prior to engaging with them. Due diligence can consist of reviewing security questionnaires or obtaining confirmation that they have compliance certifications (such as a SOC 2). You should document the results of your due diligence as well as the day it was completed. |
DCF-527 | Designated Data Protection Officer | Upload evidence showing that a data protection officer has been officially appointed (e.g., internal privacy policies, RACI matrix, job descriptions, etc. identifying the data protection officer, etc.). |
DCF-535 | Organizational Context | 1. Documentation that discusses how your company fits into the data processing ecosystem and includes each of the areas discussed in the 'Control Activities' section. Please see Appendix B of Drata’s latest Personal Data Management Policy template for helpful definitions. |
DCF-537,DCF-132 | Data Processing Agreements with Subprocessors | Upload one example of an executed data processing agreement (DPA) with a subprocessor. |
DCF-557 | Shared Account Management | For any highly privileged shared accounts, upload evidence of the business justification and evidence of how these shared accounts are securely managed. |
DCF-558 | Restrictions on Software Installation | Upload evidence showing that the organization has implemented mechanisms to prevent the installation and use of unauthorized software in company-managed assets (e.g., screenshots from MDM tools showing rules preventing software installation are enforced on company devices, access controls limiting access to run executables, etc.) |
DCF-566 | ISO Management of Nonconformities | Upload evidence showing that your organization is managing nonconformities in accordance with ISO requirements. |
DCF-567 | Change Management Policy | Change Management Policy |
DCF-569 | Information Labeling | 1. Data Protection Policy and Data Classification Policy |
DCF-570 | Disciplinary Process | Upload your company's documented disciplinary process. The disciplinary process may be an HR-owned process available and communicated to employees through employee handbooks, code of conduct, etc, or included within an information security policy document. |
DCF-571 | Fire Detection and Suppression | 1. Observation of fire detection and suppression systems installed in critical locations |
DCF-572 | Temperature Monitoring Systems | 1. Observation of systems in place to monitor and control air temperature and humidity at appropriate levels |
DCF-573 | Uninterruptible Power Supply | 1. Observation of uninterruptible power supply (UPS) systems in place for data centers or server rooms |
DCF-574 | Mobile Device Management Software | Upload evidence to show that a mobile device management (MDM) tool has been implemented to enforce security controls on mobile devices (e.g., screenshots from the MDM's centralized management console, screenshots of baseline configurations, security policies or blueprints enforced on devices per OS type, etc.) |
DCF-611 | Obscured Authentication Feedback | 1. Screenshot of user interface during the authentication process to show authentication feedback is hidden (e.g. password entry fields displaying asterisks or limited visibility feedback) |
DCF-637 | Documented Secure Development Process | Upload documentation of your organization's secure development processes. |
DCF-678 | Network Security Policy | Network Security Policy |
DCF-681 | Phishing Simulations | Upload evidence showing phishing simulations are conducted as part of the company's security awareness initiatives. |
DCF-684 | Redundancy of Processing | 1. Provide evidence that redundancy strategies were implemented for equipment, systems and processes as deemed necessary per the business continuity plans |
DCF-687 | Email Authentication/Phishing and Spam Detection | Upload evidence showing that phishing and spam detection mechanisms have been implemented in your organization. |
DCF-688 | Return of Assets | For one recently terminated personnel, upload evidence showing that assets were returned to the company. |
DCF-689 | On-call Team | Upload evidence of on-call rotation schedule. |
DCF-694 | Approved Usage of Unencrypted Media | For any unencrypted physical media and/or portable devices used, upload evidence of documented business justification and approval from management for its use. |
DCF-698 | Automated Mechanisms for Audit Log Reviews | Screenshot of the configuration from audit log review solutions such as centralized log management systems, event log analyzers, security information and event management (SIEM) solutions, etc. |
DCF-707 | Credentials for System Accounts Not Hard-Coded | Upload evidence showing that the organization has implemented mechanisms to validate that authentication credentials for any application and system accounts are not hard coded in scripts, configuration/property files, or bespoke and custom source code. |
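The usual evidence for this row is the configuration of a secret scanner running as a pre-commit hook or CI step plus an example run. The following is an added example (not Drata's code and not part of the original page) of the core of such a check: a handful of detectors run over source and configuration text, with references to secrets (environment variables, placeholders) filtered out so they are not reported as findings. The detector set is illustrative and the four sample files are constructed; the AWS key pair in them is the example pair from AWS's own documentation, not a live credential.

```python
"""Find hard-coded credentials in source and config text (added example)."""
import re
from typing import Dict, List, Tuple

# Illustrative detectors; production scanners (gitleaks, trufflehog, etc.) carry far
# larger rule sets. Group 1, when present, is the secret value.
DETECTORS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
    ("credential assignment", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)[a-z_]*\s*[:=]\s*[\"']?([^\"'\s]{8,})[\"']?")),
    ("credential in connection URL", re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@")),
]

# Values that are references to a secret, not the secret itself.
PLACEHOLDER = re.compile(
    r"(?i)^(?:\$\{?[A-Z0-9_]+\}?|<[^>]+>|changeme|x{3,}|\*{3,}|os\.environ.*|env\(.*)$")

Finding = Tuple[str, int, str, str]  # (file, line number, detector, redacted value)


def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be located without copying the secret into evidence."""
    return secret[:4] + "..." if len(secret) > 4 else "..."


def scan_text(name: str, text: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in DETECTORS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDER.match(value):
                continue  # e.g. password: "${DB_PASSWORD}" is a reference, not a secret
            findings.append((name, lineno, label, redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample repository contents. The AWS values are the documented AWS
# example credentials (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI...), not real keys.
SAMPLES = {
    "config/db.yml": 'host: db.internal\npassword: "${DB_PASSWORD}"\n',
    "scripts/backup.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        'export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app/settings.py": (
        'DATABASE_URL = "postgres://app:Sup3rS3cretPw@db.internal:5432/app"\n'
        'SECRET_KEY = os.environ["SECRET_KEY"]\n'
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n",
}

if __name__ == "__main__":
    for path, lineno, label, value in scan_files(SAMPLES):
        print(f"{path}:{lineno}: {label}: {value}")
```

The findings list (with redacted values) and the hook or pipeline definition that runs the scan on every push are what to upload; the redaction matters because evidence files are themselves shared with auditors and must not become another place the credential lives.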
DCF-708 | Software and Third-Party Libraries Inventory | Upload evidence of your organization's software and third-party libraries inventory (i.e., a software bill of materials). |
DCF-712 | Static Application Security Testing | Upload evidence that static application security testing (SAST) is conducted for software development testing. |
DCF-741 | Logging and Monitoring Policy | 1. Logging and Monitoring Policy |
DCF-744 | Contact with Authorities | Upload evidence of incident response procedures/playbooks or documented communication plans showing that your organization has identified and documented authorities to be contacted (such as law enforcement, regulatory bodies, supervisory authorities) as well as the events or circumstances that would require communication and the methods and responsibilities for communication with authorities. |
DCF-745 | Segregation of Duties | Upload evidence showing that your organization has identified the conflicting duties and conflicting areas of responsibility that must be segregated, and has implemented mechanisms for segregation of duties.
It is recommended that the organization's approach to managing segregation of duties be documented, including the identified activities to be segregated and how segregation of duties is achieved for each (e.g., through role-based access control, assigning duties to different individuals, etc.). |
DCF-748 | Segregation of Networks | Upload evidence showing that network segmentation or other techniques are used to split the network into security boundaries and to control traffic between them based on business and security needs. |
DCF-749 | Leak Detection System | 1. Observation of leak detection systems at critical facilities |
DCF-760 | Control of Audit Activities | Upload evidence showing that audit requirements and activities involving verification of operational systems are planned and agreed-upon by management to minimize disruptions to business processes and security risks. |
DCF-762 | Managing Changes to Supplier Services | 1. For a change to the provision of services by a vendor, provide documentation to evidence that a review and due diligence activities were required and authorized by management |
DCF-775 | Cloud Deletion Protection | 1. Screenshots of the configuration enabled for deletion protection for cloud resources |
DCF-776 | Principle of Least Privilege | For each in-scope system/application, provide the user access listing with the roles and permissions assigned to show that the principle of least privilege has been implemented. |
DCF-777 | Cloud Resource Tagging | 1. Inventory listing with tags assigned |
DCF-779 | Cryptographic Key Rotation | Upload evidence of cryptographic key rotation processes implemented in accordance with defined company procedures. |
DCF-780 | Web Filtering | Upload evidence showing that the organization has implemented web filtering mechanisms to enforce the company's internet usage policies (e.g., screenshots of web filtering configurations showing access to known malicious sites are blocked, access to prohibited web resources per the company's acceptable use policy is prohibited, etc.) |
DCF-781 | Secure Login | For internally-developed systems, upload evidence showing that access to the system is done through a secure login procedure. |
DCF-782 | Cloud Storage Lifecycle Rules | Upload evidence of any cloud storage lifecycle rules in place to delete data automatically after expiration of specified retention periods (e.g., screenshots from cloud storage showing configured expiration actions, etc.) |
DCF-783 | Secrets Rotation | Upload evidence of secrets rotation processes implemented in accordance with defined company procedures (e.g., screenshots of automated secrets rotation configurations in a secrets management system, tickets or other documentation showing that manual secrets rotation processes are carried out periodically, etc.) |
DCF-784 | Software Composition Analysis (SCA) | Upload evidence to show that your organization checks software components and libraries for policy and license compliance, security risks, and supported versions. |
DCF-785 | Secure Runtime Configurations | 1. Asset Management Policy |
DCF-789 | Expectations of Interested Parties | ISMS Plan (2013 and 2022) |