Skip to main content
All CollectionsComplianceExample Evidence for Not Monitored Controls
Example Evidence for Not Monitored Controls (ISO 27001)
Example Evidence for Not Monitored Controls (ISO 27001)

Example Evidence for Not Monitored Controls (ISO 27001)

Jane Baik avatar
Written by Jane Baik
Updated over a week ago

The following is a list of example evidence for controls not monitored in Drata for ISO 27001.

Note: An auditor may request additional evidence for each control.

Code

Name

Example Evidence

DCF-7

Separate Environments

Screenshots from test and production environments for the application

DCF-9

Internal Communication Channels

Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-11

Periodic Access Reviews

1. Tickets documenting the access control lists that were reviewed for in scope cloud environments, SaaS applications, infrastructure as code tools, and security protection tools (as applicable)

- and -

2. Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews.

DCF-12

System Security Configuration and Hardening Standards

1. Evidence from infrastructure as code tools showing configurations that would be implemented when new infrastructure is deployed.

- and -

2. Any type of document that formally documents the configurations that should be implemented for newly deployed infrastructure.

DCF-16

Periodic Risk Assessment

Most recently completed risk assessment report.

DCF-17

Risk Treatment Plan

Documented remediation plans for risks identified during the risk assessment.

DCF-19

Penetration Tests

Most recently completed annual penetration test.

DCF-20

Asset Inventory

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases)

- and -

2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure

DCF-21

Architectural Diagram

Approved Architectural Diagram

DCF-22

Network Diagram

Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments.

DCF-26

BCP/DR Tests

Most recently completed BCP/DR test.

DCF-21

Architectural Diagram

Approved Architectural Diagram

DCF-29

Incident Response Team

Provide the documented list of Incident Response team members who have the responsibility and authority to coordinate and execute incident response procedures.

DCF-30

Incident Response Lessons Learned Documented

For example, a security event that is deemed an incident, you can provide the incident documentation including evidence of internal tracking (such as internal ticket), root-cause analysis (RCA)/post-mortem, lessons learned.

DCF-35

Security Team Communicates in a Timely Manner

Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-40

Contractor Requirements

Executed Agreement/contract between the entity and key vendors.

DCF-43

Termination/Offboarding Checklist

Formal documented termination checklist/help desk ticket for a recent terminated employee.

DCF-53

Cryptography Policies

1. List of all locations where data is transmitted or received over open, public networks.

-and-

2. Documented standards which detail the level of security protocols and cryptographic algorithms used to protect this data.

-and-

3. Screenshots from the system configurations of the systems receiving this data showing the implementation of these security protocols and encryption algorithms

DCF-56

Vendor Register and Agreements

Executed Agreement/contract between the entity and key vendors.

DCF-58

Authentication Protocol

1. If SSO is an option, screenshots of a user logging in with SSO.

-and-

2. If username and password is an option, screenshots of a user logging in with a username and password.

-and-

3. Screenshots of MFA being required for employee users.

-and-

4. If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA.

DCF-60

Secure Password Storage

If username and password is required, screenshots from the database showing that password are stored using a salted hash.

DCF-62

Inactivity and Browser Exit Logout

1. Screenshots of users being logged out of the application when browser/tab is closed and being forced to re-authenticate upon next login.

- and -

2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to re-authenticate upon next login.

DCF-64

Commitments Communicated to Customers

1. Upload evidence of a recently executed service agreement with a customer.

- and -

2. Upload evidence of your terms of service available online, as well as screenshots of the account sign up process showing users are required to accept the terms of service prior to using the system.

DCF-69

Access Provisioning

Formal, documented access request form/help desk ticket for a recent new hire.

DCF-72

Root Access Control

Screenshots of a user logging into the production systems, showing that they have to use a unique SSH account.

- or -

Screenshot of the setting from the production servers showing that the "root" account cannot be used to login to production.

DCF-74

Communication of System Changes

1. Example emails communicating changes to customers.

- and -

2. Screenshots of banners warning customers of downtime prior to system maintenance.

DCF-76

Critical Change Management

Formal, documented emergency change procedures for critical changes.

DCF-79

Logging System

Screenshots from the location where logs of system activity are stored.

DCF-80

Log Management System

1. Screenshots of logging software alert configuration

- and -

2. Screenshots from the location where logs of system activity are stored.

- and -

3. Evidence of corrective action being taken when alerted

DCF-91

Intrusion Detection/Prevention System

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.

- and -

2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.

- and -

3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-92

Encrypted Remote Production Access

1. Screenshots of a user trying to access production systems without being connected to a VPN and providing access is denied.

- and -

2. Screenshots of a user accessing production after connecting to a VPN to show a successful connection.

DCF-95

Monitoring Processing Capacity and Usage

Evidence that management reviewed processing capacity and usage reports on a quarterly basis

DCF-97

Autoscaling

Screenshot of auto scaling configurations for EC2 instances.

DCF-98

Daily Backup Statuses Monitored

Tickets showing that backup failures were monitored and resolved.

DCF-99

Backup Monitoring

1. Automated configurations from the backup service for notifying personnel when backup processes fail.

- and -

2. Example email for a failed backup and ticket documenting resolution.

DCF-100

Backup Restore Testing

1. Screenshots showing a backup snapshot was restored completely and accurately.

- and -

2. Evidence from the annual DR tests showing that backups were restored completely and accurately.

DCF-103

Customer Data Deletion Upon Termination

1. For a recently churned customer, upload evidence showing that customer data disposal was conducted in accordance with the contractual agreements with the customer (such as evidence of logs showing data was disposed of, screenshots from production resources such as storage buckets and databases showing customer-specific resources were decommissioned).

-and-

2. Upload evidence of the agreement with the former customer to show the specific data disposal requirements and commitments.

DCF-104

Test Data

Screenshots from the test environment showing that "real" data is not used.

DCF-105

Personnel Non-Disclosure Agreements (NDA)

Example new hire employee agreement, with NDA included.

DCF-106

Clean Desk and Clear Screen Policies and Procedures

1. Acceptable Use Policy

- and -

2. (If applicable) Acknowledgement of the Acceptable Use Policy

DCF-107

Disposal of Sensitive Data on Paper

Observation of hard copy material being disposed

Note: This can be performed by auditors on-site, or via virtual meeting.

DCF-108

Secure Storage Mechanisms

Pictures of secure storage bins from office locations.

DCF-109

Disposal of Sensitive Data on Hardware

Data Retention Policy or equivalent policy documenting this policy and procedure.

DCF-112

Notice and Acknowledgement of Privacy Practices

Screenshots of the new user registration process where new users are provided the notice of privacy practices before completing the registration process.

DCF-113

Review Privacy Notice Annually

Meeting minutes from management's annual meeting to review privacy practices.

DCF-114

Privacy Policy Publicly Available

Screenshot of privacy practices posted on the entity's website.

DCF-115

Privacy Policy Content

Formal, documented privacy practices from the entity's website.

DCF-116

Acknowledge The Privacy Policy

Screenshots of the new user registration process showing that users are required to explicitly agree to the notice of privacy practices prior to the completion of the registration process.

DCF-117

Minimal Information Required

Screenshot of all information that the user can enter when providing data through the application.

DCF-118

Third Party Reliability

For all third parties in which personal information is collected from, evidence that management performed appropriate due diligence to ensure that data from third parties was collected fairly and lawfully.

DCF-119

Allowable Use and Disclosure

Section from privacy practices/policy that covers this item.

DCF-120

Periodic Review of Privacy Policy

Meeting minutes for management's annual review of privacy policies

DCF-121

Purposeful Use Only

Section from privacy practices/policy that covers this item.

DCF-123

Procedures for Information Disposal

Formal, documented data deletion policy.

DCF-124

Require Authentication for Access

Screenshots of a user authenticating to the application prior to seeing their information.

DCF-125

Users Can Access All Their Information

Screenshots of where a user can find their information within the platform (for example, user profile).

DCF-126

Personal Information Accessible Through System Authentication

Screenshots of a user modifying their personal information within the application.

DCF-127

Privacy Requirements Communicated to Third parties

Evidence to support that third parties with whom PII is sent to, were provided requirements for how PII should be handled, according to your requirements.

DCF-128

Disclosure with 3rd Parties

Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-129

PII with 3rd Parties and Vendors

Formal, documented authorized list of third parties that can receive or access PII.

DCF-130

Documentation of Breaches or Unauthorized Disclosures of PII

Screenshots of the incident tracking system used to track breaches or security incidents involving PII.

DCF-131

Incident Report Template and Process

Formal, documented incident response procedures.

DCF-132

Privacy and Security Requirements in Third-Party Agreements

Executed agreements (such Data Processing Agreements, Business Associates Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data.

DCF-133

Unauthorized Disclosures by 3rd Parties

Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-134

3rd Parties and Vendors Given Instructions on Breach Reporting

Executed contracts with third parties that are provided access to PII to confirm that third parties are provided with information on how to report breaches of PII to the entity.

DCF-135

Notification of Incidents or Breaches

1. Formal, documented breach notification procedures.

- and -

2. Breach Notification Template

DCF-136

Use of Subprocessors Communicated

Section from privacy practices on your website showing that 3rd parties that receive PII are listed.

DCF-137

Data Entry Field Completion Automated

Screenshots of a user enter information into the application to confirm that edit checks are included in fields.

DCF-142

Quarterly Review of Privacy Compliance

Meeting minutes from quarterly management meetings for tracking compliance with privacy practices and privacy regulations.

DCF-143

Board Oversight Briefings Conducted

Meeting minutes from the Board of Directors meeting showing that the state of cybersecurity and privacy risks were discussed.

DCF-144

Board Charter Documented

Copy of Board Charter

DCF-145

Board Expertise Developed

Board of Directors Backgrounds or Bios

DCF-147

Physical Access to Facilities is Protected

Physical Access Control Policy

DCF-148

Regression Testing in Place

Example of regression testing that was performed prior to a recent major product release.

DCF-149

Removable Media Device Encryption

If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.

DCF-150

Data Loss Prevention (DLP) Mechanisms

1. Screenshots of DLP software.

- and -

2. Example of emails being blocked when they contain sensitive data

DCF-151

FIM (File Integrity Monitoring) Software in Place

1. Screenshots of FIM software.

- and -

2. Examples of FIM detecting changes.

DCF-152

Automated Security Updates

Evidence from servers or patching systems showing that operating systems were patched monthly.

DCF-153

Conduct Control Self-Assessments

1. Annual internal control assessment report with any identified findings

(Note: Drata can also be used as evidence for continuous control assessment)

- and -

2. Evidence that corrective actions were taken for the identified findings

DCF-154

Incident Response Test

Most recently completed incident response tabletop test.

DCF-155

Testing of Changes

Screenshots from the ticketing system for a few changes showing that changes were tested.

DCF-156

Change Releases Approved

Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel.

DCF-158

MFA Available for External Users

Screenshots from the application showing that customers have the option of using MFA for their accounts.

DCF-161

Management System Scope

ISMS Plan (2013 and 2022)

DCF-162

Statement of Applicability

If not managed within Drata's Policy Center, upload your Statement of Applicability (SOA) in conformance with ISO requirements.

DCF-163

Interested Parties and Legal Requirements

ISMS Plan (2013 and 2022),AI Governance Policy

DCF-164

Management System Management Review

Will be a part of your ISMS policy.

DCF-165

Periodic Independent Assessments

1. Evidence of testing performed for internal audit.

- and -

2. Internal audit report.

DCF-166

Business Continuity Plan

Business Continuity Plan.

DCF-167

Business Impact Analysis

Business Impact Analysis (Typically part of the business continuity plan).

DCF-168

Vendor Management Policy

Vendor Management Policy

DCF-170

Management System Objectives

Information Security Policy,ISMS Plan (2013 and 2022)

DCF-171

Documented Operating Procedures

Will be a part of your ISMS policy.

DCF-172

Organizational Change Management

ISMS Plan / SDLC Policy / Change Management Policy

DCF-173

Employment Terms & Conditions

For one example personnel, provide executed employment contracts/agreements outlining the terms and conditions of employment as well as responsibilities during and after employment (e.g., duty of confidentiality, return of assets, protection of intellectual property, etc.).

DCF-174

Telework and Endpoint Devices

Information Security Policy

DCF-175

Communications Plan

ISMS Plan (2013 and 2022)

DCF-176

Measurement and Monitoring Plan

Will be a part of your ISMS policy.

DCF-177

Event Logging

Section from the Logging and Monitoring Policy.

DCF-178

Record Management and Control

1. Evidence showing that policy documents are versioned control.

-and-

2. Change log from the ISMS policy for the ISMS document.

DCF-179

Competence Records

1. Upload documented job descriptions for both a recently hired personnel and an existing personnel.

-and-

2. Upload evidence of the formal interview/recruitment process for a recently hired personnel (such as calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials).

-and-

3. Upload an example of a completed performance evaluation for a sample personnel performed within the past year showing components of the evaluation process (such as self-reviews, peer-reviews, manager-reviews).

-and-

4. Upload evidence for an example personnel with assigned roles within the management system(s) showing that they have the necessary competence to fulfill their duties on the basis of appropriate education, training, or experience.

Note: Example evidence may include, but is not limited to:

- records of education, certifications, and professional credentials

- records of training programs, courses and educational activities

- records of actions taken to acquire and retain the necessary competence as it relates to the management system

DCF-180

Secure Information Transfer

Data Protection Policy

DCF-182

Asset Management Policy

Asset Management Policy

DCF-184

Management System Plan

ISMS Plan

DCF-185

Threat Intelligence

1. Completed Threat Assessment Plan contained within Appendix A of the Security version of the Risk Assessment Policy and Appendix C in the Privacy version of Risk Assessment Policy.

- and -

2. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security issues.

- and -

3. Evidence demonstrating that threats are being assessed according to the defined Threat Assessment Plan.

DCF-186

Data De-identification

1. Data Classification Policy

- and -

2. Data Protection Policy

DCF-188

Communication with Advisories and Special Interest Groups

1. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security/privacy issues.

- and -

2. Screenshots showing that members of your organization responsible for security or privacy belong to industry groups related to security or privacy.

DCF-229

Vendor Default Accounts Disabled, Removed or Changed

1. Any policy or procedures documenting a requirement stating that ALL vendor supplied default account information must be changed.

-and-

2. Screenshots showing that vendor default accounts have been removed, had their default configurations changed, or are disabled.

DCF-253

Data Secure Disposal

Policies and procedures for data disposal.

DCF-271

Key Storage Locations Limited

List of all locations where keys are stored.

DCF-273

Strong Key Generation Policies and Procedures

1. Documented key management procedures which specify how to generate strong cryptographic keys.

-and-

2. Screenshots showing the strong cryptographic key generation process.

DCF-284

Key and Certificate Validation

1. Documented policies and procedures which specify processes for accepting only trusted keys and certificates.

-and-

2. Screenshots showing that keys and certificates used in the environment are trusted.

DCF-293

Anti-Malware Capabilities and Automatic Updates

Screenshots from the anti-virus configurations. including the master installation, showing how the anti-virus and virus definitions are kept current and updated.

DCF-294

Anti-Malware Tools Behavior

Screenshots from the anti-virus configurations. including the master installation, showing that periodic scans are performed.

DCF-305

Production Components Change Control Procedures

1. Documented Change Control procedures which list a requirement to document the impact of proposed changes.

- and -

2. Screenshots or change documentation showing that the impact of the change was documented for a recent change

DCF-312

Secure Code Development Training

Upload evidence of secure code development training completed by an engineer/developer within the past year

DCF-326

Need-to-Know Principle

System-generated list of appropriate users with access to system components and data

DCF-350

Password History Enforcement

Screenshots of system configurations showing that passwords must be different from the previous 4 passwords.

DCF-352

Unique First-time Passwords With One-Time Use

1. Documented password procedures which define the following requirements:

  • First-time passwords must be set to a unique value for each user.

  • First-time passwords must change after first use.

  • Reset passwords must be set to a unique value for each user.

Reset passwords must change after each use.

- and-

2. Screenshots documenting this process of setting first time and reset passwords.

DCF-356

Communication of Authentication Best Practices

1. Screenshots showing where employees can find policies and procedures related to Authentication.

-and-

2. Documented policies and procedures related to Authentication which include the following:

  • Guidance on selecting strong authentication credentials.

  • Guidance for how users should protect their authentication credentials.

  • Instructions to not use previously used passwords.

  • Instructions stating to change a password if the password is suspected to be compromised.

DCF-363

Entry Controls in Place

For each computer room, data center, and other physical areas which contain systems:

  • Pictures showing that access is controlled using badge readers or other devices including authorizing badges and lock and key.

  • Screenshots or video showing an administrator’s attempt to log into system consoles showing that these systems are “locked” to prevent unauthorized access.

DCF-365

Secure Physical Access Control Mechanisms

Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling.

DCF-369

Restricted Physical Access to Network Components

Observation of physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the company facilities being restricted

DCF-374

Visitors Authorized and Escorted

Observation of a visitor being escorted when entering company facilities

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-375

Personnel and Visitor Badges

Observation of visitor obtaining a visitor badge and example of a visitor badge

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-378

Visitor Log

Upload evidence to show that a visitor log is maintained to keep an audit trail of visitor activity to the company facilities, computer rooms or data centers where sensitive data may be stored or transmitted (such as scan or photograph of the visitor log for an example day)

DCF-381

Media Physically Secured or Encrypted

Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes).

DCF-384

Media Classification

Screenshots and/or pictures showing how media is classified including labels showing data sensitivity.

DCF-385

Media Transferred Securely

1. Documented procedures related to media transfer which include acceptable methods of information transfer including authorized couriers and the ability to track media transfers.

-and-

2. Screenshots or documentation showing how media transfers are logged.

-and-

3. Documentation for a recent media transfer showing that tracking information was logged.

DCF-386

Management Approval for Media Transfer

Documentation from a recent media transfer (including media distribution to individuals) showing that the transfer was approved by an authorized member of management.

DCF-388

Media Inventory Logs

1. Evidence of documented inventory all electronic media with sensitive data being maintained

-and-

2. Evidence of annual review / verification of inventory being performed

DCF-390

Media Destruction

Documented policies and procedures related to Media Destruction.

DCF-406

Audit Logging

Screenshots showing that audit trails are enabled and active for in-scope systems

DCF-407

Audit Logs Data Points

System user access lists from in-scope systems showing that access is linked to individual user.

DCF-409

Audit Trail for Privileged Access

1. Screenshots of audit log settings showing that all actions taken by root/admin users will be logged.

-and-

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-411

Audit Trail for Invalid Access Attempts

1. Screenshots of audit log settings showing that invalid/failed login attempts are logged.

-and-

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-412

Audit Trail for Identification and Authentication Mechanism Changes

1. Screenshots of audit log settings showing that the use of identification and authentication mechanisms are logged, elevation of privileges are logged, and that changes (addition, modification, or deletion) to accounts with administrator or root privileges are logged.

-and-

2. Screenshots of example logs showing that these log settings are functioning correctly.

DCF-414

Audit Trail of System-Level Object Changes

1. Screenshots of audit log settings showing that the creation or deletion of system-level objects are logged.

-and-

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-421

Clock Synchronization

Documented procedures for synchronizing time across in-scope system components which include the following elements:

  • Only the designated central time server may receive time signals from the designated external time source.

  • Time signals are received in UTC or International Atomic Time.

  • When there is more than one central time server, these time servers are configured to peer with one another.

  • Systems may only receive synchronization information from designated central time server(s).

DCF-422

Time-related System Parameters

Screenshots showing that the documented process has been implemented (for example, that NTP has been configured and is being used by system components to synchronize time). Screenshots should show that:

  • Time signals are received in UTC or International Atomic Time.

  • When there is more than one central time server, these time servers are configured to peer with one another.

  • Systems may only receive synchronization information from designated central time server(s).

DCF-423

Time Server Peering

Screenshots showing that the documented process has been implemented (for example, that NTP has been configured and is being used by system components to synchronize time). Screenshots should show that:

  • When there is more than one central time server, these time servers are configured to peer with one another.

DCF-424

System Time Source

Screenshots showing that the documented process has been implemented (for example, that NTP has been configured and is being used by system components to synchronize time). Screenshots should show that:

  • System may only receive synchronization information from designated central time server(s).

DCF-429

Limited Access to Audit Trails

Screenshots from the logging system or system user access lists showing that audit trails can only be accessed by individuals with a business need to access them.

DCF-430

Audit Trail Files Protected

Screenshots or pictures showing that audit trails are protected from unauthorized access/modification/deletion through access control mechanisms, physical segregation, and/or logical network segregation.

DCF-434

Policies and Procedures for Logging

Logging and Monitoring Policy

DCF-441

Audit Log Retention Period

1. Documented policy related to Audit Log Retention which states a requirement that logs will be retained for at least 1 year.

-and-

2. Screenshot showing that logs, archives or logs, or compressed log files are stored for at least one year.

DCF-478

Change Detection Mechanism

1. Screenshots from the change detection solution (such as File Integrity Monitoring) and relevant change detection system configurations showing what is monitored.

-and-

2. Documented list of files which are monitored by the change detection solution.

DCF-503

Multiple Methods for Security Awareness

Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (such as screenshots of internal newsletters or intranet with security reminders, security updates sent through Slack or other internal communication channels)

DCF-507

Vendor Due Diligence

For any new service provider or vendor, you'll need to perform due diligence on (evaluate) them prior to engaging with them. Due diligence can consist of reviewing security questionnaires or obtaining confirmation that they have compliance certifications (such as a SOC 2). You should document the results of your due diligence as well as the day it was completed.

DCF-527

Designated Data Protection Officer

Upload evidence showing that a data protection officer has been officially appointed (such as internal privacy policies, RACI matrix, job descriptions,identifying the data protection officer).

Additionally, upload evidence showing that a mechanism to contact the data protection officer is communicated to users/data subjects (such as screenshots of the online privacy/policy showing that an email address of the data protection officer is provided).

DCF-535

Organizational Context

Documentation that discusses how your company fits into the data processing ecosystem and includes each of the areas discussed in the 'Control Activities' section. Please see Appendix B of Drata’s latest Personal Data Management Policy template for helpful definitions.

DCF-557

Shared Account Management

System Access Control Policy

DCF-558

Restrictions on Software Installation

Upload evidence showing that the organization has implemented mechanisms to prevent the installation and use of unauthorized software in company-managed assets (such as screenshots from MDM tools showing rules preventing software installation are enforced on company devices, access controls limiting access to run executables)

DCF-562

Management of Utility Programs

1. Any documented procedures covering who can access utility programs (admin consoles for tools like antivirus, MDM tools, logging systems)

- and -

2. List of users who currently have access to utility programs.

DCF-566

Management of Nonconformities

ISMS Plan, Appendix C

DCF-567

Change Management Policy

Change Management Policy

DCF-569

Information Labeling

Data Protection Policy and Data Classification Policy

DCF-570

Disciplinary Process

Upload your company's documented disciplinary process. The disciplinary process may be an HR-owned process available and communicated to employees through employee handbooks, code of conduct, etc, or included within an information security policy document.

Note: This evidence should not be confused with disciplinary processes related to low performance or misconduct such as harassment. This is specific to disciplinary actions invoked against personnel and who have committed an information security breach or security policy violation.

DCF-571

Fire Detection and Suppression

1. Observation of fire detection and suppression systems installed in critical locations

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

-and-

2. Evidence of ongoing maintenance

DCF-572

Temperature Monitoring Systems

1. Observation of systems in place to monitor and control air temperature and humidity at appropriate levels

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

-and-

2. Evidence of ongoing maintenance

DCF-573

Uninterruptible Power Supply

1. Observation of uninterruptible power supply (UPS) systems in place for data centers or server rooms

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

-and-

2. Evidence of ongoing maintenance

DCF-574

Mobile Device Management Software

Upload evidence to show that a mobile device management (MDM) tool has been implemented to enforce security controls on mobile devices (such as screenshots from the MDM's centralized management console, screenshots of baseline configurations, security policies or blueprints enforced on devices per OS type)

DCF-611

Obscured Authentication Feedback

Screenshot of user interface during the authentication process to show authentication feedback is hidden (such as password entry fields displaying asterisks or limited visibility feedback)

DCF-619

Media Sanitization

For a sample of media sanitization and disposal actions, provide evidence that each sample was reviewed, approved, tracked and documented according to company policies and procedures

DCF-637

Secure Development Process

Software Development Life Cycle Policy

DCF-678

Network Security Policy

Network Security Policy

DCF-681

Phishing Simulations

Upload evidence showing phishing simulations are conducted as part of the company's security awareness initiatives (such as screenshots from phishing simulation campaign configurations, screenshots of dashboards showing results of the campaign, screenshot showing example simulated phishing email)

DCF-684

Redundancy of Processing

Provide evidence that redundancy strategies were implemented for equipment, systems and processes as deemed necessary per the business continuity plans

DCF-687

Phishing Detection Mechanisms

Upload evidence showing that phishing detection mechanisms have been implemented in your organization (such as screenshots showing SPF, DMARC, DKIM configurations enabled for email authentication)

DCF-688

Return of Assets

For one recently terminated personnel, upload evidence showing that assets were returned to the company (such as offboarding checklists or internal tickets showing tracking of return of devices, badges, tokens, upon termination, evidence of pre-paid labels sent to remote personnel for asset return and tracking).

DCF-689

On-Call Team

Upload evidence of on-call rotation schedule (such as screenshots from tools like PagerDuty or equivalent tool showing on-call schedule and teams assigned).

DCF-694

Use of Unencrypted Portable Storage

For any unencrypted physical media and/or portable devices used, upload evidence of documented business justification and approval from management for its use.

DCF-698

Automated Mechanisms for Audit Log Reviews

Screenshot of the configuration from audit log review solutions such as centralized log management systems, event log analyzers, security information and event management (SIEM) solutions, etc.

DCF-707

Credentials for System Accounts Not Hard-Coded

Screenshots of the configuration to validate that authentication secrets for any application and system accounts are not hard coded in scripts, configuration/property files, or bespoke and custom source code.

DCF-708

Software and Third Party Libraries Inventory

Inventory list of bespoke and custom software and third-party software components (such as software bill of materials), is maintained and kept up to date (such as through the use of software composition analysis tools or other mechanisms).

DCF-712

Static Application Security Testing

Upload evidence that static application security testing (SAST) is conducted for software development testing (such as screenshots from the CI/CD pipeline for relevant code repositories showing a SAST scan automatically executes every time new code is committed, screenshots of configurations and dashboards from SAST tools such as SonarCloud).

DCF-741

Logging and Monitoring Policy

Logging and Monitoring Policy

DCF-748

Segmentation of Networks

Upload evidence showing that network segmentation or other techniques are used to split the network in security boundaries and to control traffic between them based on business and security needs.

DCF-749

Leak Detection System

Observation of leak detection systems at critical facilities

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-744

Contact with Authorities

Incident Response Plan

DCF-745

Segregation of Duties

Segregation of duties outlined in the Information Security Policy and System Access Control Policy

DCF-760

Control of Audit Activities

Upload evidence showing that audit requirements and activities involving verification of operational systems are planned and agreed-upon by management to minimize disruptions to business processes and security risks (such as screenshots of communications and agreements with penetration tests vendors discussing and agreeing on the scope of the test, access requirements, availability considerations).

DCF-762

Managing Changes to Supplier Services

For a change to the provision of services by a vendor, provide documentation to evidence that a review and due diligence activities were required and authorized by management

(Note: Auditors may request a population and samples for this control)

DCF-763

Requirements for Protection of Intellectual Property Rights

Acceptable Use Policy

DCF-775

Cloud Deletion Protection

Screenshots of the configuration enabled for deletion protection for cloud resources

DCF-776

Principle of Least Privilege

For each in-scope system / application, provide the user access listing with roles & permissions assigned to show that principle of least privilege has been implemented

DCF-777

Cloud Resource Tagging

Inventory listing with tags assigned

DCF-779

Cryptographic Key Rotation

Upload evidence of cryptographic key rotation processes implemented in accordance with defined company procedures (such as screenshots of automated key rotation configurations in a key management system, tickets or other documentation showing manual key rotation processes are carried out periodically)

DCF-780

Web Filtering

Upload evidence showing that the organization has implemented web filtering mechanisms to enforce the company's internet usage policies (such as screenshots of web filtering configurations showing access to known malicious sites are blocked, access to prohibited web resources per the company's acceptable use policy is prohibited)

DCF-781

Secure Login Procedures

Screenshot of user interface during the login process to show in-house developed systems were configured to deter enumeration or brute-force attacks (such as displaying limited information in login error messages without indicating which data is correct or incorrect)

DCF-782

Cloud Storage Lifecycle

Upload evidence of any cloud storage lifecycle rules in place to delete data automatically after expiration of specified retention periods (such as screenshots from cloud storage showing configured expiration actions)

DCF-783

Credentials Rotation

Upload evidence of secrets rotation processes implemented in accordance with defined company procedures (such as screenshots of automated secrets rotation configurations in a secrets management systems, tickets or other documentation showing manual secrets rotation processes are carried out periodically)

DCF-784

Software Composition Analysis (SCA)

For a vulnerability identified in software components or libraries, provide evidence that fixes were implemented in accordance with the company's vulnerability management policies.

(Note: An auditor may request a population and samples for this control)

DCF-785

Secure Runtime Configurations

1) Asset Management Policy

-and-

2) Screenshots of run configuration standards for in-scope applications and platforms

DCF-789

Expectations of Interested Parties

ISMS Plan (2013 and 2022)

Did this answer your question?