Example Evidence for Not Monitored Controls (ISO 27001)

The following is a list of example evidence for controls not monitored in Drata for ISO 27001.

Note: An auditor may request additional evidence for each control.

Code

Name

Example Evidence

DCF-7

Separate Environments

Screenshots from test and production environments for the application

DCF-9

Internal Communication Channels

Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-11

Periodic Access Reviews

1. Tickets documenting the access control lists that were reviewed for in-scope cloud environments, SaaS applications, infrastructure-as-code tools, and security protection tools (as applicable)

- and -

2. Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews.

DCF-12

System Security Configuration and Hardening Standards

1. Evidence from infrastructure as code tools showing configurations that would be implemented when new infrastructure is deployed.

- and -

2. Any type of document that formally documents the configurations that should be implemented for newly deployed infrastructure.

DCF-16

Periodic Risk Assessment

Most recently completed risk assessment report.

DCF-17

Risk Treatment Plan

Documented remediation plans for risks identified during the risk assessment.

DCF-19

Penetration Tests

Most recently completed annual penetration test.

DCF-20

Asset Inventory

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases)

- and -

2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure

DCF-21

Architectural Diagram

Approved Architectural Diagram

DCF-22

Network Diagram

Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments.

DCF-26

BCP/DR Tests

Most recently completed BCP/DR test.

DCF-29

Incident Response Team

Provide the documented list of Incident Response team members who have the responsibility and authority to coordinate and execute incident response procedures.

DCF-30

Incident Response Lessons Learned Documented

For example, for a security event that was deemed an incident, provide the incident documentation, including evidence of internal tracking (such as an internal ticket), the root-cause analysis (RCA)/post-mortem, and the lessons learned.

DCF-35

Security Team Communicates in a Timely Manner

Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-40

Contractor Requirements

Executed Agreement/contract between the entity and key vendors.

DCF-43

Termination/Offboarding Checklist

Formal, documented termination checklist/help desk ticket for a recently terminated employee.

DCF-53

Cryptography Policies

1. List of all locations where data is transmitted or received over open, public networks.

- and -

2. Documented standards which detail the level of security protocols and cryptographic algorithms used to protect this data.

- and -

3. Screenshots from the system configurations of the systems receiving this data showing the implementation of these security protocols and encryption algorithms.

DCF-56

Vendor Register and Agreements

Executed Agreement/contract between the entity and key vendors.

DCF-58

Authentication Protocol

1. If SSO is an option, screenshots of a user logging in with SSO.

- and -

2. If username and password login is an option, screenshots of a user logging in with a username and password.

- and -

3. Screenshots of MFA being required for employee users.

- and -

4. If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA.

DCF-60

Secure Password Storage

If username and password login is used, screenshots from the database showing that passwords are stored as salted hashes.

DCF-62

Inactivity and Browser Exit Logout

1. Screenshots of users being logged out of the application when the browser/tab is closed and being forced to re-authenticate upon next login.

- and -

2. Screenshots showing that a user is logged out after a pre-defined inactivity timeout and is forced to re-authenticate upon next login.

DCF-64

Commitments Communicated to Customers

1. Upload evidence of a recently executed service agreement with a customer.

- and -

2. Upload evidence of your terms of service available online, as well as screenshots of the account sign up process showing users are required to accept the terms of service prior to using the system.

DCF-69

Access Provisioning

Formal, documented access request form/help desk ticket for a recent new hire.

DCF-72

Root Access Control

Screenshots of a user logging into the production systems, showing that they have to use a unique SSH account.

- or -

Screenshot of the setting from the production servers showing that the "root" account cannot be used to log in to production.

DCF-74

Communication of System Changes

1. Example emails communicating changes to customers.

- and -

2. Screenshots of banners warning customers of downtime prior to system maintenance.

DCF-76

Critical Change Management

Formal, documented emergency change procedures for critical changes.

DCF-79

Logging System

Screenshots from the location where logs of system activity are stored.

DCF-80

Log Management System

1. Screenshots of logging software alert configuration

- and -

2. Screenshots from the location where logs of system activity are stored.

- and -

3. Evidence of corrective action being taken when alerted

DCF-91

Intrusion Detection/Prevention System

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.

- and -

2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.

- and -

3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-92

Encrypted Remote Production Access

1. Screenshots of a user trying to access production systems without being connected to a VPN, showing that access is denied.

- and -

2. Screenshots of a user accessing production after connecting to a VPN to show a successful connection.

DCF-95

Monitoring Processing Capacity and Usage

Evidence that management reviewed processing capacity and usage reports on a quarterly basis

DCF-97

Autoscaling

Screenshot of auto-scaling configurations for EC2 instances.

DCF-98

Daily Backup Statuses Monitored

Tickets showing that backup failures were monitored and resolved.

DCF-99

Backup Monitoring

1. Automated configurations from the backup service for notifying personnel when backup processes fail.

- and -

2. Example email for a failed backup and ticket documenting resolution.

DCF-100

Backup Restore Testing

1. Screenshots showing a backup snapshot was restored completely and accurately.

- and -

2. Evidence from the annual DR tests showing that backups were restored completely and accurately.

DCF-103

Customer Data Deletion Upon Termination

1. For a recently churned customer, upload evidence showing that customer data disposal was conducted in accordance with the contractual agreements with the customer (such as evidence of logs showing data was disposed of, screenshots from production resources such as storage buckets and databases showing customer-specific resources were decommissioned).

- and -

2. Upload evidence of the agreement with the former customer to show the specific data disposal requirements and commitments.

DCF-104

Test Data

Screenshots from the test environment showing that "real" data is not used.

DCF-105

Personnel Non-Disclosure Agreements (NDA)

Example new hire employee agreement, with NDA included.

DCF-106

Clean Desk and Clear Screen Policies and Procedures

1. Acceptable Use Policy

- and -

2. (If applicable) Acknowledgement of the Acceptable Use Policy

DCF-107

Disposal of Sensitive Data on Paper

Observation of hard copy material being disposed

Note: This can be performed by auditors on-site, or via virtual meeting.

DCF-108

Secure Storage Mechanisms

Pictures of secure storage bins from office locations.

DCF-109

Disposal of Sensitive Data on Hardware

Data Retention Policy, or an equivalent policy, documenting the hardware disposal procedure.

DCF-112

Notice and Acknowledgement of Privacy Practices

Screenshots of the new user registration process where new users are provided the notice of privacy practices before completing the registration process.

DCF-113

Review Privacy Notice Annually

Meeting minutes from management's annual meeting to review privacy practices.

DCF-114

Privacy Policy Publicly Available

Screenshot of privacy practices posted on the entity's website.

DCF-115

Privacy Policy Content

Formal, documented privacy practices from the entity's website.

DCF-116

Acknowledge The Privacy Policy

Screenshots of the new user registration process showing that users are required to explicitly agree to the notice of privacy practices prior to the completion of the registration process.

DCF-117

Minimal Information Required

Screenshot of all information that the user can enter when providing data through the application.

DCF-118

Third Party Reliability

For all third parties from which personal information is collected, evidence that management performed appropriate due diligence to ensure that data from those third parties was collected fairly and lawfully.

DCF-119

Allowable Use and Disclosure

Section from privacy practices/policy that covers this item.

DCF-120

Periodic Review of Privacy Policy

Meeting minutes for management's annual review of privacy policies

DCF-121

Purposeful Use Only

Section from privacy practices/policy that covers this item.

DCF-123

Procedures for Information Disposal

Formal, documented data deletion policy.

DCF-124

Require Authentication for Access

Screenshots of a user authenticating to the application prior to seeing their information.

DCF-125

Users Can Access All Their Information

Screenshots of where a user can find their information within the platform (for example, user profile).

DCF-126

Personal Information Accessible Through System Authentication

Screenshots of a user modifying their personal information within the application.

DCF-127

Privacy Requirements Communicated to Third parties

Evidence to support that third parties to whom PII is sent were provided with requirements for how PII should be handled, according to your requirements.

DCF-128

Disclosure with 3rd Parties

Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-129

PII with 3rd Parties and Vendors

Formal, documented authorized list of third parties that can receive or access PII.

DCF-130

Documentation of Breaches or Unauthorized Disclosures of PII

Screenshots of the incident tracking system used to track breaches or security incidents involving PII.

DCF-131

Incident Report Template and Process

Formal, documented incident response procedures.

DCF-132

Privacy and Security Requirements in Third-Party Agreements

Executed agreements (such as Data Processing Agreements, Business Associate Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data.

DCF-133

Unauthorized Disclosures by 3rd Parties

Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-134

3rd Parties and Vendors Given Instructions on Breach Reporting

Executed contracts with third parties that are provided access to PII to confirm that third parties are provided with information on how to report breaches of PII to the entity.

DCF-135

Notification of Incidents or Breaches

1. Formal, documented breach notification procedures.

- and -

2. Breach Notification Template

DCF-136

Use of Subprocessors Communicated

Section from privacy practices on your website showing that 3rd parties that receive PII are listed.

DCF-137

Data Entry Field Completion Automated

Screenshots of a user entering information into the application, confirming that edit checks are applied to input fields.

DCF-142

Quarterly Review of Privacy Compliance

Meeting minutes from quarterly management meetings for tracking compliance with privacy practices and privacy regulations.

DCF-143

Board Oversight Briefings Conducted

Meeting minutes from the Board of Directors meeting showing that the state of cybersecurity and privacy risks were discussed.

DCF-144

Board Charter Documented

Copy of Board Charter

DCF-145

Board Expertise Developed

Board of Directors Backgrounds or Bios

DCF-147

Physical Access to Facilities is Protected

Physical Access Control Policy

DCF-148

Regression Testing in Place

Example of regression testing that was performed prior to a recent major product release.

DCF-149

Removable Media Device Encryption

If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.

DCF-150

Data Loss Prevention (DLP) Mechanisms

1. Screenshots of DLP software.

- and -

2. Example of emails being blocked when they contain sensitive data

DCF-151

FIM (File Integrity Monitoring) Software in Place

1. Screenshots of FIM software.

- and -

2. Examples of FIM detecting changes.

DCF-152

Automated Security Updates

Evidence from servers or patching systems showing that operating systems were patched monthly.

DCF-153

Conduct Control Self-Assessments

1. Annual internal control assessment report with any identified findings

(Note: Drata can also be used as evidence for continuous control assessment)

- and -

2. Evidence that corrective actions were taken for the identified findings

DCF-154

Incident Response Test

Most recently completed incident response tabletop test.

DCF-155

Testing of Changes

Screenshots from the ticketing system for a few changes showing that changes were tested.

DCF-156

Change Releases Approved

Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel.

DCF-158

MFA Available for External Users

Screenshots from the application showing that customers have the option of using MFA for their accounts.

DCF-161

Management System Scope

ISMS Plan (2013 and 2022)

DCF-162

Statement of Applicability

If not managed within Drata's Policy Center, upload your Statement of Applicability (SOA) in conformance with ISO requirements.

DCF-163

Interested Parties and Legal Requirements

ISMS Plan (2013 and 2022), AI Governance Policy

DCF-164

Management System Management Review

Will be a part of your ISMS policy.

DCF-165

Periodic Independent Assessments

1. Evidence of testing performed for internal audit.

- and -

2. Internal audit report.

DCF-166

Business Continuity Plan

Business Continuity Plan.

DCF-167

Business Impact Analysis

Business Impact Analysis (Typically part of the business continuity plan).

DCF-168

Vendor Management Policy

Vendor Management Policy

DCF-170

Management System Objectives

Information Security Policy, ISMS Plan (2013 and 2022)

DCF-171

Documented Operating Procedures

Will be a part of your ISMS policy.

DCF-172

Organizational Change Management

ISMS Plan / SDLC Policy / Change Management Policy

DCF-173

Employment Terms & Conditions

For one example personnel, provide executed employment contracts/agreements outlining the terms and conditions of employment as well as responsibilities during and after employment (e.g., duty of confidentiality, return of assets, protection of intellectual property, etc.).

DCF-174

Telework and Endpoint Devices

Information Security Policy

DCF-175

Communications Plan

ISMS Plan (2013 and 2022)

DCF-176

Measurement and Monitoring Plan

Will be a part of your ISMS policy.

DCF-177

Event Logging

Section from the Logging and Monitoring Policy.

DCF-178

Record Management and Control

1. Evidence showing that policy documents are version controlled.

- and -

2. Change log for the ISMS policy document.

DCF-179

Competence Records

1. Upload documented job descriptions for both a recently hired member of personnel and an existing member of personnel.

- and -

2. Upload evidence of the formal interview/recruitment process for a recently hired personnel (such as calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials).

- and -

3. Upload an example of a completed performance evaluation for a sample member of personnel, performed within the past year, showing the components of the evaluation process (such as self-reviews, peer-reviews, manager-reviews).

- and -

4. Upload evidence for an example personnel with assigned roles within the management system(s) showing that they have the necessary competence to fulfill their duties on the basis of appropriate education, training, or experience.

Note: Example evidence may include, but is not limited to:

- records of education, certifications, and professional credentials

- records of training programs, courses and educational activities

- records of actions taken to acquire and retain the necessary competence as it relates to the management system

DCF-180

Secure Information Transfer

Data Protection Policy

DCF-182

Asset Management Policy

Asset Management Policy

DCF-184

Management System Plan

ISMS Plan

DCF-185

Threat Intelligence

1. Completed Threat Assessment Plan contained within Appendix A of the Security version of the Risk Assessment Policy and Appendix C in the Privacy version of Risk Assessment Policy.

- and -

2. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security issues.

- and -

3. Evidence demonstrating that threats are being assessed according to the defined Threat Assessment Plan.

DCF-186

Data De-identification

1. Data Classification Policy

- and -

2. Data Protection Policy

DCF-188

Communication with Advisories and Special Interest Groups

1. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security/privacy issues.

- and -

2. Screenshots showing that members of your organization responsible for security or privacy belong to industry groups related to security or privacy.

DCF-229

Vendor Default Accounts Disabled, Removed or Changed

1. Any policy or procedures documenting a requirement stating that ALL vendor supplied default account information must be changed.

- and -

2. Screenshots showing that vendor default accounts have been removed, had their default configurations changed, or are disabled.

DCF-253

Data Secure Disposal

Policies and procedures for data disposal.

DCF-271

Key Storage Locations Limited

List of all locations where keys are stored.

DCF-273

Strong Key Generation Policies and Procedures

1. Documented key management procedures which specify how to generate strong cryptographic keys.

- and -

2. Screenshots showing the strong cryptographic key generation process.

DCF-284

Key and Certificate Validation

1. Documented policies and procedures which specify processes for accepting only trusted keys and certificates.

- and -

2. Screenshots showing that keys and certificates used in the environment are trusted.

DCF-293

Anti-Malware Capabilities and Automatic Updates

Screenshots from the anti-virus configurations, including the master installation, showing how the anti-virus software and virus definitions are kept current and updated.

DCF-294

Anti-Malware Tools Behavior

Screenshots from the anti-virus configurations, including the master installation, showing that periodic scans are performed.

DCF-305

Production Components Change Control Procedures

1. Documented Change Control procedures which list a requirement to document the impact of proposed changes.

- and -

2. Screenshots or change documentation showing that the impact of the change was documented for a recent change

DCF-312

Secure Code Development Training

Upload evidence of secure code development training completed by an engineer/developer within the past year

DCF-326

Need-to-Know Principle

System-generated list of appropriate users with access to system components and data

DCF-350

Password History Enforcement

Screenshots of system configurations showing that passwords must be different from the previous 4 passwords.
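The two mechanisms the evidence above refers to, salted password storage (DCF-60) and rejection of any of the previous four passwords (DCF-350), shown together as an added Python example that is not part of this Drata page or of any product it describes. It uses only the standard library; the PBKDF2 work factor, the record format, the history depth of 4 and the sample user names are assumed values chosen for illustration.

```python
"""Salted password storage (DCF-60) with password-history enforcement (DCF-350).

Added illustration, not Drata's code. Standard library only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed parameters. Raise the work factor to what your hardware tolerates
# (OWASP currently suggests 600,000 for PBKDF2-HMAC-SHA256); it is kept low
# here so the walk-through runs quickly. HISTORY_DEPTH matches the
# "previous 4 passwords" evidence described for DCF-350.
PBKDF2_ITERATIONS = 100_000
HISTORY_DEPTH = 4
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.

    A fresh 16-byte random salt per password means two users with the same
    password get different stored values, which is what a database
    screenshot for DCF-60 should make visible.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


@dataclass
class UserRecord:
    """What a users-table row holds: never the password, only salted hashes."""
    username: str
    # Newest first; index 0 is the current password record.
    history: List[str] = field(default_factory=list)

    @property
    def current(self) -> Optional[str]:
        return self.history[0] if self.history else None


def set_password(user: UserRecord, new_password: str) -> bool:
    """Store a new password unless it matches the current or recent ones.

    Returns True on success, False if the password was rejected for reuse.
    Only HISTORY_DEPTH records are kept, so the comparison covers exactly
    the previous four passwords the control asks for.
    """
    if any(verify_password(new_password, old) for old in user.history[:HISTORY_DEPTH]):
        return False
    user.history.insert(0, hash_password(new_password))
    del user.history[HISTORY_DEPTH:]
    return True


def is_salted(record_a: str, record_b: str) -> bool:
    """True when two records for the same password differ, i.e. salting is in effect."""
    return record_a != record_b


def demo() -> dict:
    """Constructed walk-through; returns each outcome so it can be checked."""
    user = UserRecord("alice")  # constructed sample user
    results = {"initial": set_password(user, "Winter2024!")}
    results["rotate"] = [set_password(user, f"Pass-{i}") for i in range(1, 5)]
    # "Winter2024!" is now the fifth most recent password, so it is allowed again.
    results["reuse_fifth_oldest"] = set_password(user, "Winter2024!")
    results["reuse_recent"] = set_password(user, "Pass-4")
    results["login_ok"] = verify_password("Winter2024!", user.current)
    results["login_bad"] = verify_password("wrong", user.current)
    results["salted"] = is_salted(hash_password("same"), hash_password("same"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stored record carries its own algorithm, iteration count and salt, so the work factor can be raised later and old records re-hashed on next successful login without a schema change; the history list holds only hashes, never plaintext, which is the point an auditor checks in the DCF-60 screenshot.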

DCF-352

Unique First-time Passwords With One-Time Use

1. Documented password procedures which define the following requirements:

  • First-time passwords must be set to a unique value for each user.

  • First-time passwords must change after first use.

  • Reset passwords must be set to a unique value for each user.

  • Reset passwords must change after each use.

- and -

2. Screenshots documenting this process of setting first time and reset passwords.

DCF-356

Communication of Authentication Best Practices

1. Screenshots showing where employees can find policies and procedures related to Authentication.

- and -

2. Documented policies and procedures related to Authentication which include the following:

  • Guidance on selecting strong authentication credentials.

  • Guidance for how users should protect their authentication credentials.

  • Instructions to not use previously used passwords.

  • Instructions stating to change a password if the password is suspected to be compromised.

DCF-363

Entry Controls in Place

For each computer room, data center, and other physical areas which contain systems:

  • Pictures showing that access is controlled using badge readers or other devices including authorizing badges and lock and key.

  • Screenshots or video showing an administrator’s attempt to log into system consoles showing that these systems are “locked” to prevent unauthorized access.

DCF-365

Secure Physical Access Control Mechanisms

Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling.

DCF-369

Restricted Physical Access to Network Components

Observation of physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the company facilities being restricted

DCF-374

Visitors Authorized and Escorted

Observation of a visitor being escorted when entering company facilities

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-375

Personnel and Visitor Badges

Observation of visitor obtaining a visitor badge and example of a visitor badge

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-378

Visitor Log

Upload evidence to show that a visitor log is maintained to keep an audit trail of visitor activity to the company facilities, computer rooms or data centers where sensitive data may be stored or transmitted (such as scan or photograph of the visitor log for an example day)

DCF-381

Media Physically Secured or Encrypted

Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes).

DCF-384

Media Classification

Screenshots and/or pictures showing how media is classified including labels showing data sensitivity.

DCF-385

Media Transferred Securely

1. Documented procedures related to media transfer which include acceptable methods of information transfer including authorized couriers and the ability to track media transfers.

- and -

2. Screenshots or documentation showing how media transfers are logged.

- and -

3. Documentation for a recent media transfer showing that tracking information was logged.

DCF-386

Management Approval for Media Transfer

Documentation from a recent media transfer (including media distribution to individuals) showing that the transfer was approved by an authorized member of management.

DCF-388

Media Inventory Logs

1. Evidence that a documented inventory of all electronic media containing sensitive data is maintained

- and -

2. Evidence of annual review / verification of inventory being performed

DCF-390

Media Destruction

Documented policies and procedures related to Media Destruction.

DCF-406

Audit Logging

Screenshots showing that audit trails are enabled and active for in-scope systems

DCF-407

Audit Logs Data Points

System user access lists from in-scope systems showing that access is linked to an individual user.

DCF-409

Audit Trail for Privileged Access

1. Screenshots of audit log settings showing that all actions taken by root/admin users will be logged.

- and -

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-411

Audit Trail for Invalid Access Attempts

1. Screenshots of audit log settings showing that invalid/failed login attempts are logged.

- and -

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-412

Audit Trail for Identification and Authentication Mechanism Changes

1. Screenshots of audit log settings showing that the use of identification and authentication mechanisms is logged, that elevation of privileges is logged, and that changes (addition, modification, or deletion) to accounts with administrator or root privileges are logged.

- and -

2. Screenshots of example logs showing that these log settings are functioning correctly.

DCF-414

Audit Trail of System-Level Object Changes

1. Screenshots of audit log settings showing that the creation or deletion of system-level objects is logged.

- and -

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-421

Clock Synchronization

Documented procedures for synchronizing time across in-scope system components which include the following elements:

  • Only the designated central time server may receive time signals from the designated external time source.

  • Time signals are received in UTC or International Atomic Time.

  • When there is more than one central time server, these time servers are configured to peer with one another.

  • Systems may only receive synchronization information from designated central time server(s).

DCF-422

Time-related System Parameters

Screenshots showing that the documented process has been implemented (for example, that NTP has been configured and is being used by system components to synchronize time). Screenshots should show that:

  • Time signals are received in UTC or International Atomic Time.

  • When there is more than one central time server, these time servers are configured to peer with one another.

  • Systems may only receive synchronization information from designated central time server(s).

DCF-423

Time Server Peering

Screenshots showing that the documented process has been implemented (for example, that NTP has been configured and is being used by system components to synchronize time). Screenshots should show that:

  • When there is more than one central time server, these time servers are configured to peer with one another.

DCF-424

System Time Source

Screenshots showing that the documented process has been implemented (for example, that NTP has been configured and is being used by system components to synchronize time). Screenshots should show that:

  • Systems may only receive synchronization information from designated central time server(s).
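A way to check that the time-synchronization configurations actually match the documented elements of DCF-421 and the screenshot evidence asked for in DCF-422 through DCF-424, as an added Python example that is not part of this Drata page or of any product it describes. It parses chrony/ntpd-style server, pool and peer directives from constructed sample configs; the central server names, the external source name and the sample hosts are assumed values. Whether signals are carried in UTC or TAI is a property of the NTP protocol rather than of a configuration file, so that element is left to the screenshots.

```python
"""Check time-sync configurations against the documented DCF-421 elements.

Added illustration, not Drata's code. Parses chrony/ntpd-style 'server',
'pool' and 'peer' directives and reports hosts that receive time from
anything other than the designated central servers, central servers that
use an unapproved upstream, and central servers that do not peer with
each other.
"""
from typing import Dict, List, Set, Tuple

# Assumed designated central time servers and approved external source.
CENTRAL_SERVERS: Set[str] = {"ntp1.corp.example", "ntp2.corp.example"}
EXTERNAL_SOURCE = "external.time.example"

# Constructed sample configs, keyed by hostname (chrony.conf style).
SAMPLE_CONFIGS: Dict[str, str] = {
    "ntp1.corp.example": (
        "server external.time.example iburst\n"
        "peer ntp2.corp.example\n"
        "allow 10.0.0.0/8\n"
    ),
    "ntp2.corp.example": (
        "server external.time.example iburst\n"
        "peer ntp1.corp.example\n"
        "allow 10.0.0.0/8\n"
    ),
    "app-01.corp.example": (
        "server ntp1.corp.example iburst\n"
        "server ntp2.corp.example iburst\n"
    ),
    "db-01.corp.example": (
        "# left over from the base image\n"
        "pool public.pool.example iburst\n"
        "server ntp1.corp.example iburst\n"
    ),
}


def parse_sources(config_text: str) -> List[Tuple[str, str]]:
    """Return (directive, target) pairs for server/pool/peer lines; comments are ignored."""
    sources = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("server", "pool", "peer"):
            sources.append((parts[0], parts[1]))
    return sources


def check_time_sync(
    configs: Dict[str, str], central: Set[str], external: str
) -> List[str]:
    """Return one finding per violation; an empty list means the configs follow the procedure."""
    findings = []
    for host, text in sorted(configs.items()):
        sources = parse_sources(text)
        upstream = {t for d, t in sources if d in ("server", "pool")}
        peers = {t for d, t in sources if d == "peer"}
        if host in central:
            # Element 1: only the central servers take time from the external source.
            unapproved = upstream - {external}
            if unapproved:
                findings.append(
                    f"{host}: central server uses unapproved upstream {sorted(unapproved)}"
                )
            # Element 3: with more than one central server, they must peer with each other.
            missing_peers = central - {host} - peers
            if missing_peers:
                findings.append(f"{host}: not peered with {sorted(missing_peers)}")
        else:
            # Element 4: every other system syncs only from the central server(s).
            outside = upstream - central
            if outside:
                findings.append(f"{host}: syncs from non-central source {sorted(outside)}")
            if not upstream:
                findings.append(f"{host}: no time source configured")
    return findings


if __name__ == "__main__":
    report = check_time_sync(SAMPLE_CONFIGS, CENTRAL_SERVERS, EXTERNAL_SOURCE)
    for finding in report or ["no findings"]:
        print(finding)
```

Run against the sample set, the only finding is the database host still pointing at a public pool from its base image; feeding the real configs collected from each host gives a repeatable check to attach alongside the screenshots.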

DCF-429

Limited Access to Audit Trails

Screenshots from the logging system or system user access lists showing that audit trails can only be accessed by individuals with a business need to access them.

DCF-430

Audit Trail Files Protected

Screenshots or pictures showing that audit trails are protected from unauthorized access/modification/deletion through access control mechanisms, physical segregation, and/or logical network segregation.

DCF-434

Policies and Procedures for Logging

Logging and Monitoring Policy

DCF-441

Audit Log Retention Period

1. Documented policy related to Audit Log Retention which states a requirement that logs will be retained for at least 1 year.

- and -

2. Screenshot showing that logs, archives of logs, or compressed log files are stored for at least one year.

DCF-478

Change Detection Mechanism

1. Screenshots from the change detection solution (such as File Integrity Monitoring) and relevant change detection system configurations showing what is monitored.

- and -

2. Documented list of files which are monitored by the change detection solution.

DCF-503

Multiple Methods for Security Awareness

Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (such as screenshots of internal newsletters or intranet with security reminders, security updates sent through Slack or other internal communication channels)

DCF-507

Vendor Due Diligence

For any new service provider or vendor, you'll need to perform due diligence on (evaluate) them prior to engaging with them. Due diligence can consist of reviewing security questionnaires or obtaining confirmation that they have compliance certifications (such as a SOC 2). You should document the results of your due diligence as well as the day it was completed.

DCF-527

Designated Data Protection Officer

Upload evidence showing that a data protection officer has been officially appointed (such as internal privacy policies, a RACI matrix, or job descriptions identifying the data protection officer).

Additionally, upload evidence showing that a mechanism to contact the data protection officer is communicated to users/data subjects (such as screenshots of the online privacy/policy showing that an email address of the data protection officer is provided).

DCF-535

Organizational Context

Documentation that discusses how your company fits into the data processing ecosystem and includes each of the areas discussed in the 'Control Activities' section. Please see Appendix B of Drata’s latest Personal Data Management Policy template for helpful definitions.

DCF-557

Shared Account Management

System Access Control Policy

DCF-558

Restrictions on Software Installation

Upload evidence showing that the organization has implemented mechanisms to prevent the installation and use of unauthorized software in company-managed assets (such as screenshots from MDM tools showing rules preventing software installation are enforced on company devices, access controls limiting access to run executables)

DCF-562

Management of Utility Programs

1. Any documented procedures covering who can access utility programs (admin consoles for tools like antivirus, MDM tools, logging systems)

- and -

2. List of users who currently have access to utility programs.

DCF-566

Management of Nonconformities

ISMS Plan, Appendix C

DCF-567

Change Management Policy

Change Management Policy

DCF-569

Information Labeling

Data Protection Policy and Data Classification Policy

DCF-570

Disciplinary Process

Upload your company's documented disciplinary process. The disciplinary process may be an HR-owned process available and communicated to employees through employee handbooks, a code of conduct, etc., or included within an information security policy document.

Note: This evidence should not be confused with disciplinary processes related to low performance or misconduct such as harassment. This is specific to disciplinary actions invoked against personnel who have committed an information security breach or security policy violation.

DCF-571

Fire Detection and Suppression

1. Observation of fire detection and suppression systems installed in critical locations

(Note: Observations should be performed by auditors on-site or via virtual meeting)

- and -

2. Evidence of ongoing maintenance

DCF-572

Temperature Monitoring Systems

1. Observation of systems in place to monitor and control air temperature and humidity at appropriate levels

(Note: Observations should be performed by auditors on-site or via virtual meeting)

- and -

2. Evidence of ongoing maintenance

DCF-573

Uninterruptible Power Supply

1. Observation of uninterruptible power supply (UPS) systems in place for data centers or server rooms

(Note: Observations should be performed by auditors on-site or via virtual meeting)

- and -

2. Evidence of ongoing maintenance

DCF-574

Mobile Device Management Software

Upload evidence to show that a mobile device management (MDM) tool has been implemented to enforce security controls on mobile devices (such as screenshots from the MDM's centralized management console, screenshots of baseline configurations, or security policies or blueprints enforced on devices per OS type).

DCF-611

Obscured Authentication Feedback

Screenshot of the user interface during the authentication process showing that authentication feedback is hidden (such as password entry fields displaying asterisks or limited visibility feedback).

DCF-619

Media Sanitization

For a sample of media sanitization and disposal actions, provide evidence that each sample was reviewed, approved, tracked and documented according to company policies and procedures.

DCF-637

Secure Development Process

Software Development Life Cycle Policy

DCF-678

Network Security Policy

Network Security Policy

DCF-681

Phishing Simulations

Upload evidence showing that phishing simulations are conducted as part of the company's security awareness initiatives (such as screenshots of phishing simulation campaign configurations, screenshots of dashboards showing campaign results, or a screenshot of an example simulated phishing email).

DCF-684

Redundancy of Processing

Provide evidence that redundancy strategies were implemented for equipment, systems and processes as deemed necessary per the business continuity plans.

DCF-687

Phishing Detection Mechanisms

Upload evidence showing that phishing detection mechanisms have been implemented in your organization (such as screenshots showing SPF, DKIM and DMARC configurations enabled for email authentication).

DCF-688

Return of Assets

For one recently terminated personnel, upload evidence showing that assets were returned to the company (such as offboarding checklists or internal tickets tracking the return of devices, badges and tokens upon termination, or evidence of pre-paid labels sent to remote personnel for asset return and tracking).

DCF-689

On-Call Team

Upload evidence of on-call rotation schedule (such as screenshots from tools like PagerDuty or equivalent tool showing on-call schedule and teams assigned).

DCF-694

Use of Unencrypted Portable Storage

For any unencrypted physical media and/or portable devices used, upload evidence of documented business justification and approval from management for its use.

DCF-698

Automated Mechanisms for Audit Log Reviews

Screenshot of the configuration of audit log review solutions such as centralized log management systems, event log analyzers, security information and event management (SIEM) solutions, etc.

DCF-707

Credentials for System Accounts Not Hard-Coded

Screenshots of the configuration to validate that authentication secrets for any application and system accounts are not hard-coded in scripts, configuration/property files, or bespoke and custom source code.

DCF-708

Software and Third Party Libraries Inventory

Inventory list of bespoke and custom software and third-party software components (such as a software bill of materials) that is maintained and kept up to date (for example, through the use of software composition analysis tools or other mechanisms).

DCF-712

Static Application Security Testing

Upload evidence that static application security testing (SAST) is conducted for software development testing (such as screenshots from the CI/CD pipeline for relevant code repositories showing a SAST scan automatically executes every time new code is committed, screenshots of configurations and dashboards from SAST tools such as SonarCloud).

DCF-741

Logging and Monitoring Policy

Logging and Monitoring Policy

DCF-748

Segmentation of Networks

Upload evidence showing that network segmentation or other techniques are used to split the network into security boundaries and to control traffic between them based on business and security needs.

DCF-749

Leak Detection System

Observation of leak detection systems at critical facilities

(Note: Observations should be performed by auditors on-site or via virtual meeting)

DCF-744

Contact with Authorities

Incident Response Plan

DCF-745

Segregation of Duties

Segregation of duties outlined in the Information Security Policy and System Access Control Policy

DCF-760

Control of Audit Activities

Upload evidence showing that audit requirements and activities involving verification of operational systems are planned and agreed upon by management to minimize disruptions to business processes and security risks (such as screenshots of communications and agreements with penetration test vendors discussing and agreeing on the scope of the test, access requirements, and availability considerations).

DCF-762

Managing Changes to Supplier Services

For a change to the provision of services by a vendor, provide documentation to evidence that review and due diligence activities were required and authorized by management.

(Note: Auditors may request a population and samples for this control)

DCF-763

Requirements for Protection of Intellectual Property Rights

Acceptable Use Policy

DCF-775

Cloud Deletion Protection

Screenshots of the configuration enabled for deletion protection for cloud resources

DCF-776

Principle of Least Privilege

For each in-scope system / application, provide the user access listing with roles & permissions assigned to show that principle of least privilege has been implemented

DCF-777

Cloud Resource Tagging

Inventory listing with tags assigned

DCF-779

Cryptographic Key Rotation

Upload evidence of cryptographic key rotation processes implemented in accordance with defined company procedures (such as screenshots of automated key rotation configurations in a key management system, or tickets or other documentation showing that manual key rotation processes are carried out periodically).

DCF-780

Web Filtering

Upload evidence showing that the organization has implemented web filtering mechanisms to enforce the company's internet usage policies (such as screenshots of web filtering configurations showing that access to known malicious sites is blocked and that access to web resources prohibited by the company's acceptable use policy is denied).

DCF-781

Secure Login Procedures

Screenshot of the user interface during the login process showing that in-house developed systems were configured to deter enumeration or brute-force attacks (such as displaying limited information in login error messages without indicating which data is correct or incorrect).

DCF-782

Cloud Storage Lifecycle

Upload evidence of any cloud storage lifecycle rules in place to delete data automatically after expiration of specified retention periods (such as screenshots from cloud storage showing configured expiration actions).

DCF-783

Credentials Rotation

Upload evidence of secrets rotation processes implemented in accordance with defined company procedures (such as screenshots of automated secrets rotation configurations in a secrets management system, or tickets or other documentation showing that manual secrets rotation processes are carried out periodically).

DCF-784

Software Composition Analysis (SCA)

For a vulnerability identified in software components or libraries, provide evidence that fixes were implemented in accordance with the company's vulnerability management policies.

(Note: An auditor may request a population and samples for this control)

DCF-785

Secure Runtime Configurations

1. Asset Management Policy

- and -

2. Screenshots of run configuration standards for in-scope applications and platforms

DCF-789

Expectations of Interested Parties

ISMS Plan (2013 and 2022)
