Skip to main content
All CollectionsEvidence Library
Example Evidence for Not Monitored Controls (ISO 27001)
Example Evidence for Not Monitored Controls (ISO 27001)

Example Evidence for Not Monitored Controls (ISO 27001)

Updated over a month ago

The following is a list of example evidence for controls not monitored in Drata for ISO 27001.

Note: An auditor may request additional evidence for each control.

Code

Name

Example Evidence

DCF-5

Code Repository Controls

Upload evidence of the branch protection settings for relevant code repositories used in production.

Example: Screenshots showing configured rules and the repository they pertain to. If your organization configures repositories ruleset at the organization level, upload evidence of those global configurations. Auditors will generally request evidence that controls in the code repository are enforced through configurations to prevent users from bypassing standard change controls (e.g., requiring pull requests/merge requests for all changes, requiring at least one approval to merge a change, etc.)

DCF-5,DCF-155

Software Development Change Control

For an example change (e.g., software development change), upload evidence showing that the change was reviewed, tested, and approved with segregation of duties prior to deployment to production.

Example: Internal ticket showing requirements, acceptance criteria and testing performed, pull request showing peer-review, CI/CD tests performed, and approval, etc.

DCF-6

Change Deployers

Upload evidence showing users with access to deploy changes to production.

Example: Users with administrator access to a production server, users that can trigger deployments in CI/CD tools, code owners in the production repositories, etc.

Auditors will generally request to evidence of the final "gatekeepers" for production deployments.

DCF-7

Separate Testing and Production Environments

Upload evidence showing separate environments exist for development, testing, staging, and production as applicable

Example: Screenshots of the web environments showing different URLs, screenshots showing separate infrastructure such as different servers, databases, networks for production and lower environments, etc.

DCF-9

Internal Communication Channels

Upload examples of internal communication channels for employees to report failures, events, incidents, concerns, and other issues.

Example: Screenshot of internal channels dedicated to security event reporting in messaging apps (Slack, MS Teams, etc.), whistleblower channels, etc.

DCF-11

User Access Review

Upload documentation of the most recent user access and permissions review.

Example: Screenshots of the user lists and permissions reviewed, evidence of sign-offs or approvals by at least two individuals (SOD), documentation of changes requested if any, and evidence that the changes requested were implemented. The scope of the review should be discussed with your auditor as different auditors may have different expectations (based on the scope of the assessment, relevant framework(s), etc.) Auditors will generally require to see the following:

  • Evidence of the review inputs (what artifacts were reviewed?) such as screenshots of user lists with permissions.

  • Evidence that segregation of duties was maintained (e.g., two individuals sign-off the review so that no reviewer is approving their own access).

  • Changes identified were implemented (e.g., tickets documenting removal of accounts, updated user lists showing modifications in permissions, etc.)

Auditors would generally expect to see these review activities done at least annually, with quarterly frequency being the most common. Auditors may also expect that the user access review includes a review of physical access rights, if applicable (e.g., reviews of active personnel in the badge system, etc.)

DCF-12

Baseline Configuration and Hardening Standards

Upload evidence of your documented baseline security configuration and hardening standards such as industry-accepted hardening standards or vendor recommendations and evidence that these are implemented (for example, through infrastructure as code).

Examples of industry-accepted baseline security configurations and hardening standards include:

  • CIS Benchmarks

  • CIS Hardened Images

  • NIST Security Configuration Checklists for Commercial IT Products

DCF-14

Organizational Chart

Upload your current organizational chart (e.g., screenshot or export from HRMS showing personnel, their job title, department, reporting lines, etc).

DCF-16,DCF-17

Risk Assessment Results

Upload documentation of the most recent risk assessment activities performed (e.g., risk register, risk treatment plan) in accordance with company policies and compliance requirements.

The risk assessment drives the selection of controls to be implemented; therefore, a thorough risk assessment is necessary to ensure the selection of controls is appropriate and sufficient to mitigate the risks that threaten the organization's achievement of its goals and objectives.

DCF-19

Penetration Test

Upload evidence of the most recent penetration testing activities.

Example: Report(s) of the most recent penetration test(s) performed by a third-party or internal resource showing scope and results of the assessment, evidence of the internal tracking and remediation of findings (internal tickets, change documentation), etc.

Auditors will generally evaluate the pen testing activities against the against policy requirements (e.g., documentation of justification for vulnerabilities found by the pen testers accepted as risks or deemed non-exploitable, exploitable vulnerabilities resolved within company-defined SLAs, etc.).

DCF-20

Asset Inventory

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.)
- and -
2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure

DCF-22

Network Diagram

Upload evidence of your current network diagram(s) and evidence of updates/reviews within the past year for accuracy (e.g., emails from responsible personnel confirming the accuracy and completeness of the network diagram(s), etc.)

Network diagram is defined as a representation of system components and boundaries, as well as connections within a networked environment.

DCF-26

Business Continuity/Disaster Recovery Test

Upload evidence of your most recent business continuity and/or disaster recovery test.

Example: Documentation of the activities performed, results, and lessons learned, calendar invites showing participants and dates, etc.

DCF-28,DCF-30

Incident Documentation

For an example security event deemed an incident, upload the incident documentation including evidence of internal tracking (e.g., internal ticket), root-cause analysis (RCA)/post-mortem, lessons learned, etc.

DCF-29

Incident Response Roles and Responsibilities

Upload evidence of your documented roles and responsibilities for incident response.

Example: Documentation of your internal incident response processes and procedures outlining the roles and responsibilities for incident management such as:

  • Incident managers

  • Incident handlers

  • Communication coordinators

  • Advisors

DCF-35

Security Team Communicates in a Timely Manner

Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-40

Contractor Requirements

1. Executed Agreement/contract between the entity and key vendors.

DCF-43

Termination/Offboarding Checklist

1. Formal documented termination checklist/help desk ticket for a recent terminated employee.

DCF-46,DCF-179

Formal Screening Process

Upload evidence of the formal interview/recruitment process for a recently hired personnel.

Example: Calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials etc.

DCF-47,DCF-179

Job Descriptions

Upload documented job descriptions for both a recently hired personnel and an existing personnel.

Auditors will generally look for examples of job descriptions for personnel in information security roles or that have a role that may impact the confidentiality, integrity, or availability of data (engineers, IT personnel, etc.)

DCF-53

Cryptography Policies

List of all locations where data is transmitted or received over open, public networks.

Documented standards which detail the level of security protocols and cryptographic algorithms used to protect this data.

Screenshots from the system configurations of the systems receiving this data showing the implementation of these security protocols and encryption algorithms

DCF-56

DCF-132

Vendor Agreement

Upload evidence of an example executed agreement with a vendor or service provider.

DCF-57

Vendor Register and Agreements

1. Executed Agreement/contract between the entity and key vendors.

DCF-58

Authentication Protocol

1. If SSO is an option, screenshots of a user logging in with SSO.
2. If username and password is an option, screenshots of a user logging in with a username and password.
3. Screenshots of MFA being required for employee users.
4. If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA.

DCF-59,DCF-326,DCF-562

Administrative Users

Upload screenshots or exports of user lists (with a screenshot of parameters used for exporting) showing the users with administrative or privileged access to the systems (e.g., super users, administrators, power users, etc.) for relevant systems.

Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), utility programs (e.g., antivirus consoles) and others based on the scope of the engagement. Discuss system scope with your chosen auditor.

DCF-60

Secure Password Storage

1. If username and password is required, screenshots from the database showing that password are stored using a salted hash.

DCF-62

Application Logoff

Upload evidence of automated logoff for relevant systems/applications. For example:
1. Screenshots of users being logged out of the application when browser/tab is closed and being forced to re-authenticate upon next login.
2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to authenticate upon next login (including application messages, parameters in the application code defining the inactivity period, etc.)

Relevant systems may include company-developed web applications and any system or application in use that allows for configuration of automated logoffs. If applicable, discuss scope with your chosen auditor.

DCF-64

Commitments Communicated to Customers

1. Upload evidence of a recently executed service agreement with a customer.
- and -
2. Upload evidence of your terms of service available online, as well as screenshots of the account sign up process showing users are required to accept the terms of service prior to using the system.

DCF-65

DCF-115

Public Privacy Policy/Notice

Add a link to your publicly available privacy policy/notice.

The privacy policy should contain information including, but not limited to:

  • Purpose for collecting/processing personal information

  • Lawful basis for collecting/processing personal information

  • Types of personal information collected or processed

  • Choice and consent

  • Methods of collection (for example, use of cookies or other tracking techniques)

  • Use, retention, and disposal

  • Data subject rights

  • Use of subprocessors

  • Technical and organizational measure

  • Quality, including data subjects' responsibilities for quality

  • Monitoring and enforcement

Additional information may be required in the privacy policy to comply with privacy-specific legislation depending on the relevant jurisdiction. Consult with legal counsel.

DCF-67,DCF-355

Multi-Factor Authentication

Upload screenshots of the multi-factor authentication configurations for relevant systems (where not integrated with Drata). If MFA is enforced on a per-user level instead of a global setting, upload evidence showing all users have MFA enabled.

Auditors will evaluate multi-factor authentication requirements are in place for relevant systems. Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), and others based on the scope of the engagement. Discuss scoping with your chosen auditor.

DCF-68

Password Configurations

Upload evidence of the password requirements enforced for relevant systems to demonstrate are implemented in accordance with company policy.

Example: Screenshot showing minimum password requirements for relevant systems showing complexity and minimum length requirements.

Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), and others based on the scope of the engagement. Discuss scoping with your chosen auditor.

DCF-69

Access Provisioning

Upload an example record of access request and approval for a user to be granted permission to a system.

Example: Access request ticket with documented approval from system owner or manager, etc. A process to request and approve user accounts and permissions must be in place.

Auditors may request evidence of new hire access requests as well request for changes in permissions to existing users (e.g., transfers, new administrative users, additional permissions to specific resources such as databases or repositories).

DCF-70

Termination/Offboarding

Upload evidence showing the offboarding activities for one recently terminated personnel (e.g., offboarding checklist, IT or help desk ticket).

Upload evidence showing that system and physical access (as applicable) was revoked within the timelines set forth in company policy (e.g., screenshots of account logs showing disable date, etc.)

DCF-72

Root Password Login Disabled

Upload evidence showing that root password authentication to production resources (e.g., virtual machines, containers, etc.) is disabled.

Example: Screenshots of infrastructure as code configurations showing that password login has been disabled for root.

DCF-74

Communication of System Changes

1. Example emails communicating changes to customers.
- and -
2. Screenshots of banners warning customers of downtime prior to system maintenance.

DCF-76

Hot Fixes/Emergency Changes

For a hot fix or emergency change, upload evidence to show that the change followed the standard change management process (reviews, testing and approval) or that it was reviewed and approved by an authorized individual after implementation.

Example: Screenshots or exports of pull requests/merge requests showing change control, documentation such as internal tickets or emails showing post-implementation review and approval, etc.

DCF-77

Backup and Retention Configurations

Upload evidence showing back-up and retention configurations for production databases (e.g., screenshots showing backup frequency and window, retention period, etc.).

DCF-79

Logging System

Screenshots from the location where logs of system activity are stored.

DCF-80

Log Management System

1. Screenshots of logging software alert configuration
- and -
2. Screenshots from the location where logs of system activity are stored.
- and -
3. Evidence of corrective action being taken when alerted

DCF-85

Network Security Configurations

Upload evidence of network security configurations.

Example: Screenshot of firewall rules, security groups including inbound/outbound rules) showing network security configurations for inbound/outbound traffic to production resources.

DCF-88

Web Application Firewall (WAF)

Upload evidence of web application firewall (WAF) configurations (for example, screenshots showing active WAF rulesets, etc. )

DCF-91

Intrusion Detection/Prevention System

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.
- and -
2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.
- and -
3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-92

Encrypted Connections for Remote Access

Upload evidence that remote access to production resources is only available through an encrypted connection.

Example: Screenshot showing access to production servers or databases is not available if a user is not connected to the internal network via encrypted VPN.

DCF-95

Processing Capacity Monitoring

Upload evidence of processing capacity monitoring (e.g., screenshots from observability and telemetry tools showing dashboards for utilization metrics, screenshot of alert configurations for resource utilization, etc).

DCF-97

Autoscaling

Screenshot of auto scaling configurations for EC2 instances.

DCF-98

Daily Backup Statuses Monitored

1. Tickets showing that backup failures were monitored and resolved.

DCF-99

Backup Monitoring

1. Automated configurations from the backup service for notifying personnel when backup processes fail.
- and -
2. Example email for a failed backup and ticket documenting resolution.

DCF-100

Backup Restoration Test

Upload evidence of your most recent test restore of backed-up data completed within the past year.

Example: Documentation of the backup restoration process showing steps taken and associated evidence, results, date completed, etc. The evidence should include the steps taken to restore the data from a backup and validation of the completeness and accuracy of the restored data.

DCF-103,DCF-253

Customer Data Deletion

For a recently churned customer, upload evidence showing that customer data disposal was conducted in accordance with the contractual agreements with the customer.

Example: Screenshots of logs showing data was disposed of, screenshots from production resources such as storage buckets and databases showing customer-specific resources were decommissioned, etc.

Upload evidence of the agreement with the former customer to show the specific data disposal requirements and commitments.

Contractual agreements may specify a time window for data disposal (e.g., within 30 days of termination of services). Customer offboarding processes should include steps to ensure data disposal is conducted in accordance with the contractual agreements.

DCF-104

Test Data in Lower Environments

Upload evidence showing that production data is not used in testing, staging or other lower environments.

Example: Screenshots from testing databases showing mock data is used, data anonymization or mock data generation scripts, etc.

DCF-105,DCF-763

Employee NDA

Upload an example executed agreement addressing confidentiality with recently hired employee (e.g., NDA, PIIA, employment agreement including confidentiality clauses, etc.)

DCF-105

Third Party NDA

Upload an example executed agreement with a third party (e.g., vendor, contractor, business partner, etc.) addressing confidentiality.

DCF-106

Clean Desk and Clear Screen Policies and Procedures

1. Acceptable Use Policy
- and -
2. Acknowledgement of the Acceptable Use Policy (if applicable)

DCF-107

Disposal of Sensitive Data on Paper

1. Observation of hard copy material being disposed

Note: This can be performed by auditors on-site, or via virtual meeting.

DCF-108

Secure Storage Mechanisms

1. Pictures of secure storage bins from office locations.

DCF-109

DCF-253

DCF-390

DCF-619

Disposal of Data on Hardware

Upload evidence for one instance of data disposal on hardware showing that data was disposed securely.

Examples: one example certificate of destruction of hardware, screenshots showing that hard drive data on an endpoint were wiped prior to reuse of the device, etc.

DCF-112

Explicit Acknowledgement of Privacy Policy/Notice

Upload screenshots of the account sign up process for your system or application(s) showing users are required to accept the privacy policy/notice prior to using the system.

DCF-113

Review Privacy Notice Annually

1. Meeting minutes from management's annual meeting to review privacy practices.

DCF-114

Privacy Policy Publicly Available

1. Screenshot of privacy practices posted on the entity's website.

DCF-116

Acknowledge The Privacy Policy

1. Screenshots of the new user registration process showing that users are required to explicitly agree to the notice of privacy practices prior to the completion of the registration process.

DCF-117

Minimal Information Required

1. Screenshot of all information that the user can enter when providing data through the application.

DCF-118

Third Party Reliability

1, For all third parties in which personal information is collected from, evidence that management performed appropriate due diligence to ensure that data from third parties was collected fairly and lawfully.

DCF-119

Allowable Use and Disclosure

1. Section from privacy practices/policy that covers this item.

DCF-120

Privacy Policy Changes Communication

For any recent changes to the public privacy policy, upload evidence showing customers were notified of such changes (Example: screenshots of email notifications sent to customers notifying them of changes to the privacy policy, etc.) and that the privacy policy includes the date the privacy policy was last updated (Example: screenshot or export of the public privacy policy showing last update date).

DCF-120

Review of Privacy Policy

Upload evidence of the most review of the online privacy policy/notice to show the policy has been reviewed within the past year.

Example: records of emails, meeting minutes, draft versions with redlines, etc. showing reviews and updates to the policy.

DCF-121

Purposeful Use Only

1. Section from privacy practices/policy that covers this item.

DCF-123,DCF-253

Procedures for Information Disposal

Upload your documented procedures for erasure or destruction of information that has been identified for disposal.

DCF-124

Require Authentication for Access

1. Screenshots of a user authenticating to the application prior to seeing their information.

DCF-125

Users Can Access All Their Information

1. Screenshots of where a user can find their information within the platform (i.e. user profile).

DCF-126

Personal Information Accessible Through System Authentication

1. Screenshots of a user modifying their personal information within the application.

DCF-127

Privacy Requirements Communicated to Third parties

1. Evidence to support that third parties with whom PII is sent to, were provided requirements for how PII should be handled, according to your requirements.

DCF-128

Disclosure with 3rd Parties

1. Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-129

PII with 3rd Parties and Vendors

1. Formal, documented authorized list of third parties that can receive or access PII.

DCF-130

Documentation of Breaches or Unauthorized Disclosures of PII

1. Screenshots of the incident tracking system used to track breaches or security incidents involving PII.

DCF-131

Incident Report Template and Process

1. Formal, documented incident response procedures.

DCF-133

Unauthorized Disclosures by 3rd Parties

1. Example executed contracts with third parties that receive PII showing that contracts included provisions for third parties to protect personal information.

DCF-134

3rd Parties and Vendors Given Instructions on Breach Reporting

1. Executed contracts with third parties that are provided access to PII to confirm that third parties are provided with information on how to report breaches of PII to the entity.

DCF-135

Notification of Incidents or Breaches

For one example security incident or breach, upload evidence showing that notification of the incident or breach was given to affected parties and authorities (as applicable) in accordance with company policies and procedures and contractual and legal obligations.

DCF-136

Use of Subprocessors Communicated

1. Section from privacy practices on your website showing that 3rd parties that receive PII are listed.

DCF-137

Data Entry Field Completion Automated

1. Screenshots of a user enter information into the application to confirm that edit checks are included in fields.

DCF-142

Quarterly Review of Privacy Compliance

1. Meeting minutes from quarterly management meetings for tracking compliance with privacy practices and privacy regulations.

DCF-143

Board Oversight Briefings Conducted

1. Meeting minutes from the Board of Directors meeting showing that the state of cybersecurity and privacy risks were discussed.

DCF-144

Board Charter Documented

1. Copy of Board Charter

DCF-145

Board Expertise Developed

1. Board of Directors Backgrounds or Bios

DCF-147

Physical Access to Facilities is Protected

1. Physical Access Control Policy

DCF-148

Regression Testing in Place

1. Example of regression testing that was performed prior to a recent major product release.

DCF-149

Removable Media Device Encryption

1. If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.

DCF-150

Data Leakage Prevention

Upload evidence of the data leakage prevention (DLP) measures implemented in the organization (e.g., screenshots of DLP rules implemented in corporate email service, configurations from DLP tools in place, etc.)

DCF-151

FIM (File Integrity Monitoring) Software in Place

1. Screenshots of FIM software.
- and -
2. Examples of FIM detecting changes.

DCF-152,DCF-677

Automated Operating System Upgrades

Upload evidence showing that automated mechanisms have been implemented to install security upgrades to operating systems (e.g., screenshots showing unattended upgrades, apt-get-update / apt-get-upgrades within infrastructure as code configuration files, screenshots of management console for patch management tools such as Automox, etc.)

DCF-153

Conduct Control Self-Assessments

1. Annual internal control assessment report with any identified findings
(Note: Drata can also be used as evidence for continuous control assessment)
- and -
2. Evidence that corrective actions were taken for the identified findings

DCF-154

Incident Response Test

Upload evidence of your most recently completed incident response test.

Example: Documentation of the activities performed, results, and lessons learned, calendar invites showing participants and dates, etc.

DCF-156

Change Release

For an example change release, upload evidence showing that the release was approved by authorized personnel prior to deployment to production (e.g., screenshot of a pull request/ticket showing approval for a release candidate by an authorized personnel).

DCF-158

MFA Available for External Users

1. Screenshots from the application showing that customers have the option of using MFA for their accounts.

DCF-161

Management System Scope

ISMS Plan (2013 and 2022)

DCF-162

ISO Statement of Applicability

If not managed within Drata's Policy Center, upload your Statement of Applicability (SOA) in conformance with ISO requirements.

The statement of applicability defines the controls deemed necessary by the organization as a result of the risk assessment to implement the risk treatment plan. It is possible for an organization to design its own necessary controls or to select them from any source, including ISO standards.

The statement of applicability's version and date will be included in your certificate of registration.

DCF-163

Interested Parties and Legal Requirements

ISMS Plan (2013 and 2022),AI Governance Policy

DCF-164

ISO Management Reviews

Upload evidence of your most recent documented management review for your ISO management system(s)

As outlined in the management system standards, the organization must perform management reviews at periodic intervals. The reviews must address all requirements outlined in the ISO standard and the inputs and outputs of the management review must be documented.

DCF-165

ISO Internal Audits

Upload evidence showing the organization performs internal audits at planned intervals as required by ISO to confirm the management system(s) conforms to the organization's requirements and the referenced standards, and is effectively implemented and maintained (e.g., documentation of the most recent internal audit program(s) and report(s) of audit results for the management system(s), etc.).

DCF-166

Business Continuity Plan

1. Business Continuity Plan.

DCF-167

Business Impact Analysis

Upload evidence of your most recent business impact analysis (BIA) activities (e.g., documentation of the identification mission/business processes and recovery criticality, resource requirements, established recovery time and recovery point objectives (RTOs, RPOs), etc.).

The purpose of the BIA is to identify and prioritize system components by correlating them to the mission/business process(es) the system supports, and using this information to characterize the impact on the process(es) if the system were unavailable.

A template to perform a document the BIA is available through the National Institute of Standards and Technology at https://csrc.nist.gov/files/pubs/sp/800/34/r1/upd1/final/docs/sp800-34-rev1_bia_template.docx

DCF-168

Vendor Management Policy

Vendor Management Policy

DCF-170

Management System Objectives

Information Security Policy,ISMS Plan (2013 and 2022)

DCF-171

Documented Operating Procedures

Upload examples of your documented operating procedures for information security activities/controls.

Documented procedures should be prepared for the organization’s operational activities associated with information security, for example:

  • when the activity needs to be performed in the same way by many people;

  • when the activity is performed rarely and when next performed the procedure is likely to have been forgotten;

  • when the activity is new and presents a risk if not performed correctly; and,

  • prior to handing over the activity to new personnel.

DCF-172

Organizational Change Management

1. ISMS Plan / SDLC Policy / Change Management Policy

DCF-173,DCF-763

Employment Contracts

For one example personnel, upload executed employment contracts/agreements outlining the terms and conditions of employment as well as responsibilities during and after employment (e.g., duty of confidentiality, return of assets, protection of intellectual property, etc.).

DCF-174

Telework and Endpoint Devices

1. Information Security Policy

DCF-175

Communications Plan

1. ISMS Plan (2013 and 2022)

DCF-176

Measurement and Monitoring Plan

1. Will be a part of your ISMS policy.

DCF-177

Event Logging

1. Section from the Data Protection Policy

DCF-178

Record Management and Control

1. Evidence showing that policy documents are versioned control.
2. Change log from the ISMS policy for the ISMS document.

DCF-179

ISO Evidence of Competence

Upload evidence for an example personnel with assigned roles within the management system(s) showing that they have the necessary competence to fulfill their duties on the basis of appropriate education, training, or experience.

Example evidence may include, but is not limited to:
- records of education, certifications, and professional credentials
- records of training programs, courses and educational activities
- records of actions taken to acquire and retain the necessary competence as it relates to the management system

To meet ISO requirements, appropriate documented information is required as evidence of competence. The organization should therefore retain documentation about the necessary competence affecting the management system(s) and how this competence is met by relevant persons.

DCF-180

Secure Information Transfer

Data Protection Policy

DCF-182

Asset Management Policy

Asset Management Policy

DCF-184

Management System Plan

ISMS Plan

DCF-185

Threat Intelligence

Upload evidence showing that the organization has implemented mechanisms to collect threat information and produce threat intelligence.

Example: Screenshots from commercial cyber threat intelligence tools, security product/vendor intelligence feeds, open source feeds, etc.

DCF-186

Data De-identification

1. Data Classification Policy
- and -
2. Data Protection Policy

DCF-188

Contact with Special Interest Groups

Upload evidence showing that the organization and members of management maintain contact with special interest groups (e.g., security groups, privacy groups, etc.). For example, screenshots or exports showing members of management receive newsletters and updates from professional association groups, email alerts from security advisories such as CISA, participation in conferences, threat advisories, etc.

DCF-229

Vendor Default Accounts Disabled, Removed or Changed

1. Any policy or procedures documenting a requirement stating that ALL vendor supplied default account information must be changed.

2. Screenshots showing that vendor default accounts have been removed, had their default configurations changed, or are disabled.

DCF-271

Key Storage Locations Limited

Upload evidence of where your organization stores cryptographic keys.

Example: Screenshot from the console of your infrastructure provider's key management service.

DCF-273

Strong Key Generation Policies and Procedures

1. Documented key management procedures which specify how to generate strong cryptographic keys.

2. Screenshots showing the strong cryptographic key generation process.

DCF-284

Key and Certificate Validation

1. Documented policies and procedures which specify processes for accepting only trusted keys and certificates (Encryption Policy).

2. Screenshots showing that keys and certificates used in the environment are trusted.

DCF-293

Anti-Malware Capabilities and Automatic Updates

Upload evidence showing that the deployed anti-malware solution is kept via automatic updates and configured to detect all known types of malware and to remove, block, or contain all known types of malware.

Examples: Screenshots from the anti-malware solution console showing configurations for automated updates and detection and containment actions.

DCF-294

Anti-malware Tools Behavior

Upload screenshots from your anti-malware solution console showing it is configured to perform periodic scans and active/real-time scans (e.g., scanning files from external sources as they are downloaded, opened, or executed) or to perform continuous behavioral analysis of systems or processes.

DCF-305

Production Components Change Control Procedures

For a non-software development change, upload documentation showing that the change was implemented in accordance with formal change management policies and procedures. For example, documentation of change description, justification, evaluation of security requirements and impact, approval by authorized parties, rollback procedures, etc., and records of testing (for example, acceptance and security impact testing).

Examples of changes include: infrastructure, network, configuration changes, etc.

DCF-312

Secure Code Development Training Record

Upload evidence of secure code development training completed by a member of personnel within the past year.

Example: Training content (videos, presentations, agenda) showing topics covered, and records of completion for one personnel.

The secure code development training program may be implemented through a third party or delivered in-house (e.g., team training session by engineering leadership, etc.).

DCF-350

Password History Enforcement

Upload evidence showing that system configuration settings are in place to prevent password reuse in accordance with company policy and compliance requirements for relevant systems.

Example: Screenshots showing password history enforcement configurations for relevant systems (not every relevant system will offer this as a configurable attribute). Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), and others based on the scope of the engagement. Discuss scoping with your chosen auditor.

DCF-352

Unique First-time Passwords With One-Time Use

Upload evidence showing that for organization systems passwords are set to a unique value for first-time use and upon reset and temporary initial passwords are forced to be changed immediately after the first use.

Example: Screenshots of system configurations or screenshots from a walkthrough of the password reset process.

DCF-356

Communication of Authentication Best Practices

  1. Screenshots showing where employees can find policies and procedures related to Authentication.

  2. Documented policies and procedures related to Authentication which include the following:

    1. Guidance on selecting strong authentication credentials.

    2. Guidance for how users should protect their authentication credentials.

    3. Instructions to not use previously used passwords.

    4. Instructions stating to change a password if the password is suspected to be compromised.

DCF-363

Entry Controls in Place

  1. For each computer room, data center, and other physical areas which contain systems:

    1. Pictures showing that access is controlled using badge readers or other devices including authorizing badges and lock and key.

    2. Screenshots or video showing an administrator’s attempt to log into system consoles showing that these systems are “locked” to prevent unauthorized access.

DCF-365

Secure Physical Access Control Mechanisms

1. Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling.

DCF-369

Restricted Physical Access to Network Components

1. Observation of physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the company facilities being restricted

DCF-374

Visitors Authorized and Escorted

1. Observation of a vistor being escorted when entering company facilities

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-375

Personnel and Visitor Badges

1. Observation of visitor obtaining a visitor badge and example of a visitor badge

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-378

Visitor Log

Upload evidence to show that a visitor log is maintained to keep an audit trail of visitor activity to the company facilities, computer rooms or data centers where sensitive data may be stored or transmitted (e.g., scan or photograph of the visitor log for an example day, etc.)

DCF-381

Media Physically Secured or Encrypted

Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes).

DCF-384

Media Classification

Screenshots and/or pictures showing how media is classified including labels showing data sensitivity.

DCF-386,DCF-385

Management Approval for Media Transport

For one instance of media moved outside or within the facilities, upload evidence of management's documented approval for the movement of media.

DCF-388

Media Inventory Logs

If your organization manages electronic media with sensitive data, upload evidence of your media inventory.

Without careful inventory methods and storage controls, stolen or missing electronic media could go unnoticed for an indefinite amount of time.

DCF-406

Audit Logging

Screenshots showing that audit trails are enabled and active for in-scope systems

DCF-407

Audit Logs Data Points

Upload evidence showing that audit logs have been configured to contain user or identity, type of event, date and time, success and failure indication, origination of event, affected data, and system component, resource, or service.

Example: Screenshot or export of a sample log showing the relevant attributes.

By recording these details for the auditable events, a potential compromise can be quickly identified, with sufficient detail to facilitate following up on suspicious activities.

DCF-409

Audit Trail for Privileged Access

Upload evidence showing that audit trails or logs are implemented for system components to capture all actions taken by any identities with administrative access, including execution of privileged functions and any interactive use of application or system accounts.

Example: Screenshot or export of a sample log showing the relevant log contents.

Identities with increased access privileges, such as “administrator” or “root” accounts, have the potential to significantly impact the security or operational functionality of a system. Without a log of the activities performed, an organization is cannot trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and account.

DCF-411

Audit Trail for Invalid Access Attempts

Upload evidence showing that audit trails or logs are implemented for system components to capture invalid access attempts.

Example: Screenshot or export of a sample log showing the relevant log contents.

Malicious individuals will often perform multiple access attempts on targeted systems. Multiple invalid login attempts may be an indication of an unauthorized user’s attempts to “brute force” or guess a password.

DCF-412

Audit Trail for Identification and Authentication Mechanism Changes

Upload evidence showing that audit trails or logs are implemented for system components to capture changes to identification and authentication credentials (e.g., creation of new accounts, elevation of privileges, changes, additions, or deletions to accounts with administrative access, etc.).

Example: Screenshot or export of a sample log showing the relevant log contents.

Logging changes to authentication credentials (including elevation of privileges, additions, and deletions of accounts with administrative access) provides residual evidence of activities. Malicious users may attempt to manipulate authentication credentials to bypass them or impersonate a valid account.

DCF-414

Audit Trail of System-Level Object Changes

Upload evidence showing that audit trails or logs are implemented for system components to capture capture all creation and deletion of system-level objects.

Example: Screenshot or export of a sample log showing the relevant log contents.

Malicious software, such as malware, often creates or replaces system-level objects on the target system to control a particular function or operation on that system. By logging when system-level objects are created or deleted, it will be easier to determine whether such modifications were authorized.

DCF-421

Clock Synchronization

Upload evidence showing that the organization synchronizes all critical system clocks and times using time-synchronization technology (such as Network Time Protocol (NTP)).

DCF-422,DCF-423,DCF-424

System Time Source

Upload evidence showing that internal systems receive time information only from designated central time server or servers that are configured to receive time from industry-accepted external sources based on International Atomic Time or Coordinated Universal Time (UTC).

If there is more than one designated time server, upload evidence showing that the time servers peer with one another to keep accurate time.

DCF-429

Access to Audit Trails

Upload evidence of the users with elevated access to log systems and log data.

Example: Screenshots of the users with administrative or privileged access to log systems and log data.

DCF-430

Audit Trail Files Protected

1. Screenshots or pictures showing that audit trails are protected from unauthorized access/modification/deletion through access control mechanisms, physical segregation, and/or logical network segregation.

DCF-434

Policies and Procedures for Logging

Logging and Monitoring Policy

DCF-441

Audit Log Retention Period

Upload evidence of your configured retention periods for audit logs.

Example: Screenshots showing retention configurations for audit logs from logging system.

DCF-478

Change Detection Mechanism

1. Screenshots from the change detection solution (such as File Integrity Monitoring) and relevant change detection system configurations showing what is monitored.

2. Documented list of files which are monitored by the change detection solution.

DCF-503

Periodic Security Updates

Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (e.g., screenshots of internal newsletters or intranet with security reminders, security updates sent out via Slack or other internal communication channels, etc.)

DCF-507

Vendor Due Diligence

For any new service provider or vendor, you'll need to perform due diligence on (evaluate) them prior to engaging with them. Due diligence can consist of reviewing security questionnaires or obtaining confirmation that they have compliance certifications (such as a SOC 2). You should document the results of your due diligence as well as the day it was completed.

DCF-527

Designated Data Protection Officer

Upload evidence showing that a data protection officer has been officially appointed (e.g., internal privacy policies, RACI matrix, job descriptions, etc. identifying the data protection officer, etc.).
Additionally, upload evidence showing that a mechanism to contact the data protection officer is communicated to users/data subjects (e.g., screenshots of the online privacy/policy showing that an email address of the data protection officer is provided, etc.).

DCF-535

Organizational Context

1. Documentation that discusses how your company fits into the data processing ecosystem and includes each of the areas discussed in the 'Control Activities' section. Please see Appendix B of Drata’s latest Personal Data Management Policy template for helpful definitions.

DCF-537,DCF-132

Data Processing Agreements with Subprocessors

Upload one example of an executed data processing agreement (DPA) with a subprocessor.

The data processing agreement should include the minimum technical and organizational measures that the subprocessor is expected to implement to meet the objectives of your organization's privacy program.

DCF-557

Shared Account Management

For any highly privileged shared accounts, upload evidence of the business justification and evidence of how these shared accounts are securely managed.

Example: Documentation of the business purpose of the shared account(s) with management approval and screenshots showing how the shared accounts are securely managed (e.g., through password vaults restricted to specific personnel, etc.).

DCF-558

Restrictions on Software Installation

Upload evidence showing that the organization has implemented mechanisms to prevent the installation and use of unauthorized software in company-managed assets (e.g., screenshots from MDM tools showing rules preventing software installation are enforced on company devices, access controls limiting access to run executables, etc.)

DCF-566

ISO Management of Nonconformities

Upload evidence showing that your organization is managing nonconformities in accordance with ISO requirements.

Examples: Nonconformity tracker, internal tickets raised to track nonconformities to resolution, etc.

ISO defines nonconformities as the "non fulfillment of a requirement". Requirements include ISO requirements as well as the organization's policies and procedures. Nonconformities can be identified through different sources, including internal audits, external audits, personnel reporting, continuous monitoring, etc.

Per the requirements outlined in Clause 10 of ISO management system standards, when a nonconformity is identified, the organization must review the nonconformity, perform a root-cause analysis, implement any actions needed, and evaluate the effectiveness of those actions.

Your organization must retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective action.

DCF-567

Change Management Policy

Change Management Policy

DCF-569

Information Labeling

1. Data Protection Policy and Data Classification Policy

DCF-570

Disciplinary Process

Upload your company's documented disciplinary process. The disciplinary process may be an HR-owned process available and communicated to employees through employee handbooks, code of conduct, etc, or included within an information security policy document.

This evidence should not be confused with disciplinary processes related to low performance or misconduct such as harassment. This is specific to disciplinary actions invoked against personnel and who have committed an information security breach or security policy violation.

The formal disciplinary process should provide for a graduated response that takes into consideration factors such as: a) the nature (who, what, when, how) and gravity of the breach and its consequences;
b) whether the offense was intentional (malicious) or unintentional (accidental); c) whether or not this is a first or repeated offense;
d) whether or not the violator was properly trained.

The response should take into consideration relevant legal, statutory, regulatory contractual and business requirements as well as other factors as required. The disciplinary process should also be used as a deterrent to prevent personnel and other relevant interested parties from violating the information security policy, topic-specific policies and procedures for information security. Deliberate information security policy violations can require immediate actions.

DCF-571

Fire Detection and Suppression

1. Observation of fire detection and suppression systems installed in critical locations

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

2. Evidence of ongoing maintenance

DCF-572

Temperature Monitoring Systems

1. Observation of systems in place to monitor and control air temperature and humidity at appropriate levels

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

2. Evidence of ongoing maintenance

DCF-573

Uninterruptible Power Supply

1. Observation of uninterruptible power supply (UPS) systems in place for data centers or server rooms

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

2. Evidence of ongoing maintenance

DCF-574

Mobile Device Management Software

Upload evidence to show that a mobile device management (MDM) tool has been implemented to enforce security controls on mobile devices (e.g., screenshots from the MDM's centralized management console, screenshots of baseline configurations, security policies or blueprints enforced on devices per OS type, etc.)

DCF-611

Obscured Authentication Feedback

1. Screenshot of user interface during the authentication process to show authentication feedback is hidden (e.g. password entry fields displaying asterisks or limited visibility feedback)

DCF-637

Documented Secure Development Process

Upload documentation of your organization's secure development processes.

Example: Internal wikis or other documentation that includes references to industry standards and/or best practices for secure development, security requirement considerations (for example, secure authentication and logging, etc.), and consideration of information security issues during each stage of the software development life cycle.

DCF-678

Network Security Policy

Network Security Policy

DCF-681

Phishing Simulations

Upload evidence showing phishing simulations are conducted as part of the company's security awareness initiatives.

Example: Screenshots from phishing simulation campaign configurations, screenshots of dashboards showing results of the campaign, screenshot showing example simulated phishing email, etc.

DCF-684

Redundancy of Processing

1. Provide evidence that redundancy strategies were implemented for equipment, systems and processes as deemed necessary per the business continuity plans

DCF-687

Email Authentication/Phishing and Spam Detection

Upload evidence showing that phishing and spam detection mechanisms have been implemented in your organization.

Example: Screenshots showing SPF, DMARC, DKIM configurations enabled for email authentication.

DCF-688

Return of Assets

For one recently terminated personnel, upload evidence showing that assets were returned to the company.

Example: Screenshots of offboarding checklists or internal tickets showing tracking of return of devices, badges, tokens, etc., upon termination, evidence of pre-paid labels sent to remote personnel for asset return and tracking, etc.

DCF-689

On-call Team

Upload evidence of on-call rotation schedule.

Example: Screenshots from tools lIKe PagerDuty or equivalent tool showing on-call schedule and teams assigned.

DCF-694

Approved Usage of Unencrypted Media

For any unencrypted physical media and/or portable devices used, upload evidence of documented business justification and approval from management for its use.

DCF-698

Automated Mechanisms for Audit Log Reviews

Screenshot of the configuration from audit log review solutions such as centralized log management systems, event log analyzers, security information and event management (SIEM) solutions, etc.

DCF-707

Credentials for System Accounts Not Hard-Coded

Upload evidence showing that the organization has implemented mechanisms to validate that authentication credentials for any application and system accounts are not hard coded in scripts, configuration/property files, or bespoke and custom source code.

Example: Screenshots from source code repositories showing secret scanning is conducted as part of the CI/CD pipeline.

DCF-708

Software and Third Party Libraries Inventory

Upload evidence of your organization's software and third party libraries Inventory (i.e., software bill of materials).

Example: Screenshots from software composition analysis tools showing software bill of materials (SBOM).

DCF-712

Static Application Security Testing

Upload evidence that static application security testing (SAST) is conducted for software development testing.

Example: Screenshots from the CI/CD pipeline for relevant code repositories showing a SAST scan automatically executes every time new code is committed, screenshots of configurations and dashboards from SAST tools such as SonarCloud, etc.

DCF-741

Logging and Monitoring Policy

1. Logging and Monitoring Policy

DCF-744

Contact with Authorities

Upload evidence of incident response procedures/playbooks or documented communication plans showing that your organization has identified and documented authorities to be contacted (such as law enforcement, regulatory bodies, supervisory authorities) as well as the events or circumstances that would require communication and the methods and responsibilities for communication with authorities.

Maintaining such contacts can be a requirement to support information security incident management or the contingency planning and business continuity processes. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization.

DCF-745

Segregation of Duties

Upload evidence showing that your organization has identified conflicting duties and conflicting areas of responsibility that must be segregated and implemented mechanisms for segregation of duties.

Your organization should determine which duties and areas of responsibility need to be segregated to reduce the risk of fraud, error, and bypassing of information security controls. The following are examples of activities that can require segregation:

  • initiating, approving and executing a change

  • requesting, approving and implementing access rights

  • initiating and approving transactions

  • using applications and administering databases

It is recommended that the organization's approach to managing segregation of duties is documented, including the identified activities to be segregated and how segregation of duties is achieved for each (e.g., through role-based access control, assigning duties to different individuals, etc.).

DCF-748

Segregation of Networks

Upload evidence showing that network segmentation or other techniques are used to split the network in security boundaries and to control traffic between them based on business and security needs.

DCF-749

Leak Detection System

1. Observation of leak detection systems at critical facilities

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-760

Control of Audit Activities

Upload evidence showing that audit requirements and activities involving verification of operational systems are planned and agreed-upon by management to minimize disruptions to business processes and security risks.

Examples Screenshots or exports of communications and agreements with penetration tests vendors discussing and agreeing on the scope of the test, access requirements, availability considerations, etc.

DCF-762

Managing Changes to Supplier Services

1. For a change to the provision of services by a vendor, provide documentation to evidence that a review and due diligence activities were required and authorized by management

(Note: Auditors may request a population and samples for this control)

DCF-775

Cloud Deletion Protection

1. Screenshots of the configuration enabled for deletion protection for cloud resources

DCF-776

Principle of Least Privilege

For each in-scope system / application, provide the user access listing with roles & permissions assigned to show that principle of least privilege has been implemented

DCF-777

Cloud Resource Tagging

1. Inventory listing with tags assigned

DCF-779

Cryptographic Key Rotation

Upload evidence of cryptographic key rotation processes implemented in accordance with defined company procedures.

Example: Screenshots of automated key rotation configurations in a key management system, tickets or other documentation showing manual key rotation processes are carried out periodically, etc.

DCF-780

Web Filtering

Upload evidence showing that the organization has implemented web filtering mechanisms to enforce the company's internet usage policies (e.g., screenshots of web filtering configurations showing access to known malicious sites are blocked, access to prohibited web resources per the company's acceptable use policy is prohibited, etc.)

DCF-781

Secure Login

For internally-developed systems, upload evidence showing that access to the system is done through a secure login procedure.

Examples: Screenshots showing successful and failed login attempts on internally-developed systems showing any or some of the following:

No help messages during the log-on procedure are provided that would aid an unauthorized user


The log-on information is validated only on completion of all input data. If an error condition arises, the system does not indicate which part of the data is correct or incorrect


The system does not display a password being entered

DCF-782

Cloud Storage Lifecycle Rules

Upload evidence of any cloud storage lifecycle rules in place to delete data automatically after expiration of specified retention periods (e.g., screenshots from cloud storage showing configured expiration actions, etc.)

DCF-783

Secrets Rotation

Upload evidence of secrets rotation processes implemented in accordance with defined company procedures (e.g., screenshots of automated secrets rotation configurations in a secrets management systems, tickets or other documentation showing manual secrets rotation processes are carried out periodically, etc.)

DCF-784

Software Composition Analysis (SCA)

Upload evidence to show that your organization checks software components and libraries for policy and license compliance, security risks, and supported versions.

Example: Screenshots showing that software composition analysis tools are used as part of your CI/CD pipeline to check for vulnerabilities in third party libraries.

DCF-785

Secure Runtime Configurations

1) Asset Management Policy
2) Screenshots of run configuration standards for in-scope applications and platforms

DCF-789

Expectations of Interested Parties

ISMS Plan (2013 and 2022)

Did this answer your question?