Example Evidence for Not Monitored Controls (SOC 2)

Written by Jane Baik
Updated over a week ago

The following is a list of example evidence for controls not monitored in Drata for SOC 2.

Note: An auditor may request additional evidence for each control.



Example Evidence


Separate Environments

Screenshots from test and production environments for the application


Internal Communication Channels

Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.


Periodic Access Reviews

1. Tickets documenting the access control lists that were reviewed for in scope cloud environments, SaaS applications, infrastructure as code tools, and security protection tools (as applicable)

- and -

2. Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews.


System Security Configuration and Hardening Standards

1. Evidence from infrastructure as code tools showing configurations that would be implemented when new infrastructure is deployed.

- and -

2. Any type of document that formally documents the configurations that should be implemented for newly deployed infrastructure.


Periodic Risk Assessment

Most recently completed risk assessment report.


Risk Treatment Plan

Documented remediation plans for risks identified during the risk assessment.


Penetration Tests

Most recently completed annual penetration test.


Asset Inventory

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases)

- and -

2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure


Architectural Diagram

Approved Architectural Diagram


Network Diagram

Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments.


BCP/DR Tests

Most recently completed BCP/DR test.


Incident Response Team

Provide the documented list of Incident Response team members who have the responsibility and authority to coordinate and execute incident response procedures.


Incident Response Lessons Learned Documented

For an example security event deemed an incident, provide the incident documentation, including evidence of internal tracking (such as an internal ticket), the root-cause analysis (RCA)/post-mortem, and the lessons learned.


Vendor Register and Agreements

Executed Agreement/contract between the entity and key vendors.


Secure Password Storage

If a username and password are required, screenshots from the database showing that passwords are stored as salted hashes.


Customer Data Segregation

1. Screenshots from the database showing that customers are assigned separate IDs.

- and -

2. Screenshots from the application showing that a customer cannot see data of another customer (attempt to show one customer trying to access data of another customer).


Inactivity and Browser Exit Logout

1. Screenshots of users being logged out of the application when browser/tab is closed and being forced to re-authenticate upon next login.

- and -

2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to re-authenticate upon next login.


Terms of Service

Upload evidence of your terms of service available online, as well as screenshots of the account sign up process showing users are required to accept the terms of service prior to using the system.


Commitments Communicated to Customers

1. Upload evidence of a recently executed service agreement with a customer.

- and -

2. Upload evidence of your terms of service available online, as well as screenshots of the account sign up process showing users are required to accept the terms of service prior to using the system.


Access Provisioning

Formal, documented access request form/help desk ticket for a recent new hire.


Root Access Control

1. Screenshots of a user logging into the production systems, showing that they have to use a unique SSH account.

- or -

2. Screenshot of the setting from the production servers showing that the "root" account cannot be used to login to production.


Communication of System Changes

1. Example emails communicating changes to customers.

- and -

2. Screenshots of banners warning customers of downtime prior to system maintenance.


Critical Change Management

Formal, documented emergency change procedures for critical changes.


Logging System

Screenshots from the location where logs of system activity are stored.


Intrusion Detection/Prevention System

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.

- and -

2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.

- and -

3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.


Encrypted Remote Production Access

1. Screenshots of a user trying to access production systems without being connected to a VPN, showing that access is denied.

- and -

2. Screenshots of a user accessing production after connecting to a VPN to show a successful connection.


Monitoring Processing Capacity and Usage

Evidence that management reviewed processing capacity and usage reports on a quarterly basis.

Screenshot of auto scaling configurations for EC2 instances.


Backup Monitoring

1. Automated configurations from the backup service for notifying personnel when backup processes fail.

- and -

2. Example email for a failed backup and ticket documenting resolution.


Backup Restore Testing

1. Screenshots showing a backup snapshot was restored completely and accurately.

- and -

2. Evidence from the annual DR tests showing that backups were restored completely and accurately.


Customer Data Deletion Upon Termination

1. For a recently churned customer, upload evidence showing that customer data disposal was conducted in accordance with the contractual agreements with the customer (such as evidence of logs showing data was disposed of, screenshots from production resources such as storage buckets and databases showing customer-specific resources were decommissioned).


2. Upload evidence of the agreement with the former customer to show the specific data disposal requirements and commitments.


Test Data

Screenshots from the test environment showing that "real" data is not used.


Personnel Non-Disclosure Agreements (NDA)

Example new hire employee agreement, with NDA included.


Disposal of Sensitive Data on Paper

Observation of hard copy material being disposed of.

Note: This can be performed by auditors on-site, or via virtual meeting.


Secure Storage Mechanisms

Pictures of secure storage bins from office locations.


Disposal of Sensitive Data on Hardware

Data Retention Policy or equivalent document describing the policy and procedure for disposing of sensitive data on hardware.


Acceptable Input Ranges

Screenshots of users entering data into the application to confirm that the application limits input values to only valid values.


Mandatory Fields

Screenshots of a user entering data into the application to confirm that the application requires mandatory data to be entered.


Notice and Acknowledgement of Privacy Practices

Screenshots of the new user registration process where new users are provided the notice of privacy practices before completing the registration process.


Privacy Policy Content

Formal, documented privacy practices from the entity's website.


Periodic Review of Privacy Policy

Meeting minutes for management's annual review of privacy policies


Requests for Deletion of PII

Example requests for deletion of personal information and evidence that the data was deleted timely.


Procedures for Information Disposal

Formal, documented data deletion policy.


Personal Information Accessible Through System Authentication

Screenshots of a user modifying their personal information within the application.


Privacy Requirements Communicated to Third parties

Evidence that third parties to whom PII is sent were provided with your requirements for how PII should be handled.


Documentation of Breaches or Unauthorized Disclosures of PII

Screenshots of the incident tracking system used to track breaches or security incidents involving PII.


Privacy and Security Requirements in Third-Party Agreements

Executed agreements (such as Data Processing Agreements, Business Associate Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data.


Notification of Incidents or Breaches

1. Formal, documented breach notification procedures.

- and -

2. Breach Notification Template


Use of Subprocessors Communicated

Section from the privacy practices on your website showing that third parties that receive PII are listed.


Point of Contact for Privacy Inquiries

Screenshots of how a customer can submit inquiries, complaints or disputes about privacy issues.


Privacy Inquiries Tracked

1. Screenshots of the incident tracking system used to track users' complaints, inquiries and disputes.

- and -

2. Example submitted inquiries, complaints or disputes and evidence that resolution was communicated to the customer and corrective actions were performed, as necessary.


Board Charter Documented

Copy of Board Charter


Board Meetings

Meeting minutes from Board meetings


Removable Media Device Encryption

If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.


Data Loss Prevention (DLP) Mechanisms

1. Screenshots of DLP software.

- and -

2. Example of emails being blocked when they contain sensitive data


Automated Security Updates

Evidence from servers or patching systems showing that operating systems were patched monthly.


Incident Response Test

Most recently completed incident response tabletop test.


Testing of Changes

Screenshots from the ticketing system for a few changes showing that changes were tested.


Change Releases Approved

Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel.


Cybersecurity Insurance

Cybersecurity insurance certificate.


Business Continuity Plan

Business Continuity Plan.


Vendor Management Policy

Vendor Management Policy


Employment Terms & Conditions

For one example personnel, provide executed employment contracts/agreements outlining the terms and conditions of employment as well as responsibilities during and after employment (e.g., duty of confidentiality, return of assets, protection of intellectual property, etc.).


Asset Management Policy

Asset Management Policy


Dataflow Diagram

Upload evidence of your current dataflow diagram(s) and evidence of updates/reviews within the past year for accuracy (such as emails from responsible personnel confirming the accuracy and completeness of the dataflow diagram(s)).


Data Secure Disposal

Policies and procedures for data disposal.


Strong Key Generation Policies and Procedures

1. Documented key management procedures which specify how to generate strong cryptographic keys.


2. Screenshots showing the strong cryptographic key generation process.


Key Retirement Policies and Procedures

Documented key management procedures which include guidance for:

  • Replacement of known or suspected compromised keys.


Anti-Malware Capabilities and Automatic Updates

Screenshots from the anti-virus configurations, including the master installation, showing how the anti-virus software and virus definitions are kept current and updated.


Anti-Malware Tools Behavior

Screenshots from the anti-virus configurations, including the master installation, showing that periodic scans are performed.


Production Components Change Control Procedures

1. Documented Change Control procedures which list a requirement to document the impact of proposed changes.


2. Screenshots or change documentation showing that the impact of the change was documented for a recent change.


Secure Code Development Training

Upload evidence of secure code development training completed by an engineer/developer within the past year.


Need-to-Know Principle

System-generated list of appropriate users with access to system components and data.


Account Lockout after Failed Logins

Upload evidence of the account lockout configurations after failed login attempts for relevant systems where this is a configurable attribute, showing number of attempts that trigger the lockout and lockout duration.


Lockout Duration

Upload evidence of the account lockout configurations after failed login attempts for relevant systems where this is a configurable attribute, showing number of attempts that trigger the lockout and lockout duration.


Password History Enforcement

Screenshots of system configurations showing that passwords must be different from the previous 4 passwords.


MFA for Remote Network Access

Upload screenshots of the multi-factor authentication configurations for relevant systems (where not integrated with Drata). If MFA is enforced on a per-user level instead of a global setting, upload evidence showing all users have MFA enabled.


Communication of Authentication Best Practices

1. Screenshots showing where employees can find policies and procedures related to Authentication.


2. Documented policies and procedures related to Authentication which include the following:

  • Guidance on selecting strong authentication credentials.

  • Guidance for how users should protect their authentication credentials.

  • Instructions to not use previously used passwords.

  • Instructions stating to change a password if the password is suspected to be compromised.


Entry Controls in Place

For each computer room, data center, and other physical areas which contain systems, provide:

  • Pictures showing that access is controlled using badge readers or other devices including authorizing badges and lock and key.

  • Screenshots or video showing an administrator’s attempt to log into system consoles showing that these systems are “locked” to prevent unauthorized access.


Secure Physical Access Control Mechanisms

Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling.


Restricted Access to Badge System

User access lists for the identification system showing that access is limited to authorized personnel (such as user access lists for the systems which provision ID badge access).


Visitors Authorized and Escorted

Observation of a visitor being escorted when entering company facilities

(Note: Observations should be performed by auditors on-site, or via virtual meeting)


Personnel and Visitor Badges

Observation of visitor obtaining a visitor badge and example of a visitor badge

(Note: Observations should be performed by auditors on-site, or via virtual meeting)


Visitor Badge Control

Pictures showing how visitors are required to surrender their visitor badges upon leaving the facility.


Visitor Log

Upload evidence to show that a visitor log is maintained to keep an audit trail of visitor activity at the company facilities, computer rooms or data centers where sensitive data may be stored or transmitted (such as a scan or photograph of the visitor log for an example day).


Media Physically Secured or Encrypted

Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes).


Audit Logging

Screenshots showing that audit trails are enabled and active for in-scope systems.


Audit Logs Data Points

System user access lists from in-scope systems showing that access is linked to individual users.


Audit Trail for Privileged Access

1. Screenshots of audit log settings showing that all actions taken by root/admin users will be logged.


2. Screenshots of an example log showing that these log settings are functioning correctly.


Audit Trail for Invalid Access Attempts

1. Screenshots of audit log settings showing that invalid/failed login attempts are logged.


2. Screenshots of an example log showing that these log settings are functioning correctly.


Audit Trail for Identification and Authentication Mechanism Changes

1. Screenshots of audit log settings showing that the use of identification and authentication mechanisms are logged, elevation of privileges are logged, and that changes (addition, modification, or deletion) to accounts with administrator or root privileges are logged.


2. Screenshots of example logs showing that these log settings are functioning correctly.


Audit Trail of System-Level Object Changes

1. Screenshots of audit log settings showing that the creation or deletion of system-level objects are logged.


2. Screenshots of an example log showing that these log settings are functioning correctly.


Change Detection Mechanism

1. Screenshots from the change detection solution (such as File Integrity Monitoring) and relevant change detection system configurations showing what is monitored.


2. Documented list of files which are monitored by the change detection solution.


Multiple Methods for Security Awareness

Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (such as screenshots of internal newsletters or an intranet page with security reminders, or security updates sent out via Slack or other internal communication channels).


Vendor Due Diligence

For any new service provider or vendor, you'll need to perform due diligence on (evaluate) them prior to engaging with them. Due diligence can consist of reviewing security questionnaires or obtaining confirmation that they have compliance certifications (such as a SOC 2). You should document the results of your due diligence as well as the day it was completed.


Anti-Malware Scans of Media

Provide screenshots of the anti-malware solution's configuration used to perform automatic scans or continuous behavioral analysis of systems or processes when removable electronic media is inserted, connected, or logically mounted.


Designated Data Protection Officer

Upload evidence showing that a data protection officer has been officially appointed (such as internal privacy policies, a RACI matrix, or job descriptions identifying the data protection officer).

Additionally, upload evidence showing that a mechanism to contact the data protection officer is communicated to users/data subjects (such as screenshots of the online privacy/policy showing that an email address of the data protection officer is provided).


Data Subject Consent

1. Documentation that details how consent is obtained from Data Subjects prior to processing their PII.


2. Screenshots of automated consent mechanisms that are built into processes that collect PII, such as a consent checkbox on a marketing webinar registration form.


3. Records of where/how consent was obtained, such as records in the CRM system used by marketing and sales.


Notification of Disclosures to Third Parties

1. Documentation or templates that describe the processes for notifying appropriate stakeholders regarding the disclosure of PII to third parties.

  • Ensure that Control Activities 1-3 are addressed.


2. Records of disclosures that include each area described in Control Activity 4.


Record of Processing Activity (ROPA)

Upload your documented records of processing activities (ROPA).


Data Processing Agreements

Upload one example of an executed data processing agreement (DPA) with a subprocessor.


Timely Response to Data Subject Requests or Inquiries

For an example privacy inquiry/request or reported suspected incident, upload evidence showing that the organization provided confirmation of receipt and responded to the request/inquiry or incident report within the timeframes established by regulatory requirements.


Procedures for Management of Data Subject Rights

Upload your documented policies and procedures for handling and responding to requests from data subjects to exercise their data subject rights with regard to personal information (such as documented procedures for responding to access requests and deletion requests).


Communication of Changes in Subprocessors

For any recent changes in subprocessors, upload evidence showing that the changes were communicated to customers (such as screenshots of email communications sent to notify customers of changes in subprocessors, or screenshots of announcements on a web page or customer portal).


Identity Verification for Data Subject Requests

1. Documented procedure for verifying the identity of a data subject.

- and -

2. Provide an example of a privacy rights request made by a data subject. Additionally, provide documentation evidencing that the data subject's identity was confirmed.

(Note: Auditors may request a population and samples)


Shared Account Management

System Access Control Policy


Restrictions on Software Installation

Upload evidence showing that the organization has implemented mechanisms to prevent the installation and use of unauthorized software on company-managed assets (such as screenshots from MDM tools showing that rules preventing software installation are enforced on company devices, or access controls limiting who can run executables).


Management of Utility Programs

1. Any documented procedures covering who can access utility programs (admin consoles for tools like antivirus, MDM tools, logging systems)

- and -

2. List of users who currently have access to utility programs.


Change Management Policy

Change Management Policy


Disciplinary Process

Upload your company's documented disciplinary process. The disciplinary process may be an HR-owned process available and communicated to employees through employee handbooks, a code of conduct, etc., or included within an information security policy document.

This evidence should not be confused with disciplinary processes related to low performance or misconduct such as harassment. It is specific to disciplinary actions invoked against personnel who have committed an information security breach or security policy violation.


Fire Detection and Suppression

1. Observation of fire detection and suppression systems installed in critical locations

(Note: Observations should be performed by auditors on-site, or via virtual meeting)


2. Evidence of ongoing maintenance


Temperature Monitoring Systems

1. Observation of systems in place to monitor and control air temperature and humidity at appropriate levels

(Note: Observations should be performed by auditors on-site, or via virtual meeting)


2. Evidence of ongoing maintenance


Uninterruptible Power Supply

1. Observation of uninterruptible power supply (UPS) systems in place for data centers or server rooms

(Note: Observations should be performed by auditors on-site, or via virtual meeting)


2. Evidence of ongoing maintenance


Mobile Device Management Software

Upload evidence to show that a mobile device management (MDM) tool has been implemented to enforce security controls on mobile devices (such as screenshots from the MDM's centralized management console, or screenshots of baseline configurations, security policies or blueprints enforced on devices per OS type).


Software Update and Patch Management

For a sample of critical patches and software updates, provide evidence of successful installation in accordance with SLAs established in company policies.


Phishing Simulations

Upload evidence showing that phishing simulations are conducted as part of the company's security awareness initiatives (such as screenshots from phishing simulation campaign configurations, screenshots of dashboards showing the results of the campaign, or a screenshot showing an example simulated phishing email).


Redundancy of Processing

Provide evidence that redundancy strategies were implemented for equipment, systems and processes as deemed necessary per the business continuity plans.


Return of Assets

For one recently terminated individual, upload evidence showing that assets were returned to the company (such as offboarding checklists or internal tickets tracking the return of devices, badges and tokens upon termination, or evidence of pre-paid labels sent to remote personnel for asset return and tracking).


On-Call Team

Upload evidence of the on-call rotation schedule (such as screenshots from PagerDuty or an equivalent tool showing the on-call schedule and the teams assigned).


Marketing Express Consent

Upload evidence showing that consent for marketing and advertising purposes is optional and not a condition for use of the system or service (such as screenshots of the user/account registration process for your system/service showing separate checkboxes for consenting to receive marketing or advertising and for accepting the terms of service).


Static Application Security Testing

Upload evidence that static application security testing (SAST) is conducted for software development testing (such as screenshots from the CI/CD pipeline for relevant code repositories showing a SAST scan automatically executes every time new code is committed, screenshots of configurations and dashboards from SAST tools such as SonarCloud).


Logging and Monitoring Policy

Logging and Monitoring Policy


Privacy Training

Upload evidence showing that a training program related to protection of personally identifiable information (PII) has been implemented (such as records of training materials such as presentations, videos, screenshots of the training content, and records of completion for one example personnel).


Secure Log-on for Customers

Upload evidence to show that customers are provided with the capabilities for secure log-on for any user accounts under their control (such as screenshots showing that customers can enable single sign-on, multi-factor authentication, and complex password requirements; screenshots showing that passwords are masked when users attempt to log in; and screenshots showing minimal information disclosure in authentication error messages).


Segmentation of Networks

Upload evidence showing that network segmentation or other techniques are used to split the network into security boundaries and to control traffic between them based on business and security needs.


Leak Detection System

Observation of leak detection systems at critical facilities

(Note: Observations should be performed by auditors on-site, or via virtual meeting)


Mechanisms to Object to PII Processing

Screenshots showing that data subjects have the ability to object to the processing of their PII (e.g. objections relating to the processing of PII for direct marketing purposes).


Right to Access

For a request from a data subject, provide evidence that the data subject's information was located and retrieved, and that a copy of the PII that is collected and/or processed was provided to the data subject.

(Note: An auditor may request a sample of requests)


Dual Opt-In for Consent to Sell PII

Screenshots to show that a dual opt-in mechanism for consent to sell or share personal information was implemented.


User and System Guides

Upload evidence showing that your organization provides user guides, help articles, system documentation or other resources that give users information about the design and operation of the system, the functional and nonfunctional requirements related to system processing, and the information specifications required to support use of the system (such as links to an external documentation portal or help center, or documented user guides).


Limit Collection of PII

Screenshots showing that optionality exists in the collection and processing of PII, with the default option being "disabled".


Consulting with Customer Prior to PII Disclosures

For an example data rights request submitted by an agent, provide documentation evidencing that the data subject authorized the agent to submit the request before the request was fulfilled, and that the supporting documentation is retained.


Data Processing Monitoring

1. Example system logs evidencing that processing is done completely and accurately.


2. For an application / data processing error, provide evidence that the error was documented, investigated, escalated and corrected in accordance with policies and procedures.

(Note: Auditors may request a population and samples for this control)


Cloud Deletion Protection

Screenshots of the configuration enabling deletion protection for cloud resources.


Principle of Least Privilege

For each in-scope system / application, provide the user access listing with roles & permissions assigned to show that principle of least privilege has been implemented.


Cloud Resource Tagging

Inventory listing with tags assigned.


Cryptographic Key Rotation

Upload evidence of cryptographic key rotation processes implemented in accordance with defined company procedures (such as screenshots of automated key rotation configurations in a key management system, or tickets or other documentation showing that manual key rotation processes are carried out periodically).


Secure Login Procedures

Screenshot of the user interface during the login process showing that in-house developed systems were configured to deter enumeration or brute-force attacks (such as displaying limited information in login error messages without indicating which entered value is correct or incorrect).


Cloud Storage Lifecycle

Upload evidence of any cloud storage lifecycle rules in place to delete data automatically after expiration of the specified retention periods (such as screenshots from cloud storage showing configured expiration actions).


Credentials Rotation

Upload evidence of secrets rotation processes implemented in accordance with defined company procedures (such as screenshots of automated secrets rotation configurations in a secrets management system, or tickets or other documentation showing that manual secrets rotation processes are carried out periodically).


Software Composition Analysis (SCA)

1. For a vulnerability identified in software components or libraries, provide evidence that fixes were implemented in accordance with the company's vulnerability management policies.

(Note: An auditor may request a population and samples for this control)


Secure Runtime Configurations

1. Asset Management Policy


2. Screenshots of run configuration standards for in-scope applications and platforms


Defined Company Objectives

Security team OKRs or meeting minutes with documented objectives/goals.


Fraud Risk Assessment

Annual risk assessment documentation containing an evaluation of fraud risks.