Drata Quick Start Guide

We know that an upcoming audit can be daunting, so we’ve pulled together a short guide to explain how to set up your SOC 2 audit on Drata.

Have a read, and if you have any other questions drop us a line!

hello@tempoaudits.com

What is the Purpose of this Guide?

This guide is designed to help you get audit-ready quickly and confidently. Our goal at Tempo Audits is to keep things moving, and make the audit process as smooth (and stress-free) as possible. Our partners, Sensiba, have created the below guide for you to help you set up your SOC 2 Audit on Drata.

How do we connect our Key Systems?

Head into Drata and select the “Quick Start” button in the top left corner. This will help streamline your initial system connections.

Essential System Integrations:

  • Cloud Providers (AWS, Azure, GCP)

  • Databases (PostgreSQL, MySQL, MongoDB)

  • Version Control (GitHub, GitLab, Bitbucket)

  • Identity Providers (Microsoft, Okta, Azure AD, Google Workspace)

  • Mobile Device Management (Jamf, Kandji, Intune)

A tip from your Tempo team: Coordinate with your IT team early. You will need admin-level access to each system to set up its integration, so identify the system owners and schedule connection sessions to avoid delays.

How do we scope the right controls?

Drata comes with a broad set of default controls, but you don’t need all of them for your audit. Your audit with Tempo only requires a subset of controls: approximately 50 controls are relevant for the Security, Availability, and Confidentiality Trust Service Criteria. Processing Integrity and Privacy have their own subsets, but these are optional and are scoped separately. You can also safely descope/exclude any controls that aren't relevant to your audit.

A tip from your Tempo team: In-Scope can consist of items such as: production systems, databases containing sensitive data, and any infrastructure processing customer information. Out-of-Scope can consist of items such as: Development, testing, and sandbox environments.

How do we set up our Audit Package?

Setting up your audit in Drata and granting auditor access early allows us to provide targeted guidance, streamline your preparation, and accelerate your audit readiness.

First, navigate to the “Audit Hub” tab and select “Create Audit”. From here you will be able to configure your audit parameters by completing the below:

  • Audit Type: SOC 2 Type 1 or Type 2

  • Audit Period: Select your observation timeframe (dates can be adjusted later if needed)

Once this is completed, you can now invite your auditors using the dropdown menu or send new invitations as needed. To do this, navigate to the “Audit Hub” tab and select “Open Audit”. Then select the edit icon under “Assigned Auditors”; this is where you will add your auditors using their email addresses (which will be provided to you by Tempo during your onboarding). At this stage, please remember to enable the “Read-only access” and the “Download Controls, Tests and Requirements” permissions for all auditors.

How do we complete our System Description?

Creating a System Description is a key step for your audit. It defines the boundaries of your audit, clearly states what is in scope, and helps us understand how your systems and processes work together. It also forms the basis of your final report.

You can complete it by following the instructions linked here.

How do we configure our Compliance Foundation?

Once your systems are connected, it is time to build the operational backbone of your compliance program.

SOC 2 Type 1 audits evaluate whether your controls are properly designed at a specific point in time. Focus first on the four foundational areas below:

  • Personnel: Add all employees within your audit scope. Include contractors only if they have privileged access to critical systems or sensitive data.

  • Policies: Upload and assign your security policies, then track employee acknowledgments. You can use Drata's pre-built templates or create custom policies through Sensiba’s Policy Tree tool.

  • Automated Monitoring: Turn on automated testing for your most critical controls to maintain continuous visibility into your compliance posture.

  • Drata Agent: Install the Drata Agent for all applicable personnel to track device compliance (e.g., disk encryption, antivirus).

These items represent the minimum required to get your Type 1 audit underway.

To strengthen your foundation, you should also look into the below:

  • Risk Management: Identify and document organisational risks, assign ownership, and create mitigation plans. Focus on high and critical risks first. See Sensiba’s Risk Assessment Guide for step-by-step instructions.

  • Vendor Management: Build your vendor register, classify vendors by risk level, and review security documentation for high-risk third parties.

A tip from your Tempo team: The stronger these foundational areas are from day one, the faster and smoother your audit will run.

How do we transition from Type 1 to Type 2?

If you have already completed a Type 1 audit, most of the heavy lifting has been done through configuring the necessary systems, publishing policies, and personnel onboarding. The focus for Type 2 is maintaining and demonstrating ongoing operational effectiveness.

To transition from Type 1 to Type 2, the first thing you need to do is set up your audit period in Drata. Below are some recommended timelines to work from:

  • Audit Period Length: We recommend starting with a 3-month observation period for your first Type 2 audit. If you have completed a Type 2 audit already, we typically advise that clients move to a 12-month observation period.

  • Scheduling Best Practices: Begin your audit period on the first day of the month and end on the last day of the month. If transitioning from Type 1, start your Type 2 period as close to or before your Type 1 report date as possible.

  • Backdating Option: You have the option to backdate the observation period, as long as the necessary Drata configurations were in place during that time. Consult with your auditor if you're unsure whether backdating is appropriate.

To create your audit in Drata, follow the same steps as outlined above in “How do we set up our Audit Package?”. If you already have a Type 2 audit set up in Drata, you can simply update the dates of that existing audit rather than creating a new one. Once this is complete, you can then download your Type 2 control requirements. Type 2 requires additional evidence for the controls outlined in this spreadsheet. Review these requirements carefully to ensure you're collecting the right evidence throughout your audit period.

Please also ensure that you maintain evidence throughout your audit period. Type 2 requires continuous evidence collection across your entire observation period, with sample evidence needed for population-based and period controls. Key areas of focus include:

  • Population-Based Controls, for which you should maintain documentation for every instance that occurs during your audit period, including the following:

    • New hires: Background checks, policy acknowledgments in Drata, onboarding checklists documenting system access approval

    • Terminations: Offboarding checklists, system access revocation documentation, device return confirmation

    • Code changes: Change tickets with documented testing, approval, and resolution for all production releases

    • Incidents: Tickets with clear response, resolution, and RCA documentation in your ticketing system

    • Personnel Compliance: Ensure that all in-scope employees are compliant with policies, disk encryption and antivirus requirements

  • Periodic Controls, for which you should retain evidence that each activity was performed within your audit period, including the following:

    • Business Continuity / DR test: Annual testing of disaster recovery and business continuity plans. Specifically, showing the restoration of IT systems and critical data after a hypothetical disaster.

    • Incident Response test: Annual testing of incident response procedures through a simulated response to an example scenario (e.g. a phishing attack), with the lessons learned documented.

    • Risk assessment: Annual organisational risk assessment

    • Penetration test: Annual penetration testing (if applicable).

    • Security awareness training: Annual completion of security training by all employees.

    • Access reviews: Documented reviews per the frequency defined in your access policies.

    • Vendor reviews: Annual review of SOC 2 reports for critical sub-service organisations.
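Because the auditor samples from the full population of new hires and terminations in the period, a gap in any one record can become a finding. The following is an added example (not Drata’s code or part of this guide) of a pre-audit gap check you could run over an HR or ticketing export: it builds the in-period population, then reports which evidence items from the list above are missing for each person. The data classes, the sample records and the one-day access-revocation SLA are constructed assumptions; use the revocation timeframe from your own Access Control Policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Observation period for this check (constructed example dates).
AUDIT_START = date(2024, 1, 1)
AUDIT_END = date(2024, 3, 31)
# Assumed offboarding SLA: access must be revoked within this many days of
# the termination date. Replace with the value in your Access Control Policy.
REVOCATION_SLA_DAYS = 1


@dataclass
class Hire:
    name: str
    start: date
    background_check: bool          # background check on file
    policy_ack: bool                # policy acknowledgment recorded in Drata
    access_approval: Optional[str]  # onboarding ticket documenting access approval


@dataclass
class Termination:
    name: str
    end: date
    offboarding_checklist: bool
    access_revoked: Optional[date]  # date system access was revoked, if recorded
    device_returned: bool


def in_period(d: date) -> bool:
    """True if the event date falls inside the observation period."""
    return AUDIT_START <= d <= AUDIT_END


def hire_gaps(h: Hire) -> list[str]:
    """Missing new-hire evidence items for one record."""
    gaps = []
    if not h.background_check:
        gaps.append("background check")
    if not h.policy_ack:
        gaps.append("policy acknowledgment")
    if not h.access_approval:
        gaps.append("access approval ticket")
    return gaps


def termination_gaps(t: Termination) -> list[str]:
    """Missing or late termination evidence items for one record."""
    gaps = []
    if not t.offboarding_checklist:
        gaps.append("offboarding checklist")
    if t.access_revoked is None:
        gaps.append("access revocation record")
    elif t.access_revoked > t.end + timedelta(days=REVOCATION_SLA_DAYS):
        late_by = (t.access_revoked - t.end).days
        gaps.append(f"access revoked late ({late_by} days after end)")
    if not t.device_returned:
        gaps.append("device return confirmation")
    return gaps


def evidence_report(hires, terminations) -> dict[str, list[str]]:
    """Return {person: [missing items]} for every in-period record with gaps.
    Events outside the period are ignored: they are not in the population."""
    report = {}
    for h in hires:
        if in_period(h.start) and (g := hire_gaps(h)):
            report[h.name] = g
    for t in terminations:
        if in_period(t.end) and (g := termination_gaps(t)):
            report[t.name] = g
    return report


# Constructed sample population; not real personnel data.
SAMPLE_HIRES = [
    Hire("A. Alvarez", date(2024, 1, 15), True, True, "ONB-101"),
    Hire("B. Baker", date(2024, 2, 3), True, False, None),
    Hire("C. Chen", date(2023, 12, 20), False, False, None),  # before the period
]
SAMPLE_TERMINATIONS = [
    Termination("D. Dube", date(2024, 3, 1), True, date(2024, 3, 1), True),
    Termination("E. Evans", date(2024, 2, 14), False, date(2024, 2, 20), True),
]

if __name__ == "__main__":
    for who, missing in evidence_report(SAMPLE_HIRES, SAMPLE_TERMINATIONS).items():
        print(f"{who}: missing {', '.join(missing)}")
```

Run it against a fresh export a few weeks before the period ends, which is roughly when the auditor will request the population, so that any missing checklist or late revocation can still be explained and documented.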

What should we expect during our Type 2 Audit?

Your Type 2 audit will consist of the following that you should be aware of:

  • AI Assessment: Your auditor will run the AI review of your Drata instance and share the Type 2 workpaper with all outstanding controls.

  • Evidence Requests: Your auditor will request evidence for population-based controls approximately 2 weeks before your audit period ends to ensure accurate sampling.

  • Sampling Methodology: Sample sizes are determined by population size.

  • Non-Occurrences: If no instances of a population-based control occurred during your audit period (e.g., no new hires, terminations, or security incidents), the control will be marked as a "non-occurrence" in your report. This is a standard audit notation and does not reflect negatively on your compliance.

Tip from your Tempo team: Review Drata's monitoring and compliance dashboard weekly so that issues are identified early, and schedule your annual controls early in the audit period. We are here to help, so please contact your auditor if you have questions about specific control requirements!

What are some Frequently Asked Questions?

Below are answers to the most common questions we get about preparing for and completing your audit in Drata. If anything’s unclear or feels overcomplicated — just shout. That’s what we’re here for.

Do I need to implement all 200+ controls in Drata?

Definitely not! The Drata platform is designed to provide comprehensive coverage for companies of all sizes and stages. Sensiba/Tempo’s Drata Control Framework focuses on the ~50 most important controls, which generally meet the expectations of enterprise customers and audit firms as well as the practical needs of the hundreds of clients that have worked through this program before. This focus helps achieve faster compliance outcomes, makes best use of your limited resources and time, and provides a strong foundation that you can build on over time.


What's included in the ~50 Drata controls?

The full list of controls can be shared with you if requested, but the most important thing to note is that the controls are categorised in three types:

  1. Automated tests: By connecting your infrastructure and tools, these controls will be automatically verified by Drata's autopilot continuous monitoring.

  2. Policies: By using Drata policy templates or Sensiba’s PolicyTree tool and loading policies into the Drata Policy Centre, these policy controls will be addressed automatically.

  3. Documents: The remaining items require document uploads or set up of the risk and vendor functions in Drata.

Will this Drata Control Framework work if I choose to use a different audit firm?

Absolutely! All audit firms will have nuances in the way they conduct audits, and the controls they recommend or expect from their clients. However, there is general consensus in the industry on the most important controls. Our framework is designed to focus on these. Working with Tempo and Sensiba, or any other audit firm, you will still receive some audit queries as you work towards completion of your audit. The purpose of this clear path and focus, the tools and guides, and our expert support, is to ensure you are well placed to address the audit requirements whichever firm you choose to work with.


What should I put as my audit period?

For Type 2 engagements, you will select an audit period that the SOC 2 report covers. We recommend this commences from the end of the last Type 2 period or from the Type 1 report date, depending on which report was last issued. If it's a first-time report going straight to Type 2, you should generally start the period from the earliest date on which you had completed implementation of your controls. The length of the period can be between 3 and 12 months. Annual recurring Type 2 reports become the norm after your first Type 2 report.


When does Tempo start the audit?

We can get started whenever you are ready. We recommend booking in set dates with us, as this will give everyone involved a goal deadline to work towards, especially if you are on a bit of a time crunch!


How long does the audit take?

We're always working towards completing your Type 1 audit and reporting in a 2-4 week timeframe. This is dependent on whether you've completed all items, the quality of evidence provided, and your team providing timely responses to any audit queries we have.


What if some of the controls are not applicable or different in our context?

The intent of our program is to focus on controls that should apply to all companies. We apply generic control descriptions that are flexible to various ways you might actually operate the controls. If you do come across controls you believe are not applicable, or that do not accurately reflect how you operate, it's best to add a note to the controls for our audit team.


What are examples of where the controls may vary?

A common example we see is there's no Board of Directors. The same type of governance and oversight is expected, but it may instead be performed by your Senior Management Team, or co-founders. We see clients have varying ways of defining incidents, the scope of third-party vendors they monitor, or how they assess and manage risks. These types of variances generally do not require adjusting the controls as the purpose of the control is still satisfied in each case.


Do I need to have performed all controls before a Type 1 report?

For a Type 1 report, there is some flexibility in the timing of when controls are conducted. This is particularly relevant for DR/BCP testing, and penetration testing that can be costly and time-consuming exercises. A Type 1 report can be achieved by proving you have plans in place for those, before they are actually conducted.


How do we address failing auto-tests?

It's best to investigate and resolve the cause of the failure; Drata provides guidance for each monitor. In some cases you may find the failure to be appropriate given the context or nature of your environment, and you can adjust the scope of the auto-tests to align with your reporting scope. For example, you may have databases that are public and unencrypted but do not hold any sensitive data. These can be excluded from the tests in the “Monitoring” section of Drata, with commentary added explaining why the exclusion is appropriate. Confirm the data classification before excluding a resource: an exclusion is a scoping decision that the auditor will read, not a fix.


I use a third-party to manage my infrastructure. How does this impact the audit and the evidence I need to provide?

Our audit procedures typically only cover the controls you own or are involved in managing. Where you rely on a third-party to manage your infrastructure, like full service database-as-a-service platforms, we will reference those as sub-service organisation controls. There's no additional evidence required from you unless you play a part in managing controls.


I've added Privacy trust services criteria to my scope. How do I understand some of the terms used in Privacy?

The Privacy trust services criteria refers to specific terms that can be confusing the first time around. Here are some helpful definitions below, but when in doubt, reach out to your audit team for additional support.

  • Data controller: An entity that (alone or jointly with others) determines the purposes for and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller.

  • Data processor: An entity that processes personal data at the direction of a data controller. In many cases, a service organization may process personal data for its business-to-business (B2B) customers (user entities), which in turn may function as data controllers. In other cases, a service organisation may function as a data controller, depending on the facts and circumstances.

  • Data subject: The individual about whom personal information is collected.


How do I know which policies to prioritise finalising for the audit?

This varies depending on which specific policies you use to document your procedures, requirements and topics. The policies we typically reference for Drata Starter audits are:

  1. Access Control Policy

  2. Incident Management Policy

  3. Information Security Policy

  4. Risk Assessment Policy

  5. Vulnerability Management Policy

  6. Disaster Recovery Plan

  7. Change Management Policy

  8. Acceptable Use Policy

  9. Code of Conduct

  10. Network Security Policy

  11. Password Policy

  12. Data Classification, Handling, and Retention Policy

  13. Business Continuity Policy

  14. Vendor Management Policy

  15. Backup Policy

  16. Asset Management Policy

We have also put together some Pre-Audit FAQs for your SOC 2 audit that you can check out here.

We hope this short guide helps you when setting up your SOC 2 audit on Drata, but if you have any more questions - just shout!