No two businesses are exactly alike, and neither are their GRC programs. While there’s no universal method for migrating your compliance program, these best practices aim to make the process smoother.
Step 1: Prepare to Migrate
Download all your compliance data
If your current access will expire before you begin with Drata, export all data and evidence. You own this information and may need it later for reference or upload.
Organizational Change Management and Awareness
Your GRC program involves stakeholders across your organization. For example, your CEO approves policies while employees and contractors acknowledge them. Make sure key stakeholders understand how migration changes where and how the program is managed. Not everyone manages the day-to-day, but key stakeholders should know how Drata improves operations.
Step 2: Begin with Drata
Access your Drata tenant
When you access your Drata tenant for the first time, the in-app welcome experience guides you through the onboarding steps. Your first task is to connect your in-scope systems to Drata.
Connect Tech Stack
These connections are required before you configure controls or evidence. They also power Drata’s automated monitoring tests. Once connected, Drata runs tests the same day to detect any configuration gaps so you can begin remediating failed tests and take action in your environment. Automated monitoring runs daily to support continuous compliance, not just during audits.
For a current list of integrations, visit drata.com/integrations.
Step 3: Import Data and Configure Controls
You can import data into Drata through direct uploads or by using CSV import templates:
Direct Upload: Best for small, frequent updates.
CSV Import Templates: Ideal for large-scale migrations.
To request templates, contact Technical Support via in-app chat or reach out to your Customer Success Manager.
Each template includes the required fields in the exact format needed to import your data into Drata. Templates contain a header row, followed by a second row with instructions and examples indicating which fields are required or optional. You can delete or replace the second row with your data, but the header row must remain unchanged. Header values must match exactly, as Drata validates them during the import process.
After you complete and submit the template, our team reviews it for accuracy. Once approved, the template is processed and uploaded. This process typically takes five to ten business days.
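A local pre-submission check for the header rule described above, as an added example that is not Drata tooling or part of the original article. The template text, column names and sample rows are constructed placeholders; use the header row from the template Drata sends you, and pass as `required` the fields its instruction row marks as required.

```python
import csv
import io

def _rows(text):
    return list(csv.reader(io.StringIO(text, newline="")))

def _loose(value):
    # Normalisation used only to explain a mismatch, never to accept it.
    return value.lstrip("\ufeff").strip().casefold()

def check_import_file(template_text, filled_text, required=()):
    """Compare a filled-in CSV with the untouched template; return a list of problems."""
    template, filled = _rows(template_text), _rows(filled_text)
    if not filled:
        return ["file is empty"]
    expected, actual = template[0], filled[0]
    problems = []
    if len(actual) != len(expected):
        problems.append(f"header has {len(actual)} columns, template has {len(expected)}")
    for pos, (want, got) in enumerate(zip(expected, actual), start=1):
        if got == want:
            continue
        if _loose(got) == _loose(want):
            problems.append(f"column {pos}: {got!r} differs from {want!r} only by BOM, whitespace or case")
        else:
            problems.append(f"column {pos}: expected {want!r}, found {got!r}")
    data = filled[1:]
    if len(template) > 1 and data and data[0] == template[1]:
        problems.append("row 2 is still the template's instruction row")
        data = data[1:]
    if not data:
        problems.append("no data rows")
    # Records are keyed by the template header, so a damaged header cannot hide a field.
    for line_no, row in enumerate(data, start=len(filled) - len(data) + 1):
        record = dict(zip(expected, row))
        for field in required:
            if not record.get(field, "").strip():
                problems.append(f"row {line_no}: required field {field!r} is empty")
    return problems

# Constructed template and exports; the column names are placeholders, not Drata's.
TEMPLATE = "asset_name,owner_email,asset_type\nRequired: name,Required: existing user,Optional\n"
GOOD = "asset_name,owner_email,asset_type\nbuild-runner-01,sam@example.com,virtual\n"
BAD = "\ufeffasset_name,Owner_Email ,asset_type\nRequired: name,Required: existing user,Optional\nbuild-runner-02,,virtual\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_import_file(TEMPLATE, text, required=("asset_name", "owner_email")))
```

The constructed `BAD` file shows the usual spreadsheet side effects: a byte-order mark in front of the first header, a re-cased header with a trailing space, and the instruction row left in place.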
Supported Data Types
The following list outlines the types of data you can import into Drata using the template, along with key requirements for each.
Assets
The owner of the asset can be any current employee listed in Drata. This use case is specific to populating the Assets page with data Drata does not automatically import, such as virtual assets from GCP, globally deployed software, or other IT inventory.
You can also use this template to request a bulk change of existing asset ownership.
Controls
Drata includes pre-mapped controls for supported frameworks.
Use this template to create new controls in Drata.
Controls-to-Requirements
Use this template to map controls to requirements that already exist in Drata.
Requirements-to-Controls
Use this template to map requirements that already exist in Drata to controls that already exist in Drata.
Controls-to-Owners
We strongly recommend using the platform’s built-in bulk control ownership management. If you choose to use this import template, it must map controls that already exist in Drata to users that already exist in Drata. To learn more about control owners, refer to control ownership.
Security, HIPAA, and/or NIST Training
Proof of completion files must be submitted as standalone documents. If submitting multiple files, compile them into a single ZIP file.
Policy Acknowledgement
Policies must be active, approved, and assigned to relevant employees or groups before uploading acknowledgements.
Background Checks
Drata does not accept or host raw background check files. Provide links to background check records hosted in your system of record or a secure document repository.
Note: If you have elements of your compliance data or evidence that you plan to migrate into Drata and do not see them listed above, this is generally because Drata provides a built-in platform feature for managing them once you have access to your tenant. If you have questions about the options for migrating or managing your data, contact Technical Support via in-app chat or reach out to your Drata Account Team.
Step 4: Control Management
Drata has its own control framework, referred to as the DCF (Drata Control Framework). This framework was developed with auditors and compliance experts and is based on best practices. Within the Drata UI, these controls can be adjusted to meet your specific compliance and business requirements.
Have your own controls?
If you have your own controls, you have several options:
Opt to move to the DCF by adopting all Drata controls.
Compare your current controls to the DCF and determine the overlap or edits needed in the UI.
After identifying gaps, manually add the remaining controls in the Drata UI.
Alternatively, use the Drata import templates to format and upload additional controls.
Request to disable the DCF and import only your custom controls using the Drata template. This option is available, though not recommended, as it limits the value of compliance automation. Contact your Account Team to enable this option.
Important Considerations
A major advantage of using DCF controls is that they are already pre-mapped to the appropriate policies and control tests. If you upload custom controls, you must manually map policies and control tests.
When uploading custom controls, identify the DCF controls they replace and mark those out of scope to avoid duplication.
All DCF control fields are customizable except the control code (e.g., you cannot change DCF-46 to ABC-xx). If you need to preserve your existing control codes, import them as custom controls.
Step 5: Policy Management
The Policy Center page allows you to manage policy authoring, revisions, annual reviews, control mapping, and employee acknowledgement. Drata provides a comprehensive set of policy templates based on industry best practices developed by compliance experts and auditors. You can customize these policy templates to meet your specific needs.
Policy Migration Options
To use the policies you already have, you can:
Author Policy in Drata (Recommended): Start with a blank template and copy in your existing content. This option allows you to edit and update the policy directly in the platform without needing to re-upload it each time.
Upload Policy: Import your policy as a PDF. This is the best option if you want to retain your branding or logos. However, PDFs cannot be edited within Drata, so you must re-upload a new file for each revision.
Note: If your policy matches the title or general content of a Drata template, use the Replace Policy feature. This archives the original template and applies its control and control test mappings to your uploaded version.
Step 6: Auditor Alignment
Drata is auditor agnostic. If you are already working with an auditor, the Drata Auditor Alliances team will work with both you and your auditor to train them on how to use Drata’s Auditor Hub and support them during the audit, especially if they are new to the platform.
If you do not yet have an auditor, the Customer Success and Audit Alliance teams at Drata can provide guidance and make introductions. Drata also offers an Auditor Directory that customers can use to locate an auditor.