Compliance requirements – especially in frameworks like ISO 27001, SOC 2, HIPAA, and GDPR – can be lengthy and complex, often containing multiple expectations within a single written requirement.
That can make it challenging to track whether you're fully meeting what's being asked.
To make compliance more manageable, we break down these large, complex requirements into smaller, more focused controls or DCFs. This helps:
Add clarity around what's needed
Make it easier to track completeness
Support cross-mapping of controls across multiple frameworks
Reuse the same controls modularly where they apply in different contexts
What is a Requirement?
A requirement is a formal expectation set by a standard, regulation, or framework that an organization must meet to demonstrate compliance. It sets the objective or expectation, often around reducing risk, protecting data, or maintaining security.
Requirements define what must be achieved – but not necessarily how to achieve it. That’s where controls come into play. Think of requirements as the goals, and controls as the actions taken to meet those goals.
Examples:
Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’). (GDPR Article 5(1)(a)
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. (SOC 2, CC1.3)
Actions to address risks and opportunities - Information security risk assessment (ISO 27001:2022, Clause 6.1.2)
What is a Control?
A control is a measure that is modifying risk. Controls include any process, policy, device, practice, or other actions which modify risk.
Examples:
A formal Access Control Policy
Enabling MFA (Multi-Factor Authentication)
Conducting annual security training
Maintaining a vendor risk assessment process
What is a DCF?
The Drata Control Framework (DCF) is Drata’s proprietary control catalog.
It is a comprehensive set of security and compliance activities that help satisfy the requirements of numerous frameworks, standards, and regulations, while acting as the primary “nodes” for Drata’s compliance and automation elements to which they are connected: requirements, risks, policies, monitoring tests, and other features.
DCF controls are framework-agnostic and are developed in such a way that they would address similar requirements across the widest range of frameworks.
The DCF catalog helps accelerate and standardize your ongoing compliance efforts and reduce compliance fatigue. The DCF catalog is therefore neither prescriptive nor exhaustive in nature. Organizations are encouraged to evaluate their selection of controls through the context of their business and customize as needed.
Drata will periodically add new DCF controls to the catalog or revise or deprecate existing ones. Factors that drive these changes include:
Addition of new frameworks to Drata
New updates or versions of frameworks, standards and regulations published by the authoritative sources
Realignment of DCF Controls with other connected Drata features (e.g., monitoring tests, policies, etc.)
Administrative maintenance and standardization
Alignment with industry standards and definitions
Industry developments and emerging technologies (e.g., AI)
Scope calibration and removal of redundancies
Please note that DCFs are still CONTROLS that meet the definition and fit into the categories described in the section above.
Why Multiple DCFs for One Requirement?
Certain requirements are made up of several components, so instead of trying to meet all of them with one control, we use multiple controls – each one targeting a specific part of the requirement to ensure complete coverage. In other words, the entirety of the requirement must be fully satisfied with either one or a combination of multiple DCFs.
For example:
A SOC 2 requirement might state:
The entity demonstrates a commitment to integrity and ethical values. (CC1.1)
This could map to several DCFs such as:
DCF-32 (Security Policies)
DCF-38 (Performance Evaluations)
DCF-39 (Background Checks)
DCF-44 (Code of Conduct)
Another example here is the below requirement mapped to ISO 27001:2022:
Actions to address risks and opportunities - Information security risk assessment (Clause 6.1.2)
This could map to several DCFs such as:
DCF-15 (Risk Assessment Policy)
DCF-16 (Periodic Risk Assessment)
DCF-17 (Risk Treatment Plan)
DCF-143 (Board Oversight Briefings Conducted)
Is this Common or Best Practice?
Yes, it’s a common and accepted practice in compliance to map multiple controls to a single requirement, especially when those controls address different aspects of that requirement.