
Import Risk in Bulk (New Experience)

Custom risks can be uploaded quickly using our guided import flow, making it simple to bring your existing risk inventory into Drata.

Updated over a month ago

New Experience
This article applies to the New Experience.

Drata’s Risk Library comes preloaded with over 200 risks based on industry-standard frameworks, including: NIST SP 800-30, ISO 27005, and OCR SRA. These built-in risks help you identify, assess, and manage common threats right out of the box.

You can also create and manage your own custom risks to fit your organization’s unique environment. Drata supports mapping custom risk fields to the columns in your file so your data stays consistent and easy to manage.

Add custom risks

Note: If you have supporting documents you’d like to attach to risks, you can upload them before uploading all of your risks. For more information, refer to the ‘Add supporting documents’ section below.

Prerequisite

  • Upload a file. Currently, CSV or XLSX file types are supported.

Step 1: Upload and Map Fields

  1. In the Risks list section, select Upload a file.

  2. Map your fields:

    • Match your Incoming fields to Drata’s Destination fields.

    • Fields marked with an asterisk (*) in the Destination fields column are required and must be mapped to avoid validation errors in the next step.

    • There is a preview of your mapped data as well.

  3. Click Continue once you’ve completed field mapping.

Step 2: Map Field Values (Optional)

  1. If your data has enum values, review and adjust any mismatched values under Incoming Values → Destination Values.

  2. Click Submit once you’ve finished mapping values for all fields.

💡 Pro tip: You can also select which destination value should be used for empty cells. This is especially useful for required fields, so you do not have to fix a validation error for every empty required cell in the Validation step.

Example:

If your Risk Status field uses values like Inactive, Active, and Pending, you’ll need to map these to Drata’s supported values, which are ACTIVE and CLOSED.

Step 3: Validate the Sync Data

After mapping your fields and values, Drata will begin syncing and applying validation rules for each field. The Submit button will become available once all invalid (red) values are resolved. Clicking Submit will add the custom risks to your Risk Register.

  • You can hover over each column to view the specific validation rules.

  • Drata will display the number of invalid cells directly in the spreadsheet.

  • Cells that don’t meet validation rules will appear in red.

  • Cells with only a warning or informational message will be highlighted in yellow. For example, if the Risk ID already exists in Drata, it will be highlighted in yellow with a message indicating that the record will be updated.

Validation rules

Each field is listed below with whether it must be mapped (Required or Optional) and the validation rules that apply to it.

Risk ID (Optional)

- Cannot have the same Risk ID multiple times within a column.

- If the Risk ID already exists in Drata, the risk will be updated with the new data.

- If the Risk ID does not exist, a new risk will be created.

- If the Risk ID is left blank, Drata automatically generates a new Risk ID.

- Preferred format: [PREFIX]-[NUMBER] (for example, PS-12)

Title (Required)

- Up to 191 characters.

Description (Required)

- Up to 30,000 characters.

Categories (Optional)

- Select from the categories provided by Drata. See the list below.

- For Risk Management Pro customers, you can add custom categories by including them in your file before uploading it to Drata; they will be created and assigned to the corresponding risks.

Treatment option (Optional)

- Must map your treatment to one of the following values: Untreated, Accept, Transfer, Avoid or Mitigate.

Treatment plan (Optional)

- Only applicable for treatment options: Accept, Transfer, Avoid, or Mitigate.

- Up to 30,000 characters.

Completed Date (Optional)

- Only applicable for treatment options: Accept, Transfer, Avoid, or Mitigate.

- Expected date format: yyyy-mm-dd

Reviewers (Optional)

- Must have one of the following Drata roles: Admin, Risk Manager, Workspace Admin.

- Only applicable for treatment options: Accept, Transfer, Avoid, or Mitigate.

- Add the emails of one or more Drata users as reviewers.

Inherent impact (Optional)

- (For Risk Management Pro customers) Must be within the range you defined in your Risk settings.

- (For Risk Management Standard customers) Must be within the range of 1-5.

Inherent likelihood (Optional)

- (For Risk Management Pro customers) Must be within the range you defined in your Risk settings.

- (For Risk Management Standard customers) Must be within the range of 1-5.

Inherent score (Optional)

- This is automatically calculated from the inherent impact and likelihood values.

Residual impact (Optional)

- Only applicable for treatment options: Transfer or Mitigate.

- (For Risk Management Pro customers) Must be within the range you defined in your Risk settings.

- (For Risk Management Standard customers) Must be within the range of 1-4.

Residual likelihood (Optional)

- Only applicable for treatment options: Transfer or Mitigate.

- (For Risk Management Pro customers) Must be within the range you defined in your Risk settings.

- (For Risk Management Standard customers) Must be within the range of 1-4.

Residual score (Optional)

- This is automatically calculated from the residual impact and likelihood values.

Anticipated completion date (Optional)

- Only applicable for treatment options: Transfer or Mitigate.

- Can be any date: present, past or future.

Risk identified date (Optional)

- Can be any date: present, past or future.

Risk source (Optional)

- Only for Vendor Risk Management Pro customers.

- Select whether the risk source is internal or external.

Note: Drata’s out-of-the-box risks do not allow changes to the Risk source field.

Vendor (Required)

- Only for Vendor Risk Management Pro customers.

- Only applicable for external risk sources.

- Must select a vendor from your defined vendor lists in Drata.

Risk status (Required)

- Must be assigned as one of active, closed or archived.

Internal notes (Optional)

- Up to 768 characters.

- Only new Internal notes can be added. Existing Internal notes cannot be modified or deleted.

Supporting documents (Optional)

- Attach new supporting documents to the risk.

- Supporting documents already attached to an existing risk cannot be replaced or deleted.

- For more information, refer to the ‘Add supporting documents’ section below.

Owners (Optional)

- Owners must have one of the following Drata roles: Admin, Risk Manager or Workspace Manager.

- Add the emails of one or more assigned owners.

Controls (Optional)

- The mapped control codes must exist in Drata.

- If you have multiple workspaces, the mapped control codes must exist in your primary workspace.

Custom fields (Optional)

- Only available for those who have Custom fields and formulas enabled.

- Refer to your custom field settings for the validation rules for these custom fields.
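As an added example (not Drata's code or a Drata API), the script below applies the rules from the table above to a risk CSV before it is uploaded, so red cells can be fixed in the file rather than one at a time in the Validation step. It assumes the column headers already match Drata's Destination field names, the Risk Management Standard range of 1-5, a constructed sample file, and a caller-supplied set of Risk IDs already in Drata so it can also flag the blank-field overwrite described under 'Update risks in bulk'.

```python
import csv
import re

# Rules taken from the validation table above; ranges assume Risk Management Standard.
TREATMENTS = {"Untreated", "Accept", "Transfer", "Avoid", "Mitigate"}
STATUSES = {"active", "closed", "archived"}
RISK_ID_RE = re.compile(r"^[A-Z]+-\d+$")  # preferred [PREFIX]-[NUMBER], e.g. PS-12
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # expected yyyy-mm-dd

# Constructed sample: row 1 is new, row 2 updates an existing ID, row 3 has red cells.
SAMPLE_CSV = """Risk ID,Title,Description,Risk status,Treatment option,Treatment plan,Completed Date,Inherent impact,Inherent likelihood
,Laptop theft,Unencrypted laptops leave the office,active,Mitigate,Enforce disk encryption,2024-03-01,4,3
PS-12,Vendor outage,Critical SaaS vendor unavailable,active,Accept,,,3,2
ps12,,Missing title and bad values,open,Ignore,,03/01/2024,7,0
"""

def check_row(row, seen_ids, existing_ids):
    errors, warnings = [], []  # errors are red cells, warnings are yellow cells
    rid = row["Risk ID"].strip()
    if rid:
        if rid in seen_ids:
            errors.append(f"Risk ID {rid} appears more than once in the file")
        seen_ids.add(rid)
        if not RISK_ID_RE.match(rid):
            warnings.append(f"Risk ID {rid} is not in the preferred PREFIX-NUMBER format")
        if rid in existing_ids:  # update: every blank cell clears that field in Drata
            blanks = [k for k, v in row.items() if not v.strip()]
            warnings.append(f"Risk ID {rid} will be updated; blank fields {blanks} will be cleared")
    if not 0 < len(row["Title"].strip()) <= 191:
        errors.append("Title is required, up to 191 characters")
    if not 0 < len(row["Description"].strip()) <= 30000:
        errors.append("Description is required, up to 30,000 characters")
    if row["Risk status"].strip().lower() not in STATUSES:
        errors.append("Risk status must be active, closed or archived")
    treat = row["Treatment option"].strip()
    if treat and treat not in TREATMENTS:
        errors.append(f"Treatment option {treat!r} is not supported")
    done = row["Completed Date"].strip()
    if done and (treat not in TREATMENTS - {"Untreated"} or not DATE_RE.match(done)):
        errors.append("Completed Date needs a treated risk and yyyy-mm-dd format")
    for col in ("Inherent impact", "Inherent likelihood"):
        v = row[col].strip()
        if v and not (v.isdigit() and 1 <= int(v) <= 5):
            errors.append(f"{col} must be within the range 1-5")
    return errors, warnings

def check_csv(text, existing_ids=frozenset()):
    # Returns {data_row_number: (errors, warnings)}; any error would keep Submit disabled.
    seen = set()
    return {i: check_row(r, seen, existing_ids) for i, r in enumerate(csv.DictReader(text.splitlines(), restval=""), start=1)}
```

Run `check_csv(SAMPLE_CSV, existing_ids={"PS-12"})` to see row 1 pass cleanly, row 2 receive the update warning, and row 3 collect one error per invalid cell.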

Add supporting documents

You can optionally attach relevant files to your custom risks to provide additional context or evidence.

  1. Go to the Upload supporting documents section.

  2. Upload any documents you want to attach to risks.

    • File size limits:

      1. Up to 25 MB for most files

      2. Up to 100 MB for .zip files

    • Supported file types: .pdf, .docx, .odt, .xlsx, .ods, .pptx, .odp, .gif, .jpeg, .jpg, .png, .csv, .txt, .json, .zip

Drata’s standard risk categories

Field name: Standard categories

Value names:

- Assessments & Audits

- Access Control

- Artificial Intelligence

- Asset Management

- Governance - Awareness & Training

- Governance - Compliance/Legal

- Governance - Context/Scope

- Governance - Finance

- Governance - Planning

- Governance - Policies

- Incidents - Breach, Compliance, UA Modification

- Incidents - Environmental

- Incidents - Recovery & Remediation

- Physical - Access

- Physical - Site

- People - Personnel

- People - Third Party

- Privacy - Access

- Privacy - Awareness & Training

- Privacy - Data Protection

- Privacy - Management

- Privacy - Monitoring

- Privacy - Non-Compliance

- Privacy - TPA

- Privacy - Lawfulness

- Privacy - Transparency

- Privacy - Data Subject Rights

- Privacy - Accuracy

- Privacy - Accountability

- Privacy - Storage Limitation

- Privacy - Purpose Limitation

- Privacy - Data Minimization

- Software Development

- Systems - Configurations

- Systems - Data Protection

- Systems - Monitoring & Logging

Update risks in bulk

You can update Drata’s out-of-the-box (Risk Library) or custom risks in bulk.

To update, follow the same steps as ‘Add Custom Risks’ but instead of providing new Risk IDs or blank Risk IDs, provide existing Risk IDs. Our import process will detect the existing Risk IDs and update the corresponding risks with the values provided in your file.

Important callouts

  1. All field values, even if they are not being updated, will need to be provided.

  2. If left blank, the update process will assume that the field needs to be updated with a blank value.

  3. Existing Risk IDs will be highlighted in yellow with text indicating that this Risk will be updated.

NOTE: For Drata’s out-of-the-box risks, you cannot update the ‘Risk source’ from internal to external or set a vendor.
