⚠️ Select your experience
The steps to create, edit, and manage controls depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
Controls implement and articulate the policies, processes, and activities your organization uses to meet compliance requirements.
In Drata, you can:
Create custom controls to meet specific needs.
Map controls to framework requirements.
Link evidence (policies, reports, external files).
Edit both Drata Common Framework (DCF) controls and your custom controls.
Assign control owners and approvers.
Add internal notes, tickets and tasks for context, collaboration, and management.
Prerequisites
Only Administrators and the Information Security Lead can create, edit, and annotate controls.
Control owners can be Administrators, Information Security Leads, Control Managers, or Workspace Managers.
Workspace Managers with read-only access cannot be control owners.
Assign roles to individuals with the necessary authority, context, and access to perform their duties effectively.
Ensure role assignments comply with your organization's internal governance and audit requirements.
Create a Control
Goal: Add a custom control to meet compliance needs.
Go to the Controls page.
Select Create Control > Create a single control.
In Create control, complete the required fields:
Name (required)
Code (required; supports letters, numbers, and symbols)
Description (required)
Map the control to one or more framework requirements.
Map the control to additional objects:
One or more framework requirements, automated tests, evidence, and policies
Select Save to create the control.
To learn how to add or update in bulk, go to Import or Update Controls in Bulk.
Edit a Control
Goal: Update existing DCF or custom controls.
Go to the Controls page.
Select a control to open its detail page.
Select the Edit icon in the Info section.
Update required and optional fields:
Name (required)
Code (required, but only editable for custom controls)
Description (required)
Question (optional)
Activities (optional)
Select Save.
After saving:
Select See all updates to open the Events page and view full history.
Assign or Remove Control Owners
Goal: Manage responsibility for controls.
Control owners ensure evidence is linked, automated tests pass, and controls are audit-ready.
Owners can be assigned from the control detail page or the control list view on the Controls page.
Control owners do not necessarily need to be business stakeholders; they can be admins or analysts responsible for coordinating policy approvals and evidence collection.
This flexibility allows organizations to streamline control management while adhering to governance standards.
Assign an Owner
Open a control’s detail page.
In the Control Owners section, select Assign, then select a person to assign them as an owner.
Remove an Owner
Open a control’s detail page.
In the Control Owners section, select the X on the owner pill.
Bulk Assignment or Removal
From the Controls page, select one or more controls.
Select Assign/remove control owners in the grey bar to open the modal.
Assign or remove control owners:
Assign: Add new owners to all selected controls.
Remove: Remove owners from all controls where the owner exists by selecting the X on the owner pill.
Confirm to save changes and close the modal.
Annotate a Control
Goal: Add internal notes, tickets, and tasks for control management.
Open a control detail page and the utilities panel within it.
Add, edit or delete notes in the Internal Notes section.
You can also create tickets from the panel.
Create tasks from the panel.
Notes / Troubleshooting
Scope requirement: Controls must be mapped to at least one requirement.
Evidence: Add or remove evidence at any time.
Control codes: Editable only for custom controls, not DCF controls.
History tracking: All updates are logged in the Events page.
Owner eligibility: Owners must hold a qualifying role. If a user’s role is removed, or they are marked “Former Employee/Contractor,” they are no longer a control owner.
Filtering: Filter controls by owner in the list view to find controls quickly.
Exports: Owners are included in CSV downloads in the Control Owners column.
Instructions for the Classic Experience ⬇️
The Controls page displays a table of all your controls, providing a centralized place to browse and manage them. When you select a control, you can view and manage all related information, including its evidence, monitoring tests, policies, framework mappings, and associated risks.
Before you begin
The following roles have access to this functionality in Drata:
Admins
Information Security Leads
Note: The Controls page is only visible to accounts with more than one framework enabled. For example, if you manage SOC 2 and ISO 27001 in Drata, you'll have access to this page.
Create a control
Go to the Controls page.
Select Create New Control at the top of the page. The Create New Control drawer opens.
Enter the required fields:
Name
Code — supports letters, numbers, and symbols
Description
Map the control to one or more framework requirements. Controls must be mapped to at least one requirement.
Optionally, add evidence by linking policies and reports within Drata or uploading external files.
You can always link or unlink evidence after the control is created. See Linking Evidence to Controls.
Select Save to create your control.
Edit a control
On the Controls page, select a control to open the control drawer.
Select the Edit icon in the top-right corner of the drawer.
Update any of the following fields:
Field | Required |
Name | Yes |
Code | Yes — only editable on controls you created; DCF control codes cannot be edited |
Control Owner(s) | No |
Description | Yes |
Question | No |
Activities | No |
Select Save to apply your changes.
A timestamp showing when the control was last updated will appear at the top of the control. Select See all updates to view the full history on the Events page.
Manage control owners
Assign one or more control owners to each control to ensure the right people are responsible for collecting evidence, keeping monitoring tests passing, and supporting audits. Control owners are optional.
Before you begin
The following roles can be assigned as a control owner, and can assign or remove control owners:
Admins
Information Security Leads
Control Managers
Workspace Managers
Note: Workspace Managers with read-only access cannot be assigned as a control owner, even for workspaces they manage.
Assign or remove a single control owner
Select a control to open the control drawer.
In the Control Owners section, select a person to assign them as an owner.
To remove an owner, select the X on the owner pill.
If a control owner's role is removed or their employment status changes to Former Employee or Former Contractor, they are automatically removed as a control owner.
Assign or remove owners across multiple controls
From the Controls or Framework page list view, select one or more controls.
Select the Control Owner icon to open the Control Owners modal.
If a person owns only some — but not all — of the selected controls, they will not appear in the modal.
Use the Assign tab to add owners to all selected controls, then select Assign to save.
Use the Remove tab to remove owners from all selected controls, then select Remove to save.
View and filter by control owner
To view owners for a specific control from the list view, hover over the owner icon. If there are more than three owners, open the control to see the full list.
Use the Filter option on the Controls page to filter by control owner and see which controls have assigned owners or are owned by a specific person.
Control owners are included in all control-related CSV downloads in the Control Owners column, including framework-specific and general controls downloads.
Manage control details
💡 This section applies to accounts created on or after July 2, 2025, or accounts that opted into Early Access (Control and Monitoring 2.0).
When you select a control, a detail page opens with the following tabs: Overview, Evidence, Monitoring, Policies, Frameworks, and Risks.
Overview tab
On the Overview tab, you can do the following:
Top-Level Cards: View a high-level summary of factors related to your control, including Evidence, Monitoring, Policies, and Approvals.
Info: Edit the details of your control.
Owners: Assign or remove Control Owners.
Required Approvals: Manage required approvals for this control.
Top-Level Cards
Each top-level card provides details about your control’s readiness. You can select any card to view more information.
In the following example, the control’s status is marked as Not Ready. The top-level cards show that the control’s evidence is not ready. To address this, select the Evidence card and add an artifact. A control can remain Not Ready when it lacks positive supporting evidence, such as passing test results or linked artifacts, even if it has no associated error states.
The top-level cards clearly indicate which items are not factored into readiness.
For example, in the Monitoring section shown, the linked mapped test is inactive; therefore, it is not factored into readiness and does not affect the control’s readiness score. "Not factored" means these states or objects do not positively or negatively impact readiness. Drata emphasizes the need for positive evidence, such as passing tests or valid artifacts, to determine readiness. Without such evidence, controls remain marked as Not Ready, even though error states are disregarded.
For Monitoring, tests that are inactive, not tested or disabled, non-production, or erroring are not factored into readiness.
The following test states are not factored into readiness (they do not positively or negatively impact readiness):
Inactive
Not tested or disabled
Non-production
Erroring
These tests contribute neither positively nor negatively to the readiness status, enabling a focus on actionable issues.
Examples of Issues That Do Affect Readiness:
The following issues can negatively impact your control’s readiness:
The evidence shows a missing artifact.
The policy is not published.
Required approvals are still pending.
Info
Update the Name and Description so your team and auditors clearly understand what this control covers. You can also view the control’s Code.
Owners
Select one or more Control Owners who are responsible for keeping your control effective, collecting evidence, monitoring tests, and preparing for audits.
Required Approvals
Add and track Required Approvals to confirm your control has been reviewed and approved by key stakeholders. Approvals show auditors that your organization has strong control governance.
Evidence tab
The Evidence tab provides an at-a-glance view of all evidence attached to your control. Here, you can:
Link or unlink evidence to the control.
Add new evidence, which will be automatically linked to the control.
Download evidence for reference or record-keeping.
Select evidence to be redirected to the Evidence Library for more details.
Monitoring tab
The Monitoring tab displays all monitoring tests and their pass/fail history. You can download the displayed tests, select the tests for more information, or map additional tests to the control.
Policies tab
The Policies tab displays all policies attached to the control. Here, you can:
Download policies.
Link additional policies to the control.
Unlink policies from the control.
Select the policy to be redirected to the Policy page for more details.
Frameworks tab
The Frameworks tab will show you every framework requirement attached to this control. You can map requirements from a framework as well.
Risks tab
The Risks tab will show you all risks attached to the control. You can map additional risks, update the Impact and Likelihood score, unlink risks, and select the risks to view more information.
Manage internal notes, tasks, and tickets
The Controls page includes a right-hand navigation panel, where you can manage internal notes, tasks, and tickets.





