💡 Still using the classic Drata experience? Refer to Controls: Manage Control Details and Mappings, Edit a Control, or Create a Control for the original UI.
Overview
Controls implement and articulate the policies, processes, and activities your organization uses to meet compliance requirements.
In Drata, you can:
Create custom controls to meet specific needs.
Map controls to framework requirements.
Link evidence (policies, reports, external files).
Edit both Drata Common Framework (DCF) controls and your custom controls.
Assign control owners and approvers.
Add internal notes, tickets and tasks for context, collaboration, and management.
Prerequisites
Only Administrators and the Information Security Lead can create, edit, and annotate controls.
Control owners can be Administrators, Information Security Leads, Control Managers, or Workspace Managers.
Workspace Managers with read-only access cannot be control owners.
Create a Control
Goal: Add a custom control to meet compliance needs.
Go to the Controls page.
Select Create Control > Create a single control.
In Create control, complete the required fields:
Name (required)
Code (required; supports letters, numbers, and symbols)
Description (required)
Map the control to one or more framework requirements.
Map the control to additional objects:
One or more framework requirements, automated tests, evidence, and policies
Select Save to create the control.
To learn how to add or update in bulk, go to Import or Update Controls in Bulk.
Edit a Control
Goal: Update existing DCF or custom controls.
Go to the Controls page.
Select a control to open its detail page.
Select the Edit icon in the Info section.
Update required and optional fields:
Name (required)
Code (required, but only editable for custom controls)
Description (required)
Question (optional)
Activities (optional)
Select Save.
After saving:
Select See all updates to open the Events page and view full history.
Assign or Remove Control Owners
Goal: Manage responsibility for controls.
Control owners ensure evidence is linked, automated tests pass, and controls are audit-ready.
Owners can be assigned from the control detail page or the control list view on the Controls page.
Assign an Owner
Open a control’s detail page.
In the Control Owners section, click Assign and select the person you want to assign.
Remove an Owner
Open a control’s detail page.
In the Control Owners section, select the X on the owner pill.
Bulk Assignment or Removal
From the Controls page, select one or more controls.
Select Assign/remove control owners in the grey bar to open the modal.
Assign or remove control owners:
Assign: Add new owners to all selected controls.
Remove: Select the X on the owner pill to remove that owner from all controls where the owner exists.
Confirm to save changes and close the modal.
Annotate a Control
Goal: Add internal notes, tickets, and tasks for control management.
Open a control’s detail page, then open the utilities panel within it.
Add, edit, or delete notes in the Internal Notes section.
You can also create tickets from the panel.
Create tasks from the panel.
Notes / Troubleshooting
Scope requirement: Controls must be mapped to at least one requirement.
Evidence: Add or remove evidence at any time.
Control codes: Editable only for custom controls, not DCF controls.
History tracking: All updates are logged in the Events page.
Owner eligibility: Owners must hold a qualifying role. If a user’s role is removed, or they are marked “Former Employee/Contractor,” they are no longer a control owner.
Filtering: Filter controls by owner in the list view to find controls quickly.
Exports: Owners are included in CSV downloads in the Control Owners column.
