⚠️ Select your experience
The steps depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
Overview
When a control requires approval, it must be reviewed and approved by designated approvers before it can be marked Ready. Required approvals add a governance step to ensure controls are not only implemented, but formally reviewed.
The goal is to confirm that a control is ready, reviewed, and auditable.
With required approvals, you can:
Require approval before a control becomes Ready
Assign approvers and approval deadlines
Track approval stages and history
Remove approvals if they are no longer needed
Prerequisite
Only users with write access to the Controls page can manage required approvals.
Eligible roles: Administrators, Information Security Leads, Workspace Managers, Control Managers
Approvers: Only assigned approvers can approve a control or request changes
Owner and approvers: Control owners and approvers may be the same person
Auditors: Auditors with read-only access can view approvals but cannot take action
Required Approval Stages
When a control requires approval, it moves through the following stages.
Prepare for approvers
Needs approval
Changes requested
Approved
Select a control and scroll to the Review and approval section to view its current stage.
Prepare for approvers
What this means: The control is being prepared and is not yet ready for review.
What to look for: Evidence, policies, tests, and mappings are complete; readiness indicators are addressed.
What to do: Control owners finalize updates and send the control to approvers when it is ready. Once the control is sent for approval, the approver is notified and a task is assigned to review the control. You can view assigned tasks on the Tasks page.
Needs approval
What this means: The control is ready for review and awaiting approval.
What to look for: Assigned approvers and any remaining readiness gaps.
What to do: Approvers review the control and either approve it or request changes.
Changes requested
What this means: An approver has requested changes that must be addressed before approval. The request details are recorded in Internal notes for visibility and accountability.
What to look for: Request details in Internal notes and an associated Drata task
What to do: Control owners make the requested updates in the Evidence tab and resubmit the control for approval.
Approved
What this means: The control has been reviewed and approved
What to look for: Approval deadline and upcoming re-approval reminders
What happens next:
14 days before the deadline, the control returns to Needs approval
If a scheduled update fails, an event is logged
Mapping a new policy resets the control to Prepare for approvers
Set up required approvals for a single control
Go to the Controls page.
Select a control to open its details.
In the Review and approval section, select Set up.
Verify the control has at least one control owner. If no owner is assigned, you must add one before proceeding.
Add one or more approvers. If multiple approvers are added, only one approval is required.
Set an approval deadline.
Select Save.
When ready, select Send to approvers to begin review.
Bulk required approvals setup for multiple controls
From the Controls page, select one or more controls.
Ensure all selected controls have owners assigned.
Filter by No approvers assigned, if needed.
Select Add approvals.
Assign approvers and set approval deadlines.
Select Save.
⚠️ If any selected control does not have an owner, an error message identifies it. Add owners before retrying.
Delete required approvals
You can remove required approvals if they are no longer needed.
Open the control.
Go to the Review and approval section.
Select the trash icon.
When selecting controls in bulk, you can choose to Delete approvals rather than select Add approvals.
Deleting approvals:
Does not remove internal notes, events, or approval history
Removes the approval requirement for readiness
Allows the control to follow standard readiness rules
You can reapply required approvals at any time.
How approvals affect control readiness
Controls without required approvals follow standard readiness rules. Controls with required approvals must:
Meet all readiness requirements and
Be approved by assigned approvers
👉 Only after both conditions are met does the control status update to Ready.
This ensures readiness reflects both implementation and governance. You can filter controls on the Controls page to see which are Ready or not.
Common scenarios and what happens
Adding evidence after approval
Adding evidence to an approved control changes its approval stage depending on where the update is made.
From the Controls page:
Send to approvers: Resets to Needs approval and notifies approvers
Still working: Resets to Prepare for approvers without notifying approvers
Missing approvers
If all approvers are removed or leave the organization:
A banner indicates a new approver is required
The control cannot be approved until an approver is assigned
You can find these controls by filtering for:
No approvers assigned
Select any of these stages: Prepare for approvers, Needs approval, Changes requested, Approved
Key takeaways
Required approvals add a review layer before controls become Ready
Only approvers can approve controls or request changes
Approval status directly affects readiness
Changes after approval often require re-approval
All activity is logged for audit transparency
Instructions for the Classic Experience ⬇️
Here's why
It is crucial for organizations to both maintain and determine control readiness. With Drata, you can set up internal reviews and approvals for your controls, reducing complex processes and various tools.
Before diving in
Roles with write-access to the Control page will have access to act on and manage Required Approvals. The roles include admins, information security leads, workspace managers, and control managers.
Only the assigned approvers have the ability to Approve or Request Changes.
Control owners and approvers can be the same person.
Auditors with read_only access will not be able to see the internal notes section, but have read_only access to the Required Approvals component.
Set Up Required Approvals For Each Control
Go to the Controls page and select your desired control. In the control drawer, verify that there is a Control Owner and select the Set up button next to REQUIRED APPROVALS.
The following image shows there are multiple approvers, and December 15, 2023 is the approval deadline.
You can add one or multiple approvers. If you add multiple approvers, only one approval is required. Next, select an approval deadline and select Save.
Bulk Set Up Required Approvals for Multiple Controls
To add Required Approvals to multiple controls, go to the Controls page and select No approvals assigned under the Required approvals filter to select the desired controls. Ensure that each selected control has a control owner. If a control does not have a control owner, an error message will appear indicating which control needs a control owner.
To begin bulk adding control approvals, select Add approvals.
After selecting Save, the selected controls are located under Prepare for approvers instead of No approvals assigned.
Required Approvals Stages
Once a required approval for a control is set up, there are 4 different review stages the control can go through.
Prepare for approvers
Needs approval
Changes requested
Approved
In the left sidebar of the Controls page, you can filter controls based on the desired review stage. If a control does not have a required approval, the control will be under the No approvals assigned filter.
Prepare for approvers
During the Prepare for approvers stage, control owners prepare and manage the control information, mapping, and evidence for the approvers. Once the control is ready to be reviewed, any role with write access to the Control page, including the control owner, can select Send to approvers.
The approvers are notified and assigned the task of reviewing the control.
Needs approval
In the Needs approval stage, only approvers can approve or request changes.
Added approvers will be notified and the required approval will automatically update to show the latest approvers.
Removed approvers will see the non-approvers view.
You can add or remove approvers by selecting the edit icon.
Non-approver view
Approver view
Changes requested
When approvers request changes, they can select the evidence that needs to be updated and enter the request details. The reason for change request will be added into the internal notes section for that control, ensuring transparency and accountability.
After the approver sends the request, the control owner is notified, a Drata task is created, and the required approval status is updated to Changes requested.
These details are added to the internal notes section for that control.
Approved
For the review stage to be approved, the required approval must be approved and then the next approval deadline will be set. The following must occur for a control stage to be updated to Approved:
The approvers must approve the required approvals.
The approver must set the next approval date.
When the next approval deadline is set, 14 days prior to the approval deadline, the required approval stage changes to Needs approval and the approver is notified. The control will now move to Not Ready, given that it is not approved.
If the scheduled task fails to update the status, an event is created in Event Tracking to notify the control owner of the failed task.
Only approvers can submit a change request by selecting the Request changes button. After a change is requested, the control owner is notified.
Note: When you map an approved control that has required approvals to a policy, the control owners are notified, and the control's review status reverts to Prepare for approvers. To learn more, see Policy Center: Link your policies to your controls.
Delete Required Approvals
To delete an approval, select the edit icon in the Required Approvals section.
After selecting the Delete approval button, a confirmation modal will appear to ensure that this is the action you want to take.
After selecting Remove approval, the control will no longer require approval to be marked as Ready.
Delete a required approval after a control has been approved
You can delete an approval even after it has been approved. Deleting an approval does not remove internal notes, Event Tracking history, or previous approval records.
FAQ
How can you add evidence after a required approval is approved?
There are 3 ways evidence can be added to a control, however this will impact an approved required approval.
Add evidence from the control drawer in the Controls page. When evidence is added, edited, or deleted from a required approval that's approved, the required approval is no longer approved and you will be prompted to select one of the following options:
Yes, send to approvers: The approver is notified and the required approval review stage is updated to Needs approval.
No, I'm still working on it: The approver is not notified, and the required approval review stage is updated to Prepare for approvers.
Add evidence to the Evidence Library or Policy Center. When evidence is added, a new version is created, or evidence is linked/unlinked to a control that has a required approval approved, the required approval review stage is updated to Prepare for approvers. Control owners are notified that they must review changed evidence in their control drawer before sending the control for approval.
Add evidence from the control drawer in Audit Hub. When evidence is added in the control drawer from the Audit Hub, the required approval updates to the Needs approval stage.
How does adding required approvals impact Control Readiness?
When controls do not have a required approval set up, they follow the same readiness calculation as standard controls.
When a control has a required approval set up, the control must pass the requirements for readiness and needs to be approved for the control readiness status to go from Not Ready to Ready.
What happens when the approver is no longer at the organization?
If there are no approvers, a red banner is displayed indicating that an approver is needed.
To view controls that do not have approvers, select No approvers assigned. You can also filter controls based on the required approvals review status:
Approved
Changes requested
Needs approval
Prepare for approvers
