⚠️ Select your experience
The steps to mark controls in or out of scope vary depending on your interface version. Select a link below to jump to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
Not all controls are required for every audit. Drata allows you to mark controls as In Scope or Out of Scope so your audit reflects only the controls your organization plans to use.
Marking controls out of scope helps you:
Focus on relevant audit requirements
Reduce noise during audit preparation
Clearly document which controls are intentionally excluded
Prerequisites
Only the following roles can mark controls in or out of scope:
Administrators
Information Security Leads
Mark controls out of scope
To mark one or more controls as out of scope:
Go to the Controls page.
Select one or more controls from the list.
Mark the selected controls as Out of Scope.
The selected controls are excluded from audit scope and readiness calculations where applicable.
Mark controls in scope
To mark controls back in scope:
Go to the Controls page.
Select one or more controls.
Mark the selected controls as In Scope.
Once marked in scope, controls are included again in audit preparation and readiness tracking.
What to expect after changing scope
Out-of-scope controls remain visible but are excluded from audit scope
In-scope controls contribute to readiness and audit workflows
Control scope is global.
When you mark a control In/Out of Scope from the Controls page, it affects all frameworks that control is mapped to
If the control is mapped to multiple frameworks, the scope change applies to all of them.
Framework behavior is driven by mappings and requirements.
A framework’s control count and readiness are based on in‑scope controls that are mapped to in‑scope requirements in that framework.
Adding or removing a control from a framework’s requirements only affects that specific framework.
Instructions for the Classic Experience ⬇️
Drata allows your company the flexibility to customize the framework and determine which controls are appropriate for your audit. You can mark controls as 'In Scope' or 'Out of Scope' directly in the Drata platform.
BEFORE DIVING IN
Only Administrators and Information Security Leads have access to this section within Drata.
Mark controls out of scope
Use the tick box next to a control or group of controls (you can select multiple or all on the page), then click the file box icon on the far right of the screen to mark the controls 'Out of Scope'.
Mark controls in scope
To mark controls 'In Scope', follow the same process. Select the controls using the tick box or utilize the 'Select All' box to select all out of scope controls on that page and use the file box icon on the far right to mark the selected controls 'In Scope'.
Troubleshooting Tip: Access Issues to the Audit Hub
If you're experiencing issues accessing the Audit Hub (e.g., the page keeps loading without progressing), try the following troubleshooting steps:
Check whether the issue persists on different browsers or in an incognito window.
Clear your browser's cache and cookies, then attempt to sign in again.
Restart your system and try accessing the Audit Hub again. These general steps help address common browser-related issues, ensuring smoother access to the Audit Hub.