⚠️ Select your experience
The steps to export control-to-requirement mappings vary depending on your interface version. Select a link below to jump to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
Auditors and internal teams often request a clear view of how controls map to framework requirements. Drata allows you to export control and requirement mappings as a CSV file, making it easy to share, review, or include in audit documentation.
Export control mappings
To download a CSV file with your control and requirement mappings:
Go to the Frameworks page.
Select a framework to open.
Select Downloads.
Choose one of the following export options:
Requirements to controls
Controls to requirements
Export options explained
Requirements to controls
This export starts from the framework requirements (for example, SOC 2 Trust Services Criteria).
Each requirement appears as a separate row
Mapped controls are listed for each requirement
A single control may appear multiple times if it maps to multiple requirements
This format is useful when auditors want to review coverage starting from the framework.
Controls to requirements
This export starts from the Drata Control Framework.
Each control appears once
All mapped requirements are listed for that control
This format is useful when reviewing how individual controls support compliance requirements.
Download all requirements
What it does: Downloads every requirement in the framework, regardless of any filters you currently have applied.
Use this when:
An auditor asks for the full framework mapping
You want a complete, authoritative export
You’re preparing for an audit or external review
Download filtered view
What it does: Downloads only the requirements that match your applied filters.
Use this when:
You’re reviewing a subset of requirements
You want to share only what’s relevant (for example, out-of-scope exclusions, specific domains, or statuses)
You don’t need the full framework
What’s included in the export
The file downloads as a CSV
Only in-scope controls are included
Controls marked Out of Scope are excluded from the export
When to use this export
Use control mapping exports when you need to:
Share control coverage with auditors
Perform internal compliance reviews
Validate mappings across frameworks
Support audit preparation and evidence requests
Key takeaways
Control mappings can be exported at any time
Two export formats support different audit and reporting needs
Out-of-scope controls are automatically excluded
CSV exports make sharing and review simple
Instructions for the Classic Experience ⬇️
Often, your auditor or internal team will request a mapping of your controls and requirements. Drata allows you to export them for easy distribution.
BEFORE DIVING IN
Only Administrators and the Information Security Lead have access to this section within Drata.
HERE'S HOW
In the upper right corner of your 'Frameworks' page, select the settings icon.
You will then be given the option to download 'Requirements to controls' or 'Controls to requirements'.
Requirements to controls shows data starting from the SOC 2 Trust Services Criteria (TSC).
It maps each SOC 2 requirement to the relevant controls, with a separate line item for every requirement.
Because a single control can map to multiple requirements, some controls may appear multiple times in column F.
Controls to requirements shows data starting from the Drata Control Framework.
It lists each control and shows the requirements it maps to.
Each control appears once, with its corresponding mapped requirements.
After downloading, you will have a CSV file that includes your controls and requirements. Any controls that have been marked as 'Out of Scope' will not be included in the CSV download.


