The steps depend on your interface version. This page covers both the New Experience and the Classic Experience.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience
You can create custom policies in Drata to meet your organization’s specific requirements. You can also replace a Drata-provided policy template with a custom policy while preserving control mappings and audit coverage.
Prerequisites
Admins, Information Security Leads, and Workspace Managers can create, approve, and update policies.
You can’t create or replace policies in Drata if you use an external policy manager such as BambooHR or Confluence. If an external policy manager is connected, you’ll see Import external policy instead of Create custom policy.
How policy replacement works
You can replace only Drata template policies with custom policies.
When you replace a policy:
Control and test mappings are preserved: Controls and related monitoring tests automatically transfer to the custom policy.
The original policy is archived: The replaced Drata template is archived and no longer active.
Replacement takes effect immediately: The replacement applies even if the custom policy is not yet published.
Unpublished policies may affect readiness: If the custom policy is not published, related controls may appear as Not Ready until publishing is complete.
SLAs may require configuration: If the replaced policy includes Service Level Agreements (SLAs), additional settings may appear during replacement.
Archived policies can’t be used for replacement. Restore an archived policy only if you intend to use it again.
Create and replace a policy
Step 1: Open Policies
Open Governance → Policies.
Select Create policy.
Note: Verify whether the Drata Policy Builder or an external policy manager interface (e.g., BambooHR) is active before proceeding. If the Drata Policy Builder is not visible, ensure that external integrations are disconnected.
Step 2: Choose how to create the policy
Select a policy source:
Upload policy: Upload a policy file (up to 25 MB).
Author policy in Drata: Use Drata’s editor to write and manage the policy directly.
Step 3: Enter policy details
Enter required policy details, including:
Policy name
Description
Renewal date
Owner (Policy owner)
Disclaimer (optional)
You can configure approval workflows after creation.
Step 4: Select personnel groups
Choose which personnel must acknowledge the policy, or indicate if the policy does not apply to personnel.
Option 1: All personnel
All employees and contractors must acknowledge the policy.
Default for existing Drata policies
The monitoring test fails if any required personnel don’t acknowledge
Option 2: Specific groups
Only members of selected IdP groups must acknowledge the policy.
Only group members see the policy during onboarding
Monitoring tests apply only to assigned group members
Tests fail only if members of the assigned groups don’t acknowledge
Group membership changes
New members are assigned after the next Autopilot sync
Removed members are no longer required to acknowledge the policy
If all members are removed from assigned groups, the Policy Owner is notified
You can choose to notify new group members automatically when they’re added.
Option 3: Policy doesn’t apply to personnel
No personnel acknowledgment is required.
Use this option for policies that don’t require employee sign-off but still need to be stored and tracked.
Important
If the policy has an acknowledgment-based monitoring test, that test will fail after the next Autopilot run
You must disable the related test after changing this setting
If someone other than the Policy Owner sets a policy to this option, the Policy Owner is notified
Step 5: Replace a Drata policy (optional)
In the Replace policies section, select the Drata template you want to replace. The selected Drata policy is archived and replaced by your custom policy.
Replacing a default policy with this policy will:
transfer any control and test mapping
transfer any applied SLAs
archive the default policy
Next steps
If you authored the policy in Drata, draft the policy content and finalize it when ready. Once finalized, you can initiate the approval process.
After the policy is created, select the Policy tab to add or edit the policy content as needed.
Instructions for the Classic Experience
Create and Replace a Policy with Your Custom Policy
Upload or create your custom policy directly in Drata. Additionally, discover how to replace Drata policy templates with a custom policy.
Drata allows you to replace its built-in policies with your custom policies, giving you flexibility to align policies with your organization's specific requirements while maintaining compliance. Custom policies are especially important for organizations whose requirements differ from standard templates, because they help meet specific compliance obligations and keep policies aligned with organizational objectives.
BEFORE DIVING IN
Admins, information security leads, and workspace managers will have access to create, approve, and update policies within Drata.
You can't create or replace policies if you use an external policy manager like BambooHR or Confluence.
If using an external policy manager, you will see an Import External Policy button rather than a Create Custom Policy button.
Replacing policies
When you replace a Drata template policy with a custom policy, the replacement takes effect immediately, even if the custom policy is unpublished. You can only replace a built-in policy with a custom policy. To revert and restore the original built-in policy, refer to Restore Replaced Policies.
Here’s what happens when you replace a policy:
Automatic control and test mapping: Replacing a built-in policy provided by Drata automatically transfers all control mappings and monitoring tests.
If the custom policy is not published, the controls may be marked as “Not Ready”.
Archived policy: The replaced policy is automatically archived.
Unpublished Policies: You can use unpublished custom policies to replace a built-in policy, but this may result in controls being marked as “Not Ready” until the custom policy is finalized and published.
SLAs (Service Level Agreements): If the policy being replaced has SLAs, you may need to configure additional settings during the replacement process to ensure compliance.
Troubleshooting: If replacement options are unavailable, check that the custom policy is not archived. Archived policies cannot replace active templates; restore archived policies only if you intend to use them for replacement.
Create and replace a policy
To replace a policy in Drata, you must first create a custom policy. During the policy creation process, you’ll have the option to select which Drata template policy you’d like to replace.
Step 1: Navigate to the Policy Center
Go to the Policy Center page and select Create Custom Policy to begin creating your custom policy.
Step 2: Provide Policy Details
Provide details for your custom policy in the drawer.
Policy Source:
Upload policy: Select and upload a file from your computer (up to 25MB).
Author policy in Drata: Use Drata’s built-in editor to create and finalize your policy, after filling out the rest of the details in the drawer.
Details: Enter policy details such as name, description, renewal date, owner of the policy, and disclaimer.
After creating the policy, you can configure multi-tier approvals as part of the approval process.
Step 3: Select personnel groups
You must also choose who will acknowledge this policy or if it does not apply to personnel.
Step 4: Replace Drata policies (optional)
Select policies to replace.
A modal will appear with a list of policies eligible for replacement. Select the policy you want to replace.
SLA Settings:
If the selected policy has Service Level Agreements (SLAs), additional settings will appear in the modal for configuration.
After you’re done filling out the required fields, select Create.
Next steps: Author Policy in Drata
Note: If you selected Upload policy as the policy source, the file is uploaded and created without further action needed.
If you choose Author Policy in Drata, you’ll be directed to Drata’s built-in editor to draft and finalize the policy. You can also upload a custom policy file.






