
Marking Requirements In and Out of Scope

How to scope framework requirements to match your environment.

⚠️ Select your experience

The steps to manage your requirements scope depend on your interface version. Select a link to skip to the instructions for your version.

Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.

Instructions for the New Experience ⬇️

Mark framework requirements as In Scope or Out of Scope to ensure your readiness calculations reflect only what applies to your organization. Only in-scope requirements contribute to a framework's readiness percentage.

Prerequisites

  • Required Drata role: Admins, Information Security Leads, or Workspace Managers with write access to Frameworks can update requirement scope. This permission allows them to modify requirements and change scope for the frameworks they manage.

Open Framework page

  1. In the left navigation, go to Compliance > Frameworks.

  2. Select a framework to open its detail page.

  3. Use the Requirements table to view all requirements, mapped controls, readiness status, and scope.

Mark Requirements Out of Scope

Use this process when one or more requirements do not apply to your environment, for example, a data center requirement for a cloud-only organization.

  1. Go to Compliance > Frameworks.

  2. Select a framework and scroll to the requirements table.

  3. Filter the table by Scope: In Scope.

  4. To mark a single requirement out of scope, select the ellipsis next to the requirement.

  5. To select multiple requirements, select the checkbox in the column header to select all requirements currently visible in the table.

  6. Select Mark Out of Scope.

  7. In the confirmation dialog, review the number of requirements being updated.

  8. Provide a business rationale. This field is required. If multiple requirements are selected, the same rationale is applied to all of them.

  9. Select Confirm.

Drata removes these requirements from readiness calculations and treats them as excluded for the selected framework.

Controls Affected by Scope Changes

When you mark requirements Out of Scope, Drata evaluates controls mapped to those requirements. If a control is mapped to only one requirement and that requirement is marked Out of Scope, the control is automatically marked Out of Scope.

Mark Requirements In Scope

Use this process to include requirements in readiness calculations and treat them as applicable to your environment.

  1. In the framework's Requirements table, filter by Scope: Out of Scope.

  2. Select the requirements to include.

  3. From the table actions, select Mark In Scope.

  4. Confirm the change.

How Requirement Scope Affects Framework Readiness

  • Only in-scope requirements count toward a framework's readiness percentage.

  • A control is considered in scope if it is mapped to at least one in-scope requirement.

  • If all requirements mapped to a control are marked Out of Scope, the control is marked Out of Scope.
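
The scope rules above can be previewed offline before a bulk change is confirmed. The following is an added example, not Drata code and not a Drata API; the requirement and control IDs are constructed, and it assumes all mappings belong to a single framework.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical IDs), one framework only.
REQUIREMENTS = {"REQ-PHYS-1", "REQ-PHYS-2", "REQ-ACCESS-1"}
CONTROL_MAP = {  # control -> requirements it is mapped to
    "CTL-01": {"REQ-PHYS-1"},                  # mapped to one requirement only
    "CTL-02": {"REQ-PHYS-1", "REQ-PHYS-2"},
    "CTL-03": {"REQ-PHYS-2", "REQ-ACCESS-1"},
    "CTL-04": {"REQ-ACCESS-1"},
}


@dataclass(frozen=True)
class ScopePreview:
    controls_dropped: list      # controls that flip from in scope to out of scope
    controls_kept: list         # controls still mapped to >= 1 in-scope requirement
    requirements_counted: list  # requirements still counted toward readiness


def control_in_scope(mapped, out_of_scope):
    """Page rule: in scope if mapped to at least one in-scope requirement."""
    return any(req not in out_of_scope for req in mapped)


def preview_scope_change(requirements, control_map, already_out, to_mark_out):
    """Report the effect of marking `to_mark_out` Out of Scope, before confirming."""
    unknown = set(to_mark_out) - set(requirements)
    if unknown:
        raise ValueError(f"unknown requirement IDs: {sorted(unknown)}")
    before = set(already_out)
    after = before | set(to_mark_out)
    dropped, kept = [], []
    for control, mapped in sorted(control_map.items()):
        if not control_in_scope(mapped, before):
            continue  # already out of scope, so this change does not affect it
        (kept if control_in_scope(mapped, after) else dropped).append(control)
    return ScopePreview(dropped, kept, sorted(set(requirements) - after))


if __name__ == "__main__":
    # Cloud-only organization excluding both physical data center requirements.
    preview = preview_scope_change(
        REQUIREMENTS, CONTROL_MAP, set(), {"REQ-PHYS-1", "REQ-PHYS-2"}
    )
    print("controls dropped:", preview.controls_dropped)
    print("controls kept:", preview.controls_kept)
    print("requirements still counted:", preview.requirements_counted)
```

Reviewing the dropped list against the business rationale before confirming shows which controls will stop being tracked as a side effect of the requirement change.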


Instructions for the Classic Experience ⬇️

Drata gives your company the flexibility to make each framework your own and to determine which requirements (and controls) are appropriate for your needs. Marking requirements 'In Scope' and 'Out of Scope' lets you do this directly in the Drata platform.

Additionally, if a control is mapped to only one requirement, whenever that requirement is marked in or out of scope, the control is marked in or out of scope as well. You'll have the option to review and confirm this before any changes are made.

NOTE: Only 'In Scope' requirements will count towards a framework's readiness.

BEFORE DIVING IN

Only account administrators or information security leads have access to this section within Drata.

HERE'S HOW

Use the tick box next to a requirement or a group of requirements (select multiple or all on the page) to select the requirement(s), then click the 'Mark out of scope' link.

You will be required to provide business rationale for why the selected requirement(s) do not apply to your company. If you've selected multiple requirements at once, you will only need to provide one business rationale and it will be applied to all requirements.

The business rationale will display in the requirement drawer.

To mark requirement(s) 'In Scope' you will follow the same process. Select the requirement(s) using the tick box or utilize the 'Select All' box to select all out of scope requirements on that page and click the 'Mark in scope' link.

After marking requirements out of scope, you will be prompted to review all of the controls that have been marked out of scope. These are controls that are uniquely associated with the requirements being marked out of scope.

If you would like to make any changes to any of the controls, click the 'Controls' link to go to the Controls page, where you can make any individual changes that have not been automated.
