Framework Readiness (New Experience)

Understand how framework readiness is calculated and what you can do to keep your frameworks on track.

Updated this week

💡 Still using the classic Drata experience? Refer to Framework Readiness for the original UI.

What framework readiness shows

Framework readiness shows the current status of each in-scope framework in your environment. It reflects whether the requirements and controls in that framework meet the conditions for being Ready.

Use readiness to:

  • Track progress toward compliance

  • Identify gaps in evidence or approvals

  • Focus efforts on what’s needed to reach audit readiness

Readiness is layered:

  • A framework is ready when its requirements or controls are ready (depending on how you choose to measure)

  • A requirement is ready when all its mapped controls are ready

  • A control is ready when all of its readiness conditions are met


View framework readiness

You can measure readiness by Controls or Requirements:

  • Controls (default): Based on the number of in-scope controls that are Ready

  • Requirements: Based on the number of in-scope requirements that are Ready

To switch the readiness view:

  1. Go to Frameworks.

  2. Use the Controls / Requirements toggle at the top of the page.

  3. Choose how you want to measure readiness:

    • Controls – focuses on control-level readiness

    • Requirements – focuses on requirement-level readiness

When you change this toggle, Drata updates:

  • The Frameworks page

  • Individual framework detail pages

  • The Readiness overview on the Dashboard

Figure 1 shows the Frameworks page with readiness measured by controls and then by requirements.

Your selection applies only to your user account; it does not affect other users.


When a requirement is Ready

A requirement is considered Ready when all of its mapped controls are ready. If any mapped control is not ready—or if there are no mapped controls—the requirement is Not Ready.

On a specific framework page, you can filter requirements by readiness status (Ready / Not Ready) to see what needs attention.

Figure 2 shows a specific framework page with requirement readiness.

Requirement readiness rules

| Scenario | Requirement status |
| --- | --- |
| Requirement is mapped to multiple controls and at least one control is Not Ready | Not Ready |
| Requirement is mapped to zero controls | Not Ready |
| Requirement is mapped to multiple controls and all controls are Ready | Ready |

Only in-scope requirements contribute to framework readiness. Out-of-scope requirements are excluded from readiness calculations.


When a control is Ready

A control is considered Ready when:

  1. It meets all required approval conditions (if approvals are required).

  2. Its mapped evidence is valid (tests, policies, and artifacts meet their own conditions).

  3. It is in scope for at least one in-scope requirement in the framework.

On the Controls page, you can filter by Ready / Not Ready to focus on controls that still need work.

Control readiness rules

| Scenario | Control status |
| --- | --- |
| Control is mapped to multiple pieces of evidence and one or more pieces are Not Ready | Not Ready |
| Control is not mapped to any evidence | Not Ready |
| Control requires approval and has not been approved | Not Ready |
| Control is mapped to multiple pieces of evidence and all are valid/approved as required | Ready |

When evidence is valid or invalid

Evidence mapped to a control is considered valid when all of the following are true:

  • All mapped tests are in a Passing state

  • All mapped policies have a published version

  • Mapped Evidence Library artifacts are within their renewal date

  • Mapped miscellaneous evidence (files or URLs) is within its renewal date

  • If the control requires approval, the approval has been completed

Evidence is considered invalid if any of the following is true:

  • One or more mapped tests are in a Failing state

  • A mapped policy is not published

  • A mapped Evidence Library artifact is past its renewal date

  • A mapped miscellaneous evidence file or URL is past its renewal date

  • A required control approval is missing


SOC 2 readiness

SOC 2 readiness uses the same readiness logic but is often more sensitive to how you choose to measure:

  • When measuring by Controls, your SOC 2 readiness score reflects the ratio of in-scope, ready controls to all in-scope controls.

  • When measuring by Requirements, a requirement is Not Ready if any of its mapped controls are Not Ready. That can significantly lower the score, and in some cases yield 0% readiness even if many individual controls are already ready.

Use the toggle on the Frameworks page to compare control-based and requirement-based SOC 2 readiness so you can understand how control gaps roll up into requirements.
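
The rollup described above, as an added example (not Drata's code): a Python model of the evidence, control and requirement rules that computes both scores and shows one shared failing control driving the requirement score to 0%. The class, field and ID names and the sample data are hypothetical and constructed. Assumptions: the renewal date itself still counts as valid, in-scope controls are those mapped to an in-scope requirement, and the requirement score is ready in-scope requirements over all in-scope requirements.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Control:  # hypothetical model of one control and its mapped evidence
    tests: list = field(default_factory=list)      # "Passing" / "Failing"
    policies: list = field(default_factory=list)   # True = has a published version
    renewals: list = field(default_factory=list)   # renewal dates: artifacts, files, URLs
    needs_approval: bool = False
    approved: bool = False

def control_ready(c, today):
    mapped = bool(c.tests or c.policies or c.renewals)  # no evidence -> Not Ready
    valid = (all(t == "Passing" for t in c.tests) and all(c.policies)
             and all(d >= today for d in c.renewals))   # assumption: renewal day still valid
    return mapped and valid and (c.approved or not c.needs_approval)

def readiness(controls, requirements, today):
    """requirements: {id: (in_scope, [control ids])} -> (% by controls, % by requirements)."""
    scoped = {r: ids for r, (in_scope, ids) in requirements.items() if in_scope}
    # Assumption: a control is in scope when an in-scope requirement maps to it.
    in_scope_controls = {cid for ids in scoped.values() for cid in ids}
    ready = {cid for cid in in_scope_controls if control_ready(controls[cid], today)}
    # A requirement with zero mapped controls is Not Ready, hence the `ids and` guard.
    ready_reqs = [r for r, ids in scoped.items() if ids and all(i in ready for i in ids)]
    pct = lambda n, total: round(100 * n / total) if total else 0
    return pct(len(ready), len(in_scope_controls)), pct(len(ready_reqs), len(scoped))

# Constructed sample data: CTL-5 is shared by every requirement that has controls.
TODAY = date(2025, 1, 15)
CONTROLS = {
    "CTL-1": Control(tests=["Passing"]),
    "CTL-2": Control(policies=[True]),
    "CTL-3": Control(renewals=[date(2025, 6, 1)], needs_approval=True, approved=True),
    "CTL-4": Control(tests=["Passing"], renewals=[date(2025, 3, 1)]),
    "CTL-5": Control(tests=["Passing", "Failing"]),
}
REQUIREMENTS = {
    "REQ-1": (True, ["CTL-1", "CTL-5"]),
    "REQ-2": (True, ["CTL-2", "CTL-5"]),
    "REQ-3": (True, ["CTL-3", "CTL-4", "CTL-5"]),
    "REQ-4": (True, []),           # in scope but unmapped
    "REQ-5": (False, ["CTL-1"]),   # out of scope: excluded from both scores
}

def fix_shared_control():
    fixed = dict(CONTROLS, **{"CTL-5": Control(tests=["Passing", "Passing"])})
    return readiness(fixed, REQUIREMENTS, TODAY)

if __name__ == "__main__":
    print(readiness(CONTROLS, REQUIREMENTS, TODAY))  # (80, 0)
    print(fix_shared_control())                      # (100, 75)
```

Fixing the shared control lifts the control score to 100%, but the requirement score stops at 75% because the unmapped in-scope requirement stays Not Ready.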
