Drata gives your company the flexibility to make each framework your own and to determine which requirements (and controls) are appropriate for your needs. Marking requirements 'In Scope' or 'Out of Scope' lets you record those decisions directly in the Drata platform.
Additionally, if a control is mapped to only one requirement, the control is marked in or out of scope whenever that requirement is marked in or out of scope. You'll have the option to review and confirm this before any changes are made.
NOTE: Only 'In Scope' requirements count toward a framework's readiness.
BEFORE DIVING IN
Only account administrators or information security leads have access to this section within Drata.
HERE'S HOW
Use the tick box next to a requirement or a group of requirements (select multiple or all on the page) to select the requirement(s), then click the 'Mark out of scope' link.
You will be required to provide a business rationale for why the selected requirement(s) do not apply to your company. If you've selected multiple requirements at once, you only need to provide one business rationale, and it will be applied to all of the selected requirements.
The business rationale will display in the requirement drawer.
To mark one or more requirements 'In Scope', follow the same process. Select the requirement(s) using the tick box, or use the 'Select All' box to select all out of scope requirements on that page, and click the 'Mark in scope' link.
After marking requirements out of scope, you will be prompted to review all of the controls that have been marked out of scope. These are controls that are uniquely associated with the requirements being marked out of scope.
If you would like to make any changes to any of the controls, click the 'Controls' link to go to the Controls page, where you can make any individual changes that have not been automated.