
Custom Framework

This article covers creating and managing Custom Frameworks.

⚠️ Select your experience

The steps to create and add auditors to an audit depend on your interface version. Select a link to skip to the instructions for your version.

Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.

Instructions for the New Experience ⬇️

Custom Frameworks allow you to generate your own framework and associated requirements. Once created, custom frameworks support the same functionality as regular frameworks.

Drata provides tools to manage and customize frameworks according to organizational compliance needs. This lets you align with standards that are not natively integrated, such as HITRUST CSF.

Step 1: Create a Custom Framework

  1. In Drata, go to the Frameworks page.

  2. In the upper-right corner, select Create new custom framework.

  3. Enter your framework details:

    • Name: This name appears on the Frameworks page.

    • Short name: This short name is used for filters on the Controls page.

    • Description: This description appears at the top of the specific framework overview page.

  4. (Optional) Upload your requirements. You can also add them later.

    • Download and review the provided template.

    • Replace the template data with your own requirements.

    • Ensure that your template data follows the requirements and control mapping guidelines.

Step 2: Upload Requirements and Map Controls

Note: Control mappings are optional.

Use the template provided during the custom framework creation flow. When uploading requirements or mapping controls, you must:

  • Use the exact column headers from the template. The spelling, spacing, and capitalization must match exactly.

  • The following special characters aren't allowed anywhere in the CSV file: < > \

  • Code and Name columns are required.

  • The Code must be unique — both within the file and compared to any existing requirements in Drata. Rows with duplicate codes will be skipped.

  • Category (Optional): Only one category is allowed per requirement.

  • Control Mapping (Optional):

    • To map controls during import, add a comma-separated list of control codes (for example, DCF-1, DCF-2, DCF-3) in the Control Mapping column.

    • All control codes you want to map must meet all of the following criteria before importing:

      • The control exists in Drata.

      • The control is enabled. (If you can't find a control, contact Drata Support.)

      • The control is in scope.

    • If a control that you would like to map does not meet all these criteria, the entire requirement row will be skipped. That requirement won't be created, and no controls in that row will be mapped.

Step 3: Confirm

  1. Save and upload the CSV file.

  2. Select Next.

  3. Confirm the upload:

    • Review the number of requirements that will be imported.

    • Review any skipped requirements and fix formatting issues as needed.

  4. Select Save.

Your custom framework is now ready. You can begin mapping additional controls or adding more requirements.


Add Requirements

To add a requirement to your custom framework:

  1. Go to your custom framework page.

  2. Select the Add Requirements button.

  3. In the dropdown, select Add requirement or Add/update in bulk.

  4. If you select Add/update in bulk, download and review the provided template.

    • Then update and upload the template with your own requirements.

    • Your template data must follow the Requirements and control mapping guidelines above.

  5. Confirm the upload:

    • Review how many requirements will be imported.

    • Review any skipped requirements and address formatting issues as needed.

  6. Select Save.

Note: Re-uploading will only add requirements that do not already exist in Drata. Any updates to existing requirements should be done within Drata.


Edit a Requirement

To edit a requirement in your custom framework:

  1. Go to your custom framework.

  2. Select the requirement you want to edit.

  3. Select the edit button and update the requirement details as needed.

  4. Select Save.


Update, Delete, or Mark Multiple Requirements Out of Scope

To perform a bulk action on multiple requirements:

  1. Go to your custom framework.

  2. Select the checkboxes next to the requirements you want to update.

  3. Select Change category, Delete, or Mark out of scope.

    • For Change category: Each requirement can only have one category. This action updates the category for all selected requirements.

  4. Select Save.


Mark, Delete, or Change Category for an Individual Requirement

To perform an action on a single requirement:

  1. Go to your custom framework.

  2. Select the ellipsis (...) next to the requirement.

  3. Select Mark out of scope, Delete, or Change category.

  4. If marking out of scope, enter a business rationale and select Submit.


Edit Framework Details

To update the details of a custom framework:

  1. Go to your custom framework.

  2. In the upper-right corner, select the gear icon.

  3. Select Edit details.

  4. Update the framework details as needed.

  5. Select Save.


Delete a custom framework

⚠️ Warning: Deleting a custom framework is permanent. Drata does not restore a deleted custom framework or its associated audit history, auditor comments, or mapped requirements. Make sure you export or document any information you need before proceeding.

Before deleting a custom framework, we recommend:

  • Exporting your requirements and any mapped controls

  • Saving any auditor comments or evidence associated with the framework

  • Confirming with your team that the framework is no longer needed

  1. Go to your custom framework.

  2. Select the gear icon in the upper-right corner of the list.

  3. Select Edit details.

  4. In the framework details pane, select the More options icon.

  5. Select Delete framework.

  6. Confirm the deletion.

Removing a framework can affect your overall compliance readiness. Retain a record of progress or requirements before proceeding, as re-enabling the framework later will typically require starting over.

Troubleshooting tip:
If you're unable to delete the framework, verify your existing dependencies. A framework can't be deleted if it's linked to:

  • Auditors

  • Mapped controls

  • Requirements


Utilize a Custom Framework

Explore the Frameworks section for more information

For example, users can create Custom Frameworks to align with the HITRUST CSF and manage the compliance process effectively in Drata, even though HITRUST audits themselves are conducted in the MyCSF platform.


Using Custom Frameworks for SOC 2

⚠️ Important: If you are pursuing SOC 2, we strongly recommend using Drata's native SOC 2 framework instead of building a custom one. If SOC 2 is not yet visible on your Frameworks page, contact your Customer Success Manager to enable it.

Drata's native SOC 2 framework offers several advantages over a custom framework:

  • It cannot be deleted, protecting your audit history and progress

  • It is pre-mapped to SOC 2 criteria, reducing manual setup time

  • It receives ongoing updates from Drata as SOC 2 requirements evolve

To get started, go to the Frameworks page and select the SOC 2 framework.

Custom frameworks are best suited for compliance standards that Drata does not natively support, or for organizations that need a highly tailored control structure outside of a standard framework.

Instructions for the Classic Experience ⬇️

Create a Custom Framework

  1. In Drata, go to the Frameworks page.

  2. In the upper-right corner, select Create new custom framework.

  3. Enter your framework details:

    • Name: This name appears on the Frameworks page.

    • Short name: This short name is used for filters on the Controls page.

    • Description: This description appears at the top of the specific framework overview page.

  4. (Optional) Upload your requirements. You can also add them later.

    • Download and review the provided template.

    • Replace the template data with your own requirements.

    • Ensure that your template data follows the requirements and control mapping guidelines.

Requirements and control mapping guidelines

When uploading requirements or mapping controls, you must:

  • Use the exact column headers from the template. The spelling, spacing, and capitalization must match exactly.

  • The following special characters aren't allowed anywhere in the CSV file: < > \

  • Code and Name columns are required.

    • The Code must be unique—both within the file and compared to any existing requirements in Drata.

    • Rows with duplicate codes will be skipped.

  • Category (Optional) column:

    • Only one category is allowed per requirement.

  • Control Mapping (Optional) column:

    • To map controls during import, add a comma-separated list of control codes (for example, DCF-1, DCF-2, DCF-3) in the Control Mapping column.

    • All control codes you want to map must meet all of the following criteria before importing:

      • The control exists in Drata.

      • The control is enabled. (If you can't find a control, contact Drata Support.)

      • The control is in scope.

    • If a control that you would like to map does not meet all these criteria, the entire requirement row will be skipped. That requirement won't be created, and no controls in that row will be mapped.
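
A pre-upload check for the requirements CSV that applies the guidelines above (the same rules appear under Step 2 of the New Experience). This is an added example, not Drata code: the optional header spellings, the `preflight` function and its `existing_codes` / `mappable_controls` inputs are assumptions, as is keeping the first occurrence of a repeated code.

```python
import csv
import io

REQUIRED = ("Code", "Name")
# Assumed spellings for the optional columns; copy the exact headers from the template.
OPTIONAL = ("Category", "Control Mapping")
FORBIDDEN = set("<>\\")

def preflight(csv_text, existing_codes=(), mappable_controls=None):
    """Return (accepted_codes, problems); problems is a sorted list of (line, message)."""
    problems, bad_lines = [], set()
    # Forbidden characters, checked per physical line (assumes one record per line).
    for n, line in enumerate(csv_text.splitlines(), start=1):
        found = sorted(FORBIDDEN & set(line))
        if found:
            bad_lines.add(n)
            problems.append((n, "forbidden character(s): " + " ".join(found)))
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    header_errors = [f"missing required header {c!r}" for c in REQUIRED if c not in headers]
    header_errors += [f"unexpected header {h!r}" for h in headers if h not in REQUIRED + OPTIONAL]
    if header_errors:  # headers must match exactly, so stop before reading rows
        return [], sorted(problems + [(1, m) for m in header_errors])
    seen, accepted = set(existing_codes), []
    for row in reader:
        n = reader.line_num
        code, name = (row["Code"] or "").strip(), (row["Name"] or "").strip()
        controls = [c.strip() for c in (row.get("Control Mapping") or "").split(",") if c.strip()]
        if n in bad_lines:
            continue  # already reported by the character check
        if not code or not name:
            problems.append((n, "Code and Name are required"))
        elif code in seen:
            problems.append((n, f"duplicate code {code!r}"))
        elif mappable_controls is not None and not set(controls) <= set(mappable_controls):
            unmapped = sorted(set(controls) - set(mappable_controls))
            problems.append((n, "control(s) not mappable: " + ", ".join(unmapped)))
        else:
            seen.add(code)
            accepted.append(code)
    return accepted, sorted(problems)

# Constructed sample file, not a Drata export.
SAMPLE = """Code,Name,Category,Control Mapping
REQ-1,Access reviews,Access,"DCF-1, DCF-2"
REQ-1,Duplicate of first row,Access,
REQ-2,Uses <b> markup,Logging,DCF-3
REQ-3,,Logging,
REQ-4,Vendor review,Vendors,DCF-99
"""
```

Pass `existing_codes` the requirement codes already in Drata and `mappable_controls` the control codes that exist, are enabled, and are in scope; rows reported here are the ones the import would be expected to skip.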

Upload and confirm

  1. Save and upload the CSV file.

  2. Select Next.

  3. Confirm the upload.

    • Review the number of requirements that will be imported.

    • Review any skipped requirements and fix formatting issues as needed.

  4. Select Save.

Your custom framework is now ready. You can begin mapping additional controls or adding more requirements.

Add individual requirement

To add a requirement to your custom framework:

  1. Go to your custom framework.

  2. Near the upper-right corner of the table, select the gear icon.

  3. Select Add requirement.

  4. Enter the requirement details.

  5. Select Save.

Upload multiple requirements

To bulk upload requirements to a custom framework:

  1. Go to your custom framework.

  2. Near the upper-right corner of the table, select the gear icon.

  3. Select Upload requirements.

  4. Download and review the provided template.

  5. Replace and upload the template data with your own requirements.

    • Your template data must follow the previous Requirements and control mapping guidelines section.

  6. Select Next.

  7. Confirm the upload.

    • Review how many requirements will be imported.

    • Review any skipped requirements and address formatting issues as needed.

  8. Select Save.

Note: Re-uploading will only add requirements that do not already exist in Drata. Any updates to existing requirements should be done within Drata.

Edit a requirement

To edit a requirement in your custom framework:

  1. Go to your custom framework.

  2. Select the requirement you want to edit.

  3. Select the edit icon and update the requirement details as needed.

  4. Select Save.

Update multiple requirement categories

To change the category for multiple requirements:

  1. Go to your custom framework.

  2. Select the checkboxes next to the requirements you want to update.

  3. At the top of the table, select Change category.

    • Each requirement can have only one category.

    • This action updates the existing category for all selected requirements.

  4. Save your changes.

Mark an individual requirement out of scope

To mark a requirement as out of scope:

  1. Go to your custom framework.

  2. Select the requirement you want to update.

  3. In the upper-right corner, select the trash bin icon (the tooltip will display Mark out of scope).

  4. Enter a business rationale.

  5. Select Submit.

Delete requirements

To delete one or more requirements from a custom framework:

  1. Go to your custom framework.

  2. Select the checkboxes next to the requirements you want to delete.

  3. At the top of the table, select Delete.

  4. Confirm the deletion.

Edit framework details

To update the details of a custom framework:

  1. Go to your custom framework.

  2. In the upper-right corner of the list, select the gear icon.

  3. Select Edit details.

  4. Update the framework details as needed.

  5. Select Save.

Remove a custom framework

  1. Go to your custom framework.

  2. Select the gear icon in the upper-right corner of the list.

  3. Select Edit details.

  4. In the framework details pane, select the More options icon.

  5. Select Delete framework.

  6. Confirm the deletion.

Removing a framework can affect your overall compliance readiness. Retain a record of progress or requirements before proceeding, as re-enabling the framework later will typically require starting over.

Troubleshooting tip:
If you're unable to delete the framework, verify your existing dependencies. A framework can't be deleted if it's linked to:

  • Auditors

  • Mapped controls

  • Requirements

Utilize a Custom Framework

Explore the Frameworks section for more information

For example, users can create Custom Frameworks to align with the HITRUST CSF and manage the compliance process effectively in Drata, even though HITRUST audits themselves are conducted in the MyCSF platform.
