Framework Information

Understand the compliance frameworks supported within Drata

64 articles

General

Background information on compliance frameworks and their role in Drata.

FrameworksDrata is expanding into multiple security frameworks, navigate to yours

Framework RequirementsView and manage a framework's requirements.

Marking Requirements In and Out of ScopeHow to scope requirements to meet your needs

Framework ReadinessUnderstand how framework readiness is calculated and what you can do to keep your frameworks on track

Level Picker for Frameworks with Tiered RequirementsHow to scope frameworks with tiered requirements

HITRUST e1/i1 OverviewOverview of HITRUST

NIS2 Update: What ENISA’s New Guidance Means for You!

Custom Frameworks

Guidance on creating and managing custom frameworks.

Custom FrameworkThis article covers creating and managing Custom Frameworks.

ACSC Essential Eight

ACSC Essential Eight is a cybersecurity framework developed by the Australian Cyber Security Centre (ACSC) to help organizations protect themselves against common cyber threats.

ACSC Essential Eight OverviewOverview of the ACSC Essential Eight cybersecurity strategies.

ACSC Essential Eight: A Requirement-Level Guide

Example Evidence for Not Monitored Controls (Essential Eight)

CIS 8.1

Resources and instructions for meeting CIS 8.1 requirements with Drata.

CIS v8.1 Framework Overview

Example Evidence for Not Monitored Controls (CIS 8.1)The following is a list of example evidence for controls not monitored in Drata for CIS 8.1.

CCPA

Resources and instructions for meeting CCPA requirements with Drata.

2023: CCPA UpdatesWhat you need to know about the latest updates to the CCPA framework in Drata

CMMC

Resources and instructions for meeting CMMC requirements with Drata.

CMMC Framework UpdatesWhat you need to know about the CMMC framework updates releasing on 10/16/2024.

Cyber Essentials

Resources and instructions for meeting UK Cyber Essentials requirements with Drata.

Cyber Essentials v3.2: What’s Changed and How to PrepareCE is a UK government-backed certification that helps organizations protect themselves from cyber threats. It focuses on 5 key areas: firewalls, secure setup, keeping software updated, controlling who can access…

DORA

Resources and instructions for meeting DORA requirements with Drata.

DORA ICT Risk Management Framework (RMF)

EU DORA Framework Overview

DORA's Five Pillars of ComplianceThe Digital Operational Resilience Act (DORA) is an EU Regulation aimed at ensuring financial entities can withstand, respond to, and recover from information and communication technology (ICT) disruptions.

FedRAMP

Resources and instructions for meeting FedRAMP requirements with Drata.

FedRAMP 20x: A Modernized Path to Federal Cloud Security Overview

HIPAA

Resources and instructions for meeting HIPAA requirements with Drata.

HIPAA Checklist

Example Evidence for Not Monitored Controls (HIPAA)Example Evidence for Not Monitored Controls (HIPAA)

ISO 27001

Resources and instructions for meeting ISO 27001 requirements with Drata.

ISO 27001:2013 Example ISMS Plan

ISO 27001:2022 Example ISMS Plan

ISO 27001:2022What you need to know about the latest version of ISO 27001

Security Engineering Principles

Transition Guidance for ISO 27001:2013 to ISO 27001:2022

Question to ask a Potential ISO 27001 Certification Body (i.e. Auditor)

ISO 27001 Certification Review Template

ISO 27001 Background Check FAQs

Example Evidence for Not Monitored Controls (ISO 27001) - Revised (Following 5/7/2024 Updates)

ISO 27701:2019

Resources and instructions for meeting ISO 27701 requirements with Drata.

ISO 27701:2019 Framework UpdatesWhat you need to know about the ISO 27701:2019 framework updates released on 7/11/2024

ISO 42001

Resources and instructions for meeting ISO 42001 requirements with Drata.

ISO 42001 Framework Overview

Ready for ISO 42001? Let’s Talk Next Steps

Microsoft SSPA

Resources and instructions for meeting Microsoft SSPA requirements with Drata.

Microsoft Supplier Security & Privacy Assurance (SSPA) Program v11 Overview

Example Evidence Not Monitored Controls (Microsoft Supplier Security and Privacy Assurance (SSPA))

NIST CSF 2.0

NIST SP 800-171 Rev. 2

Resources and instructions for meeting 800-171 requirements with Drata.

NIST SP 800-171 Rev. 2 Framework Updates

Example Evidence for Not Monitored Controls (NIST 800-171 Rev 3)

NIST SP 800-53

Resources and instructions for meeting NIST 800-53 requirements with Drata.

NIST SP 800-53 (Rev. 5) Control & Policy Mapping UpdatesWhat you need to know about the latest updates to the NIST SP 800-53r5 framework in Drata

System Security Planning Policy Guidance

Example Evidence for Not Monitored Controls (NIST 800-53r5)

PCI DSS

PCI DSS v4.0

Required Documentation for PCI DSS

PCI DSS v4.0.1 Updates: What You Need to KnowThis article provides an overview of the updates in PCI DSS v4.0.1.

PCI DSS v4.0.1 Targeted Risk Analysis (TRA)

PCI DSS v4.0.1 ChecklistA checklist for achieving PCI DSS within Drata

PCI DSS v4.0.1 Responsibility Matrix Guidance

Example Evidence for Not Monitored Controls (PCI DSS v4.0.1 )

SOC 2 2017

Resources and instructions for meeting SOC 2 requirements with Drata.

SOC 2 Trust Services Categories Overview

SOC 2 Background Checks FAQs

Questions to ask a potential SOC 2 auditor

What to look for when reviewing your draft SOC 2 report

SOC 2 System Description

Reviewing Your Vendors' SOC 2 Reports Using Drata

SOC 2 Type 1 vs Type 2: Which Audit Type Should I Choose

SOC 2: All controlsTemplated controls pre-mapped to SOC 2 criteria spanning all 5 TSCs

Set SOC 2 Trust Service Criteria to Security Only

What Is a SOC 2 Bridge Letter? [+ Template]SOC 2 Bridge Letter Guidance and Template

Example Evidence for Not Monitored Controls (SOC 2)Example Evidence for Not Monitored Controls (SOC 2)

Evidence for SOC 2 Compliance: Managed Platforms and Application Configurations