Find controls by search terms and filters

List Controls given the provided search terms and filters

Security: bearer

Request

Query parameters
page
number >= 1
Default: 1

Which page of data are you requesting

limit
number [ 1 .. 50 ]
Default: 20

How many items are you requesting

q
string

Filter data by searching for control names, codes, or descriptions

Example: q=Least-Privileged Policy for Customer Data Access
frameworkTags
Array of strings

Filter data by controls associated with these framework tags

Items Enum: "NONE" "SOC_2" "ISO27001" "CCPA" "GDPR" "HIPAA" "PCI" "SCF" "NIST80053" "NISTCSF" "CMMC" "NIST800171" "MSSSPA" "FFIEC" "ISO27701" "COBIT" "SOX_ITGC" "ISO270012022" "CCM" "CYBER_ESSENTIALS" "ISO270172015" "ISO270182019" "FEDRAMP" "NISTAI" "PCI4" "NISTCSF2" "NIS2" "DORA" "CUSTOM"
Example: frameworkTags=SOC_2&frameworkTags=ISO27001
frameworkSlug
string

Filter data by controls associated with this custom framework slug

Example: frameworkSlug=soc2
trustServiceCriterion
string

Filter controls on their Trust Service Criteria

Enum: "AVAILABILITY" "CONFIDENTIALITY" "SECURITY" "PRIVACY" "PROCESS_INTEGRITY" "GENERAL_RULES" "ADMINISTRATIVE_SAFEGUARDS" "PHYSICAL_SAFEGUARDS" "TECHNICAL_SAFEGUARDS" "REQUIREMENTS_ORGANIZATION" "REQUIREMENTS_POLICIES_PROCEDURES" "BASIC" "DERIVED" "NIST80053_PRIVACY"
Example: trustServiceCriterion=AVAILABILITY
trustServiceCriteria
Array of strings

Filter controls on their Trust Service Criteria

Items Enum: "AVAILABILITY" "CONFIDENTIALITY" "SECURITY" "PRIVACY" "PROCESS_INTEGRITY" "GENERAL_RULES" "ADMINISTRATIVE_SAFEGUARDS" "PHYSICAL_SAFEGUARDS" "TECHNICAL_SAFEGUARDS" "REQUIREMENTS_ORGANIZATION" "REQUIREMENTS_POLICIES_PROCEDURES" "BASIC" "DERIVED" "NIST80053_PRIVACY"
Example: trustServiceCriteria=AVAILABILITY&trustServiceCriteria=CONFIDENTIALITY
ismsCategory
Array of strings

Filter controls on their ISMS requirements

Items Enum: "CONTEXT_OF_THE_ORGANIZATION" "LEADERSHIP" "PLANNING" "SUPPORT" "OPERATION" "PERFORMANCE_EVALUATION" "IMPROVEMENT"
Example: ismsCategory=CONTEXT_OF_THE_ORGANIZATION&ismsCategory=LEADERSHIP
isms2022Category
Array of strings

Filter controls on their ISMS requirements

Items Enum: "ISO_27001_2022_4_CONTEXT_OF_THE_ORGANIZATION" "ISO_27001_2022_5_LEADERSHIP" "ISO_27001_2022_6_PLANNING" "ISO_27001_2022_7_SUPPORT" "ISO_27001_2022_8_OPERATION" "ISO_27001_2022_9_PERFORMANCE_EVALUATION" "ISO_27001_2022_10_IMPROVEMENT"
Example: isms2022Category=ISO_27001_2022_4_CONTEXT_OF_THE_ORGANIZATION&isms2022Category=ISO_27001_2022_5_LEADERSHIP
isAnnexA2022
boolean

Filter controls on if they are an Annex A requirement

Example: isAnnexA2022=true
rules
Array of strings

Filter controls on their HIPAA rules

Items Enum: "SECURITY" "BREACH_NOTIFICATION" "PRIVACY"
Example: rules=BREACH_NOTIFICATION&rules=PRIVACY
subRules
Array of strings

Filter controls on their HIPAA sub-rules

Items Enum: "GENERAL_RULES" "ADMINISTRATIVE_SAFEGUARDS" "PHYSICAL_SAFEGUARDS" "TECHNICAL_SAFEGUARDS" "REQUIREMENTS_ORGANIZATION" "REQUIREMENTS_POLICIES_PROCEDURES"
Example: subRules=GENERAL_RULES&subRules=ADMINISTRATIVE_SAFEGUARDS
pciRequirements
Array of strings

Filter controls on their PCI requirements

Items Enum: "FIREWALL" "PASSWORDS" "DATA_AT_REST_PROTECTION" "DATA_IN_TRANSIT_ENCRYPTION" "MALWARE_PROTECTION" "SECURE_SYSTEM_MANAGEMENT" "ACCESS_RESTRICTION" "SYSTEM_ACCESS_CONTROL" "PHYSICAL_ACCESS_CONTROL" "NETWORK_ACCESS_MONITORING" "VULNERABILITY_TESTING" "INFORMATION_SECURITY_POLICY"
Example: pciRequirements=FIREWALL&pciRequirements=ACCESS_RESTRICTION
chapters
Array of strings

Filter controls on their GDPR chapters

Items Enum: "PRINCIPLES" "RIGHTS_OF_THE_DATA_SUBJECT" "CONTROLLER_AND_PROCESSOR" "TRANSFERS_OF_PERSONNEL_DATA_TO_THIRD_COUNTRIES_AND_INTERNATIONAL_ORGANIZATIONS"
Example: chapters=CONTROLLER_AND_PROCESSOR&chapters=PRINCIPLES
statutes
Array of strings

Filter controls on their CCPA statutes

Items Enum: "CCPA_INDIVIDUAL_RIGHTS" "CCPA_SERVICE_PROVIDER" "CCPA_SECURITY"
Example: statutes=CCPA_INDIVIDUAL_RIGHTS&statutes=CCPA_SERVICE_PROVIDER
regulations
Array of strings

Filter controls on their CCPA regulations

Items Enum: "CCPA_NOTICES_TO_CONSUMERS" "CCPA_BUSINESS_PRACTICES_FOR_HANDLING_CONSUMER_REQUESTS" "CCPA_VERIFICATION_OF_REQUESTS" "CCPA_SPECIAL_RULES_REGARDING_CONSUMERS_UNDER_16_YEARS_OF_AGE" "CCPA_NON_DISCRIMINATION" "CCPA_GENERAL_PROVISIONS" "CCPA_REQUIRED_DISCLOSURES_TO_CONSUMERS" "CCPA_SERVICE_PROVIDERS_CONTRACTORS_AND_THIRD_PARTIES" "CCPA_TRAINING_AND_RECORD_KEEPING"
Example: regulations=CCPA_BUSINESS_PRACTICES_FOR_HANDLING_CONSUMER_REQUESTS&regulations=CCPA_NON_DISCRIMINATION
functions
Array of strings

Filter controls on their NIST CSF Functions

Items Enum: "IDENTIFY" "PROTECT" "DETECT" "RESPOND" "RECOVER"
Example: functions=RECOVER&functions=RESPOND
functions2
Array of strings

Filter controls on their NIST CSF 2.0 Functions

Items Enum: "NIST_CSF_2_0_GOVERN_GV" "NIST_CSF_2_0_IDENTIFY_ID" "NIST_CSF_2_0_PROTECT_PR" "NIST_CSF_2_0_DETECT_DE" "NIST_CSF_2_0_RESPOND_RS" "NIST_CSF_2_0_RECOVER_RC"
Example: functions2=NIST_CSF_2_0_GOVERN_GV&functions2=NIST_CSF_2_0_IDENTIFY_ID
sections
Array of strings

Filter controls on their MSSSPA Section

Items Enum: "MANAGEMENT" "NOTICE" "CHOICE_AND_CONSENT" "COLLECTION" "RETENTION" "DATA_SUBJECTS" "DISCLOSURE_TO_THIRD_PARTIES" "QUALITY" "MONITORING_AND_ENFORCEMENT" "MS_SSPA_SECURITY"
Example: sections=DATA_SUBJECTS&sections=CHOICE_AND_CONSENT
controlFamilies
Array of strings

Filter controls on their NIST SP 800-171 Control Family

Items Enum: "NIST_800_171r2_AUDIT_AND_ACCOUNTABILITY" "NIST_800_171r2_CONFIGURATION_MANAGEMENT" "NIST_800_171r2_IDENTIFICATION_AND_AUTHENTICATION" "NIST_800_171r2_INCIDENT_RESPONSE" "NIST_800_171r2_MEDIA_PROTECTION" "NIST_800_171r2_PERSONNEL_SECURITY" "NIST_800_171r2_PHYSICAL_PROTECTION" "NIST_800_171r2_SECURITY_ASSESSMENT" "NIST_800_171r2_SYSTEM_AND_COMMUNICATIONS_PROTECTION" "NIST_800_171r2_SYSTEM_AND_INFORMATION_INTEGRITY" "NIST_800_171r2_ACCESS_CONTROL" "NIST_800_171r2_AWARENESS_AND_TRAINING" "NIST_800_171r2_MAINTENANCE" "NIST_800_171r2_RISK_ASSESSMENT"
Example: controlFamilies=NIST_800_171r2_ACCESS_CONTROL&controlFamilies=NIST_800_171r2_PERSONNEL_SECURITY
controlClasses
Array of strings

Filter controls on their NIST SP 800-171 Control Class

Items Enum: "NIST_800_171r2_TECHNICAL" "NIST_800_171r2_OPERATIONAL" "NIST_800_171r2_MANAGEMENT"
Example: controlClasses=NIST_800_171r2_TECHNICAL
iso27701
Array of strings

Filter controls on their ISO27701 requirements

Items Enum: "PIMS_SPECIFIC_REQUIREMENTS" "PIMS_SPECIFIC_GUIDANCE" "PII_CONTROLS_GUIDANCE" "PII_PROCESSORS_GUIDANCE" "ISO27701_8_CONDITIONS_FOR_COLLECTION_AND_PROCESSING" "ISO27701_8_OBLIGATIONS_TO_PII_PRINCIPLES" "ISO27701_8_PRIVACY_BY_DESIGN_AND_PRIVACY_BY_DEFAULT" "ISO27701_8_PII_SHARING_TRANSFER_AND_DISCLOSURE" "CONDITIONS_FOR_COLLECTION_AND_PROCESSING" "OBLIGATIONS_TO_PII_PRINCIPLES" "PRIVACY_BY_DESIGN_AND_PRIVACY_BY_DEFAULT" "PII_SHARING_TRANSFER_AND_DISCLOSURE"
Example: iso27701=CONDITIONS_FOR_COLLECTION_AND_PROCESSING
cobit
Array of strings

Filter controls on their COBIT requirements

Items Enum: "EVALUATE_DIRECT_AND_MONITOR" "ALIGN_PLAN_AND_ORGANIZE" "BUILD_ACQUIRE_AND_IMPLEMENT" "DELIVER_SERVICE_AND_SUPPORT" "MONITOR_EVALUATE_AND_ASSESS"
Example: cobit=ALIGN_PLAN_AND_ORGANIZE
soxitgc
Array of strings

Filter controls on their SOX requirements

Items Enum: "PROGRAM_DEVELOPMENT" "CHANGE_MANAGEMENT" "SYSTEM_OPERATIONS" "ACCESS_MANAGEMENT"
Example: soxitgc=PROGRAM_DEVELOPMENT
controlBaselines
Array of strings

Filter controls on their NIST SP 800-53 Control Baseline

Items Enum: "NIST_800_53_TECHNICAL" "NIST_800_53_OPERATIONAL" "NIST_800_53_MANAGEMENT"
Example: controlBaselines=NIST_800_53_OPERATIONAL
cmmcClasses
Array of strings

Filter controls on their CMMC 2.0 Control Class

Items Enum: "CMMC_2_0_TECHNICAL" "CMMC_2_0_OPERATIONAL" "CMMC_2_0_MANAGEMENT"
Example: cmmcClasses=CMMC_2_0_MANAGEMENT
domains
Array of strings

Filter controls on their FFIEC Domains

Items Enum: "FFIEC_CYBER_RISK_MANAGEMENT_AND_OVERSIGHT" "FFIEC_THREAT_INTELLIGENCE_AND_COLLABORATION" "FFIEC_CYBERSECURITY_CONTROLS" "FFIEC_EXTERNAL_DEPENDENCY_MANAGEMENT" "FFIEC_CYBER_INCIDENT_MANAGEMENT_AND_RESILIENCE"
Example: domains=FFIEC_CYBERSECURITY_CONTROLS
assessmentFactors
Array of strings

Filter controls on their FFIEC Assessment Factors

Items Enum: "FFIEC_GOVERNANCE" "FFIEC_RISK_MANAGEMENT" "FFIEC_RESOURCES" "FFIEC_TRAINING_AND_CULTURE" "FFIEC_THREAT_INTELLIGENCE" "FFIEC_MONITORING_AND_ANALYZING" "FFIEC_INFORMATION_SHARING" "FFIEC_PREVENTATIVE_CONTROLS" "FFIEC_DETECTIVE_CONTROLS" "FFIEC_CORRECTIVE_CONTROLS" "FFIEC_CONNECTIONS" "FFIEC_RELATIONSHIP_MANAGEMENT" "FFIEC_INCIDENT_RESILIENCE_PLANNING_AND_STRATEGY" "FFIEC_DETECTION_RESPONSE_AND_MITIGATION" "FFIEC_ESCALATION_AND_REPORTING"
Example: assessmentFactors=FFIEC_GOVERNANCE
articles
Array of strings

Filter controls by their NIS 2 Articles

Items Enum: "NIS_2_GOVERNANCE" "NIS_2_RISK_MANAGEMENT" "NIS_2_REPORTING"
Example: articles=NIS_2_GOVERNANCE
doraChapters
Array of strings

Filter controls by their DORA Standards

Items Enum: "DORA_REGULATION" "DORA_ICT_RMF_RTS"
Example: doraChapters=DORA_ICT_RMF_RTS
userIds
Array of numbers

User Ids of Control Owners

Example: userIds=1
isOwned
boolean

Filter controls on if they have a control owner

Example: isOwned=true
isReady
boolean

Filter controls on if they are ready

Example: isReady=true
isAnnexA
boolean

Filter controls on if they are an Annex A requirement

Example: isAnnexA=true
isArchived
boolean

Filter to controls that are or are not archived

isMonitored
boolean

Filter to controls that are or are not monitored

hasEvidence
boolean

Filter to controls with or without evidence

Example: hasEvidence=true
hasPolicy
boolean

Filter to controls with or without policy

Example: hasPolicy=true
hasPassingTest
boolean

Filter to controls with at least one passing test

Example: hasPassingTest=true
excludeIds
Array of numbers

Exclude controls by array of id

excludeRequirementId
number

Exclude controls if they are mapped to this requirement id

requirementId
number

Only include controls if they are mapped to this requirement id

excludeTestId
number

Exclude controls if they are mapped to this test id

testId
number

Only include controls if they are mapped to this test id

hasTicket
string

Only include controls if they are associated with a task management ticket

Enum: "IN_PROGRESS" "ARCHIVED"
connectionId
number

This is filled in automatically when a taskManagementStatus is used.

reviewersIds
Array of numbers

User Ids of Control Reviewers

Example: reviewersIds=1
taskOwnersIds
Array of numbers

User Ids of TaskOwners

Example: taskOwnersIds=1
workspaceId
number

ID of the workspace associated with the controls

Example: workspaceId=1
Responses
200
400

Malformed data and/or validation errors

401

Invalid Authorization

403

You are not allowed to perform this action

404

Record Not Found

500

Internal server error

default

Response Code: 412

You must accept the Drata terms and conditions to use the API

GET /controls
Response sample

application/json

{
  "data": [
    {
      "id": "123",
      "name": "Databases Monitored and Alarmed",
      "code": "DCF-1002",
      "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
      "slug": "databases-monitored-and-alarmed",
      "workspaceId": 2,
      "archivedAt": "2020-07-06 12:00:00.000000",
      "frameworkTags": [
        "SOC_2",
        "CCPA"
      ],
      "hasEvidence": false,
      "hasOwner": false,
      "isMonitored": false,
      "frameworkRequirements": "FrameworkRequirementsResponseDto[]",
      "topics": [
        1,
        2
      ],
      "isReady": "true",
      "hasTicket": "true"
    }
  ],
  "page": 1,
  "limit": 10,
  "total": 100
}
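The following client helper is an added example and is not Drata's own code or SDK. It builds the query string for GET /controls the way the page's examples show (array filters as repeated keys, JSON-style booleans), enforces the documented bounds (page >= 1, limit 1..50, the frameworkTags and hasTicket enums), walks every page using the page/limit/total fields of the response sample, and sends the bearer token the security scheme requires. The host in BASE_URL is a placeholder, since the page documents only the path, and the sample response bodies in DEMO_PAGES are constructed here so the pagination logic can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Iterator

BASE_URL = "https://api.example.invalid"  # placeholder host; the page gives only the path

# Enum values copied from the page's parameter table.
FRAMEWORK_TAGS = {
    "NONE", "SOC_2", "ISO27001", "CCPA", "GDPR", "HIPAA", "PCI", "SCF", "NIST80053", "NISTCSF",
    "CMMC", "NIST800171", "MSSSPA", "FFIEC", "ISO27701", "COBIT", "SOX_ITGC", "ISO270012022", "CCM",
    "CYBER_ESSENTIALS", "ISO270172015", "ISO270182019", "FEDRAMP", "NISTAI", "PCI4", "NISTCSF2",
    "NIS2", "DORA", "CUSTOM",
}
HAS_TICKET = {"IN_PROGRESS", "ARCHIVED"}  # hasTicket is a string enum, not a boolean


def _encode(value: Any) -> Any:
    # The page's examples use JSON-style booleans (isOwned=true), not Python's True.
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, list):
        return [_encode(v) for v in value]
    return value


def build_query(page: int = 1, limit: int = 20, **filters: Any) -> str:
    """Query string for GET /controls, enforcing the documented bounds and enums."""
    if page < 1:
        raise ValueError("page must be >= 1")
    if not 1 <= limit <= 50:
        raise ValueError("limit must be within 1..50")
    unknown = set(filters.get("frameworkTags", [])) - FRAMEWORK_TAGS
    if unknown:
        raise ValueError(f"unknown frameworkTags: {sorted(unknown)}")
    if "hasTicket" in filters and filters["hasTicket"] not in HAS_TICKET:
        raise ValueError("hasTicket must be IN_PROGRESS or ARCHIVED")
    params = [("page", page), ("limit", limit)]
    params += [(k, _encode(v)) for k, v in filters.items() if v is not None]
    # doseq=True emits one key=value pair per list element: frameworkTags=SOC_2&frameworkTags=ISO27001
    return urllib.parse.urlencode(params, doseq=True)


def parse_controls_page(body: bytes) -> tuple[list[dict], int, int, int]:
    """Split a response body into (data, page, limit, total), failing loudly on a bad shape."""
    doc = json.loads(body)
    missing = [k for k in ("data", "page", "limit", "total") if k not in doc]
    if missing:
        raise ValueError(f"response is missing {missing}")
    return doc["data"], int(doc["page"]), int(doc["limit"]), int(doc["total"])


def iter_controls(fetch: Callable[[str], bytes], limit: int = 50, **filters: Any) -> Iterator[dict]:
    """Yield every matching control, requesting pages until `total` is covered."""
    page = 1
    while True:
        data, _, _, total = parse_controls_page(fetch(f"/controls?{build_query(page, limit, **filters)}"))
        yield from data
        if not data or page * limit >= total:
            return
        page += 1


def bearer_fetcher(token: str, base_url: str = BASE_URL) -> Callable[[str], bytes]:
    """Real transport: bearer auth, as the page's security scheme requires."""
    def fetch(path_and_query: str) -> bytes:
        req = urllib.request.Request(base_url + path_and_query,
                                     headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            # 412 is the documented default response: the API terms have not been accepted yet.
            raise RuntimeError(f"GET {path_and_query} -> HTTP {err.code}") from err
    return fetch


def _constructed_page(page: int, limit: int, total: int, codes: list[str]) -> bytes:
    # Constructed sample bodies with the shape of the page's response sample (codes are made up).
    data = [{"id": str(100 + i), "code": c, "name": f"Constructed control {c}",
             "frameworkTags": ["SOC_2"], "isMonitored": False} for i, c in enumerate(codes)]
    return json.dumps({"data": data, "page": page, "limit": limit, "total": total}).encode()


DEMO_PAGES = {1: _constructed_page(1, 2, 3, ["EX-1", "EX-2"]), 2: _constructed_page(2, 2, 3, ["EX-3"])}


def demo() -> tuple[list[str], int]:
    """Offline run against DEMO_PAGES; returns (control codes seen, requests made)."""
    calls: list[str] = []

    def fake_fetch(path_and_query: str) -> bytes:
        calls.append(path_and_query)
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(path_and_query).query)
        return DEMO_PAGES[int(qs["page"][0])]

    codes = [c["code"] for c in iter_controls(fake_fetch, limit=2, frameworkTags=["SOC_2"], isArchived=False)]
    return codes, len(calls)


if __name__ == "__main__":
    print(demo())  # (['EX-1', 'EX-2', 'EX-3'], 2)
```

Against the live service, replace `fake_fetch` with `bearer_fetcher(token)`; the page-walking logic is unchanged. Stopping on `page * limit >= total` rather than on an empty page saves one request per listing, and the explicit enum and bounds checks turn a typo in a filter name or value into a local ValueError instead of a 400 from the API.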