Find controls by search terms and filters

List Controls given the provided search terms and filters

Securitybearer

Request

query Parameters

page	number >= 1 Default: 1 Which page of data are you requesting
limit	number [ 1 .. 50 ] Default: 20 How many items are you requesting
q	string Filter data by searching for control names, codes, or descriptions Example: q=Least-Privileged Policy for Customer Data Access
frameworkTags	Array of strings Filter data by controls associated with these framework tags Items Enum: "NONE" "SOC_2" "ISO27001" "CCPA" "GDPR" "HIPAA" "PCI" "SCF" "NIST80053" "NISTCSF" "CMMC" "NIST800171" "MSSSPA" "FFIEC" "ISO27701" "COBIT" "SOX_ITGC" "ISO270012022" "CCM" "CYBER_ESSENTIALS" "ISO270172015" "ISO270182019" "FEDRAMP" "NISTAI" "PCI4" "NISTCSF2" "NIS2" "DORA" "ISO420012023" "DRATA_ESSENTIALS" "NIST800171R3" "CUSTOM" Example: frameworkTags=SOC_2&frameworkTags=ISO27001
frameworkSlug	string Filter data by controls associated with these custom framework Slug Example: frameworkSlug=soc2
trustServiceCriterion	string Filter controls on their Trust Service Criteria Enum: "AVAILABILITY" "CONFIDENTIALITY" "SECURITY" "PRIVACY" "PROCESS_INTEGRITY" "GENERAL_RULES" "ADMINISTRATIVE_SAFEGUARDS" "PHYSICAL_SAFEGUARDS" "TECHNICAL_SAFEGUARDS" "REQUIREMENTS_ORGANIZATION" "REQUIREMENTS_POLICIES_PROCEDURES" "BASIC" "DERIVED" "NIST80053_PRIVACY" Example: trustServiceCriterion=AVAILABILITY
trustServiceCriteria	Array of strings Filter controls on their Trust Service Criteria Items Enum: "AVAILABILITY" "CONFIDENTIALITY" "SECURITY" "PRIVACY" "PROCESS_INTEGRITY" "GENERAL_RULES" "ADMINISTRATIVE_SAFEGUARDS" "PHYSICAL_SAFEGUARDS" "TECHNICAL_SAFEGUARDS" "REQUIREMENTS_ORGANIZATION" "REQUIREMENTS_POLICIES_PROCEDURES" "BASIC" "DERIVED" "NIST80053_PRIVACY" Example: trustServiceCriteria=AVAILABILITY&trustServiceCriteria=CONFIDENTIALITY
ismsCategory	Array of strings Filter controls on their ISMS requirements Items Enum: "CONTEXT_OF_THE_ORGANIZATION" "LEADERSHIP" "PLANNING" "SUPPORT" "OPERATION" "PERFORMANCE_EVALUATION" "IMPROVEMENT" Example: ismsCategory=CONTEXT_OF_THE_ORGANIZATION&ismsCategory=LEADERSHIP
isms2022Category	Array of strings Filter controls on their ISMS requirements Items Enum: "ISO_27001_2022_4_CONTEXT_OF_THE_ORGANIZATION" "ISO_27001_2022_5_LEADERSHIP" "ISO_27001_2022_6_PLANNING" "ISO_27001_2022_7_SUPPORT" "ISO_27001_2022_8_OPERATION" "ISO_27001_2022_9_PERFORMANCE_EVALUATION" "ISO_27001_2022_10_IMPROVEMENT" Example: isms2022Category=ISO_27001_2022_4_CONTEXT_OF_THE_ORGANIZATION&isms2022Category=ISO_27001_2022_5_LEADERSHIP
isAnnexA2022	boolean Filter controls on if they are an Annex A requirement Example: isAnnexA2022=true
rules	Array of strings Filter controls on their Hipaa rules Items Enum: "SECURITY" "BREACH_NOTIFICATION" "PRIVACY" Example: rules=BREACH_NOTIFICATION&rules=PRIVACY
subRules	Array of strings Filter controls on their Hipaa rules Items Enum: "GENERAL_RULES" "ADMINISTRATIVE_SAFEGUARDS" "PHYSICAL_SAFEGUARDS" "TECHNICAL_SAFEGUARDS" "REQUIREMENTS_ORGANIZATION" "REQUIREMENTS_POLICIES_PROCEDURES" Example: subRules=GENERAL_RULES&subRules=ADMINISTRATIVE_SAFEGUARDS
pciRequirements	Array of strings Filter controls on their PCI requirements Items Enum: "FIREWALL" "PASSWORDS" "DATA_AT_REST_PROTECTION" "DATA_IN_TRANSIT_ENCRYPTION" "MALWARE_PROTECTION" "SECURE_SYSTEM_MANAGEMENT" "ACCESS_RESTRICTION" "SYSTEM_ACCESS_CONTROL" "PHYSICAL_ACCESS_CONTROL" "NETWORK_ACCESS_MONITORING" "VULNERABILITY_TESTING" "INFORMATION_SECURITY_POLICY" Example: pciRequirements=FIREWALL&pciRequirements=ACCESS_RESTRICTION
chapters	Array of strings Filter controls on their GDPR chapters Items Enum: "PRINCIPLES" "RIGHTS_OF_THE_DATA_SUBJECT" "CONTROLLER_AND_PROCESSOR" "TRANSFERS_OF_PERSONNEL_DATA_TO_THIRD_COUNTRIES_AND_INTERNATIONAL_ORGANIZATIONS" Example: chapters=CONTROLLER_AND_PROCESSOR&chapters=PRINCIPLES
statutes	Array of strings Filter controls on their CCPA statutes Items Enum: "CCPA_INDIVIDUAL_RIGHTS" "CCPA_SERVICE_PROVIDER" "CCPA_SECURITY" Example: statutes=CCPA_INDIVIDUAL_RIGHTS&statutes=CCPA_SERVICE_PROVIDER
regulations	Array of strings Filter controls on their CCPA regulations Items Enum: "CCPA_NOTICES_TO_CONSUMERS" "CCPA_BUSINESS_PRACTICES_FOR_HANDLING_CONSUMER_REQUESTS" "CCPA_VERIFICATION_OF_REQUESTS" "CCPA_SPECIAL_RULES_REGARDING_CONSUMERS_UNDER_16_YEARS_OF_AGE" "CCPA_NON_DISCRIMINATION" "CCPA_GENERAL_PROVISIONS" "CCPA_REQUIRED_DISCLOSURES_TO_CONSUMERS" "CCPA_SERVICE_PROVIDERS_CONTRACTORS_AND_THIRD_PARTIES" "CCPA_TRAINING_AND_RECORD_KEEPING" Example: regulations=CCPA_BUSINESS_PRACTICES_FOR_HANDLING_CONSUMER_REQUESTS&regulations=CCPA_NON_DISCRIMINATION
functions	Array of strings Filter controls on their NIST CSF Functions Items Enum: "IDENTIFY" "PROTECT" "DETECT" "RESPOND" "RECOVER" Example: functions=RECOVER&functions=RESPOND
functions2	Array of strings Filter controls on their NIST CSF 2.0 Functions Items Enum: "NIST_CSF_2_0_GOVERN_GV" "NIST_CSF_2_0_IDENTIFY_ID" "NIST_CSF_2_0_PROTECT_PR" "NIST_CSF_2_0_DETECT_DE" "NIST_CSF_2_0_RESPOND_RS" "NIST_CSF_2_0_RECOVER_RC" Example: functions2=NIST_CSF_2_0_GOVERN_GV&functions2=NIST_CSF_2_0_IDENTIFY_ID
sections	Array of strings Filter controls on their MSSSPA Section Items Enum: "MANAGEMENT" "NOTICE" "CHOICE_AND_CONSENT" "COLLECTION" "RETENTION" "DATA_SUBJECTS" "DISCLOSURE_TO_THIRD_PARTIES" "QUALITY" "MONITORING_AND_ENFORCEMENT" "MS_SSPA_SECURITY" Example: sections=DATA_SUBJECTS&sections=CHOICE_AND_CONSENT
controlFamilies	Array of strings Filter controls on their NIST SP 800-171 Control Family Items Enum: "NIST_800_171r2_AUDIT_AND_ACCOUNTABILITY" "NIST_800_171r2_CONFIGURATION_MANAGEMENT" "NIST_800_171r2_IDENTIFICATION_AND_AUTHENTICATION" "NIST_800_171r2_INCIDENT_RESPONSE" "NIST_800_171r2_MEDIA_PROTECTION" "NIST_800_171r2_PERSONNEL_SECURITY" "NIST_800_171r2_PHYSICAL_PROTECTION" "NIST_800_171r2_SECURITY_ASSESSMENT" "NIST_800_171r2_SYSTEM_AND_COMMUNICATIONS_PROTECTION" "NIST_800_171r2_SYSTEM_AND_INFORMATION_INTEGRITY" "NIST_800_171r2_ACCESS_CONTROL" "NIST_800_171r2_AWARENESS_AND_TRAINING" "NIST_800_171r2_MAINTENANCE" "NIST_800_171r2_RISK_ASSESSMENT" Example: controlFamilies=NIST_800_171r2_ACCESS_CONTROL&controlFamilies=NIST_800_171r2_PERSONNEL_SECURITY
controlClasses	Array of strings Filter controls on their NIST SP 800-171 Control Class Items Enum: "NIST_800_171r2_TECHNICAL" "NIST_800_171r2_OPERATIONAL" "NIST_800_171r2_MANAGEMENT" Example: controlClasses=NIST_800_171r2_TECHNICAL
iso27701	Array of strings Filter controls on their ISO27701 requirements Items Enum: "PIMS_SPECIFIC_REQUIREMENTS" "PIMS_SPECIFIC_GUIDANCE" "PII_CONTROLS_GUIDANCE" "PII_PROCESSORS_GUIDANCE" "ISO27701_8_CONDITIONS_FOR_COLLECTION_AND_PROCESSING" "ISO27701_8_OBLIGATIONS_TO_PII_PRINCIPLES" "ISO27701_8_PRIVACY_BY_DESIGN_AND_PRIVACY_BY_DEFAULT" "ISO27701_8_PII_SHARING_TRANSFER_AND_DISCLOSURE" "CONDITIONS_FOR_COLLECTION_AND_PROCESSING" "OBLIGATIONS_TO_PII_PRINCIPLES" "PRIVACY_BY_DESIGN_AND_PRIVACY_BY_DEFAULT" "PII_SHARING_TRANSFER_AND_DISCLOSURE" Example: iso27701=CONDITIONS_FOR_COLLECTION_AND_PROCESSING
cobit	Array of strings Filter controls on their COBIT requirements Items Enum: "EVALUATE_DIRECT_AND_MONITOR" "ALIGN_PLAN_AND_ORGANIZE" "BUILD_ACQUIRE_AND_IMPLEMENT" "DELIVER_SERVICE_AND_SUPPORT" "MONITOR_EVALUATE_AND_ASSESS" Example: cobit=ALIGN_PLAN_AND_ORGANIZE
soxitgc	Array of strings Filter controls on their SOX requirements Items Enum: "PROGRAM_DEVELOPMENT" "CHANGE_MANAGEMENT" "SYSTEM_OPERATIONS" "ACCESS_MANAGEMENT" Example: soxitgc=PROGRAM_DEVELOPMENT
controlBaselines	Array of strings Filter controls on their NIST SP 800-53 Control Baseline Items Enum: "NIST_800_53_TECHNICAL" "NIST_800_53_OPERATIONAL" "NIST_800_53_MANAGEMENT" Example: controlBaselines=NIST_800_53_OPERATIONAL
cmmcClasses	Array of strings Filter controls on their NIST SP 800-53 Control Baseline Items Enum: "CMMC_2_0_TECHNICAL" "CMMC_2_0_OPERATIONAL" "CMMC_2_0_MANAGEMENT" Example: cmmcClasses=CMMC_2_0_MANAGEMENT
domains	Array of strings Filter controls on their FFIEC Domains Items Enum: "FFIEC_CYBER_RISK_MANAGEMENT_AND_OVERSIGHT" "FFIEC_THREAT_INTELLIGENCE_AND_COLLABORATION" "FFIEC_CYBERSECURITY_CONTROLS" "FFIEC_EXTERNAL_DEPENDENCY_MANAGEMENT" "FFIEC_CYBER_INCIDENT_MANAGEMENT_AND_RESILIENCE" Example: domains=FFIEC_CYBERSECURITY_CONTROLS
assessmentFactors	Array of strings Filter controls on their FFIEC Assessment Factors Items Enum: "FFIEC_GOVERNANCE" "FFIEC_RISK_MANAGEMENT" "FFIEC_RESOURCES" "FFIEC_TRAINING_AND_CULTURE" "FFIEC_THREAT_INTELLIGENCE" "FFIEC_MONITORING_AND_ANALYZING" "FFIEC_INFORMATION_SHARING" "FFIEC_PREVENTATIVE_CONTROLS" "FFIEC_DETECTIVE_CONTROLS" "FFIEC_CORRECTIVE_CONTROLS" "FFIEC_CONNECTIONS" "FFIEC_RELATIONSHIP_MANAGEMENT" "FFIEC_INCIDENT_RESILIENCE_PLANNING_AND_STRATEGY" "FFIEC_DETECTION_RESPONSE_AND_MITIGATION" "FFIEC_ESCALATION_AND_REPORTING" Example: assessmentFactors=FFIEC_GOVERNANCE
articles	Array of strings Filters controls by their NIS 2 Articles Items Enum: "NIS_2_GOVERNANCE" "NIS_2_RISK_MANAGEMENT" "NIS_2_REPORTING" Example: articles=NIS_2_GOVERNANCE
doraChapters	Array of strings Filters controls by their DORA Standards Items Enum: "DORA_REGULATION" "DORA_ICT_RMF_RTS" Example: doraChapters=DORA_ICT_RMF_RTS
drataFunctions	Array of strings Filters controls by their Drata Essentials Function Items Enum: "DRATA_ESSENTIALS_PROTECT" "DRATA_ESSENTIALS_RECOVER" "DRATA_ESSENTIALS_RESPOND" "DRATA_ESSENTIALS_IDENTIFY" "DRATA_ESSENTIALS_DETECT" "DRATA_ESSENTIALS_GOVERN" Example: drataFunctions=DRATA_ESSENTIALS_DETECT
iso420012023	Array of strings Filters controls by their ISO42001 Sections Items Enum: "ISO_420012023_RESOURCES_FOR_AI_SYSTEMS" "ISO_420012023_INTERNAL_ORGANIZATION" "ISO_420012023_AI_SYSTEM_LIFE_CYCLE" "ISO_420012023_ASSESSING_IMPACTS_OF_AI_SYSTEMS" "ISO_420012023_DATA_FOR_AI_SYSTEMS" "ISO_420012023_INFORMATION_FOR_INTERESTED_PARTIES_OF_AI_SYSTEMS" "ISO_420012023_USE_OF_AI_SYSTEMS" "ISO_420012023_THIRDPARTY_AND_CUSTOMER_RELATIONSHIPS" "ISO_420012023_POLICIES_RELATED_TO_AI" "ISO_420012023_SUPPORT" "ISO_420012023_OPERATION" "ISO_420012023_CONTEXT_OF_THE_ORGANIZATION" "ISO_420012023_PERFORMANCE_EVALUATION" "ISO_420012023_PLANNING" "ISO_420012023_LEADERSHIP" "ISO_420012023_IMPROVEMENT" Example: iso420012023=ISO_420012023_AI_SYSTEM_LIFE_CYCLE
nist800171r3ControlFamilies	Array of strings Filter controls on their NIST SP 800-171 R3 Control Family Items Enum: "NIST_800171R3_INCIDENT_RESPONSE" "NIST_800171R3_SUPPLY_CHAIN_RISK_MANAGEMENT" "NIST_800171R3_MEDIA_PROTECTION" "NIST_800171R3_AUDIT_AND_ACCOUNTABILITY" "NIST_800171R3_ACCESS_CONTROL" "NIST_800171R3_PHYSICAL_PROTECTION" "NIST_800171R3_CONFIGURATION_MANAGEMENT" "NIST_800171R3_SYSTEM_AND_COMMUNICATIONS_PROTECTION" "NIST_800171R3_IDENTIFICATION_AND_AUTHENTICATION" "NIST_800171R3_PLANNING" "NIST_800171R3_MAINTENANCE" "NIST_800171R3_RISK_ASSESSMENT" "NIST_800171R3_SYSTEM_AND_INFORMATION_INTEGRITY" "NIST_800171R3_SECURITY_ASSESSMENT_AND_MONITORING" "NIST_800171R3_SYSTEM_AND_SERVICES_ACQUISITION" "NIST_800171R3_AWARENESS_AND_TRAINING" "NIST_800171R3_PERSONNEL_SECURITY" Example: nist800171r3ControlFamilies=NIST_800171R3_ACCESS_CONTROL&nist800171r3ControlFamilies=NIST_800171R3_PERSONNEL_SECURITY
nist800171r3ControlClasses	Array of strings Filter controls on their NIST SP 800-171 R3 Control Class Items Enum: "NIST_800171R3_OPERATIONAL" "NIST_800171R3_MANAGEMENT" "NIST_800171R3_TECHNICAL" Example: nist800171r3ControlClasses=NIST_800171R3_TECHNICAL
userIds	Array of numbers User Ids of Control Owners Example: userIds=1
isOwned	boolean Filter controls on if they have a control owner Example: isOwned=true
isReady	boolean Filter controls on if they are ready Example: isReady=true
isAnnexA	boolean Filter controls on if they are an Annex A requirement Example: isAnnexA=true
isArchived	boolean Filter to controls that are or are not archived Example: isArchived=false
isMonitored	boolean Filter to controls that are or are not monitored Example: isMonitored=false
hasEvidence	boolean Filter to controls with or without evidence Example: hasEvidence=true
hasPolicy	boolean Filter to controls with or without policy Example: hasPolicy=true
hasPassingTest	boolean Filter to controls with at least one passing test Example: hasPassingTest=true
excludeIds	Array of numbers Exclude controls by array of id Example:
excludeRequirementId	number Exclude controls if they are mapped to this requirement id Example:
requirementId	number Only include controls if they are mapped to this requirement id Example:
excludeTestId	number Exclude controls if they are mapped to this test id Example:
testId	number Only include controls if they are mapped to this test id Example:
hasTicket	string Only include controls if they associted to a task management ticket Enum: "IN_PROGRESS" "ARCHIVED" Example: hasTicket=0
connectionId	number This will be filled in automatic when using a taskManagementStatus.
reviewersIds	Array of numbers User Ids of Control Reviewers Example: reviewersIds=1
taskOwnersIds	Array of numbers User Ids of TaskOwners Example: taskOwnersIds=1
workspaceId	number ID of the workspace associated with the controls Example: workspaceId=1

Responses

200

400

Malformed data and/or validation errors

401

Invalid Authorization

402

Response Code 402

You must pay to activate this feature

403

You are not allowed to perform this action

404

Record Not Found

412

Response Code: 412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/controls

Request samples

Response samples

application/json

{"data": [{"id": "123",
"name": "Databases Monitored and Alarmed",
"code": "DCF-1002",
"description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.",
"slug": "databases-monitored-and-alarmed",
"workspaceId": 2,
"archivedAt": "2025-07-01T16:45:55.246Z",
"frameworkTags": ["SOC_2",
"CCPA"
],
"hasEvidence": false,
"hasOwner": false,
"isMonitored": false,
"frameworkRequirements": "FrameworkRequirementsResponseDto[]",
"topics": [1,
2
],
"isReady": "true",
"hasTicket": "true"
}
],
"page": 1,
"limit": 10,
"total": 100
}