Control Library

The Control Library is a catalog of pre-built Control Templates that can be provisioned into a Workspace. Each item carries default mappings to Tests, Policies, Evidence, and Framework Requirements.

List Control Library

Returns a paginated list of Control Templates with optional field and relational filters.

🔒 Requires Controls: List Controls permission.

💎 Requires your account have the Custom Frameworks feature. Contact your CSM for help upgrading.

Securitybearer
Request
query Parameters
cursor
string

This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results

size
number [ 1 .. 500 ]
Default: 50

Number of results to return

sort
string (ControlLibrarySortEnum)

Field to sort by.

Enum: "createdAt" "updatedAt" "name" "controlNumber"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
includeTotalCount
boolean
Default: false

Include total count of all matching records in response. Only honored on first page (when cursor is null).

Example: includeTotalCount=false
search
string

Prefix search across Control name AND code. Matches Controls where either the name OR the code starts with the provided value.

Example: search=DCF-
codes[]
Array of strings

Filter by exact Control codes (not prefix). Returns only Controls whose code matches one of the provided values. Use search for prefix matching.

Example: codes[]=DCF-1&codes[]=DCF-42
ids[]
Array of numbers

Filter by Control Template IDs. Returns only Controls whose ID matches one of the provided values.

Example: ids[]=1&ids[]=2&ids[]=3
excludeIds[]
Array of numbers

Exclude Control Templates with these IDs from the response.

Example: excludeIds[]=99
domain
string (ControlDomainEnum)

Filter by Control Domain. Accepts the Domain name (e.g. DATA_AND_PRIVACY).

Enum: "DATA_AND_PRIVACY" "INTERNAL_SECURITY_PROCEDURES" "ORGANIZATIONAL_SECURITY" "PRODUCT_SECURITY" "INFRASTRUCTURE_SECURITY" "PHYSICAL_SECURITY" "AVAILABILITY" "CONFIDENTIALITY" "PROCESSING_INTEGRITY" "PRIVACY" "GENERAL"
category
string (ControlCategoryEnum)

Filter by Control Category. Accepts the Category name (e.g. ACCESS_CONTROL).

Enum: "CUSTOMER_DATA_POLICIES" "INTERNAL_ADMIN_TOOL" "SOFTWARE_DEVELOPMENT_LIFE_CYCLE" "RESPONSIBLE_DISCLOSURE_POLICY" "ACCESS_CONTROL" "VULNERABILITY_MANAGEMENT" "SECURITY_ISSUES" "BUSINESS_CONTINUITY" "INCIDENT_RESPONSE_PLAN" "SECURITY_POLICIES" "SECURITY_PROGRAM" "PERSONNEL_SECURITY" "ENDPOINTS_LAPTOPS" "DATA_ENCRYPTION" "VENDOR_MANAGEMENT" "SOFTWARE_APPLICATION_SECURITY" "CUSTOMER_COMMUNICATION" "AUTHENTICATION_AND_AUTHORIZATION" "AVAILABILITY" "STORAGE" "BACKUP" "LOGGING" "MONITORING" "NETWORK" "PROTECTING_SECRETS" "DATA_CENTER_SECURITY" "SCALING" "BACKUPS" "DATA" "EMPLOYEE_RESPONSIBILITIES" "REGRESSION_TESTING" "APPLICATION_AND_SYSTEM_EDITS" "COMMUNICATION_OF_OBJECTIVES_RELATED_TO_PRIVACY_PRACTICES" "PRIVACY_RELATED_TO_CHOICE_AND_CONSENT" "PRIVACY_RELATED_TO_COLLECTION" "PRIVACY_RELATED_TO_USE_RETENTION_AND_DISPOSAL" "PRIVACY_CRITERIA_RELATED_TO_ACCESS" "PRIVACY_CRITERIA_RELATED_TO_DISCLOSURE_AND_NOTIFICATION" "PRIVACY_RELATED_TO_QUALITY" "PRIVACY_RELATED_TO_MONITORING_AND_ENFORCEMENT" "DEFINITIONS" "BREACH_NOTIFICATIONS" "TECHNICAL" "OPERATIONAL" "MANAGEMENT"
frameworkTag
string (FrameworkTagEnum)

Filter by Framework. Accepts the Framework Tag name (e.g. SOC_2, ISO27001, HIPAA). Returns Controls mapped to a Requirement on the given Framework.

Enum: "CUSTOM" "NONE" "SOC_2" "ISO27001" "CCPA" "GDPR" "HIPAA" "PCI" "SCF" "NIST80053" "NISTCSF" "CMMC" "NIST800171" "MSSSPA" "FFIEC" "ISO27701" "COBIT" "SOX_ITGC" "ISO270012022" "CCM" "CYBER_ESSENTIALS" "ISO270172015" "ISO270182019" "FEDRAMP" "NISTAI" "PCI4" "NISTCSF2" "NIS2" "DORA" "ISO420012023" "DRATA_ESSENTIALS" "NIST800171R3" "CIS8" "CYBER_ESSENTIALS_32" "FEDRAMP20X" "HITRUST" "MSSSPA11" "ESSENTIAL_EIGHT" "NYDFS" "TISAX" "ISO270182025" "CCPA2026" "ISO277012025" "CPS230" "CYFUN" "ALL"
hasTests
boolean

When true, returns only Controls with at least one default Test mapping.

hasPolicies
boolean

When true, returns only Controls with at least one default Policy mapping.

hasEvidence
boolean

When true, returns only Controls with at least one default Evidence mapping.

hasRisks
boolean

When true, returns only Controls mapped to at least one Risk in the Risk Library.

Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/control-library
Request samples 
Response samples 
application/json
{
  • "data": [
    • {
      • "id": 1042,
      • "code": "DCF-42",
      • "controlNumber": 42,
      • "name": "Access Control Policy",
      • "description": "Documented policy describing access controls...",
      • "question": "Does the company enforce documented access controls?",
      • "activity": "Review and approve access requests at least quarterly.",
      • "domain": "DATA_AND_PRIVACY",
      • "category": "CUSTOMER_DATA_POLICIES",
      • "inUse": true
      }
    ],
  • "pagination": {
    • "cursor": "string",
    • "totalCount": 0
    }
}
Get Control Library Item
Returns a single Control Template by id with optional expand-gated relations.


🔒 Requires Controls: List Controls permission.


💎 Requires your account have the Custom Frameworks feature. Contact your CSM for help upgrading.


Securitybearer 
Request 
path Parameters
templateId
required
number
 
query Parameters
expand[]
Array of strings (ControlLibraryDetailExpandEnum) 
List of subcollections and sub-objects to expand.


Items Enum: "testTemplates" "policyTemplates" "evidenceTemplates" "requirementTemplates" "controlsUsingTemplate"  
Responses 
200
Successful


400
Malformed data and/or validation errors


401
Invalid Authorization


402
You must upgrade your plan to use this feature


403
You are not allowed to perform this action


404
Not Found


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


get/control-library/{templateId}
Request samples 
Response samples 
application/json
{
  • "id": 1042,
  • "code": "DCF-42",
  • "controlNumber": 42,
  • "name": "Access Control Policy",
  • "description": "Documented policy describing access controls...",
  • "question": "Does the company enforce documented access controls?",
  • "activity": "Review and approve access requests at least quarterly.",
  • "domain": "DATA_AND_PRIVACY",
  • "category": "CUSTOMER_DATA_POLICIES",
  • "inUse": true,
  • "testTemplates": [
    • {
      • "id": 305,
      • "name": "MFA Enabled Across Workforce",
      • "description": "Verifies multi-factor authentication is enabled for all workforce identities.",
      • "rating": "RECOMMENDED",
      • "source": "DRATA"
      }
    ],
  • "policyTemplates": [
    • {
      • "id": 201,
      • "name": "Access Control Policy",
      • "description": "Documents the company approach to provisioning, reviewing, and revoking access..."
      }
    ],
  • "evidenceTemplates": [
    • {
      • "id": 412,
      • "evidenceTemplateCode": "DEC-12",
      • "name": "Quarterly Access Review",
      • "requestDescription": "Upload a signed copy of the most recent quarterly access review.",
      • "implementationGuidance": "Export the access list from your IdP and have a Control owner sign-off."
      }
    ],
  • "requirementTemplates": [
    • {
      • "id": 501,
      • "name": "CC6.1",
      • "description": "The entity implements logical access security software, infrastructure, and architectures...",
      • "longDescription": "Extended narrative covering scope and exceptions...",
      • "additionalInfo": "Additional context for auditors.",
      • "additionalInfo2": "string",
      • "additionalInfo3": "string",
      • "framework": {
        • "slug": "soc2",
        • "name": "SOC 2"
        }
      }
    ],
  • "controlsUsingTemplate": [
    • {
      • "controlId": 8801,
      • "code": "DCF-042",
      • "workspaceId": 100,
      • "workspaceName": "Production"
      }
    ]
}
Import Control Library Controls
Provisions one or more tenant Controls from Control Library templates. All-or-nothing semantics: any invalid spec rejects the whole request with no writes. Each provisioned Control includes the template default mappings (tests, policies, evidence, requirements).


🔒 Requires Controls: Create Control permission.


💎 Requires your account have the Custom Frameworks feature. Contact your CSM for help upgrading.


Securitybearer 
Request 
Request Body schema: application/json
required
required
Array of objects (ControlLibraryImportInputPublicV2Dto)   [ 1 .. 100 ] items 
List of import inputs. Each input provisions one tenant Control from a Control Library template. Defaults from the template are applied; per-input fields override them. Limits: at most 100 inputs per request, spanning no more than 10 distinct workspaceIds.


 
allowDuplicates
boolean
 Default:  false
When true, a template already provisioned in the target workspace produces an additional copy with a suffixed code. When false (default), duplicate inputs reject the entire request.


 
Responses 
201
Created


400
Malformed data and/or validation errors


401
Invalid Authorization


402
You must upgrade your plan to use this feature


403
You are not allowed to perform this action


412
You must accept the Drata terms and conditions to use the API


500
Internal server error


post/control-library/action-import
Request samples 
application/json
{
  • "data": [
    • {
      • "workspaceId": 100,
      • "templateId": 1042,
      • "name": "Quarterly User Access Reviews",
      • "description": "Access to critical systems is reviewed on a quarterly basis to ensure that only authorized users retain access.",
      • "question": "Is the access review performed on a quarterly basis?",
      • "activity": "On a quarterly schedule, generate access reports from identity providers.",
      • "customFields": [
        • {
          • "id": 1,
          • "name": "Compliance Status",
          • "value": "Security & IT"
          }
        ]
      }
    ],
  • "allowDuplicates": false
}
Response samples 
application/json
{
  • "data": [
    • {
      • "inputIndex": 0,
      • "templateIdentifier": 0,
      • "workspaceId": 0,
      • "controlId": 0,
      • "code": "DCF-042",
      • "status": "created",
      • "failureReason": "string",
      • "associations": {
        • "tests": {
          • "created": [
            • 0
            ],
          • "mapped": [
            • 0
            ],
          • "failures": [
            • {
              • "identifier": 0,
              • "reason": "string"
              }
            ]
          },
        • "policies": {
          • "created": [
            • 0
            ],
          • "mapped": [
            • 0
            ],
          • "failures": [
            • {
              • "identifier": 0,
              • "reason": "string"
              }
            ]
          },
        • "evidence": {
          • "created": [
            • 0
            ],
          • "mapped": [
            • 0
            ],
          • "failures": [
            • {
              • "identifier": 0,
              • "reason": "string"
              }
            ]
          },
        • "requirements": {
          • "created": [
            • 0
            ],
          • "mapped": [
            • 0
            ],
          • "failures": [
            • {
              • "identifier": 0,
              • "reason": "string"
              }
            ]
          }
        },
      • "customFields": [
        • {
          • "customFieldId": 1,
          • "name": "Stakeholders",
          • "value": "Security & IT"
          }
        ]
      }
    ]
}