Control Library

The Control Library is a catalog of pre-built Control Templates that can be provisioned into a Workspace. Each item carries default mappings to Tests, Policies, Evidence, and Framework Requirements.

List Control Library

Returns a paginated list of Control Templates with optional field and relational filters.

🔒 Requires Controls: List Controls permission.

💎 Requires your account to have the Custom Frameworks feature. Contact your CSM for help upgrading.

Security: bearer
Request
query Parameters
cursor
string

This parameter is used to paginate through results. No value is needed for the first request. If there are additional results, the response will contain a pagination.cursor value that can be used in the subsequent request to retrieve the next page of results.

size
number [ 1 .. 500 ]
Default: 50

Number of results to return

sort
string (ControlLibrarySortEnum)

Field to sort by.

Enum: "createdAt" "updatedAt" "name" "controlNumber"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
includeTotalCount
boolean
Default: false

Include total count of all matching records in response. Only honored on first page (when cursor is null).

Example: includeTotalCount=false
search
string

Prefix search across Control name AND code. Matches Controls where either the name OR the code starts with the provided value.

Example: search=DCF-
codes[]
Array of strings

Filter by exact Control codes (not prefix). Returns only Controls whose code matches one of the provided values. Use search for prefix matching.

Example: codes[]=DCF-1&codes[]=DCF-42
ids[]
Array of numbers

Filter by Control Template IDs. Returns only Controls whose ID matches one of the provided values.

Example: ids[]=1&ids[]=2&ids[]=3
excludeIds[]
Array of numbers

Exclude Control Templates with these IDs from the response.

Example: excludeIds[]=99
domain
string (ControlDomainEnum)

Filter by Control Domain. Accepts the Domain name (e.g. DATA_AND_PRIVACY).

Enum: "DATA_AND_PRIVACY" "INTERNAL_SECURITY_PROCEDURES" "ORGANIZATIONAL_SECURITY" "PRODUCT_SECURITY" "INFRASTRUCTURE_SECURITY" "PHYSICAL_SECURITY" "AVAILABILITY" "CONFIDENTIALITY" "PROCESSING_INTEGRITY" "PRIVACY" "GENERAL"
category
string (ControlCategoryEnum)

Filter by Control Category. Accepts the Category name (e.g. ACCESS_CONTROL).

Enum: "CUSTOMER_DATA_POLICIES" "INTERNAL_ADMIN_TOOL" "SOFTWARE_DEVELOPMENT_LIFE_CYCLE" "RESPONSIBLE_DISCLOSURE_POLICY" "ACCESS_CONTROL" "VULNERABILITY_MANAGEMENT" "SECURITY_ISSUES" "BUSINESS_CONTINUITY" "INCIDENT_RESPONSE_PLAN" "SECURITY_POLICIES" "SECURITY_PROGRAM" "PERSONNEL_SECURITY" "ENDPOINTS_LAPTOPS" "DATA_ENCRYPTION" "VENDOR_MANAGEMENT" "SOFTWARE_APPLICATION_SECURITY" "CUSTOMER_COMMUNICATION" "AUTHENTICATION_AND_AUTHORIZATION" "AVAILABILITY" "STORAGE" "BACKUP" "LOGGING" "MONITORING" "NETWORK" "PROTECTING_SECRETS" "DATA_CENTER_SECURITY" "SCALING" "BACKUPS" "DATA" "EMPLOYEE_RESPONSIBILITIES" "REGRESSION_TESTING" "APPLICATION_AND_SYSTEM_EDITS" "COMMUNICATION_OF_OBJECTIVES_RELATED_TO_PRIVACY_PRACTICES" "PRIVACY_RELATED_TO_CHOICE_AND_CONSENT" "PRIVACY_RELATED_TO_COLLECTION" "PRIVACY_RELATED_TO_USE_RETENTION_AND_DISPOSAL" "PRIVACY_CRITERIA_RELATED_TO_ACCESS" "PRIVACY_CRITERIA_RELATED_TO_DISCLOSURE_AND_NOTIFICATION" "PRIVACY_RELATED_TO_QUALITY" "PRIVACY_RELATED_TO_MONITORING_AND_ENFORCEMENT" "DEFINITIONS" "BREACH_NOTIFICATIONS" "TECHNICAL" "OPERATIONAL" "MANAGEMENT"
frameworkTag
string (FrameworkTagEnum)

Filter by Framework. Accepts the Framework Tag name (e.g. SOC_2, ISO27001, HIPAA). Returns Controls mapped to a Requirement on the given Framework.

Enum: "CUSTOM" "NONE" "SOC_2" "ISO27001" "CCPA" "GDPR" "HIPAA" "PCI" "SCF" "NIST80053" "NISTCSF" "CMMC" "NIST800171" "MSSSPA" "FFIEC" "ISO27701" "COBIT" "SOX_ITGC" "ISO270012022" "CCM" "CYBER_ESSENTIALS" "ISO270172015" "ISO270182019" "FEDRAMP" "NISTAI" "PCI4" "NISTCSF2" "NIS2" "DORA" "ISO420012023" "DRATA_ESSENTIALS" "NIST800171R3" "CIS8" "CYBER_ESSENTIALS_32" "FEDRAMP20X" "HITRUST" "MSSSPA11" "ESSENTIAL_EIGHT" "NYDFS" "TISAX" "ISO270182025" "CCPA2026" "ISO277012025" "CPS230" "CYFUN" "ALL"
hasTests
boolean

When true, returns only Controls with at least one default Test mapping.

hasPolicies
boolean

When true, returns only Controls with at least one default Policy mapping.

hasEvidence
boolean

When true, returns only Controls with at least one default Evidence mapping.

hasRisks
boolean

When true, returns only Controls mapped to at least one Risk in the Risk Library.

Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /control-library

Response sample (application/json)

{
  "data": [
    {
      "id": 1042,
      "code": "DCF-42",
      "controlNumber": 42,
      "name": "Access Control Policy",
      "description": "Documented policy describing access controls...",
      "question": "Does the company enforce documented access controls?",
      "activity": "Review and approve access requests at least quarterly.",
      "domain": "DATA_AND_PRIVACY",
      "category": "CUSTOMER_DATA_POLICIES",
      "inUse": true
    }
  ],
  "pagination": {
    "cursor": "string",
    "totalCount": 0
  }
}

Get Control Library Item

Returns a single Control Template by id with optional expand-gated relations.

🔒 Requires Controls: List Controls permission.

💎 Requires your account to have the Custom Frameworks feature. Contact your CSM for help upgrading.

Security: bearer
Request
path Parameters
templateId
required
number
query Parameters
expand[]
Array of strings (ControlLibraryDetailExpandEnum)

List of subcollections and sub-objects to expand.

Items Enum: "testTemplates" "policyTemplates" "evidenceTemplates" "requirementTemplates" "controlsUsingTemplate"
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

GET /control-library/{templateId}

Response sample (application/json)

{
  "id": 1042,
  "code": "DCF-42",
  "controlNumber": 42,
  "name": "Access Control Policy",
  "description": "Documented policy describing access controls...",
  "question": "Does the company enforce documented access controls?",
  "activity": "Review and approve access requests at least quarterly.",
  "domain": "DATA_AND_PRIVACY",
  "category": "CUSTOMER_DATA_POLICIES",
  "inUse": true,
  "testTemplates": [
    {
      "id": 305,
      "name": "MFA Enabled Across Workforce",
      "description": "Verifies multi-factor authentication is enabled for all workforce identities.",
      "rating": "RECOMMENDED",
      "source": "DRATA"
    }
  ],
  "policyTemplates": [
    {
      "id": 201,
      "name": "Access Control Policy",
      "description": "Documents the company approach to provisioning, reviewing, and revoking access..."
    }
  ],
  "evidenceTemplates": [
    {
      "id": 412,
      "evidenceTemplateCode": "DEC-12",
      "name": "Quarterly Access Review",
      "requestDescription": "Upload a signed copy of the most recent quarterly access review.",
      "implementationGuidance": "Export the access list from your IdP and have a Control owner sign-off."
    }
  ],
  "requirementTemplates": [
    {
      "id": 501,
      "name": "CC6.1",
      "description": "The entity implements logical access security software, infrastructure, and architectures...",
      "longDescription": "Extended narrative covering scope and exceptions...",
      "additionalInfo": "Additional context for auditors.",
      "additionalInfo2": "string",
      "additionalInfo3": "string",
      "framework": {
        "slug": "soc2",
        "name": "SOC 2"
      }
    }
  ],
  "controlsUsingTemplate": [
    {
      "controlId": 8801,
      "code": "DCF-042",
      "workspaceId": 100,
      "workspaceName": "Production"
    }
  ]
}
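The following client is an added example covering both endpoints above; it is not part of this reference and not Drata's own client code. It shows the pieces a caller has to get right: following pagination.cursor until it comes back empty, encoding array filters in the repeated key[]=value form the examples use (codes[]=DCF-1&codes[]=DCF-42, expand[]=testTemplates), sending includeTotalCount only on the first request since it is only honored there, and guarding the paging loop against a cursor that never advances. The base URL (read from DRATA_API_BASE, with a placeholder default), the token variable DRATA_API_TOKEN, and the SAMPLE_PAGES data are assumptions and constructed values that the page does not state; the JSON shape follows the response samples.

```python
# Added example, not Drata's own client code. Assumptions the page does not state:
# base URL in DRATA_API_BASE (placeholder default), token in DRATA_API_TOKEN,
# and SAMPLE_PAGES below is constructed data shaped like the response sample.
import json
import os
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = os.environ.get("DRATA_API_BASE", "https://api.example.invalid")
Fetcher = Callable[[str], dict]  # maps a full URL to the parsed JSON body


def build_query(params: Dict[str, object]) -> str:
    """Encode query parameters as the page shows them: list values become repeated
    key[]=value pairs (codes[]=DCF-1&codes[]=DCF-42), booleans are lowercased,
    and None values (e.g. the unset cursor on the first request) are omitted."""
    pairs: List[Tuple[str, str]] = []
    for key, value in params.items():
        if value is None:
            continue
        if isinstance(value, (list, tuple)):
            pairs.extend((f"{key}[]", str(v)) for v in value)
        elif isinstance(value, bool):
            pairs.append((key, "true" if value else "false"))
        else:
            pairs.append((key, str(value)))
    return urlencode(pairs, safe="[]")  # keep the brackets literal, as in the examples


def detail_url(template_id: int, expand: Optional[List[str]] = None) -> str:
    """URL for GET /control-library/{templateId}, with expand[] relations if requested."""
    url = f"{BASE_URL}/control-library/{int(template_id)}"
    query = build_query({"expand": expand})
    return f"{url}?{query}" if query else url


def http_fetch(url: str) -> dict:
    """Live transport: bearer auth, JSON only. 401/402/403/412 responses raise HTTPError."""
    headers = {"Authorization": f"Bearer {os.environ['DRATA_API_TOKEN']}",
               "Accept": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as resp:
        return json.load(resp)


def iter_control_templates(fetch: Fetcher, *, size: int = 50, include_total_count: bool = False,
                           max_pages: int = 1000, **filters) -> Iterator[dict]:
    """Yield every Control Template matching `filters`, following pagination.cursor.
    includeTotalCount is only honored on the first page, so it is sent only while the
    cursor is unset; a repeated cursor or too many pages aborts instead of looping forever."""
    cursor: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        params = {"size": size, "cursor": cursor,
                  "includeTotalCount": include_total_count if cursor is None else None,
                  **filters}
        body = fetch(f"{BASE_URL}/control-library?{build_query(params)}")
        yield from body.get("data", [])
        cursor = (body.get("pagination") or {}).get("cursor")
        if not cursor:
            return
        if cursor in seen:
            raise RuntimeError(f"pagination cursor {cursor!r} repeated")
        seen.add(cursor)
    raise RuntimeError("max_pages exceeded before the last page was reached")


def make_fake_fetch(pages: List[dict]) -> Tuple[Fetcher, List[str]]:
    """Constructed offline transport: page 0 is served when no cursor is sent, page N for
    cursor "cN". Also returns the list of URLs requested so the paging is visible."""
    requested: List[str] = []

    def fetch(url: str) -> dict:
        requested.append(url)
        cursor = parse_qs(urlparse(url).query).get("cursor", [None])[0]
        return pages[0 if cursor is None else int(cursor[1:])]

    return fetch, requested


SAMPLE_PAGES = [  # constructed, modelled on the response sample above
    {"data": [{"id": 1042, "code": "DCF-42", "name": "Access Control Policy", "inUse": True},
              {"id": 1043, "code": "DCF-43", "name": "Access Reviews", "inUse": False}],
     "pagination": {"cursor": "c1", "totalCount": 3}},
    {"data": [{"id": 1044, "code": "DCF-44", "name": "Least Privilege", "inUse": True}],
     "pagination": {"cursor": None, "totalCount": 0}},
]


def demo() -> Tuple[List[str], List[str]]:
    """Codes of every DATA_AND_PRIVACY template with a default Test mapping, plus the URLs hit."""
    fetch, requested = make_fake_fetch(SAMPLE_PAGES)
    codes = [c["code"] for c in iter_control_templates(
        fetch, size=2, include_total_count=True, domain="DATA_AND_PRIVACY", hasTests=True)]
    return codes, requested


if __name__ == "__main__":
    print(demo())
    print(detail_url(1042, expand=["testTemplates", "requirementTemplates"]))
```

To run against a live tenant, pass http_fetch instead of the fake fetcher; the transport deliberately does nothing special with 401, 402, 403 or 412, so a missing permission, plan feature or unaccepted terms surfaces as an HTTPError rather than an empty result set. The seen-cursor check and max_pages bound matter for automation: an unattended job that trusts the server to eventually return a null cursor can otherwise spin indefinitely.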