> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create a custom control for an audit

> Create a custom control for an audit.

Rate limit: 10 requests / minute.



## OpenAPI

````yaml https://spec.speakeasy.com/vanta/vanta/conduct-an-audit-with-code-samples post /audits/{auditId}/controls/custom-controls
openapi: 3.0.0
info:
  title: Conduct an audit
  version: 1.0.0
  description: >-
    The Auditor API lets audit firms conduct audits from a tool outside of
    Vanta. Unlock data syncing with Vanta through this API.


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: Vanta (Commercial)
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /audits/{auditId}/controls/custom-controls:
    post:
      tags:
        - Audits
      summary: Create a custom control for an audit
      description: |-
        Create a custom control for an audit.

        Rate limit: 10 requests / minute.
      operationId: CreateCustomControl
      parameters:
        - in: path
          name: auditId
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateCustomControlInput'
      responses:
        '201':
          description: Custom control created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Control'
              examples:
                Example 1:
                  value:
                    id: a2f7e1b9d0c3f4e5a6c7b8d9
                    externalId: CRY-104
                    name: Data encryption utilized
                    description: >-
                      Access reviews are performed to ensure that access is
                      appropriate for the user's role and responsibilities.
                    source: Vanta
                    domains:
                      - CRYPTOGRAPHIC_PROTECTIONS
                    owner:
                      id: 65e1efde08e8478f143a8ff9
                      emailAddress: example-person@email.com
                      displayName: Example Owner
                    role: CONTROLLER
                    customFields:
                      - label: Additional context
                        value: This control is critical for GDPR compliance
                    creationDate: null
                    modificationDate: null
      security:
        - bearerAuth: []
      x-codeSamples:
        - lang: typescript
          label: CreateCustomControl
          source: |-
            import { Vanta } from "vanta-auditor-api-sdk";

            const vanta = new Vanta({
              bearerAuth: process.env["VANTA_BEARER_AUTH"] ?? "",
            });

            async function run() {
              const result = await vanta.audits.createCustomControl({
                auditId: "<id>",
                createCustomControlInput: {
                  externalId: "<id>",
                  name: null,
                  description: "yet plus utter queasily what juvenile wound",
                  effectiveDate: new Date("2024-11-10T13:58:54.564Z"),
                  category: "CLOUD_SECURITY",
                },
              });

              console.log(result);
            }

            run();
        - lang: java
          label: CreateCustomControl
          source: >-
            package hello.world;


            import com.vanta.vanta_auditor_api.Vanta;

            import com.vanta.vanta_auditor_api.models.components.ControlDomain;

            import
            com.vanta.vanta_auditor_api.models.components.CreateCustomControlInput;

            import
            com.vanta.vanta_auditor_api.models.operations.CreateCustomControlResponse;

            import java.lang.Exception;

            import java.time.OffsetDateTime;

            import java.util.Optional;


            public class Application {

                public static void main(String[] args) throws Exception {

                    Vanta sdk = Vanta.builder()
                            .bearerAuth(System.getenv().getOrDefault("BEARER_AUTH", ""))
                        .build();

                    CreateCustomControlResponse res = sdk.audits().createCustomControl()
                            .auditId("<id>")
                            .createCustomControlInput(CreateCustomControlInput.builder()
                                .externalId("<id>")
                                .name(Optional.empty())
                                .description("yet plus utter queasily what juvenile wound")
                                .effectiveDate(OffsetDateTime.parse("2024-11-10T13:58:54.564Z"))
                                .category(ControlDomain.CLOUD_SECURITY)
                                .build())
                            .call();

                    if (res.control().isPresent()) {
                        System.out.println(res.control().get());
                    }
                }
            }
components:
  schemas:
    CreateCustomControlInput:
      properties:
        externalId:
          type: string
          description: The external id of the control.
        name:
          type: string
          nullable: true
          description: The name of the control.
        description:
          type: string
          description: The description of the control.
        effectiveDate:
          type: string
          format: date-time
          description: The effective date of the control.
        category:
          $ref: '#/components/schemas/ControlDomain'
          description: >-
            The category of the control. See the ControlDomain enum for possible
            values.
        sections:
          items:
            $ref: '#/components/schemas/FrameworkSection'
          type: array
          nullable: true
          description: Framework sections that the control should be mapped to.
        role:
          allOf:
            - $ref: '#/components/schemas/GdprRole'
          nullable: true
          description: >-
            The GDPR role of the control, which specifies whether the data is
            being "collected" or "processed". See the GdprRole enum for possible
            values.

            This field should only be included for controls that are to be
            mapped to the GDPR framework.
      required:
        - externalId
        - name
        - description
        - effectiveDate
        - category
      type: object
      additionalProperties: false
    Control:
      properties:
        id:
          type: string
          description: The control's unique ID.
        externalId:
          type: string
          nullable: true
          description: The control's external ID.
        name:
          type: string
          description: The control's name.
        description:
          type: string
          description: The control's description.
        source:
          $ref: '#/components/schemas/ControlSource'
          description: The control's source, either "VANTA" or "CUSTOM".
        domains:
          items:
            type: string
          type: array
          description: The security domains that the control belongs to.
        owner:
          allOf:
            - $ref: '#/components/schemas/Owner'
          nullable: true
          description: The control's owner.
        role:
          type: string
          nullable: true
          description: The control's GDPR role, if the control is a GDPR control.
        customFields:
          items:
            $ref: '#/components/schemas/CustomField'
          type: array
          description: >-
            The control's custom field values, if control custom fields is
            included in your Vanta instance.
        creationDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            When the control was created. Returns null for Vanta library
            controls.
        modificationDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            When the control was last modified. Returns null for Vanta library
            controls.
      required:
        - id
        - externalId
        - name
        - description
        - source
        - domains
        - owner
        - customFields
        - creationDate
        - modificationDate
      type: object
      additionalProperties: false
    ControlDomain:
      enum:
        - ARTIFICIAL_&_AUTONOMOUS_TECHNOLOGY
        - ASSET_MANAGEMENT
        - BUSINESS_CONTINUITY_&_DISASTER_RECOVERY
        - CAPACITY_&_PERFORMANCE_PLANNING
        - CHANGE_MANAGEMENT
        - CLOUD_SECURITY
        - COMPLIANCE
        - CONFIGURATION_MANAGEMENT
        - CONTINUOUS_MONITORING
        - CRYPTOGRAPHIC_PROTECTIONS
        - DATA_CLASSIFICATION_&_HANDLING
        - EMBEDDED_TECHNOLOGY
        - ENDPOINT_SECURITY
        - HUMAN_RESOURCES_SECURITY
        - IDENTIFICATION_&_AUTHENTICATION
        - INCIDENT_RESPONSE
        - INFORMATION_ASSURANCE
        - MAINTENANCE
        - MOBILE_DEVICE_MANAGEMENT
        - NETWORK SECURITY
        - PHYSICAL_&_ENVIRONMENTAL_SECURITY
        - PRIVACY
        - PROJECT_&_RESOURCE MANAGEMENT
        - RISK_MANAGEMENT
        - SECURE_ENGINEERING_&_ARCHITECTURE
        - SECURITY_AWARENESS_&_TRAINING
        - SECURITY_OPERATIONS
        - SECURITY_&_PRIVACY_GOVERNANCE
        - TECHNOLOGY_DEVELOPMENT_&_ACQUISITION
        - THIRD-PARTY_MANAGEMENT
        - THREAT_MANAGEMENT
        - VULNERABILITY_&_PATCH_MANAGEMENT
        - WEB_SECURITY
        - ADMINISTRATIVE
        - PHYSICAL
        - TECHNICAL
        - BASIC
        - DERIVED
      type: string
    FrameworkSection:
      properties:
        frameworkId:
          anyOf:
            - $ref: '#/components/schemas/FrameworkId'
            - type: string
        sectionId:
          type: string
      required:
        - frameworkId
        - sectionId
      type: object
      additionalProperties: false
    GdprRole:
      enum:
        - BOTH
        - CONTROLLER
        - PROCESSOR
      type: string
    ControlSource:
      enum:
        - Vanta
        - Custom
      type: string
    Owner:
      properties:
        id:
          type: string
          description: Unique identifier for the person.
        displayName:
          type: string
          description: Name of the person that is shown in product.
        emailAddress:
          type: string
          description: Email address of the person.
      required:
        - id
        - displayName
        - emailAddress
      type: object
      additionalProperties: false
    CustomField:
      properties:
        label:
          type: string
        value:
          anyOf:
            - type: string
            - items:
                type: string
              type: array
      required:
        - label
        - value
      type: object
      additionalProperties: false
    FrameworkId:
      enum:
        - AU_E_8
        - AWS_FTR
        - CCPA
        - CIS_V8
        - CPS_234
        - DORA
        - FEDRAMP
        - GDPR
        - HIPAA
        - HITRUST_E1
        - ISO_27001
        - ISO_27001_2022
        - ISO_27017
        - ISO_27018
        - ISO_27701
        - ISO_42001
        - ISO_9001
        - MSFT_SSPA
        - MVSP
        - NIS_2D
        - NIST_171
        - NIST_53
        - NIST_AI_RMF
        - NIST_CSF
        - NIST_CSF_2
        - OFDSS
        - PCI_SAQ_A
        - PCI_SAQ_A_EP
        - PCI_SAQ_D_MERCHANT
        - PCI_SAQ_D_SP
        - PCI_DDS_4
        - SOC_2
        - SOX_ITGC
        - UK_CYBER_ESSENTIALS
        - US_DATA_PRIVACY
      type: string
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````