> ## Documentation Index
> Fetch the complete documentation index at: https://developer.vanta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create custom control

> Create a custom control.



## OpenAPI

````yaml /reference/manage-vanta.json post /controls
openapi: 3.0.0
info:
  title: Manage Vanta
  version: 1.0.0
  description: >-
    The REST API lets customers query and mutate Vanta's data. Use this API to
    automate bulk actions, query data for custom workflows and dashboards, and
    bolster your security operations


    **Note for Vanta Gov (FedRAMP) customers:** Select `Vanta Gov (FedRAMP)`
    from the server dropdown to issue requests against
    `https://api.vanta-gov.com`. The OAuth token URL shown below defaults to the
    commercial host — replace it with `https://api.vanta-gov.com/oauth/token`.
  termsOfService: https://www.vanta.com/terms
  license:
    name: UNLICENSED
  contact:
    name: API Support
    url: https://help.vanta.com/
    email: support@vanta.com
servers:
  - url: https://api.vanta.com/v1
    description: Vanta (Commercial)
  - url: https://api.vanta-gov.com/v1
    description: Vanta Gov (FedRAMP)
security: []
paths:
  /controls:
    post:
      tags:
        - Controls
      summary: Create custom control
      description: Create a custom control.
      operationId: CreateCustomControl
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateControlInput'
      responses:
        '201':
          description: Custom Control created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Control'
              examples:
                Example 1:
                  value:
                    id: a2f7e1b9d0c3f4e5a6c7b8d9
                    externalId: CRY-104
                    name: Data encryption utilized
                    description: >-
                      Access reviews are performed to ensure that access is
                      appropriate for the user's role and responsibilities.
                    source: Vanta
                    domains:
                      - CRYPTOGRAPHIC_PROTECTIONS
                    owner:
                      id: 65e1efde08e8478f143a8ff9
                      emailAddress: example-person@email.com
                      displayName: Example Owner
                    role: CONTROLLER
                    customFields:
                      - label: Additional context
                        value: This control is critical for GDPR compliance
                    creationDate: null
                    modificationDate: null
      security:
        - bearerAuth: []
components:
  schemas:
    CreateControlInput:
      properties:
        externalId:
          type: string
          description: The control's external ID.
        name:
          type: string
          nullable: true
          description: The control's name.
        description:
          type: string
          description: The control's description.
        effectiveDate:
          type: string
          format: date-time
          description: The effective date of the control.
        domain:
          $ref: '#/components/schemas/ControlDomain'
          description: The control's category.
        sections:
          items:
            $ref: '#/components/schemas/FrameworkSection'
          type: array
          nullable: true
          description: The framework sections that the control maps to.
        role:
          allOf:
            - $ref: '#/components/schemas/GdprRole'
          nullable: true
          description: >-
            The GDPR role of the control, which specifies whether the data is
            being "collected" or "processed".

            This field should only be included for controls that are to be
            mapped to the GDPR framework.
        customFields:
          items:
            $ref: '#/components/schemas/CustomField'
          type: array
          description: The control's values for custom fields.
      required:
        - externalId
        - name
        - description
        - effectiveDate
        - domain
      type: object
      additionalProperties: false
    Control:
      properties:
        id:
          type: string
          description: The control's unique ID.
        externalId:
          type: string
          nullable: true
          description: The control's external ID.
        name:
          type: string
          description: The control's name.
        description:
          type: string
          description: The control's description.
        source:
          $ref: '#/components/schemas/ControlSource'
          description: The control's source, either "VANTA" or "CUSTOM".
        domains:
          items:
            type: string
          type: array
          description: The security domains that the control belongs to.
        owner:
          allOf:
            - $ref: '#/components/schemas/Owner'
          nullable: true
          description: The control's owner.
        role:
          type: string
          nullable: true
          description: The control's GDPR role, if the control is a GDPR control.
        customFields:
          items:
            $ref: '#/components/schemas/CustomField'
          type: array
          description: >-
            The control's custom field values, if control custom fields is
            included in your Vanta instance.
        creationDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            When the control was created. Returns null for Vanta library
            controls.
        modificationDate:
          type: string
          format: date-time
          nullable: true
          description: >-
            When the control was last modified. Returns null for Vanta library
            controls.
      required:
        - id
        - externalId
        - name
        - description
        - source
        - domains
        - owner
        - customFields
        - creationDate
        - modificationDate
      type: object
      additionalProperties: false
    ControlDomain:
      enum:
        - ARTIFICIAL_&_AUTONOMOUS_TECHNOLOGY
        - ASSET_MANAGEMENT
        - BUSINESS_CONTINUITY_&_DISASTER_RECOVERY
        - CAPACITY_&_PERFORMANCE_PLANNING
        - CHANGE_MANAGEMENT
        - CLOUD_SECURITY
        - COMPLIANCE
        - CONFIGURATION_MANAGEMENT
        - CONTINUOUS_MONITORING
        - CRYPTOGRAPHIC_PROTECTIONS
        - DATA_CLASSIFICATION_&_HANDLING
        - EMBEDDED_TECHNOLOGY
        - ENDPOINT_SECURITY
        - HUMAN_RESOURCES_SECURITY
        - IDENTIFICATION_&_AUTHENTICATION
        - INCIDENT_RESPONSE
        - INFORMATION_ASSURANCE
        - MAINTENANCE
        - MOBILE_DEVICE_MANAGEMENT
        - NETWORK SECURITY
        - PHYSICAL_&_ENVIRONMENTAL_SECURITY
        - PRIVACY
        - PROJECT_&_RESOURCE MANAGEMENT
        - RISK_MANAGEMENT
        - SECURE_ENGINEERING_&_ARCHITECTURE
        - SECURITY_AWARENESS_&_TRAINING
        - SECURITY_OPERATIONS
        - SECURITY_&_PRIVACY_GOVERNANCE
        - TECHNOLOGY_DEVELOPMENT_&_ACQUISITION
        - THIRD-PARTY_MANAGEMENT
        - THREAT_MANAGEMENT
        - VULNERABILITY_&_PATCH_MANAGEMENT
        - WEB_SECURITY
        - ADMINISTRATIVE
        - PHYSICAL
        - TECHNICAL
        - BASIC
        - DERIVED
      type: string
    FrameworkSection:
      properties:
        frameworkId:
          anyOf:
            - $ref: '#/components/schemas/FrameworkId'
            - type: string
        sectionId:
          type: string
      required:
        - frameworkId
        - sectionId
      type: object
      additionalProperties: false
    GdprRole:
      enum:
        - BOTH
        - CONTROLLER
        - PROCESSOR
      type: string
    CustomField:
      properties:
        label:
          type: string
        value:
          anyOf:
            - type: string
            - items:
                type: string
              type: array
      required:
        - label
        - value
      type: object
      additionalProperties: false
    ControlSource:
      enum:
        - Vanta
        - Custom
      type: string
    Owner:
      properties:
        id:
          type: string
          description: Unique identifier for the person.
        displayName:
          type: string
          description: Name of the person that is shown in product.
        emailAddress:
          type: string
          description: Email address of the person.
      required:
        - id
        - displayName
        - emailAddress
      type: object
      additionalProperties: false
    FrameworkId:
      enum:
        - AU_E_8
        - AWS_FTR
        - CCPA
        - CIS_V8
        - CPS_234
        - DORA
        - FEDRAMP
        - GDPR
        - HIPAA
        - HITRUST_E1
        - ISO_27001
        - ISO_27001_2022
        - ISO_27017
        - ISO_27018
        - ISO_27701
        - ISO_42001
        - ISO_9001
        - MSFT_SSPA
        - MVSP
        - NIS_2D
        - NIST_171
        - NIST_53
        - NIST_AI_RMF
        - NIST_CSF
        - NIST_CSF_2
        - OFDSS
        - PCI_SAQ_A
        - PCI_SAQ_A_EP
        - PCI_SAQ_D_MERCHANT
        - PCI_SAQ_D_SP
        - PCI_DDS_4
        - SOC_2
        - SOX_ITGC
        - UK_CYBER_ESSENTIALS
        - US_DATA_PRIVACY
      type: string
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

````