# Applied Controls
Applied controls are the specific security measures and processes your organization has implemented to meet compliance requirements and mitigate risks.
## Understanding Controls

### Control Types
- Preventive - Stop incidents before they occur (access controls, encryption)
- Detective - Identify incidents when they happen (monitoring, logging)
- Corrective - Address incidents after detection (incident response, backup restoration)
### Control Categories
- Technical - Technology-based controls (firewalls, encryption, MFA)
- Administrative - Policies and procedures (security policies, training)
- Physical - Physical security measures (badge access, CCTV)
## Creating Applied Controls

1. Navigate to Controls → Applied Controls
2. Click New Control
3. Complete the control details:
   - Name - Clear, descriptive title
   - Description - What the control does
   - Category - Technical, Administrative, or Physical
   - Type - Preventive, Detective, or Corrective
   - Owner - Person responsible for the control
   - Status - Active, Planned, or Deprecated
4. Link to framework requirements and risks
## Control Effectiveness
Rate how well each control performs:
| Rating | Description |
|---|---|
| Effective | Control is fully implemented and operating as intended |
| Partially Effective | Control exists but has gaps or inconsistent implementation |
| Ineffective | Control is not working or significantly deficient |
| Not Implemented | Control is planned but not yet in place |
## Mapping Controls

### To Framework Requirements
Link controls to the compliance requirements they satisfy:
- Open the control details
- Go to Mappings tab
- Click Add Mapping
- Select framework and specific requirement
- One control can map to multiple requirements across frameworks
### To Risks
Connect controls to the risks they mitigate:
- Open the control details
- Go to Risks tab
- Link to existing risks from the Risk Register
- Specify mitigation impact (reduces likelihood, impact, or both)
## Evidence Management
Demonstrate control effectiveness with evidence:
- Documents - Policies, procedures, configuration guides
- Screenshots - System configurations, access lists
- Reports - Audit logs, monitoring reports
- Certifications - Third-party assessments
## Control Testing
Regularly verify controls are working:
- Define testing procedures for each control
- Schedule periodic testing (quarterly, annually)
- Document test results and findings
- Track remediation of any gaps
## Reporting
- Control Inventory - Complete list of implemented controls
- Coverage Analysis - Which requirements are covered vs. gaps
- Effectiveness Report - Control health across the organization
- Owner Report - Controls grouped by responsible party
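The following is an added example, not part of the product's own code or data model, showing how the ideas from the Mapping Controls, Control Testing and Reporting sections fit together: a small control register where each control carries a category, type, owner, status, effectiveness rating, its framework requirement mappings (one control to many requirements across frameworks), its risk links with the claimed mitigation impact, and a test schedule. From that register it derives the four reports listed above plus an overdue-test list. The control names, requirement identifiers, risk ids, owners and dates are constructed sample data, and the rule that only Active controls rated Effective or Partially Effective count toward coverage is an assumption made for the example.

```python
"""Added example: a minimal applied-control register with framework mappings,
risk links, effectiveness ratings and test schedules, and the reports derived
from it. All data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Set


@dataclass
class Control:
    name: str
    category: str                 # Technical, Administrative, Physical
    ctype: str                    # Preventive, Detective, Corrective
    owner: str                    # responsible party
    status: str                   # Active, Planned, Deprecated
    effectiveness: str            # Effective, Partially Effective, Ineffective, Not Implemented
    requirements: Set[str] = field(default_factory=set)   # "framework:requirement" ids
    risks: Dict[str, str] = field(default_factory=dict)   # risk id -> likelihood|impact|both
    last_tested: Optional[date] = None
    test_interval_days: int = 90


# Constructed sample register (assumed values, not real assessment data)
CONTROLS = [
    Control("MFA for admin accounts", "Technical", "Preventive", "IAM Lead", "Active",
            "Effective", {"ISO27001:A.5.17", "SOC2:CC6.1"}, {"R-01": "likelihood"},
            date(2024, 3, 1), 90),
    Control("Central log monitoring", "Technical", "Detective", "SecOps Lead", "Active",
            "Partially Effective", {"ISO27001:A.8.15", "SOC2:CC7.2"}, {"R-02": "impact"},
            date(2023, 10, 15), 90),
    Control("Security awareness training", "Administrative", "Preventive", "CISO", "Active",
            "Effective", {"ISO27001:A.6.3"}, {"R-03": "likelihood"}, date(2024, 1, 20), 365),
    Control("Offsite backup restoration", "Technical", "Corrective", "IT Ops", "Planned",
            "Not Implemented", {"ISO27001:A.8.13"}, {"R-02": "impact"}, None, 180),
]

# Constructed requirement catalogue that the coverage analysis is measured against
REQUIREMENTS = {
    "ISO27001:A.5.17", "ISO27001:A.6.3", "ISO27001:A.8.13", "ISO27001:A.8.15",
    "ISO27001:A.8.24", "SOC2:CC6.1", "SOC2:CC7.2", "SOC2:CC9.1",
}

# Assumption for this example: only these ratings on an Active control count as coverage
COVERING = {"Effective", "Partially Effective"}
AS_OF = date(2024, 4, 1)   # reporting date used by the test-schedule check


def control_inventory(controls):
    """Control Inventory: every control with its classification and status."""
    return [(c.name, c.category, c.ctype, c.status) for c in controls]


def coverage_analysis(controls, requirements):
    """Coverage Analysis: which requirements have at least one Active, covering
    control mapped to them, and which are gaps."""
    covered = set()
    for c in controls:
        if c.status == "Active" and c.effectiveness in COVERING:
            covered |= c.requirements & requirements
    return {"covered": sorted(covered), "gaps": sorted(requirements - covered)}


def effectiveness_report(controls):
    """Effectiveness Report: number of controls at each rating."""
    counts = defaultdict(int)
    for c in controls:
        counts[c.effectiveness] += 1
    return dict(counts)


def owner_report(controls):
    """Owner Report: control names grouped by responsible party."""
    by_owner = defaultdict(list)
    for c in controls:
        by_owner[c.owner].append(c.name)
    return {owner: sorted(names) for owner, names in by_owner.items()}


def overdue_tests(controls, today):
    """Active controls never tested or tested longer ago than their interval."""
    out = []
    for c in controls:
        if c.status != "Active":
            continue
        if c.last_tested is None or today - c.last_tested > timedelta(days=c.test_interval_days):
            out.append(c.name)
    return sorted(out)


def risk_mitigations(controls, risk_id):
    """Controls linked to one risk and the mitigation impact each claims."""
    return {c.name: c.risks[risk_id] for c in controls if risk_id in c.risks}


if __name__ == "__main__":
    print("Inventory:", control_inventory(CONTROLS))
    print("Coverage:", coverage_analysis(CONTROLS, REQUIREMENTS))
    print("Effectiveness:", effectiveness_report(CONTROLS))
    print("By owner:", owner_report(CONTROLS))
    print("Overdue tests:", overdue_tests(CONTROLS, AS_OF))
    print("R-02 mitigations:", risk_mitigations(CONTROLS, "R-02"))
```

Note that the Planned backup control maps to a requirement but does not count toward coverage, so that requirement shows up as a gap; this is the distinction the Coverage Analysis report is meant to surface. Likewise the overdue list ignores Planned controls, since a test schedule only applies once a control is in operation.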