Controls are measures that organizations implement to modify or maintain risks related to information security.
To comply with a specific clause or control in the standard, organizations must implement the appropriate measures and monitors, and maintain evidence of their results. Evidence consists of the records or artifacts that demonstrate the effective implementation and operation of these controls.
For example, to comply with ISO 27001:2022 Clause 9.1, which relates to monitoring, measurement, analysis, and evaluation, organizations must establish measures (quantitative values or metrics) and monitors (systems for collecting and recording these measures) to track the performance of their information security management system (ISMS).
The evidence for this clause could include historical reports, dashboards, or other records that demonstrate the monitoring activities and the analysis of the collected data.
Overview
On the overview page, you can see the list of controls that belong to the standard you want to get certified against. For instance, if you want to become ISO 27001 certified, we will import the corresponding set of controls into your platform.
Some controls might not be applicable to your organization. For example, if you are a remote-only company without a physical office space, controls related to office security will not be relevant for you. In this case, you can toggle the “applicable” button on or off directly from the overview page for a faster workflow. It is very important, however, that you provide an explanation as to why the control is not relevant to you.
Detail View
In order to open the detail view of an individual control, click on it in the overview. A sidebar with more detailed information will appear on the right side of the screen.
In the top-right corner of the sidebar, click the expand button to open the detail view. To close the sidebar, click the button in the top-left corner.
Controls can only be edited in the detail view. You can modify the following information:
Status: Document whether a control is “to-do”, “in-progress”, or “implemented”.
Applicable: Whether the control is relevant to your organization or not. For further explanation, see the note on applicability in the Overview section above.
Owner: Who is responsible for this control.
Effective from: The date from which this control is effective.
Implementation progress: This breaks down the control into concrete, actionable steps. Once you have marked every implementation step as done, the control receives the status “implemented”. See this page for more info about implementation steps.
Evidences: The corresponding evidence that this control has been implemented. Click on “Add Attachment” to upload a file or provide a link.
Resources: Tailor-made resources for specific controls that we provide to help you implement the control and provide evidence.
Notes: Space for anything else that you want to document.
Creating controls
In the overview, click “Add control”. This will open the detail view of the new control.
Fill out the information as described above.
Click “Save” at the bottom of the screen.
Exporting controls in a Statement of Applicability (SoA)
You can export a report that contains all controls, including those that are not applicable or not implemented, since these are also relevant in a potential audit.
In the overview, click “View and Export”.
You will be presented with a list of versions of the control list. If you go back to the list and make changes, these will be reflected here and will create a new version. Give the current version a name.
Scroll down and click “Export”.
In the following screen, click “Generate and Download”.