Managing & implementing controls

Controls are measures that organizations implement to modify or maintain risks related to information security. To comply with a specific clause or control in the standard, organizations must implement the appropriate measures and monitors, and maintain evidence of their results. Evidence consists of the records or artifacts that demonstrate the effective implementation and operation of these controls.


For example, to comply with ISO 27001:2022 Clause 9.1, which relates to monitoring, measurement, analysis, and evaluation, organizations must establish measures (quantitative values or metrics) and monitors (systems for collecting and recording these measures) to track the performance of their information security management system (ISMS).

The evidence for this clause could include historical reports, dashboards, or other records that demonstrate the monitoring activities and the analysis of the collected data.


Overview


On the "Controls" page in the navigation bar, you can see the list of controls that belong to the standard that you want to get certified against. For instance, if you want to become ISO 27001 certified, we will import the corresponding set of controls into your platform.


There might be some controls that are not applicable to your organization. For example, if you are a remote-only company without a physical office space, some controls related to office security will not be relevant for you. In this case, you can directly toggle the “applicable” button on or off from the overview page for a faster workflow. It is very important, however, that you provide an explanation as to why said control is not relevant to you.


Detail View


When you open a control from the overview page, you will see the detail view, where you can edit the control. You can modify the following information:

  • Status: Document whether a control is “to-do”, “in-progress”, or “implemented”.
  • Applicable: Whether the control is relevant to your organization or not. For further explanation, see the green section above.
  • Owner: Who is responsible for this control.
  • Effective from: From when this control is effective.
  • Implementation progress: This breaks down the control into concrete, actionable steps. Once you have marked every implementation step as done, the control receives the status “implemented”. See this page for more info about implementation steps.
  • Evidence: The corresponding evidence that this control has been implemented. Click on “Add Attachment” to upload a file or provide a link.
  • Resources: These are tailor-made resources for specific controls that we provide you with in order to help you implement the control and provide evidence.
  • Notes: Space for anything else that you want to document.
  • Citation: The original text excerpt of the respective regulatory body.


Creating controls


1. In the overview, click “Add control”. This will open the detail view of the new control.

2. Fill in the fields as described above.

3. Click “Save” at the bottom of the screen.


Exporting controls in a Statement of Applicability (SoA)

You can export a report that contains all controls, including those that are not applicable or not implemented, since these are also relevant in a potential audit.


1. In the overview, click “Export SoA”.


2. Select the framework you want to export controls for.

3. You will be presented with a list of versions of the control list. If you go back to the list and make changes, these will be reflected here and create a new version. Give the current version a name.

4. Scroll down and click “Export”.


5. In the following screen, click “Generate and Download”.


Implementing controls

Implementation Steps & Checks in Kertos help you to track, manage, and automate the completion of compliance controls. By breaking down controls into clear, actionable steps and automating evidence collection (where possible), this feature ensures smooth progress toward compliance goals with minimal manual effort.


Manually

  • Easily mark implementation steps as completed once finished.
  • Create tasks and assign them to team members to ensure clear responsibilities.
  • Update progress manually as tasks are completed to maintain an accurate overview.


Automated Verification

  • The system automatically verifies completed steps based on collected evidence (where possible, for example when an implementation step is to create a control).
  • For example, if a policy hasn’t been accepted by all assigned employees (e.g., new hires), Kertos flags the step as outdated.
  • The compliance status is updated in real-time on the Controls Page, keeping you informed without extra effort.
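The status derivation and the policy-acceptance check described above, as an added Python illustration (this is not Kertos's own code; the data classes, function names and sample control IDs are assumptions constructed for this example):

```python
from dataclasses import dataclass, field

@dataclass
class Step:
    name: str
    done: bool = False        # ticked manually or by an automated check
    outdated: bool = False    # evidence no longer covers everyone assigned

@dataclass
class Control:
    control_id: str
    applicable: bool = True
    justification: str = ""   # required whenever applicable is False
    steps: list = field(default_factory=list)

def check_policy_acceptance(step, assigned, accepted):
    """Automated check: every assigned employee must have accepted the policy.
    A step that was already done becomes outdated when a new hire has not."""
    missing = sorted(set(assigned) - set(accepted))
    step.outdated = step.done and bool(missing)
    step.done = not missing
    return missing

def control_status(control):
    """Derive the status shown on the Controls page from the control's steps."""
    if not control.applicable:
        return "not applicable"
    if any(s.outdated for s in control.steps):
        return "outdated"
    if all(s.done for s in control.steps):
        return "implemented"
    return "in-progress" if any(s.done for s in control.steps) else "to-do"

def soa_rows(controls):
    """Rows for a Statement of Applicability: every control is listed, and a
    not-applicable control without a justification is reported as a gap."""
    rows, gaps = [], []
    for c in controls:
        if not c.applicable and not c.justification.strip():
            gaps.append(c.control_id)
        rows.append((c.control_id, c.applicable, control_status(c), c.justification))
    return rows, gaps
# Constructed sample (hypothetical IDs): the policy step was done before a new hire joined.
policy_step = Step("All employees accept the Acceptable Use Policy", done=True)
missing = check_policy_acceptance(policy_step, assigned=["ana", "ben", "new_hire"],
                                  accepted=["ana", "ben"])
access_control = Control("C-1", steps=[policy_step, Step("Publish policy", done=True)])
office = Control("C-2", applicable=False, justification="Remote-only, no office premises")
unjustified = Control("C-3", applicable=False)
ROWS, GAPS = soa_rows([access_control, office, unjustified])
```

Re-running `check_policy_acceptance` after the new hire accepts the policy sets the step back to done and the control back to “implemented”.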


Creating and Managing Tasks for Implementation Steps

When you expand an Implementation Step, it shows additional details and an option to create tasks. You can create and assign tasks to ensure accountability and progress tracking. Tasks connect specific actions to team members, making it easier to complete implementation steps efficiently.


1. In the control you want to implement, go to implementation steps.

2. Expand the implementation step.

3. Click the “Create task” button.


4. Fill out the task details as described in this article.


FAQs

What do I need to do in the ‘controls’ section?

Controls are central to the Kertos platform in that they are like a “to-do list” for you on the way to achieving compliance with a certain standard or a regulatory requirement. In the controls section, you have an overview of all the controls that are relevant for you. It is your responsibility that all relevant controls are in this overview and that each of them is implemented. If you click on an individual control, Kertos will give you exact recommendations on how to implement it.

How do I know which controls are relevant to my company?

This depends on the legal frameworks or standards you are trying to achieve and the risks that you documented and assessed on the “Risks” page. Every risk that you want to mitigate is connected to at least one control. If you open a risk, you get suggestions on which controls can be linked to it. There are also general controls that you have to implement and that are not tied to certain risks; you will also find these in the controls overview.

How are risks and controls connected/related?

Controls ensure that you take the correct measures in response to your identified and assessed risks. This is why you can link controls to risks in Kertos.

Why is risk control mapping important?

Risk control mapping ensures that you have the right controls implemented and gives you clear guidance when choosing which controls are relevant to your organization.

How can I link controls to my company’s risks?

Check out our help center article for this.

Do I really have to implement all the controls?

No, you don't have to implement all the controls. ISO 27001:2022 is flexible and allows organizations to tailor their implementation based on their specific needs and risk assessment.

How do I implement Control XYZ?

For every control, we give you expert-reviewed implementation steps that you can access in Kertos when opening an individual control and that you directly

Do I really need evidence for each and every control?

You don't necessarily need evidence for each and every control, as you can showcase the evidence during the audit. However, having a central evidence register makes the audit process easier.
