Managing & implementing controls
Overview: Turn Compliance Requirements Into Actionable Controls
Controls are the core building blocks of your compliance program. In Kertos, the Controls section helps you document, implement, and monitor all the requirements from your selected compliance framework (e.g., ISO 27001, GDPR, NIS2).
Kertos imports the full list of controls for your selected standard. You can track implementation progress, attach evidence, assign responsibility, and mark non-applicable controls—all within a single interface. Whether you’re preparing for an audit or maintaining ongoing compliance, this section ensures nothing falls through the cracks.
Problem Solved
Implementing compliance standards like ISO 27001 can feel overwhelming due to vague requirements, lack of clear next steps, and difficulties in tracking evidence. Kertos transforms abstract controls into a structured to-do list with concrete implementation steps, real-time verification, and centralized evidence—all helping you stay audit-ready with confidence.
Key Benefits
- Clear Control Overview: See the full list of framework controls and their status at a glance.
- Tailored Relevance: Mark controls as non-applicable (with justification) to match your business context.
- Implementation Steps: Break each control into actionable tasks with automatic or manual progress tracking.
- Evidence Collection: Attach evidence files or links and verify control implementation in real-time.
- Export SoA: Generate a Statement of Applicability with implemented and non-applicable controls, versioned and audit-ready.
How It Works
1. Viewing and Managing Controls
Navigate to “Controls” in the sidebar to access your framework’s control list.
- Each control is listed with its status:
  - To-do, In-progress, or Implemented
- You can toggle whether a control is Applicable to your organization
Example: A remote-only company can mark physical office security controls as not applicable—just provide a reason.
Click any control to access its Detail View.
2. Control Detail View
When you open a control from the overview page, you will see its detail view, where you can edit the control. You can modify the following information:
- Status: Document whether a control is “to-do”, “in-progress”, or “implemented”.
- Applicable: Whether the control is relevant to your organization or not. For further explanation, see the example under step 1 above.
- Owner: Who is responsible for this control.
- Effective from: From when this control is effective.
- Implementation progress: This breaks down the control into concrete, actionable steps. Once you have marked every implementation step as done, the control receives the status “implemented”. See this page for more info about implementation steps.
- Evidence: The corresponding evidence that this control has been implemented. Click on “Add Attachment” to upload a file or provide a link.
- Resources: These are tailor-made resources for specific controls that we provide to help you implement the control and provide evidence.
- Notes: Space for anything else that you want to document.
- Citation: The original text excerpt of the respective regulatory body.
3. Creating controls
- In the overview, click “Add control”. This will open the detail view of the new control.
- Fill in the fields as described above.
- Click “Save” at the bottom of the screen.
4. Exporting controls in a Statement of Applicability (SoA)
You can export a report that contains all controls, including those that are not applicable or not yet implemented, since these are also relevant in a potential audit.
- In the overview, click “Export SoA”.
- Select the framework you want to export controls for.
- You will be presented with a list of versions of the control list. If you go back to the list and make changes, these will be reflected here and create a new version. Give the current version a name.
- Scroll down and click “Export”.
- In the following screen, click “Generate and Download”.
5. Implementing controls
Implementation Steps & Checks in Kertos help you track, manage, and automate the completion of compliance controls. By breaking controls down into clear, actionable steps and automating evidence collection where possible, this feature ensures smooth progress toward your compliance goals with minimal manual effort.
6. Checking Implementation Steps Manually
- Easily mark implementation steps as completed once finished.
- Create tasks and assign them to team members to ensure clear responsibilities.
- Update progress manually as tasks are completed to maintain an accurate overview.
7. Automated Verification of Implementation Steps
- The system automatically verifies completed steps based on collected evidence where possible, for example when an implementation step is to create a control.
- For example, if a policy hasn’t been accepted by all assigned employees (e.g., new hires), Kertos flags the step as outdated.
- The compliance status is updated in real-time on the Controls Page, keeping you informed without extra effort.
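To make the mechanics of steps 4 to 7 concrete, the following is an added, illustrative model written for this page; it is not Kertos code, and all class and function names, the `policy_id` link between a step and a policy, and the sample controls, employees and policy acceptances are constructed assumptions. It derives a control's status from its implementation steps, re-opens a policy step when an assigned employee has not yet accepted the policy (the "outdated" case above), and exports a Statement of Applicability that includes non-applicable controls, rejects a non-applicable control without a justification, and fingerprints the content so that a changed control list yields a new version.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ImplementationStep:
    title: str
    done: bool = False
    # Hypothetical link: when set, the step is verified automatically against
    # whether every employee assigned to that policy has accepted it.
    policy_id: Optional[str] = None


@dataclass
class Control:
    control_id: str
    title: str
    applicable: bool = True
    justification: str = ""  # must be given when applicable is False
    owner: str = ""
    steps: list = field(default_factory=list)


def control_status(control: Control) -> str:
    """Derive to-do / in-progress / implemented from the step checklist."""
    done = sum(1 for s in control.steps if s.done)
    if done == 0:
        return "to-do"
    if done == len(control.steps):
        return "implemented"
    return "in-progress"


def verify_policy_steps(control: Control, assigned: dict, accepted: dict) -> list:
    """Automated check for policy-linked steps.

    assigned / accepted map a policy id to a set of employee ids. A step that
    was marked done is re-opened when someone assigned (e.g. a new hire) has
    not accepted the policy; the flagged steps and missing employees are returned.
    """
    flagged = []
    for step in control.steps:
        if step.policy_id is None:
            continue
        missing = assigned.get(step.policy_id, set()) - accepted.get(step.policy_id, set())
        if missing and step.done:
            step.done = False
            flagged.append((step.title, sorted(missing)))
    return flagged


def export_soa(controls: list, version_name: str) -> dict:
    """Build a Statement of Applicability covering every control, applicable or not."""
    rows = []
    for c in controls:
        if not c.applicable and not c.justification.strip():
            raise ValueError(f"{c.control_id}: non-applicable controls need a justification")
        rows.append({
            "control_id": c.control_id,
            "title": c.title,
            "applicable": c.applicable,
            "justification": c.justification,
            "status": control_status(c),
            "owner": c.owner,
        })
    # Content fingerprint: any change to the control list produces a new version.
    fingerprint = hashlib.sha256(json.dumps(rows, sort_keys=True).encode()).hexdigest()[:12]
    return {"version": version_name, "fingerprint": fingerprint, "rows": rows}


def sample_controls() -> list:
    """Constructed sample data: one partially verified control, one non-applicable one."""
    a51 = Control("A.5.1", "Policies for information security", owner="CISO", steps=[
        ImplementationStep("Write and approve the information security policy", done=True),
        ImplementationStep("All assigned employees accept the policy", done=True,
                           policy_id="POL-INFOSEC"),
    ])
    a71 = Control("A.7.1", "Physical security perimeters", applicable=False,
                  justification="Remote-only company without office premises")
    return [a51, a71]


# Constructed acceptance records: carol is a new hire who has not accepted yet.
ASSIGNED = {"POL-INFOSEC": {"alice", "bob", "carol"}}
ACCEPTED = {"POL-INFOSEC": {"alice", "bob"}}


if __name__ == "__main__":
    controls = sample_controls()
    print(control_status(controls[0]))                        # implemented (before verification)
    print(verify_policy_steps(controls[0], ASSIGNED, ACCEPTED))
    print(control_status(controls[0]))                        # in-progress (step re-opened)
    print(json.dumps(export_soa(controls, "2024-Q1"), indent=2))
```

The status derivation treats a control with no steps as to-do, so a freshly created control (step 3 above) never reports itself as implemented by accident, and the export refuses to produce a SoA in which a control is marked non-applicable without the reason an auditor will ask for.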
8. Creating and Managing Tasks for Implementation Steps
Expanding an Implementation Step shows additional details and an option to create tasks. You can create and assign tasks to ensure accountability and progress tracking. Tasks connect specific actions to team members, making it easier to complete implementation steps efficiently.
- In the control you want to implement, go to implementation steps.
- Expand the implementation step.
- Click the “Create task” button.
- Fill out the task details as described in this article.
Frequently Asked Questions (FAQs)
Q1: What do I need to do in the ‘Controls’ section?
A: The Controls section is your compliance to-do list. You must:
- Review all relevant controls
- Implement each control using the provided steps
- Upload evidence or link relevant documentation
- Track progress and applicability
Q2: How do I know which controls are relevant to my company?
A:
- Start with the framework you’re targeting (e.g., ISO 27001)
- Consider your documented risks—controls can be linked to mitigate those
- Some controls are mandatory regardless of risk and will be listed in your overview
Q3: How are risks and controls connected?
A: Controls are used to mitigate risks. In Kertos, you can link controls to risks so you can clearly show which measures address which vulnerabilities.
Q4: Why is risk-control mapping important?
A: It helps prioritize which controls are most critical and ensures that you’re addressing all documented risks with appropriate safeguards.
Q5: Can I link controls to risks in Kertos?
A: Yes. Open a risk from the “Risks” page and select one or more relevant controls from the suggestion list or search manually.
Q6: Do I have to implement all controls?
A: No. Standards like ISO 27001 are flexible. You only need to implement controls that are relevant based on your risk context and business operations. Just make sure to mark non-applicable controls and explain why.
Q7: How do I implement a specific control (e.g., Control A.5.1)?
A: Open the control in Kertos and follow the provided expert-reviewed implementation steps. You’ll also see recommended tasks and can track completion directly.
Q8: Do I need to upload evidence for every control?
A: Not necessarily. You can show evidence during an audit even if it's not uploaded in Kertos. However, using Kertos as a central evidence register simplifies audits and ensures your documentation is always accessible.