Determining Control Applicability
Purpose
In Kertos, you can determine whether a control is applicable to your business and document your decision. This ensures that your compliance program reflects how your organization actually operates—and keeps your audit documentation accurate and defensible.
Problem Solved
For companies, compliance frameworks can feel bloated with controls that don’t always apply. Manually reviewing and interpreting each one is time-consuming and often confusing.
Kertos simplifies this process. It gives you structured guidance and an intuitive toggle to evaluate applicability, capture justifications, and generate a clean, audit-ready Statement of Applicability (SoA).
Key Benefits
Tailored Compliance Scope: Easily focus only on relevant controls—skip the rest with proper documentation.
Built-In Justifications: Record why a control isn’t relevant and ensure full audit transparency.
Exportable SoA: Applicability decisions and justifications are automatically included in your SoA.
Aligned Across Frameworks: Kertos’ multi-framework functionality visualizes overlap across standards—so you only manage what matters.
How It Works
1. Evaluate Control Applicability
Every control in Kertos includes:
- The original control language
- A business-focused justification
- Implementation steps and evidence fields
To determine if a control applies, ask:
- Is this activity part of our business operations?
- Does this control help us mitigate a documented risk?
- Are we directly responsible for this area, or is it managed externally?
If yes → mark it as applicable
If no → mark it as not applicable and provide a short explanation
2. Mark Applicability in Kertos
In the Control Detail View, use the “Applicable” toggle. If marking a control as not applicable, you’ll be prompted to add a justification.
Example:
“Our team is fully remote. Physical access control policies do not apply.”
All decisions are version-controlled and automatically included in your Statement of Applicability export.
3. Use Risk Mapping to Inform Applicability
Controls and risks go hand in hand. If a control helps mitigate a risk you’ve identified, it should be marked as applicable. If no relevant risk exists and your business doesn’t perform the associated activity, it can usually be excluded—with justification.
You can link risks to controls directly in Kertos to reinforce your logic and maintain full traceability.
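As an added illustration, not Kertos code or its export format, the decision rules from the three steps above expressed as a consistency check over a list of control records: a control marked not applicable needs a justification, a control linked to a documented risk should not be excluded, and an undecided control stays in scope until reviewed. Field names, control ids and risk ids are assumed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Control:
    """One control as it might appear in an SoA export (field names are assumed)."""
    control_id: str
    applicable: Optional[bool]          # None = no decision recorded yet
    justification: str = ""             # expected when applicable is False
    linked_risks: List[str] = field(default_factory=list)

def validate_soa(controls: List[Control]) -> Dict[str, List[str]]:
    """Check applicability decisions against the rules in the steps above.

    missing_justification: marked not applicable without a recorded reason
    risk_conflict:         linked to a documented risk but marked not applicable
    undecided:             no decision yet; keep in scope until reviewed
    """
    findings: Dict[str, List[str]] = {
        "missing_justification": [], "risk_conflict": [], "undecided": []}
    for c in controls:
        if c.applicable is None:
            findings["undecided"].append(c.control_id)
        elif not c.applicable:
            if not c.justification.strip():
                findings["missing_justification"].append(c.control_id)
            if c.linked_risks:
                findings["risk_conflict"].append(c.control_id)
    return findings

def effective_scope(controls: List[Control]) -> List[str]:
    """Controls that stay in scope: applicable ones plus undecided ones."""
    return [c.control_id for c in controls if c.applicable is not False]

# Constructed sample: control ids and risk ids are hypothetical placeholders.
SAMPLE_CONTROLS = [
    Control("CTRL-PHYS-01", False, "Our team operates fully remotely."),
    Control("CTRL-CLOUD-01", True, "", ["RISK-03"]),
    Control("CTRL-PAY-01", False, ""),                            # no justification
    Control("CTRL-ASSET-01", False, "Not tracked.", ["RISK-07"]),  # excluded despite a linked risk
    Control("CTRL-NEW-01", None),                                 # not yet reviewed
]

if __name__ == "__main__":
    for kind, ids in validate_soa(SAMPLE_CONTROLS).items():
        print(f"{kind}: {ids}")
    print("in scope:", effective_scope(SAMPLE_CONTROLS))
```

Run against a real export, the findings list is the set of controls to revisit before the SoA is handed to an auditor.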
Examples
| Scenario | Applicability | Justification |
|---|---|---|
| No physical office | ❌ Not applicable | “Our team operates fully remotely.” |
| Storing customer data in AWS | ✅ Applicable | “We manage sensitive data in cloud systems.” |
| External payroll processor | ❌ Not applicable | “Payroll is outsourced with a data processing agreement.” |
| Company-issued laptops | ✅ Applicable | “We enforce policies for asset use and protection.” |
FAQs
What does “applicability” mean?
It refers to whether a control is relevant to your business activities and risk landscape.
Who decides if a control is applicable?
Your compliance lead or anyone familiar with your organizational risks and operations.
Do I need to justify non-applicable controls?
Yes. Auditors expect clear, reasoned justifications for all controls marked as not applicable.
What if I’m unsure about a control?
Start by linking it to a business process or risk. If you are still unsure, leave it marked as applicable and return to it once more context is available.
How does this show up in my SoA?
Your applicability decisions, justifications, and statuses are included in your Statement of Applicability export, with full version tracking.