Help Center
Go back to application
Help Center
Go back to application
Platform Terms GlossaryContacting Support and Reporting Bugs
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainingsGuidanceDetermining Control Applicability
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureEnabling Auto Checks by Reconfiguring the Azure IntegrationEnabling Auto Checks by Reconfiguring the GCP IntegrationEnabling Auto Checks by Reconfiguring the AWS Integration
AWS Auto Checks Detailed Explanations
Azure Auto Checks Detailed Explanations

Determining Control Applicability

Kertos helps you focus only on relevant controls, keeping your compliance scope lean, justified, and audit-ready.

Purpose 

 

In Kertos, you can determine whether a control is applicable to your business and document your decision. This ensures that your compliance program reflects how your organization actually operates—and keeps your audit documentation accurate and defensible.

Problem Solved

For companies compliance frameworks can feel bloated with controls that don’t always apply. Manually reviewing and interpreting each one is time-consuming and often confusing.

Kertos simplifies this process. It gives you structured guidance and an intuitive toggle to evaluate applicability, capture justifications, to generate a clean, audit-ready Statement of Applicability (SoA).

Key Benefits

Tailored Compliance Scope: Easily focus only on relevant controls—skip the rest with proper documentation.

Built-In Justifications: Record why a control isn’t relevant and ensure full audit transparency.

Exportable SoA: Applicability decisions and justifications are automatically included in your SoA.

Aligned Across Frameworks: Kertos multi-framework functionality visualizes overlap across standards—so you only manage what matters.

How It Works

1. Evaluate Control Applicability

Every control in Kertos includes:

  • The original control language
  • A business-focused justification
  • Implementation steps and evidence fields

To determine if a control applies, ask:

  • Is this activity part of our business operations?
  • Does this control help us mitigate a documented risk?
  • Are we directly responsible for this area, or is it managed externally?

If yes → mark it as applicable
If no → mark it as not applicable and provide a short explanation

2. Mark Applicability in Kertos

In the Control Detail View, use the “Applicable” toggle. If marking a control as not applicable, you’ll be prompted to add a justification.

Example:
“Our team is fully remote. Physical access control policies do not apply.”

All decisions are version-controlled and automatically included in your Statement of Applicability export.

3. Use Risk Mapping to Inform Applicability

Controls and risks go hand in hand. If a control helps mitigate a risk you’ve identified, it should be marked as applicable. If no relevant risk exists and your business doesn’t perform the associated activity, it can usually be excluded—with justification.

You can link risks to controls directly in Kertos to reinforce your logic and maintain full traceability.

Examples

ScenarioApplicabilityJustification
No physical office❌ Not applicable“Our team operates fully remotely.”
Storing customer data in AWS✅ Applicable“We manage sensitive data in cloud systems.”
External payroll processor❌ Not applicable“Payroll is outsourced with a data processing agreement.”
Company-issued laptops✅ Applicable“We enforce policies for asset use and protection.”

FAQs

What does “applicability” mean?
It refers to whether a control is relevant to your business activities and risk landscape.

Who decides if a control is applicable?
Your compliance lead or anyone familiar with your organizational risks and operations.

Do I need to justify non-applicable controls?
Yes. Auditors expect clear, reasoned justifications for all controls marked as not applicable.

What if I’m unsure about a control?
Start by linking it to a business process or risk. If unsure, leave it marked as applicable and return to it once more context is available.

How does this show up in my SoA?
Your applicability decisions, justifications, and statuses are included in your Statement of Applicability export, with full version tracking.

Was this article helpful?

Powered by Product Fruits