Controls
Security and compliance measures you define, test, and track
What are Controls?
Controls are the security and compliance measures your organisation implements to mitigate risk. Each control defines what should be done (e.g. "ensure all servers have disk encryption enabled"), how to verify it (test procedure), and how often it should be checked. When a control test fails, an issue is automatically created, feeding directly into the risk report.
Key Information
Each control captures the following details:
- Control number — an auto-generated sequential identifier (CTL-0001, CTL-0002, and so on).
- Title — a short name for the control (required).
- Description — a detailed explanation of the control's purpose and scope.
- Test procedure — step-by-step instructions for testers to verify the control is effective.
- Framework reference — an optional reference to a compliance framework, e.g. ISO 27001 A.5.1 or SOC 2 CC6.1, with an optional link to the framework documentation.
- Test frequency — how often the control should be tested (see below).
- Review required — whether test results need a second person to approve or reject them.
- Owner — the user responsible for maintaining this control.
- Owning entity — the entity this control belongs to.
Test Frequency
The test frequency defines how often a control should be tested. Options include daily, weekly, monthly, quarterly, and yearly.
If no frequency is set, the control is treated as ad-hoc (tested on demand). The frequency helps auditors and compliance teams ensure controls are being verified at the required cadence.
Review Required
When review is enabled on a control, every test execution enters a review workflow. After a tester submits their result, a different user must approve or reject the test before it is considered authoritative. This provides four-eyes oversight for critical controls. See Control Testing for the full review workflow.
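The two rules above, the test cadence and the four-eyes review, are easy to get subtly wrong in an integration (a tester approving their own result, or an unreviewed submission silently resetting the "last tested" clock). The following Python model is an added example written for this page, not the product's own code or API. It assumes concrete day counts for each frequency, that a rejected or still-pending result does not satisfy the cadence, and that the automatic issue is opened once a failed result becomes authoritative; the class and method names are illustrative.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional

# Cadences named on the page. The day counts are an assumption of this example.
FREQUENCY_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "quarterly": 91, "yearly": 365}


class TestState(str, Enum):
    SUBMITTED = "submitted"   # waiting for a second person (review_required only)
    APPROVED = "approved"     # reviewer accepted the result
    REJECTED = "rejected"     # reviewer sent it back; not authoritative
    FINAL = "final"           # authoritative immediately (no review required)


@dataclass
class TestResult:
    tester: str
    executed_on: date
    passed: bool
    state: TestState
    reviewer: Optional[str] = None

    @property
    def authoritative(self) -> bool:
        return self.state in (TestState.APPROVED, TestState.FINAL)


@dataclass
class Control:
    number: str                           # e.g. CTL-0001
    title: str
    test_frequency: Optional[str] = None  # None means ad-hoc (tested on demand)
    review_required: bool = False
    history: List[TestResult] = field(default_factory=list)
    issues: List[str] = field(default_factory=list)

    def submit_result(self, tester: str, executed_on: date, passed: bool) -> TestResult:
        """Tester records an execution. With review enabled it waits for a reviewer."""
        state = TestState.SUBMITTED if self.review_required else TestState.FINAL
        result = TestResult(tester, executed_on, passed, state)
        self.history.append(result)
        self._raise_issue_if_failed(result)
        return result

    def review(self, result: TestResult, reviewer: str, approve: bool) -> TestResult:
        """Second-person approval. The four-eyes rule is enforced here:
        the tester can never review their own submission."""
        if not self.review_required:
            raise ValueError(f"{self.number}: review is not enabled on this control")
        if result.state is not TestState.SUBMITTED:
            raise ValueError(f"{self.number}: result is already {result.state.value}")
        if reviewer == result.tester:
            raise PermissionError(f"{self.number}: {reviewer} cannot review their own test")
        result.reviewer = reviewer
        result.state = TestState.APPROVED if approve else TestState.REJECTED
        self._raise_issue_if_failed(result)
        return result

    def last_authoritative(self) -> Optional[TestResult]:
        done = [r for r in self.history if r.authoritative]
        return max(done, key=lambda r: r.executed_on) if done else None

    def is_overdue(self, today: date) -> bool:
        """True when the cadence has lapsed. Only authoritative results count,
        so an unreviewed or rejected test does not reset the clock."""
        if self.test_frequency is None:
            return False  # ad-hoc: no due date
        last = self.last_authoritative()
        if last is None:
            return True   # assumption: a scheduled control that was never tested is overdue
        due = last.executed_on + timedelta(days=FREQUENCY_DAYS[self.test_frequency])
        return today > due

    def _raise_issue_if_failed(self, result: TestResult) -> None:
        # Assumption: an issue is opened once a failed result becomes authoritative.
        if result.authoritative and not result.passed:
            self.issues.append(f"{self.number} failed on {result.executed_on.isoformat()}")
```

The point to carry into a real implementation is that the reviewer check compares identities, not roles: a user who is both a tester and a reviewer must still be blocked from reviewing the specific result they submitted, and the cadence calculation must look only at results that have passed that check.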
Linked Resources
- Entity — each control belongs to one entity.
- Configuration items — controls can be linked to the assets they protect.
- Business processes — controls can be linked to the business processes they safeguard. This link is used in risk exposure calculations.
Test History
Each control maintains a complete log of all test executions. You can view past results, evidence, and review outcomes from the control's detail page. See Control Testing for how tests are created and reviewed.