# Control Playbooks
Use these playbooks when working with controls, control testing, linked risks, assessment responses, and audit findings.
## Maintain a Control
- Open Controls.
- Search for the control by code, title, framework, or domain.
- Confirm owner, description, objective, and domain.
- Review linked frameworks and mappings.
- Review evidence and testing history.
- Review linked risks and whether the control is still effective.
- Review exceptions and change requests.
- Update owner, notes, or implementation details if allowed.
- Schedule the next review or test.
## Respond to a Control in an Assessment
- Open the assessment.
- Open the Controls tab.
- Filter to My Controls.
- Open the assigned control.
- Select compliance status.
- Add findings and recommendations for gaps.
- Upload evidence.
- Save.
## Handle an Audit Finding Against a Control
- Review the audit finding and linked assessment control.
- Confirm whether the finding is material.
- Link an issue or risk if required.
- Complete remediation and upload evidence.
- Wait for auditor verification.
- Reassess the affected assessment control after the platform marks it for reassessment.
- Upload updated evidence.
- Confirm that the linked risk or issue can be updated.
## FAQ
| Question | Answer |
|---|---|
| Should every control have an owner? | Yes. Ownerless controls create weak assessments and weak audit evidence. |
| What makes control evidence good? | It should match the control, period, scope, and approved source. |
| When should a control be retested? | After major change, failed assessment, audit finding, exception, incident, or scheduled review. |
| Can control reassessment be targeted? | Yes. Verified audit findings can reopen only the affected assessment control. |