Controls and tests are elements of a compliance framework, a structured set of requirements to help organizations achieve compliance with relevant laws, regulations, and standards.
SOC2, ISO 27001, and GDPR are examples of external security and privacy frameworks, but larger organizations often define their own frameworks for their own unique business objectives or custom compliance needs.
Controls
A Control defines an activity, process, procedure or configuration that minimizes risk when followed. An organization defines its controls in response to the risks it has identified with respect to external or internal compliance frameworks. One control may be mapped to multiple frameworks and may be supported by multiple tests.
Tests
Tests are the small units of work that Secureframe has created to demonstrate that certain controls are functioning as intended.
Perform these tests, or monitor them continually, as part of your ongoing compliance program: your auditor will perform the same or similar tests as part of their audit procedures, and continuous monitoring avoids surprises at that point. One test may support multiple controls across frameworks.
Common Control Abbreviations
AC - Access Controls
AVA - Availability
C - Confidentiality
CCPA - CCPA
CM - Configuration/Change Management
COM - Communications
CP - Contingency Planning
DORA - EU DORA
GDPR - GDPR
GOV - Governance
I - Integrity
IR - Incident Response
MP - Media Protection
MSFT - Microsoft
NET - Network Security
ORG - Organizational
P - Privacy
PCI - Payment Card Industry
PHYS - Physical Security
PI - Processing Integrity
RA - Risk Assessment
SR - Supply Chain Risk Management
VM - Vulnerability Management
ZT - Zero Trust
Frequently Asked Questions (FAQ)
Can Controls and Tests be active without being mapped to a Framework Requirement?
- No. A Control that is not mapped to an active (applicable) Framework Requirement shows up as unmapped in the inactive tab of the Controls page.
Why do I not have a status on my enabled Test?
- A Test only generates a status when it is mapped to a Control that is in turn mapped to an active Framework Requirement.