Define Control Frameworks
The Define Control Frameworks page is designed to help you create and manage frameworks and controls effectively. If you need assistance getting started, we provide several easy options to acquire frameworks and controls with minimal effort.
One excellent option is the Compliance Forge SCF Extra, which is offered at no cost to all registered SimpleRisk Instances. After registering your instance (Configure → Register & Upgrade), you can activate and utilize the Compliance Forge SCF, a comprehensive controls framework featuring 875 controls that are aligned with 148 different frameworks. Although the specific wording of each control may differ, the overarching expectations will give you a solid foundation for managing governance in your organization.
Additionally, we offer a paid Import/Export feature that allows you to import frameworks and controls that you may have already defined in a CSV format. This feature also includes convenient one-click installations, enabling you to access a variety of frameworks and controls effortlessly. The frameworks available for one-click installation include:

- AICPA 2017 SOC2 Trust Services Criteria (TSC)
- CIS Critical Security Controls v7
- CMMC v1.02 Maturity Levels 1 to 5
- FedRAMP Baseline Controls (Low, Moderate, High)
- Information Security Regulation Version 2.0
- NIST 800-53
- NIST 800-171
- NIST Cybersecurity Framework (CSF)
- PCI Data Security Standard v3.2.1
With these options to populate your page now covered, let's explore the various features and capabilities available to you.
This page is divided into two sections: Frameworks and Controls. Frameworks govern the status, usage, and descriptions of frameworks while the controls side.
Frameworks

- Frameworks - This tab provides an overview of the Frameworks established within the system. Currently, it serves as a view-only section since we are already within the Frameworks area of the Define Frameworks page.
- Controls - Clicking on this tab will direct you to the controls section, where you can define, manage, and delete controls. We will explore this section in more detail later in the document.
- Add (“+”) - This button enables you to create a new framework. You will be prompted to provide a Name, a Description, and any relevant parent associations with other frameworks that are already defined in the system.
- Active Frameworks - This tab lists the frameworks that are currently active. These frameworks can be utilized in the Compliance section, and any notifications related to ongoing tests will be sent as long as the framework remains active. You have the ability to click and drag frameworks between the active and inactive tabs as needed.
- Inactive Frameworks - This tab displays the frameworks that have been marked as inactive. These frameworks and their associated controls will not be visible in any other section of SimpleRisk while they remain inactive. Additionally, no notifications will be dispatched for any tests linked to them prior to their deactivation. You can move frameworks back to the active tab from here by clicking and dragging.
- Edit Framework - By clicking this button, you can modify the details of an existing framework. Please note that the controls tied to this framework will not be available for editing in this section; those can be adjusted in the Controls tab, which we will cover later in the document.
- Delete Framework - This button allows you to remove a framework from the system. It's important to note that deleting a framework does not automatically delete its controls; the linkage between that framework and its controls will simply be severed.
Controls

- Frameworks Tab - This tab navigates you back to the frameworks section where you can create and manage your frameworks.
- Controls Tab - This tab takes you to the Controls section, enabling you to create and manage controls effectively.
- Control Class Filter - Use this filter to select one or more control classes to display. Only the chosen control classes will appear once a selection is made.
- Control Phase Filter - This filter allows you to select one or more control phases to view. Only the selected control phases will be displayed after your selection.
- Control Family Filter - With this filter, you can choose one or more control families to display. Once selected, only those control families will be visible.
- Control Owner Filter - This filter lets you select one or more control owners to view. Once a selection is made, only the selected control owners will be shown.
- Control Framework Filter - This filter allows you to select one or more control frameworks to view. Please note that only active frameworks will be displayed after making your selection.
- Control Priority Filter - Use this filter to choose one or more control priority levels for viewing. Only the selected priority levels will be shown after your selection.
- Control Type Filter - This dropdown menu allows you to filter displayed controls by type. The default options are Standalone, Project, and Enterprise.
- Control Status Filter - Narrow your results based on the current pass/fail status of a control using this filter.
- Filter By Text - This feature enables you to search across all fields associated with any control.
- Create Control - Click here to open a menu for entering the details of a new control. Remember, any information entered will not be saved until you click the save button.
- Control Short Name - This field is for storing a short form name for a control, which you will frequently reference.
- Control Long Name - This field accommodates a full-length name, which is less commonly displayed in SimpleRisk references.
- Control Number - Typically used as a section ID or identifier, this helps locate detailed information for a specific control.
- Control Owner - This field identifies the party responsible for the knowledge and execution of a given control.
- Control Priority - Use this field to assign a priority level to a control.
- Current Control Maturity - This field allows your organization to document its current control maturity using the
- Control Class - This field enables you to define and categorize your controls more precisely by class. You can update the available values through the Add & Remove Values page located in the Configure menu at the top.
- Desired Control Maturity - This field allows your organization to record its desired level of control maturity, with options including Not Performed, Performed, Documented, Managed, Reviewed, or Optimizing.
- Control Phase - This field allows you to designate a control phase. The default options include Physical, Procedural, Technical, and Legal & Regulatory. Additional options can be added via the Add & Remove page in the Configure menu at the top.
- Mitigation Percent - This field lets you store a percentage that, when applied to a risk mitigation, will adjust the inherent risk to produce a residual risk score. Only the highest mitigation percentage will be considered in this calculation.
- Control Family - This field helps you categorize your control according to its family.
- Control Type - SimpleRisk offers three types of controls: Standalone, which operate independently; Project, which are designed to keep projects on track and within budget; and Enterprise, which enable integration of information across multiple processes. When the Enterprise type is selected, SimpleRisk tracks the control's status during audits or compliance tests. If a compliance assessment fails, the mitigation percentage from this control will be set to 0. Conversely, if the assessment passes and the control is designated as both “Project” and “Enterprise,” the Control Validation Mitigation Percent in the Mitigation will be adjusted to half of this control's Mitigation Percent.
- Control Status - This field captures the current pass/fail status of a control, which will be updated based on the outcomes of compliance assessments, particularly for Enterprise controls.
- Description - This field is designated for detailing the control and its requirements.
- Supplemental Guidance - Users can upload any supporting documents related to the control here. The supported file formats are determined by the settings in Configure → Settings → File Upload tab.
- Mapped Control Frameworks - In this section, you can use the create control button to associate the control with an existing framework. The system allows for multiple frameworks to be linked to a single control, making it easier to manage controls across various frameworks by assigning a control number for cataloging purposes.
Summary
The Governance Define Frameworks page allows you to add and manage your Control Frameworks in SimpleRisk. This page should have answered all questions related to the Define Frameworks page, but if you feel anything has been missed or need further clarification, please reach out to us at support@simplerisk.com.