Creating a new control requires Control View and Control Author permissions. There are three types of controls:
- Control with subcontrols;
- Control with a single subcontrol; and
- Audit-friendly controls.
Controls with subcontrols are the most common type of control. The control is a container for specific subcontrols. For example, the control might be "Ensure physical security" and the subcontrols might refer to specific aspects of physical security.
A control with a single subcontrol binds a control to a single subcontrol, creating a control that can act like a subcontrol if necessary. Use this type when a control does not have multiple aspects.
Audit-friendly controls include design and effectiveness tests in order to be self-documenting. For more information, see Using Audit-Friendly Controls.
To create a new control:
- Open RiskVision Vendor Risk Manager.
- Go to > Controls and Questionnaires.
- Navigate to a writable control group in the Organization Content tree (Control groups in the Content tree, for example, are read-only) and click New Control.
- Select a Control Type. Selecting the Flexible Tests and Documentation option changes the attributes in the lower part of the screen. For more information about creating that kind of control, see Using Audit-Friendly Controls.
- Enter the parameters:

| Parameter | Description |
| --- | --- |
| Title | Enter a name for the new control. This is the only required field. |
| Control Statement | Enter an optional statement to be associated with the new control. Clicking the field pops up the rich text editor. The control statement specifies the actions or checks that must be provided by supporting subcontrols (automated or manual/questionnaire). |
| Identifier | Enter an optional identifier for the new control. |
| Status | Select a status, such as Draft, In Testing, Final, or Review. The Status field lets you specify the stage of control development or completion. Later on, you can use this information to identify and track controls in various stages of completion. |
| Key Control | Choose Yes if this is a key control. The Key Control field indicates whether this control must be included when a user selects control options only to implement or use key controls in measuring risk and policy compliance. |
| Version | Enter the new control's version in any consistent format. |
| Target Entity's Preferred Ownership | Choose users, teams, and roles to be preferred owners of the new control. |
| Reference Numbers | Enter any meaningful reference numbers (for example, referring to specific internal or regulatory standards). This field lets you specify information corresponding to related control framework or regulation reference numbers, for example, ISO-17799 1.4.1. To enter multiple reference numbers, you can include the reference numbers in a comma-separated list. |
| Weight | Enter a weight for the new control. The default is 1.0. This value indicates the weight (between 0 and 1) assigned to this control. When compliance and risk scores are rolled up, values are calculated based on the percentage this control's weight contributes to the total weight of controls at the same level in a hierarchy. |

- Click Save to create the new control, or Cancel to return to viewing controls.
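The Weight and Key Control descriptions above, worked through as an added example (this is not RiskVision code): each control's share is its weight divided by the total weight of its siblings, and scores roll up level by level. The control titles, the leaf scores, and the rule that a key-controls-only calculation drops non-key controls before weights are normalized are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Control:
    title: str
    weight: float = 1.0              # default weight stated on the page
    key_control: bool = False
    score: Optional[float] = None    # leaf compliance score 0-100 (constructed)
    children: List["Control"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0.0 <= self.weight <= 1.0:
            raise ValueError(f"{self.title}: weight must be between 0 and 1")

def shares(siblings: List[Control]) -> Dict[str, float]:
    """Fraction of the level's total weight that each sibling contributes."""
    total = sum(c.weight for c in siblings)
    return {c.title: (c.weight / total if total else 0.0) for c in siblings}

def rollup(node: Control, key_only: bool = False) -> Optional[float]:
    """Weighted score of a node; None when nothing beneath it is in scope."""
    if not node.children:
        in_scope = node.key_control or not key_only   # assumed key-only rule
        return node.score if in_scope else None
    scored = [(c.weight, s) for c in node.children
              if (s := rollup(c, key_only)) is not None]
    total = sum(w for w, _ in scored)
    if total == 0:
        return None                                   # avoid dividing by zero
    return sum(w / total * s for w, s in scored)

# Constructed sample hierarchy; titles and scores are illustrative only.
PHYSICAL = Control("Ensure physical security", weight=1.0, children=[
    Control("Badge access", 1.0, True, 90.0),
    Control("Visitor log", 0.5, False, 60.0),
    Control("CCTV retention", 0.5, True, 40.0),
])
MEDIA = Control("Media handling", weight=0.5, children=[
    Control("Media disposal", 1.0, False, 100.0),
])
ROOT = Control("Organization content", children=[PHYSICAL, MEDIA])

if __name__ == "__main__":
    print(shares(PHYSICAL.children))
    print(rollup(ROOT), rollup(ROOT, key_only=True))
```

In this sample, lowering the weight of "Visitor log" to 0.5 halves its pull on the group score relative to "Badge access", and a key-only calculation removes it from the denominator entirely.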