Create a New Control

Creating a new control requires you to have Control View and Control Author permissions. There are three types of controls:

  • Controls with subcontrols: The most common type of control. A container for specific subcontrols. For example, the control might be "Ensure physical security" and the subcontrols might refer to specific aspects of physical security.
  • Controls with a single subcontrol: Binds a control to a single subcontrol, creating a control that can act like a subcontrol, if necessary. Use this type of control when a control does not have multiple aspects.
  • Audit-friendly controls:  Include design and effectiveness tests in order to be self-documenting. For more information, see Using Audit-Friendly Controls.


To create a new control: 

  1. Go to Content Risks > Controls and Questionnaires.
  2. Navigate to a writable control group in the Organization Content tree (control groups in the content tree, for example, are read-only) and click New Control.
  3. Click a Control Type. Selecting the Flexible Tests and Documentation option changes the attributes in the lower part of the screen. For more information about creating that kind of control, see Using Audit-Friendly Controls.
  4. Enter the parameters:

     Parameter Description
    TitleEnter a name for the new control. This is the only required field.
    Control StatementEnter an optional statement to be associated with the new control. Clicking the field opens the rich text editor. The control statement specifies the actions or checks that must be provided by supporting subcontrols (automated or manual/questionnaire).
    IdentifierEnter an optional identifier for the new control.
    StatusSelect a status, such as Draft, In Testing, Final, or Review. The Status field lets you specify the stage of control development or completion. Later on, you can use this information to identify and track controls in various stages of completion.
    Key ControlChoose Yes if this is a key control. The Key Control field indicates whether this control must be included when a user selects control options only to implement or use key controls in measuring risk and policy compliance.
    VersionEnter the new control's version in any consistent format.
    Target Entity's Preferred OwnershipChoose users, teams, and roles to be preferred owners of the new control.
    Reference NumbersEnter any meaningful reference numbers (for example, referring to specific internal or regulatory standards). This field lets you specify information corresponding to related control framework or regulation reference numbers, for example, ISO-17799 1.4.1. To enter multiple reference numbers, you can include the reference numbers in a comma-separated list.
    WeightEnter a weight for the new control. The default is 1.0. This value indicates the weight (between 0 and 1) assigned to this control. When compliance and risk scores are rolled up, values are calculated based on the percentage this control's weight contributes to the total weight of controls at the same level in a hierarchy.
  5. Click Save to create the new control, or Cancel to return to viewing controls.