To compare controls from two or more standards:
- Go to Content > Controls and Questionnaires.
- Expand the Controls and Questionnaires tree and go to Controls and Questionnaires > Content > Controls > Standards. A grid view of the available standards appears in the right pane.
- Select two standards, then click View Common Controls to open the Common Control Report.
Optional: Click on a check mark in the standard column to see details of the common sub-controls.
Optional: Click on a sub-control to display a pop-up with information related to the sub-control.
If the sub-control identifier of the first sub-control is used as a reference number in the second sub-control or vice versa, then those two sub-controls are common controls.
You can now compare the degree of overlap between the controls and sub-controls of the various frameworks and regulations that you need to comply with. You can also see the controls and sub-controls from which answers can be copied.
Example 1
Organization ABC is completing the following assessment:
Example 2
You want to create a new program with the following details:
When creating the program, click New Program wizard > Options tab. Click Automatically answer unanswered controls using results from related controls.
With this option enabled, any controls left unanswered in the current program's questionnaire use results from related controls that were answered in a different assessment. This is where the Common Controls Framework comes into play: if the controls overlap, the responses used to answer controls in one assessment are automatically reused to answer controls in a different assessment.
- Apply compliance score from the related controls: Responses from a related control will be used to calculate the compliance scores.
- Apply answers from the related controls when controls have exactly the same set of choices: The framework first validates whether the same set of answer choices is used in the related controls. If it is, the answers are used as responses to the questionnaire.
Now, when an assessment using the control "Access Control practices" moves through the workflow and does not have responses to all the controls, responses from the "Compliance with Access Control" program are used to populate the compliance scores, since the controls are common and overlapping.
The Common Control Framework only works when controls have the same question text and the same set of choices.
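The following added example (not the product's own code) models the two rules described above: sub-controls are common when one's identifier appears as a reference number in the other, and answers are reused only when question text and the set of choices match. The `SubControl` fields, function names and sample standards are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SubControl:            # hypothetical model, not the product's schema
    identifier: str          # sub-control identifier within its own standard
    references: frozenset    # reference numbers it cites from other standards
    question: str            # question text shown in the questionnaire
    choices: frozenset       # answer choices (compared as a set: an assumption)

def is_common(a, b):
    # Common when either identifier is used as a reference number in the other.
    return a.identifier in b.references or b.identifier in a.references

def can_copy_answer(a, b):
    # Answers carry over only for common controls with identical question
    # text and exactly the same set of choices.
    return is_common(a, b) and a.question == b.question and a.choices == b.choices

def common_report(std_a, std_b):
    """Return (common pairs, copyable pairs, share of std_a that overlaps)."""
    pairs = [(a, b) for a in std_a for b in std_b if is_common(a, b)]
    common = [(a.identifier, b.identifier) for a, b in pairs]
    copyable = [(a.identifier, b.identifier) for a, b in pairs if can_copy_answer(a, b)]
    overlap = len({a for a, _ in common}) / len(std_a) if std_a else 0.0
    return common, copyable, overlap

# Constructed sample standards (identifiers and questions are made up).
YES_NO = frozenset({"Yes", "No"})
STD_A = [
    SubControl("A-1.1", frozenset({"B-9.2"}), "Is access reviewed quarterly?", YES_NO),
    SubControl("A-1.2", frozenset(), "Are passwords rotated?", YES_NO),
    # Same wording as B-9.4 but no cross-reference, so not a common control.
    SubControl("A-1.3", frozenset(), "Is remote access logged?", YES_NO),
]
STD_B = [
    SubControl("B-9.2", frozenset(), "Is access reviewed quarterly?", YES_NO),
    # References A-1.2 (common) but offers a different set of choices.
    SubControl("B-9.3", frozenset({"A-1.2"}), "Are passwords rotated?",
               frozenset({"Yes", "No", "N/A"})),
    SubControl("B-9.4", frozenset(), "Is remote access logged?", YES_NO),
]

if __name__ == "__main__":
    common, copyable, overlap = common_report(STD_A, STD_B)
    print("common:", common)
    print("answers can be copied:", copyable)
    print(f"overlap of standard A: {overlap:.0%}")
```
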