Control Management
The Control Scoping section is where you select which SCF controls apply to your organization and track their implementation progress. This is the foundation of your compliance program.
Accessing Control Scoping
Click the Target icon in the sidebar or select Control Scoping from the navigation.
The Control Scoping Interface
The interface is split into two panels:
Left Panel: Control List
The left panel displays all available SCF controls with:
- Stats header — Shows selected count, implemented count, and gap (unselected controls)
- Progress bar — Visual indicator of implementation progress
- Advanced Stats — Expandable gap analysis by domain, theme, and type
- Bulk actions — Select All / Deselect All buttons
- Search — Filter by control ID, name, or domain
- Framework filter — Show only controls mapped to a specific framework
- Control cards — Each card shows:
  - Checkbox for selection
  - Control ID and implementation status badge
  - Control name
  - Domain and metadata (artifact count, framework count)
  - Theme and type badges
Right Panel: Control Details
When you select a control, the right panel shows:
- Control header — ID, name, domain, theme, and type
- Control Details section — Description, policy standard, implementation guidance, testing procedure
- Implementation Tracking section — All the fields you can configure
- Audit Artifacts section — Evidence items required by this control
- Framework Mappings section — Which frameworks this control satisfies
- Comments section — Discussion thread for team collaboration
Selecting Controls for Scope
Individual Selection
- Click the checkbox on any control card to toggle its selection
- Or open a control and check “Include this control in scope”
Bulk Selection
Use the bulk action buttons above the search field:
| Button | Action |
|---|---|
| ✓ Select All | Selects all controls matching current filter |
| ✗ Deselect All | Deselects all controls matching current filter |
Tracking Implementation
For each scoped control, you can track:
Implementation Status
| Status | When to Use |
|---|---|
| Not Started | Control is scoped but no work has begun |
| In Progress | Implementation work is underway |
| Implemented | Control is fully operational |
| At Risk | Implementation is delayed or has issues |
| Not Applicable | Control doesn’t apply to your environment |
| Deferred | Intentionally postponed to a future date |
Priority
Set the implementation priority:
- Critical — Must be addressed immediately
- High — Should be completed soon
- Medium — Normal priority
- Low — Can be addressed when resources allow
Maturity Level
Assess how mature your control implementation is:
| Level | Description |
|---|---|
| Initial | Ad-hoc, inconsistent processes |
| Developing | Repeatable but undocumented |
| Defined | Documented and standardized |
| Managed | Monitored and measured |
| Optimized | Continuously improving |
Ownership
- Owner Team — Select the responsible team (e.g., Security Operations, DevSecOps, GRC)
- Assigned To — Specify the individual responsible (email address)
Dates and Notes
- Completion Date — Target or actual completion date
- Selection Reason — Document why this control was selected
- Implementation Notes — Describe how the control is implemented
Related Documentation
Link to policies, procedures, or other documents:
- Click + Add Document
- Enter a Document ID (e.g., “POL-001”)
- Optionally add a URL to the document
- Click the ✕ button to remove a document
Using the Gap Analysis
Click ▼ Advanced Stats to expand the gap analysis panel, which shows:
Gap by Domain
See how many controls are selected vs. total for each control domain (Access Management, Data Security, etc.). A checkmark (✓) means full coverage; a number shows the gap.
Gap by Control Theme
Analyze coverage by theme:
- Protect — Preventive controls
- Detect — Monitoring and detection
- Respond — Incident response
- Recover — Business continuity
Gap by Control Type
Coverage breakdown by control type:
- Technical — Technology-based controls
- Administrative — Policy and procedure controls
- Physical — Physical security controls
Viewing Audit Artifacts
The Audit Artifacts section shows evidence items required by the selected control:
- Tracking status — ✅ (tracked) or ⚪ (not tracked)
- Artifact ID — Unique identifier
- Artifact title — Description of the evidence
- Collecting system — System responsible for collecting this evidence (if tracked)
Artifacts are grouped by domain for easier navigation.
Viewing Framework Mappings
The Framework Mappings section shows which compliance frameworks this control satisfies and the specific requirement references (e.g., “A.9.1.1” for ISO 27001).
This helps you understand the compliance value of each control—controls mapped to many frameworks provide broader coverage.
Collaboration Features
Assignments
If the control has been saved to the database, you can assign team members using the Assignment Picker.
Comments
Add comments to discuss implementation details, raise questions, or document decisions. Comments support:
- Threaded discussions
- @mentions (if configured)
- Timestamp tracking
Auto-Save
All changes are automatically saved as you make them. You’ll see a “💾 Saving…” indicator briefly appear when changes are being persisted.
Best Practices
Initial Scoping
- Start with a framework — Filter by your primary compliance target
- Bulk select — Use “Select All” to include all relevant controls
- Review and refine — Deselect controls that don’t apply to your environment
Ongoing Maintenance
- Update status regularly — Keep implementation status current
- Document as you go — Add implementation notes when completing work
- Use completion dates — Track actual vs. planned completion
- Assess maturity — Periodically review and update maturity levels
Team Coordination
- Assign ownership — Every scoped control should have an owner team
- Use comments — Discuss implementation approaches in the comments
- Link documentation — Connect controls to policies and procedures
Related Guides
- Dashboard Overview — See aggregated control metrics
- Evidence Management — Track evidence for controls
- Control Library — Browse all available controls