
Control Management


The Gap Analysis section is where you select which SCF controls apply to your organization, track their implementation progress, and assess maturity. This is the foundation of your compliance program.

Click Gap Analysis under Controls & Frameworks in the sidebar.

The interface is split into two panels:

The left panel uses virtualized scrolling (powered by react-window) for smooth performance even with thousands of controls. It displays:

  • Stats header — Shows selected count, implemented count, and gap (unselected controls)
  • Progress bar — Visual indicator of implementation progress
  • Scope by Framework — Opens a modal where you can select from 260+ frameworks to bulk-scope controls
  • Framework filters — Filter the control list to show only controls mapped to specific frameworks
  • Search — Filter by control ID, name, or domain
  • SidebarControlCard — Each card shows:
    • Checkbox for selection
    • Control ID and implementation status badge
    • Control name
    • Domain and metadata (artifact count, framework count)
    • Theme and type badges

When you select a control, the right panel shows:

  • Control header — ID, name, domain, theme, and type
  • Control Details section — Description, policy standard, implementation guidance, testing procedure
  • Maturity Roadmap — Visual roadmap showing the path from current maturity to target level
  • Business Size Guidance — Tailored implementation recommendations based on your organization size
  • SCRM Focus Badges — Supply chain risk management relevance indicators
  • Risk & Threat Context — Related risks and threat scenarios linked to this control
  • Implementation Tracking section — All the fields you can configure
  • Audit Artifacts section — Evidence items required by this control
  • Framework Mappings section — Which frameworks this control satisfies
  • Audit Log — Field-level change tracking showing who changed what and when
  • Comments — Threaded discussion for team collaboration

There are two ways to select a control:

  1. Click the checkbox on any control card to toggle its selection
  2. Or open a control and check “Include this control in scope”

The Scope by Framework button opens a modal listing all 260+ supported frameworks. Select one or more frameworks to automatically scope every control mapped to them. This is the fastest way to build your initial control scope.

For each scoped control, you can track:

Status              When to Use
Not Started         Control is scoped but no work has begun
In Progress         Implementation work is underway
Implemented         Control is fully operational
Ready for Review    Implementation is complete and awaiting audit or peer review
Monitored           Control is implemented and under active monitoring
At Risk             Implementation is delayed or has issues
Not Applicable      Control doesn’t apply to your environment
Deferred            Intentionally postponed to a future date

Set the implementation priority:

  • Critical — Must be addressed immediately
  • High — Should be completed soon
  • Medium — Normal priority
  • Low — Can be addressed when resources allow

Assess how mature your control implementation is. The Maturity Roadmap in the detail panel visualizes your current level and the path to your target.

Level   Name          Description
L0      Incomplete    No process or ad-hoc activity
L1      Initial       Ad-hoc, inconsistent processes
L2      Developing    Repeatable but undocumented
L3      Defined       Documented and standardized
L4      Managed       Monitored and measured
L5      Optimized     Continuously improving

Additional tracking fields:

  • Owner Team — Select the responsible team (e.g., Security Operations, DevSecOps, GRC)
  • Assigned To — Specify the individual responsible (email address)
  • Completion Date — Target or actual completion date
  • Selection Reason — Document why this control was selected
  • Implementation Notes — Describe how the control is implemented

Link to policies, procedures, or other documents:

  1. Click + Add Document
  2. Enter a Document ID (e.g., “POL-001”)
  3. Optionally add a URL to the document
  4. Click the button to remove a document

Click ▼ Advanced Stats to expand the gap analysis panel, which shows:

Coverage by domain: see how many controls are selected vs. the total for each control domain (Access Management, Data Security, etc.). A checkmark (✓) means full coverage; a number shows the gap (how many controls in that domain are still unselected).

Analyze coverage by theme:

  • Protect — Preventive controls
  • Detect — Monitoring and detection
  • Respond — Incident response
  • Recover — Business continuity

Coverage breakdown by control type:

  • Technical — Technology-based controls
  • Administrative — Policy and procedure controls
  • Physical — Physical security controls
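The scoping and gap computations described above, as an added illustration that is not part of the product's own code: a constructed set of sample controls is bulk-scoped by framework, then the stats-header counts and the per-domain, per-theme and per-type coverage (✓ or gap number) are derived from it. Which statuses count as "implemented" in the header is an assumption made here.

```python
from dataclasses import dataclass


@dataclass
class Control:
    """One control record (constructed sample; field names are assumptions, not the product's schema)."""
    control_id: str
    name: str
    domain: str
    theme: str               # Protect / Detect / Respond / Recover
    control_type: str        # Technical / Administrative / Physical
    frameworks: frozenset    # frameworks this control is mapped to
    selected: bool = False
    status: str = "Not Started"


# Constructed sample data; IDs and mappings are illustrative, not real SCF content.
CONTROLS = [
    Control("IAC-01", "Identity & Access Management", "Access Management", "Protect", "Administrative", frozenset({"ISO 27001", "NIST 800-53"})),
    Control("IAC-15", "Account Management", "Access Management", "Protect", "Technical", frozenset({"NIST 800-53"})),
    Control("MON-01", "Continuous Monitoring", "Continuous Monitoring", "Detect", "Technical", frozenset({"ISO 27001", "SOC 2"})),
    Control("IRO-02", "Incident Handling", "Incident Response", "Respond", "Administrative", frozenset({"SOC 2"})),
    Control("PES-03", "Physical Access Control", "Physical Security", "Protect", "Physical", frozenset({"ISO 27001"})),
    Control("BCD-01", "Business Continuity", "Business Continuity", "Recover", "Administrative", frozenset({"NIST 800-53"})),
]


def scope_by_framework(controls, frameworks):
    """Select every control mapped to at least one chosen framework; returns the selected IDs in list order."""
    chosen = set(frameworks)
    for c in controls:
        if c.frameworks & chosen:
            c.selected = True
    return [c.control_id for c in controls if c.selected]


def header_stats(controls):
    """Selected / implemented / gap counts as shown in the stats header (implemented = status 'Implemented', an assumption)."""
    selected = sum(c.selected for c in controls)
    implemented = sum(c.selected and c.status == "Implemented" for c in controls)
    return {"selected": selected, "implemented": implemented, "gap": len(controls) - selected}


def coverage_by(controls, attr):
    """Group by domain/theme/control_type: '✓' when every control in the group is selected, else the number missing."""
    groups = {}
    for c in controls:
        key = getattr(c, attr)
        sel, total = groups.get(key, (0, 0))
        groups[key] = (sel + c.selected, total + 1)
    return {k: "✓" if sel == total else total - sel for k, (sel, total) in groups.items()}


if __name__ == "__main__":
    print(scope_by_framework(CONTROLS, ["ISO 27001"]))
    print(header_stats(CONTROLS), coverage_by(CONTROLS, "domain"), coverage_by(CONTROLS, "theme"))
```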

The Audit Artifacts section shows evidence items required by the selected control:

  • Tracking status — ✅ (tracked) or ⚪ (not tracked)
  • Artifact ID — Unique identifier
  • Artifact title — Description of the evidence
  • Collecting system — System responsible for collecting this evidence (if tracked)

Artifacts are grouped by domain for easier navigation.

The Framework Mappings section shows which compliance frameworks this control satisfies and the specific requirement references (e.g., “A.9.1.1” for ISO 27001).

This helps you understand the compliance value of each control—controls mapped to many frameworks provide broader coverage.

If the control has been saved to the database, you can assign team members using the Assignment Picker.

The Audit Log panel provides field-level change tracking for every scoped control. Each entry records:

  • Which field was changed
  • Previous and new values
  • Who made the change
  • Timestamp

This gives your audit team a complete history of implementation decisions without relying on external tracking.

The comment thread supports threaded discussions for implementation decisions, questions, and approvals. Comments support:

  • Threaded replies
  • @mentions (if configured)
  • Timestamp tracking

All changes are automatically saved as you make them. You’ll see a “💾 Saving…” indicator briefly appear while changes are being persisted.

When building your initial scope:

  1. Start with a framework — Use “Scope by Framework” to select your primary compliance target
  2. Review and refine — Deselect controls that don’t apply to your environment
  3. Check Business Size Guidance — Review the tailored recommendations for each control

For ongoing management:

  1. Update status regularly — Move controls through statuses as work progresses (In Progress, Implemented, Ready for Review, Monitored)
  2. Document as you go — Add implementation notes when completing work
  3. Use completion dates — Track actual vs. planned completion
  4. Assess maturity — Use the Maturity Roadmap to track L0-L5 progression
  5. Review the Audit Log — Check change history before audits to ensure accuracy

For team collaboration:

  1. Assign ownership — Every scoped control should have an owner team
  2. Use comments — Discuss implementation approaches in the comments
  3. Link documentation — Connect controls to policies and procedures