New Control Implementation

gourav_aggarwal · 3 weeks ago

I have a requirement suppose there is a new regulation coming for an organization and need to create new control objective and also new controls in an organization. Where is the that step in the control lifecycle where control owner needs to set up/create new control for that particular control objective. Because in attestation they are only asking if the control is implemented and giving default 14 days. Implementing a new control will take longer time first time, right?

Rafael Cardoso · 3 weeks ago

What kind of regulation are we talking about, internal or external?

External: you should start from Authority Documents → Citations → Control Objectives.
Internal: you should start from Policies → Control Objectives.

From there, the Control Owner creates the required controls under the Control Objective, that’s the step in the lifecycle where new controls are defined. You need to build the "hierarchy" in order to roll up the compliance score properly.

Regarding attestations duration, the due days (e.g., 14) are a fixed configuration on the attestation type. It’s not about how long a control has existed. New controls don’t take inherently longer to attest than existing ones the implementation effort happens earlier when defining and setting up the control.

Raf

Helpful post? Don’t forget to bookmark it, give it kudos, or mark it as the answer to help the community grow!

gourav_aggarwal · 3 weeks ago

Thanks Rafael, So it means if new control needs to be implemented or go live , it has to be done once control is in draft state? because once control is created by control owner, he needs to implement it first and then send it for attestation to confirm if control is working as intended. ?