Create a control

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read

    • Controls are automatically generated when you associate a policy with an entity type or an entity type with a control objective. A control is created for each entity listed in the entity type for the control objective. Controls can also be manually created.

    Before you begin

    Role required: sn_compliance.admin or sn_compliance.manager

    Procedure

    1. Navigate to All > Policy and Compliance > Controls > All Controls.
    2. Click New.
    3. On the form, fill in the fields.
      Table 1. Control form
      Field Description
      Name Name of the control.
      Number Unique identification number.
      Entity Related entity.
      Note:
      If you change the state of the entity to Active from Retired state, then the manually created control on the entity also moves to the Draft state.
      Inherit from control objective Option to indicate whether the control is created through item generation process. For more information, see Multiple controls for a unique entity–control objective combination.
      Control Objective Related control objective.
      Owning group Group that owns the policy.
      Owner User that owns the policy.
      Note:
      The owner is always added as a respondent. The control owner that you select belongs to the owning group.
      Key control Indicator that the control is a key control.
      Weighting Value used to calculate the control score effectiveness. Based on the control weighting, in the control score effectiveness value is calculated ​
      Status Control status. Possible choices are:
      • Compliant
      • Non-compliant
      • Not applicable
      State Control state. Possible choices are:
      • Draft In this state, all compliance users can modify the control. Only available when creating a one-off control. One-off controls are possible but not recommended.
      • Attest When the control is created from a control objective, controls are in this state.
        Note:
        When a control is set back to draft, the attestation is canceled.
      • Review Controls are automatically moved to review from the attestation phase.
      • Monitor In this state, all compliance managers can move the control from review to monitor.
      • Retired Compliance managers or administrators can move a control from Monitor to Retired.
        Note:
        When a control is retired:
        • Associated indicators do not run
        • Associated attestations are canceled
        • Changes to associated control objectives do not update the control
      Exempt Mark the control as exempted.
      Enforcement List of options:
      • Mandated
      • Voluntary
      Category List of options:
      • Acquisition or sale of facilities, technology, and services
      • Audits and risk management
      • Compliance and Governance Manual of Style
      • Human Resources management
      • Leadership and high-level objectives
      • Monitoring and measurement
      • Operational management
      • Physical and environmental protection
      • Privacy protection for information and data
      • Records management
      • System hardening through configuration management
      • Systems continuity
      • Systems design, build, and implementation
      • Technical security
      • Third Party and supply chain oversight
      • Root
      • Deprecated
      Type List of options:
      • Acquisition/Sale of Assets or Services
      • Actionable Reports or Measurements
      • Audits and Risk Management
      • Behavior
      • Business Processes
      • Communicate
      • Configuration
      • Data and Information Management
      • Duplicate
      • Establish Roles
      • Establish/Maintain Documentation
      • Human Resources Management
      • Investigate
      • IT Impact Zone
      • Log Management
      • Maintenance
      • Monitor and Evaluate Occurrences
      • Physical and Environmental Protection
      • Process or Activity
      • Records Management
      • Systems Continuity
      • Systems Design, Build, and Implementation
      • Technical Security
      • Testing
      • Training
      Classification List of options:
      • Preventive
      • Corrective
      • Detective
      • IT Impact Zone
      Frequency Frequency at which the control is tested. This field is for the control's testing and reporting purpose.
      List of options:
      • Event Driven
      • Daily
      • Weekly
      • Monthly
      • Quarterly
      • Semi-Annually
      • Annually
      Note:
      The Frequency field is intended for reporting purposes only and defines how often the control is expected to be tested or executed. It does not influence the attestation schedule. The Attestation Frequency field, however, governs how often attestations are triggered for the control. Attestations are initiated by the Control Nightly Attestation scheduled job when the control is in Review or Monitor state. This separation allows customers to track control testing independently from attestation cycles.
      Description Description of the control.
      Additional Information Additional information about the control.
      Assignment
      Owning group Group that owns the control.
      Owner User that owns the control.
      Attestation
      Attestation

      Select from a list of options.

      • Other attestation types can be configured.
      • If this field is populated, then the Attestation Respondents field automatically becomes mandatory, and the owner is made the respondent.
      Note:
      If the user changes the attestation type in the control objective, all the related controls are changed also.
      Attestation respondents
      • Users assigned to the attestation of this control.
      • Only a user with the sn_grc.user role can be added as a respondent.
      Note:
      When both the Attestation and Attestation respondents fields are set, attestations are created when you click Attest.
      Attestation frequency Frequency at which attestations on the control are triggered. If the field has no value selected, then the associated entity's Attestation frequency value defaults to this field.
      Option for attestation frequency.
      • Daily
      • Weekly
      • Monthly
      • Quarterly
      • Semi-Annually
      • Annually
      Note:
      After the attestation is complete, the control moves to Review and Monitor states. The control is then monitored for its next due date of attestation. You have the option to trigger the control's attestation frequency based on the attestation's Created date or the last completed attestation's Updated date. This option is based on the value in Trigger control attestations based on the created or updated date of the last completed attestation system property.
      Activity Journal
      Additional comments Public information about the control.
      Access Settings
      Entity based access restriction When Entity based access restriction is enabled, only users or user groups included in the access configuration for the entities associated with this control can access it.
    4. Select Copy entity frequency related link to copy the value of the Attestation frequency field of the entity to the Attestation frequency field of the control.
      When you select the Copy entity frequency related link, the respective entity’s attestation frequency gets copied to the Attestation frequency field in the Attestation section of the control table, and does not update the Frequency field of the control table.
    5. Click Submit.

    What to do next

    After you create a control, you can convert the control to a common control and add reliant entities and reliant entity types to it. For more information, see Testing common control and implementing results on multiple reliant entities.