Control objectives form

  • Release version: Australia
  • Updated March 12, 2026
Use the control objectives form to capture all the information that you need to associate a control objective with a question using the Third-party Risk Management application.

    Table 1. Control Objectives form
    Field | Description
    Name | Name of the control objective.
    Source | Source of the control objective. For example, if the control objective is from a third-party provider, indicate which one.
    Source ID | Unique identification number used by the source to catalog this control objective.
    Reference | Unique numerical identifier.
    Parent | Control objective that is not a child of the current control objective. This is to avoid a cyclic parent-child relationship.
    Compliance Score Percentage | Compliance score percentage calculated for this control objective and its color code:
    • 80 and higher in green
    • 80 to 50 in yellow
    • below 50 in red
    Active | Option that indicates whether a control objective is active.
    Creates controls automatically | Option that indicates that controls are automatically created from the control objective.
    Note: Select this option if the control objective can also serve as the control.
    Category | List of options:
    • Acquisition or sale of facilities, technology, and services
    • Audits and risk management
    • Compliance and Governance Manual of Style
    • Human Resources management
    • Leadership and high-level objectives
    • Monitoring and measurement
    • Operational management
    • Physical and environmental protection
    • Privacy protection for information and data
    • Records management
    • System hardening through configuration management
    • Systems continuity
    • Systems design, build, and implementation
    • Technical security
    • Third Party and supply chain oversight
    • Root
    Classification | List of options:
    • Preventive
    • Corrective
    • Detective
    Type | List of options:
    • Acquisition/Sale of Assets or Services
    • Actionable Reports or Measurements
    • Audits and Risk Management
    • Behavior
    • Business Processes
    • Communicate
    • Configuration
    • Data and Information Management
    • Duplicate
    • Establish Roles
    • Establish/Maintain Documentation
    • Human Resources Management
    • Investigate
    • IT Impact Zone
    • Log Management
    • Maintenance
    • Monitor and Evaluate Occurrences
    • Physical and Environmental Protection
    • Process or Activity
    • Records Management
    • Systems Continuity
    • Systems Design, Build, and Implementation
    • Technical Security
    • Testing
    • Training
    Attestation | List of options.
    • GRC Attestation is chosen by default
    Note: If the user changes the control attestation, the related control objective attestation type is also changed.
    Issue group rule | Group rule assigned to this control objective.
    Description | Description of the control objective.
    Functional domain | Functional domain for the control objective.