Control Library
Manage security and compliance controls across all your frameworks.
Overview
The Control Library provides a centralized view of all compliance controls, their implementation status, and associated evidence.
Navigate to Control Library in the sidebar to access your controls.
Control Structure
Frameworks
Controls are organized by compliance framework:
- SOC 2 Type II
- ISO 27001
- PCI-DSS
- HIPAA
- GDPR
- NIST CSF
- DORA
Control Categories
Each framework organizes controls into categories:
SOC 2 Example:
CC1 - Control Environment
CC2 - Communication and Information
CC3 - Risk Assessment
CC4 - Monitoring Activities
CC5 - Control Activities
CC6 - Logical and Physical Access
CC7 - System Operations
CC8 - Change Management
CC9 - Risk Mitigation
Control Details
Each control includes:
| Field | Description |
|---|---|
| Control ID | Unique identifier (e.g., CC6.1) |
| Title | Control name |
| Description | Full control requirement |
| Category | Parent category |
| Framework | Associated framework |
| Status | Implementation status |
| Owner | Responsible person |
| Evidence | Linked evidence items |
Control Status
Status Types
| Status | Description |
|---|---|
| Not Started | Control not yet addressed |
| In Progress | Implementation underway |
| Implemented | Control is in place |
| Not Applicable | Control doesn't apply |
| Failed | Control failed testing |
Status Workflow
Not Started → In Progress → Implemented
↓
Not Applicable
↓
Failed → In Progress (remediation)
Viewing Controls
Framework View
View controls organized by framework:
- Go to Control Library
- Select framework from dropdown
- Expand categories to see controls
- Click control for details
Flat View
View all controls in a searchable table:
- Click View: Table
- Sort by any column
- Filter by status, framework, or owner
Control Detail
Click any control to see:
- Full description
- Implementation guidance
- Linked evidence
- Related findings
- Audit history
- Comments
Managing Controls
Update Status
- Open control detail
- Click Status dropdown
- Select new status
- Add notes (optional)
- Click Save
Assign Owner
- Open control detail
- Click Assign Owner
- Select team member
- Click Save
Owners receive notifications for:
- Evidence expiration
- Failed assessments
- Audit requests
Add Implementation Notes
Document how your organization implements a control:
- Open control detail
- Click Implementation tab
- Add notes describing your implementation
- Click Save
Evidence Linking
Link Evidence to Control
- Open control detail
- Click Evidence tab
- Click Link Evidence
- Select existing evidence or upload new
- Click Link
View Control Evidence
The Evidence tab shows all linked evidence:
| Evidence | Type | Status | Collected |
|---|---|---|---|
| access_policy.pdf | Document | Approved | Jan 1 |
| user_review.xlsx | Spreadsheet | Draft | Dec 15 |
| [scan] config_check | Automated | Current | Today |
Evidence Coverage
View evidence coverage percentage:
CC6.1 - Access Controls
Evidence Coverage: 80%
████████████████░░░░ 4/5 required items
Control Testing
Manual Testing
Record manual control tests:
- Open control detail
- Click Testing tab
- Click Record Test
- Enter test results
- Attach evidence
- Click Save
Automated Testing
CyberOrigen automatically tests controls via:
- Vulnerability scans
- Configuration checks
- Access reviews
Automated results appear in the Testing tab.
Test History
View historical test results:
| Date | Type | Result | Tester |
|---|---|---|---|
| Jan 1 | Manual | Pass | John |
| Dec 1 | Automated | Pass | System |
| Nov 1 | Manual | Fail | Jane |
Control Mapping
Cross-Framework Mapping
See how controls map across frameworks:
SOC 2 CC6.1 (Access Controls)
├── Maps to: ISO 27001 A.9.1.1
├── Maps to: PCI-DSS 7.1
├── Maps to: HIPAA §164.312(a)
└── Maps to: NIST CSF PR.AC-1
Finding Mapping
View security findings related to each control:
- Open control detail
- Click Findings tab
- See linked vulnerabilities
- Track remediation status
Bulk Operations
Bulk Status Update
Update multiple controls at once:
- Select controls using checkboxes
- Click Bulk Actions
- Select Update Status
- Choose new status
- Click Apply
Bulk Assignment
Assign multiple controls to an owner:
- Select controls
- Click Bulk Actions → Assign
- Select owner
- Click Apply
Export Controls
Export control data:
- Click Export
- Select format (CSV, Excel, PDF)
- Choose columns to include
- Click Download
Custom Controls
Professional Feature
Custom controls require a Professional or Enterprise plan.
Create Custom Control
Add organization-specific controls:
- Click Add Control
- Select framework (or "Custom")
- Enter control details:
  - ID
  - Title
  - Description
  - Category
- Click Create
Import Controls
Import controls from spreadsheet:
- Click Import
- Download template
- Fill in control data
- Upload completed file
- Review and confirm
Reporting
Control Status Report
Generate status report:
Control Status Summary
Framework: SOC 2 Type II
Total Controls: 64
Status            Count   Percentage
─────────────────────────────────────
Implemented       52      81%
In Progress       8       13%
Not Started       2       3%
Not Applicable    2       3%
Gap Analysis
Identify controls needing attention:
- Go to Reports → Gap Analysis
- Select framework
- View controls by status
- Export for remediation planning
Compliance Score
View overall compliance score:
SOC 2 Type II Compliance Score
Current: 81%
████████████████░░░░
Target: 95%
Remaining: 14% (9 controls)
API Access
# List controls
GET /api/v1/controls?framework=soc2

# Get control details
GET /api/v1/controls/{control_id}

# Update control
PATCH /api/v1/controls/{control_id}
{
  "status": "implemented",
  "owner_id": "user_123",
  "notes": "Implemented via SSO"
}

# Link evidence
POST /api/v1/controls/{control_id}/evidence
{
  "evidence_id": "evidence_456"
}

See API Reference for full documentation.
Best Practices
- Assign Owners: Every control should have an owner
- Regular Reviews: Review control status quarterly
- Link Evidence: Attach evidence as you implement
- Document Implementation: Explain how controls are met
- Test Regularly: Schedule periodic control testing
- Track Gaps: Monitor and remediate gaps promptly
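
The following is an added example, not CyberOrigen code: a script that runs the Best Practices above as checks over an exported control list and reproduces the figures in the Compliance Score section. The CSV column names, the sample rows, and the scoring rule (Implemented divided by total controls, which matches 52 of 64 = 81%) are assumptions.

```python
import csv
import io

# Constructed sample export. Column names are assumptions, not the
# product's documented CSV schema.
SAMPLE_CSV = """control_id,status,owner,evidence_count
CC6.1,Implemented,alice,4
CC6.2,Implemented,,2
CC6.3,Implemented,bob,0
CC7.1,In Progress,carol,1
CC7.2,Not Started,,0
CC8.1,Failed,dave,3
CC9.1,Not Applicable,,0
"""

OPEN_STATUSES = ("Not Started", "In Progress", "Failed")

def load_controls(text):
    return list(csv.DictReader(io.StringIO(text)))

def compliance_score(controls):
    # Assumed rule: Implemented / total controls, rounded to a whole percent.
    implemented = sum(c["status"] == "Implemented" for c in controls)
    return round(100 * implemented / len(controls))

def controls_to_target(total, implemented, target_pct):
    # Integer ceiling of target_pct% of total, minus what is already implemented.
    needed = -(-target_pct * total // 100)
    return max(0, needed - implemented)

def find_gaps(controls):
    gaps = []
    for c in controls:
        status = c["status"]
        if status == "Not Applicable":
            continue  # out of scope, no owner or evidence expected
        if not c["owner"].strip():
            gaps.append((c["control_id"], "no owner"))
        if status == "Implemented" and int(c["evidence_count"]) == 0:
            gaps.append((c["control_id"], "implemented without evidence"))
        if status in OPEN_STATUSES:
            gaps.append((c["control_id"], f"status: {status}"))
    return gaps

if __name__ == "__main__":
    controls = load_controls(SAMPLE_CSV)
    print(f"score: {compliance_score(controls)}%")
    print(*find_gaps(controls), sep="\n")
```

With the report's own numbers, `controls_to_target(64, 52, 95)` gives the 9 controls shown as remaining to reach the 95% target.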