...
Controls
Category: your own categorisation of the security measures, useful if you handle many different types
Source: which standard or chapter of the standard these come from, possibly other requirements
Responsible: this person owns the security measure itself and will be notified at the next audit
Next audit: notice of an audit will be sent to the Responsible on this date and every 14 days thereafter
Optional: if the security measure is no longer used, it is "un-tagged".
Status: this field makes it easier to choose the right control in Risk, Assets and Purpose. If you choose "4. Not applicable" you must fill in an explanation of why, as ISO 27001 requires. The choices are:
1. To be implemented
2. Partially implemented
3. Implemented
4. Not applicable
Themes and Attributes
Themes and attributes are chosen according to the ISO/IEC 27002:2022 standard.
Action plan
When new measures are entered, they can be linked to predefined Action Plans. Since measures have cost fields, the cost picture for each Action Plan is summarised from the linked measures.
Action plans are important because one and the same security measure may have to be implemented in several different places and updated several times.
Risks
Each security measure can be risk assessed; in some cases the result is decisive for whether, and how, the measure is implemented.
Structure
Visually, the structure can be represented in this way:
A control has a form with several fields as described above.
One or more actions may be added, each of which can be linked to an Action plan. An action cannot be linked to more than one parent.
Each control can be risk evaluated. The easiest way is to choose a risk and evaluate it. See the risk module for details.
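The control structure described above, as an added illustration that is not the tool's own code: a hypothetical model with the four Status values, the rule that "Not applicable" needs an explanation, the 14-day audit notices to the Responsible, and the cost roll-up per Action Plan. The field names, the sample controls and the plan names "Plan A"/"Plan B" are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

REMINDER_INTERVAL = timedelta(days=14)  # notice on Next audit, then every 14 days

class Status(Enum):
    TO_BE_IMPLEMENTED = 1
    PARTIALLY_IMPLEMENTED = 2
    IMPLEMENTED = 3
    NOT_APPLICABLE = 4

Action = namedtuple("Action", "description cost action_plan")  # exactly one plan per action

@dataclass
class Control:
    name: str
    responsible: str         # owner who receives the audit notices
    next_audit: date
    status: Status
    actions: list = field(default_factory=list)
    justification: str = ""  # mandatory when status is NOT_APPLICABLE
    def validate(self):
        # 27001 requires an explanation for every control marked 'Not applicable'
        if self.status is Status.NOT_APPLICABLE and not self.justification.strip():
            raise ValueError(f"{self.name}: 'Not applicable' requires an explanation")

def notification_dates(control, start, end):
    """Dates in [start, end] on which the Responsible is notified of the audit."""
    due, dates = control.next_audit, []
    while due <= end:
        if due >= start:
            dates.append(due)
        due += REMINDER_INTERVAL
    return dates

def action_plan_costs(controls):
    """Total cost per action plan, summed over all linked actions."""
    totals = {}
    for control in controls:
        for action in control.actions:
            totals[action.action_plan] = totals.get(action.action_plan, 0.0) + action.cost
    return totals
SAMPLE_CONTROLS = [  # constructed, hypothetical data
    Control("Backup", "ops", date(2024, 3, 1), Status.PARTIALLY_IMPLEMENTED,
            [Action("Offsite copy", 1200.0, "Plan A"), Action("Restore test", 300.0, "Plan B")]),
    Control("Secure coding", "dev", date(2024, 6, 1), Status.TO_BE_IMPLEMENTED,
            [Action("SAST in CI", 2500.0, "Plan B")]),
]
```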
...
Videos
Add and edit security measures: https://youtu.be/_bwFFmkz6W0
Add safeguards to risk assessment: https://youtu.be/umo6SFd1-JM
...