Glossary of Compliance Terms

This glossary contains terms and key concepts that will help you make better use of the Compliance Management module of KnowBe4's KCM GRC platform.

In addition to the main terms below, you can find related concepts under each section.

Controls

Controls can be thought of as the method, evidence, or proof that demonstrates how your organization is meeting various requirements. A control is a document, process, technical implementation, or other action that relates to one or more requirements.

Examples of Controls:

  • Disaster Recovery Policy and periodic review and testing of the policy
  • Active Directory password configuration settings review
  • Apply the latest patches to SERVER1
  • Collect Security and Privacy documentation from VENDOR
  • Review and Document Incident

We recommend making your control description very detailed. The description should include what the control is, how to review and assess the control, what type of evidence is expected as a result of a review, and where that evidence should be placed. If you should need to change ownership of the control's tasks, providing these details will make it much easier for the new user (or user group) to understand what is expected. 

The control description is used in Detailed Compliance Reports. Additionally, when creating task schedules for your controls, by default, the control description will be used as the task description. Alternatively, you can modify the task description to be specific to the task. The task description is used in task reminder emails.

Control Task Schedules

Task schedules are created in order to automatically generate tasks for a control. Schedules can recur at one of the following intervals: weekly, monthly, bimonthly, quarterly, semiannually, annually, every two years, every three years, or every five years. A control can have multiple schedules. 

If tasks are needed outside of a recurring schedule, you can create tasks on an ad-hoc basis by creating a one-time schedule.

When creating a task schedule for a control, you will assign a user to be responsible for completing the tasks under that schedule. Alternatively, under our user group workflow, the group lead can be assigned to the task schedule and can then re-assign the task to another member of their group.

Control Documents

Control documents are an optional way to provide an example of the evidence documents required from the user or users responsible for completing a task. While this is not a replacement for the evidence that is required for task completion, it is a way to support the act of gathering evidence for a particular control.

Examples of control documents:

  • A blank management sign-off form
  • A screenshot of a particular area in Active Directory

Additionally, you can use control documents to upload detailed instructions for completing a task. If you do so, when creating the task schedule, we recommend using the Task Description field to instruct the user to review the file that you've uploaded under control documents. From the View Task page, the user assigned to the task can view all of the control documents that have been uploaded to the associated control. 

Control Health

The Control Health is the percentage of a control's scheduled tasks that are complete. This percentage includes tasks with Awaiting Approval, Closed Late, and Satisfied statuses. All completed tasks increase the Control Health by the same amount, regardless of status. For example, a task with a Closed Late status will increase the Control Health by the same amount as a task with a Satisfied status.

By viewing the Control Health, you can determine what percentage of a control's tasks you need to complete to reach 100%. Incomplete tasks have Failed and Past Due statuses, so completing tasks with those statuses will increase the Control Health. 

Note: We do not include tasks with the Active status in the Control Health calculation. The Control Health accounts for tasks that are complete or overdue, and tasks with the Active status have not reached their due date.


Evidence

Evidence is provided to satisfy tasks, in order to support the control that you have in place for one or more requirements. Users can submit task evidence by uploading a file (referred to as "Document") or, when the evidence is hosted externally from KCM GRC, by providing a URL (referred to as "Link") to the evidence.

From the Documents area of your platform, the Evidence tab contains a repository of the URLs (Links) and files (Documents) that have been submitted as evidence for the controls in your account. Users with the Auditor user role can navigate this repository of evidence and see that your organization's controls are in place and operating as they should be. 

Documents (File Upload)

Uploading a document is one way you can use KCM GRC to store audit evidence. Each file that is uploaded is uniquely encrypted and stored securely in the cloud. Uploaded files are associated with a specific task.

We recommend using the file upload feature if you are not currently using a central storage facility for audit evidence. For more information, please see: Are there limitations for the various files uploaded to KCM GRC?

Links (URLs)

As an alternative to uploading documents as task evidence, you can provide a link (URL) that points to externally-hosted evidence. If you are currently using a centralized storage area on your internal network for maintaining audit evidence, you do not need to upload files to KCM GRC. By providing a URL to the evidence, you get the benefit of linking that information to a specific control (via a task) without storing files in multiple places.

Additionally, any web-based file storage application can be used, whether it's internal to your network or external, such as SharePoint, Dropbox, Google Drive, Jira, etc.


Requirements

A requirement is a concrete statement that describes a compliance objective, audit finding, best practice, or another obligation that the organization is striving to achieve or correct.

Some examples of requirements are:

  • PCI DSS 1.1.2 – Current Network Diagram – There must exist a current network diagram with all connections to cardholder data, including any wireless networks.
  • HIPAA 164.308(a)(2)(ii) – Facility Security Plan – Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  • Internal IT Audit FY2015 – Finding #4 Missing Security Patches – The following servers did not have the most recent security patches applied: SERVER1.

You can use requirements from the managed templates that are offered by KCM GRC, or you can create custom requirements. As a best practice for creating custom requirements, add the requirements to a custom template, then convert the template to a scope to begin working toward achieving your requirements.

Scoped Requirements

When a requirement is added to a scope (by converting a template to a scope, by cloning a scope, or by mapping a requirement to a scope), a scoped version of the requirement is created under the scope. The scoped requirement has a one-to-one relationship with controls. This means that if a control applies to a requirement that is included in multiple scopes, you will map the control to each scoped version of the requirement. For more information, see our KCM GRC: Mapping Requirements and Controls article.


Scopes

A scope is an umbrella structure to manage a series of related requirements, controls, and evidence. A scope is a way to describe the boundaries of a project or audit. Under KCM GRC's Compliance Management module, user permissions and some reports are divided up by scope.

For example, scopes can represent separate physical locations; different ongoing compliance initiatives; remediation and audit findings; incident and vendor management; or tracking a project.

Scopes are typically created from custom templates or managed templates.

Scope Self-Assessment

Each scope has a set of requirements. Each requirement has a self-assessment status. You can set the status for each requirement under a scope by completing the Scope Self-Assessment. For more information, see our Completing a Scope Self-Assessment article. 

Scope Export

You can use our scope exports feature to export information about your scopes from your account. Exporting your scope information may be beneficial during an audit, or if you need to keep a record of the status of your controls and evidence at a particular point in time. See our Scope Exports article to learn more.

Scope Health

The Scope Health is the percentage of a scope's scheduled tasks that are complete. This percentage includes tasks with Awaiting Approval, Closed Late, and Satisfied statuses. All completed tasks increase the Scope Health by the same amount, regardless of status. For example, a task with a Closed Late status will increase the Scope Health by the same amount as a task with a Satisfied status.

By viewing the Scope Health, you can determine what percentage of a scope's tasks you need to complete to reach 100%. Incomplete tasks have Failed and Past Due statuses, so completing tasks with those statuses will increase the Scope Health. 


Tasks

Tasks allow for the continuous monitoring of controls. They provide an opportunity to collect evidence relating to a control on a periodic basis, so you will be prepared when it is time for an audit. Tasks are automatically created as part of an ongoing task schedule. Additionally, you can create a one-time task schedule, on an ad-hoc basis. For additional information, see the Controls section above.

Automated email reminders are sent to the user responsible for the task when the task's due date is approaching.

You have the option to assign one or more users to approve the evidence submitted for a task. To learn more, see the resources below.

Additional Resources:


Templates

Compliance templates are the highest-level object within KCM GRC. A template is a repository or collection of requirements that are related to one another. A compliance template can either be a managed template—which is created and kept up-to-date by KnowBe4—or a custom template created by the KCM GRC customer to suit their needs.

Custom Templates

Custom templates contain a group of requirements that a KCM GRC user will create and manage. This can be anything from audit requirements and findings, state and local regulations, security best practices, vendor management, incident management, IT and non-IT based projects, and more.

When creating scopes, we recommend you start with a template and convert it to a scope. That way, you can continue to utilize the template's requirements for additional compliance objectives, by adding them to additional scopes. For more information, please see our Creating Custom Templates for Scopes article. 

Managed Templates

We offer a wide variety of managed templates for your use in the KCM GRC platform. Our team ensures that we have the up-to-date versions of the published framework available for your use.

You can find a current list of the Managed Templates we offer here.


User Roles

The KCM GRC platform consists of four different modules: Compliance Management, Policy Management, Risk Management, and the Vendor Risk Management module. There are multiple user roles associated with each of the KCM GRC modules.

See our User Roles Guide for more information on the permissions that are granted with each user role.

Additionally, see our Working with User Groups article if you'd like to learn how you can work with user groups in your compliance management module.
