In your KCM GRC platform, we offer a broad selection of managed templates that you can use to create scopes in your account. A managed template is a set of requirements that a governing agency has published in a regulatory framework.
Guidance is a feature that we've added for the requirements under many of the managed templates that we offer. Guidance provides information that will help you create controls that will satisfy the requirement.
Which Templates Contain Guidance?
The guidance that you will find in your account was either created by our team of GRC specialists or it was published by the governing agency that published the regulatory framework. Guidance has been added to the requirements that are included in the managed templates listed below.
- General Data Protection Regulation (GDPR) v1.0
- HIPAA Security Rule v1.0
- HIPAA Privacy and Breach v1.0
- HITECH v1.0
- InTREx-CU v1.2021
- ISO 27001 v2022
- ISO 27002 v2022
- NERC CIP Cyber Security — BES Cyber System Categorization CIP-002-5.1a
- NERC CIP Cyber Security — Security Management Controls CIP-003-8
- NERC CIP Cyber Security — Personnel & Training CIP-004-7
- NERC CIP Cyber Security — Electronic Security Perimeters CIP-005-7
- NERC CIP Cyber Security — Physical Security of BES Cyber Systems CIP-006-6
- NERC CIP Cyber Security — Systems Security Management CIP-007-6
- NERC CIP Cyber Security — Incident Reporting and Response Planning CIP-008-6
- NERC CIP Cyber Security — Recovery Plans for BES Cyber Systems CIP-009-6
- NERC CIP Cyber Security — Configuration Change Management and Vulnerability Assessments CIP-010-4
- NERC CIP Cyber Security — Information Protection CIP-011-3
- NERC CIP Cyber Security — Communications between Control Centers CIP-012-1
- NERC CIP Cyber Security — Supply Chain Risk Management CIP-013-2
- NERC CIP — Physical Security CIP-014-3
- NIST 800-172 v2.2021
- PCI DSS v4.0.1
- PCI DSS Self-Assessment Questionnaire A v4.0 v2
- PCI DSS Self-Assessment Questionnaire A-EP v4.0 v2
- PCI DSS Self-Assessment Questionnaire B v4.0
- PCI DSS Self-Assessment Questionnaire B-IP v4.0
- PCI DSS Self-Assessment Questionnaire C v4.0
- PCI DSS Self-Assessment Questionnaire C-VT v4.0
- PCI DSS Self-Assessment Questionnaire D Merchants v4.0
- PCI DSS Self-Assessment Questionnaire D Service Providers v4.0
- PCI DSS Self-Assessment Questionnaire P2PE v4.0
- PCI DSS Appendix A v4.0
- SSAE18 SOC TSC v3.2023
Please contact your KCM Customer Success Manager if you'd like to add one of these templates to your console. To view our full offering of managed templates, see our Managed Templates article.
Where Can I View Guidance in My Account?
If you have one or more of the managed templates listed above in your account, you can review the guidance for each of the requirements included in that template. Depending on whether you have converted the managed template to a scope, you may have two different areas in your platform where you can view guidance—see the explanations below:
- The View Requirement page: If you have not converted the managed template to a scope, this page is the only area where you can view the guidance that is available for the template's requirements.
  - For navigation instructions, see the Navigating to the View Requirement Page section below.
- The View Scoped Requirement page: If you have converted the managed template to a scope, you can view the guidance from the View Scoped Requirement page instead of the View Requirement page.
  - For navigation instructions, see the Navigating to the View Scoped Requirement Page section below.
Tip: To learn more about requirements and scoped requirements, please see this section of our Glossary of Compliance Terms.
Navigating to the View Requirement Page
If you have not yet converted your managed template to a scope but would like to review the guidance offered under an applicable managed template, navigate to the template and then open each requirement to see its guidance. Follow the steps below:
- From the navigation panel on the left-hand side of your account, click Compliance > Templates.
- From the Name column, click the name of the template that you would like to open.
- Under the Template Requirements section of the page, you will see a list of the template's requirements. From the Name column, click a requirement name to open the requirement.
Tip: If you will be reviewing guidance for multiple requirements in this template, right-click the requirement name and open the requirement in a new tab, instead.
- From the View Requirement page, you will see the guidance under the requirement's name and description.
Now, if you'd like, jump to the Using Guidance to Create Controls section below for an explanation of how you can use guidance to create your controls.
Otherwise, when you're ready to utilize guidance to create controls for your requirements, see our How to Create Controls for Scoped Requirements article for instructions.
Navigating to the View Scoped Requirement Page
If your account contains a scope that was created from one of the templates listed above, navigate to your scope and then open each requirement to see its guidance. Follow the steps below:
- From the navigation panel on the left-hand side of your account, click Compliance > Scopes.
- From the Name column, click the name of the scope that you would like to open.
- From the View Scope page, click the Requirements tab. Here, you will see a list of the requirements included in the scope.
- From the Name column, click a requirement name to open the requirement.
Tip: If you will be reviewing guidance for multiple requirements in this scope, right-click the requirement name and open the requirement in a new tab, instead.
- From the View Scoped Requirement page, you will see the guidance under the Guidance section of the page.
Now, if you'd like, jump to the Using Guidance to Create Controls section below for an explanation of how you can use guidance to create your controls.
Otherwise, when you're ready to utilize guidance to create controls for your requirements, see our How to Create Controls for Scoped Requirements article for instructions.
Using Guidance to Create Controls
This section includes an example of the guidance offered by KCM GRC and explains how you can use this information to create adequate controls for your requirements.
Example of Guidance
Template Name: Cybersecurity Maturity Model Certification
Requirement: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Guidance: Make sure to limit users/employees to only the information systems, roles, or applications they are permitted to use and that are needed for their jobs.
Solution: Using this information, create one or more controls to ensure the necessary technical processes and procedures are in place to satisfy the requirement. Such a control may include providing evidence, such as written policies and procedures, forms, and logs, to verify the limitations you have in place for accessing information systems in your organization.