In KCM GRC, a control is a process, technical implementation, or other action that demonstrates how you are meeting your compliance requirements or objectives. In your KCM GRC platform, you can create a control individually by creating a custom control or by creating a control from a requirement. You can also create controls in bulk by using a CSV file or by creating controls from requirements. We recommend that you create controls individually so you can focus on one compliance objective at a time.
See the sections below to learn how to create controls individually and create controls in bulk.
Creating Controls Individually
Creating controls individually may be the best option for your organization if controls will vary for your scopes or if your organization has not established a process for documenting compliance requirements. Once you've created one or more scopes, you can navigate to the View Scoped Requirement page to create individual controls for scoped requirements. You can either create custom controls or create controls from the scoped requirements. When you create a control from the View Scoped Requirements page, the control will automatically be mapped to the scoped requirement.
To navigate to a View Scoped Requirement page, follow the steps below.
- From the navigation panel, select the Scopes tab (Compliance > Scopes).
- From the View All Scopes page, select a scope under the Name column. When you select a scope, you'll be taken to the View Scope page.
- From the View Scope page, click the Requirements tab.
- Select a requirement under the Name column.
See the subsections below to learn how to create custom controls and create controls from scoped requirements.
Creating Custom Controls
Follow the steps below to create a custom control.
- From the Controls section of the View Scoped Requirement page, click the Create Control button.
- Fill out the fields on the Create Control for Requirement page. For more information about these fields, see the list below.
Note: We recommend that you avoid including the < and > special characters in these fields.
- Name: Enter a name that represents the purpose of the control. The name can be up to 255 characters, including spaces.
- Control Description: Enter a detailed description of the control. The description can be up to 10,000 characters, including spaces.
  - The description should include what the control is, how to review and assess the control, and what type of evidence is expected to satisfy the control. See our Glossary of Compliance Terms to learn more about control descriptions.
- Tags: (Optional) You can add one or more tags to your control. Tags allow you to group similar controls together in your platform. To add an existing tag, click the drop-down menu and select the tag you'd like to add. To create a new tag, enter one or more words into the field, and press Enter on your keyboard. Tags can be up to 25 characters long, including spaces.
- (Optional) If you'd like to create an additional control for this requirement, select the Create Another Control check box.
- Click the Create button.
- Repeat step 1 through step 4 for the remaining requirements in your scope. To navigate to the next requirement in your scope, click the Next Requirement button in the top-right corner of the View Scoped Requirement page.
After you create the control, the control will display in the Controls area of the View Scoped Requirement page. In the Controls area, you can view a table that displays all controls that are mapped to the scoped requirement.
Creating a Control from a Requirement
In some cases, you may want to create controls that have the same name and description as the scoped requirement. For example, the requirements in our FedRAMP managed templates contain verbiage from NIST 800-53. Therefore, these requirements provide actionable controls that your organization should have in place to pass a FedRAMP authorization assessment.
To create a control from a requirement, navigate to the View Scoped Requirement page. Then, click the Create Control from Requirement button.
KCM GRC will use the requirement name and description to automatically create a control that is mapped to this requirement. Then, you can view the control in the Controls area of the View Scoped Requirement page.
Creating Controls in Bulk
Creating controls in bulk may be the best option for your organization if controls are applicable to multiple scoped requirements or if your organization has already established a process for documenting compliance requirements. You can create controls in bulk by importing controls with a CSV file or by creating controls from requirements.
See the subsections below to learn about these methods.
Importing Controls with a CSV File
To import controls in bulk, begin by creating a CSV file. When you create your CSV file, make sure the file meets the specifications listed below.
- The separator should be a comma.
- The following header line is required, and it is case-sensitive.
name, description
- All fields are mandatory.
Note: We recommend that you avoid including the < and > special characters in your CSV file. When you import the CSV file into your account, these special characters can cause fields to import unsuccessfully.
- The name field has a 255 character limit.
- The description field has a 10,000 character limit.
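A pre-upload check for the specifications listed above, as an added example that is not part of KCM GRC or the original article. The function name, the sample rows, and the tolerance for a space after the comma in the header are assumptions made for illustration.

```python
import csv
import io

NAME_MAX = 255                    # name field limit from the specifications
DESCRIPTION_MAX = 10_000          # description field limit from the specifications
HEADER = ["name", "description"]  # required header, compared case-sensitively


def validate_controls_csv(text):
    """Return a list of (line_number, problem); an empty list means the file passes."""
    # Assumption: a space after the comma, as in the documented header, is tolerated.
    reader = csv.reader(io.StringIO(text, newline=""), delimiter=",",
                        skipinitialspace=True)
    header = next(reader, None)
    if header != HEADER:
        return [(1, f"header must be exactly 'name, description', got {header!r}")]
    problems = []
    for row in reader:
        line = reader.line_num
        if len(row) != 2:
            problems.append((line, f"expected 2 fields, found {len(row)}"))
            continue
        name, description = row
        if not name.strip() or not description.strip():
            problems.append((line, "all fields are mandatory"))
        if len(name) > NAME_MAX:
            problems.append((line, f"name is {len(name)} characters (limit {NAME_MAX})"))
        if len(description) > DESCRIPTION_MAX:
            problems.append((line, f"description is {len(description)} characters "
                                   f"(limit {DESCRIPTION_MAX})"))
        if any(ch in field for field in row for ch in "<>"):
            problems.append((line, "contains < or >, which can make the import fail"))
    return problems


# Constructed sample input, not real control data.
SAMPLE = (
    "name, description\n"
    "Access review,Quarterly review of privileged accounts; evidence: signed report\n"
    "Patch SLA,Critical patches applied in <30 days\n"
    "Backup test,\n"
    + "N" * 256 + ",Name is one character over the limit\n"
)

if __name__ == "__main__":
    for line, problem in validate_controls_csv(SAMPLE):
        print(f"line {line}: {problem}")
```

Running the check before the upload step surfaces every failing row at once, with its line number in the file.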
Once you've created your CSV file, follow the steps below to import the controls into your account.
- From the navigation panel, select the Controls tab.
- Click the Upload CSV button in the top-right corner of the Controls Library page.
- From the Import Items window, click the Click to Upload button and select your CSV file.
- (Optional) If you'd like to remove a control from the list of controls, click the trash can icon next to the control's Description.
- Click the Import Items button to import the controls.
After you've imported your controls, you can view the controls from the Controls tab of your platform.
Creating Controls from Requirements
You can create controls from requirements in bulk, which will automatically map the controls to requirements.
To create controls from requirements, follow the instructions below.
- From your navigation panel, select the Scopes tab (Compliance > Scopes).
- Select a scope under the Name column.
- From the View Scope page, select the Requirements tab.
- Click the check box next to each requirement that you want to create a control from.
- Click the Create Controls from Requirements button.
- In the pop-up window, click the Accept button.