In KCM GRC, a control is a process, technical implementation, or other action that demonstrates how you meet your compliance requirements or other objectives.
There are two options for creating controls in the KCM GRC platform. We recommend option 1, creating controls one-by-one, so you can focus on one compliance objective at a time.
Here's more information on each option:
- Option 1: Create controls one-by-one
- This option involves navigating to a scope's individual requirements to create a control for each.
- When you create a control from the View Scoped Requirement page, the control is automatically mapped to that requirement.
- This method may be the best solution for your organization if the controls will vary between your different scopes, or if you do not already have processes in place for documenting compliance requirements.
See Option 1: Creating Controls One-By-One, below, for instructions on creating controls one-by-one.
- Option 2: Create controls in bulk
- This option involves uploading a CSV file of controls independently from a scope's requirements.
- Once created, you’ll map these controls to the appropriate requirements. See our Mapping Requirements and Controls article for more information.
- This method may be the best solution for your organization if controls will be applicable to multiple scoped requirements, or if you already have processes in place for documenting compliance efforts.
See Option 2: Creating Controls in Bulk, below, for instructions on creating controls in bulk.
Option 1: Creating Controls One-By-One
Once you've created one or more scopes, open each scoped requirement to create a control for that requirement. The steps below explain how to navigate to a View Scoped Requirement page.
- Open the scope containing the requirements for which you want to create controls:
- Click Compliance > Scopes from the menu on the left-hand side.
- Click a scope name under the Name column to open the scope.
- From the View Scope page, click the Requirements tab. Then, from the Name column, click a requirement name to open the requirement.
You have two options for creating a control from the View Scoped Requirement page. See the following sections to learn more.
Creating Custom Controls
Creating custom controls is a common approach for creating your organization's controls in KCM GRC. To assist you with creating controls, we've added guidance to the requirements under many of the managed templates that we offer. To learn more about guidance, see: Working With Control Guidance.
Follow the steps below to create a custom control.
- From the Controls section of the View Scoped Requirement page, click the Create Control button.
- On the Create Control for Requirement page, add the following information:
- Name: Add a name that represents the purpose of the control. The name can be up to 255 characters, including spaces.
- Control Description: Provide a detailed description of the control. The control description can be up to 10,000 characters, including spaces.
- The description should include what the control is, how to review and assess the control, and what type of evidence is expected to satisfy the control. See our Glossary of Terms to learn more about control descriptions.
- Tags: (Optional) You can add one or more tags to group similar controls in your platform.
To create a new tag: Type one or more words in the field, then press enter on your keyboard to save the tag. Tags can be up to 25 characters, including spaces.
To select an existing tag: Click the drop-down menu to see existing tags. Click on a tag to add it to the control.
- If you'd like to create an additional control for this requirement, click the Create Another Control check box. Otherwise, click the Create button.
- You will see the new control in the Controls table. This table shows the controls that are mapped to this scoped requirement.
Note: If this control applies to additional scoped requirements, open the control, then map the control to the applicable requirements. For more information, see our Mapping Requirements and Controls article.
Now, repeat steps 1-5, above, for the remaining requirements in your scope. To navigate to the next requirement in your scope, click the Next Requirement button in the top-right area of the View Scoped Requirement page.
Creating Controls from Requirements
In some cases, it may make sense to use a requirement's name and description as the control's name and description. For example, the requirements in our FedRAMP managed templates contain verbiage from NIST 800-53, and therefore, these requirements provide actionable controls that your organization should have in place to pass a FedRAMP authorization assessment.
If you click the Create Control from Requirement button in the Controls area of the View Scoped Requirement page, the system will use the requirement name and description to automatically create a control that is mapped to this requirement. You will see your new control in the Controls area of the View Scoped Requirement page.
Option 2: Creating Controls in Bulk
To add controls to your account in bulk, begin by creating a CSV file. The file must meet the following format requirements:
- The separator should be a comma and the file should be a valid CSV
- The following header line is required, and it is case-sensitive:
- name, description
- All fields are mandatory
- The name field has a 255 character limit
- The description field has a 10,000 character limit
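The following pre-check is an added example, not part of the KCM GRC platform or this article: it checks a controls CSV against the rules above (comma separator, valid CSV, the case-sensitive `name, description` header, both fields mandatory, 255 and 10,000 character limits) before you upload it. It trims surrounding spaces from the header cells, which is an assumption about how the platform reads the `name, description` header; the sample file is constructed for illustration.

```python
import csv
import io

# Limits and header taken from the CSV format rules in this article.
NAME_LIMIT = 255
DESCRIPTION_LIMIT = 10_000
REQUIRED_HEADER = ["name", "description"]

def validate_controls_csv(text):
    """Return a list of (record_number, message) problems.

    An empty list means the file satisfies every rule checked here.
    record_number counts CSV records (a quoted field may span physical
    lines); 0 flags a problem with the file as a whole.
    """
    problems = []
    try:
        # strict=True makes the reader reject malformed quoting instead of guessing.
        rows = list(csv.reader(io.StringIO(text), strict=True))
    except csv.Error as exc:
        return [(0, f"not a valid CSV file: {exc}")]
    if not rows:
        return [(0, "file is empty")]
    # Header comparison is exact (case-sensitive); trimming spaces is an assumption.
    if [cell.strip() for cell in rows[0]] != REQUIRED_HEADER:
        problems.append((1, f"header must be {','.join(REQUIRED_HEADER)}, got {','.join(rows[0])!r}"))
    for record, row in enumerate(rows[1:], start=2):
        if not row:  # csv.reader yields [] for blank lines; they carry no control
            continue
        if len(row) != 2:
            problems.append((record, f"expected 2 fields, found {len(row)}"))
            continue
        name, description = row
        if not name.strip():
            problems.append((record, "name is mandatory"))
        elif len(name) > NAME_LIMIT:
            problems.append((record, f"name exceeds {NAME_LIMIT} characters ({len(name)})"))
        if not description.strip():
            problems.append((record, "description is mandatory"))
        elif len(description) > DESCRIPTION_LIMIT:
            problems.append((record, f"description exceeds {DESCRIPTION_LIMIT} characters ({len(description)})"))
    return problems

# Constructed sample: one good control, one missing a name, one missing a description.
SAMPLE_CSV = '''name, description
"Quarterly access review","Managers review user access lists each quarter, and removals are evidenced by ticket IDs."
"","Description without a name"
"Encrypt backups",""
'''

if __name__ == "__main__":
    for record, message in validate_controls_csv(SAMPLE_CSV):
        print(f"record {record}: {message}")
```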
Once you've created your CSV file, follow the steps below to upload the controls to your account.
- Navigate to the Controls Library by clicking Controls from the menu on the left-hand side of your account.
- Click the Upload CSV button in the top-right area of the page.
- From the Import Items window, click the Click to Upload button and select your CSV file.
- You will see a preview of the controls. If you would like to remove a control from the import, click the trash can icon.
- Click the Import Items button to import your controls.
After you've uploaded your controls, be sure to map them to the appropriate requirements. For more information, please see our Mapping Requirements and Controls article.