Controls
Controls are security measures, safeguards, or policies that organizations implement to protect their assets and ensure compliance with frameworks and regulations.
Overview
Controls are the centerpiece of your compliance program in devguard: every framework is built on its controls, and fulfilling these controls determines whether you meet compliance requirements.
They provide the practical foundation for achieving compliance. Whether you rely on devguard’s official frameworks or extend the platform with your own custom frameworks, controls ensure that every compliance requirement is structured, trackable, and reportable.
Core Functionality
Controls are listed within their associated frameworks and can be filtered by name, identifier, or framework for easier navigation. For official frameworks, devguard provides controls directly as part of the maintained standard. These cannot be modified, but you can map them to assets, policies, or risks to demonstrate compliance coverage.
You can also create your own controls and assign them to custom frameworks. This is particularly useful when working with client-specific requirements, internal guidelines, or country-specific regulations not included in official frameworks. Unlike official frameworks, custom frameworks (and their controls) are fully editable.
Each control includes the following information in the overview:
- ID / Identifier – a structured identifier like 5.7 or NC-1
- Name – a descriptive title such as Threat Intelligence
- Framework – which framework the control belongs to
- Type – Clause, Control, Requirement, Safeguard, etc.
- Coverage – the current coverage status (Unknown, Partial, Full)
Coverage is derived automatically from the policies, assets, and risks a control is mapped to: an unmapped control stays at Unknown, and the status moves to Full once all necessary references have been mapped.
Fields Explained
| Field | Description |
|---|---|
| Framework | Select the custom framework the control belongs to. Controls cannot be added to official frameworks. (required) |
| Control Name | The descriptive name of the control (e.g., "Information Security Policy"). (required) |
| Control Identifier | A unique identifier such as 5.1 or AC-12. (required) |
| Control Type | Defines the type of control. Options: Control, Requirement, Safeguard, Objective, Category, Group. |
| Description | A free-text explanation of the control's purpose and scope. |
| Mandatory Control | Mark whether this control is required for compliance with the associated framework. |
Best Practices
- Map every mandatory control to at least one asset, risk, or policy to demonstrate coverage.
- Use consistent identifiers when creating custom controls to keep reports clean and structured.
- Do not duplicate official controls in your custom frameworks. Instead, adopt the official framework and map accordingly.
- Leverage control types (Control, Requirement, Safeguard, etc.) to organize and categorize your compliance implementation.
- Track coverage regularly: use the Coverage feature to identify gaps and ensure your compliance posture remains strong.
Examples
- Adding a custom control for a client-specific contractual obligation (e.g., “Client data must be encrypted using AES-256 at rest”).
- Creating an internal objective control to track implementation of Zero Trust policies not yet part of an official framework.
- Assigning a mandatory safeguard to ensure periodic password resets across your organization.
Frameworks
Frameworks represent structured standards and regulatory guidelines that define principles and controls to safeguard information, ensure compliance, and reinforce organizational trust and accountability.
Policies
Your organization's policies define how work gets done and ensure everyone follows the same standards. Use this section to create, edit and update policies so they stay compliant with the frameworks you enabled.