devguard

Coverage

Monitor framework control coverage across your organization by tracking implementation status, linked assets, risks, and policies for comprehensive compliance oversight.

Overview

The Coverage view allows your organization to assess how well you are meeting the requirements of a compliance framework. By selecting a framework that has been enabled in the Frameworks section, you can view all associated controls, their coverage status, and the items linked to them.

Coverage ensures that compliance is measurable and transparent, showing whether framework controls are fully implemented, partially addressed, or missing. This provides a clear picture of your organization’s readiness and highlights areas requiring further action.

Common use cases include monitoring ISO 27001 control coverage, NIST CSF alignment, or assessing internal custom frameworks.

Core Functionality

The Coverage view works by selecting a framework that has already been enabled in your organization. Once selected, the system displays all controls from the framework and their associated coverage data.

For each control, you can see:

  • Control ID and Control Name
  • Coverage Status (implementation state)
  • Whether the control is Mandatory
  • Linked items such as assets, risks, and policies

Coverage Status

Each control is assigned one of the following statuses:

  • Full Coverage — Control requirements are fully addressed and linked to supporting items.
  • Partial Coverage — Control is only partially covered by existing items.
  • No Coverage — Control has no associated items or implementations.
  • Unknown — Coverage could not be determined, often due to incomplete configuration.

Linked Items

Linked items provide the evidence of coverage. They can include:

  • Assets (e.g., systems or applications implementing security measures)
  • Risks (showing threats mitigated by the control)
  • Policies (documented procedures supporting the control)

By linking items directly, the Coverage view ties framework requirements to real operational data, ensuring traceability and audit readiness.

Coverage Calculation

Coverage is calculated by aggregating all coverage definitions across multiple sources for each control. When a control has coverage defined in multiple places (such as different assets, policies, or risk assessments), the system automatically determines the effective coverage using a "highest wins" principle. This means if one source indicates Full Coverage and another indicates Partial Coverage for the same control, the system will display Full Coverage as the final status.

This hierarchical approach ensures that the most complete implementation is always reflected in your compliance posture. For example, if Asset A provides partial coverage for control A.5.1 and Policy B provides full coverage for the same control, the control will show as fully covered. You can still maintain multiple partial or no coverage definitions across different sources when it makes sense for documentation purposes, but the highest completion state determines both the displayed status and the contribution to your overall framework progression percentage. The flip side is that a single Full Coverage definition masks every lower definition for that control, so a stale or over-optimistic Full entry on one source will overstate your posture; when a control shows Full Coverage, check that the winning linked item still actually implements the control.

The overall progression for a framework is calculated based on these winning coverage values across all controls. Each control contributes to the total based on its effective coverage status (the highest among all sources), providing an accurate representation of your organization's compliance readiness without double-counting or underestimating your actual implementation state.
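The aggregation described above, written out as an added example (this is not devguard's own code; the ranking of Unknown below No Coverage, the 0.5 weight given to Partial Coverage in the progression percentage, and the control IDs and linked items are assumptions made for illustration). It also walks through the Best Practices scenario further down, where A.8.1 moves from Partial to Full Coverage once a supporting policy is linked:

```python
"""Effective coverage ("highest wins") and framework progression.

Added example, not devguard's code. Status ranking, progression weights and
the sample controls/definitions below are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Coverage(IntEnum):
    # Ranking used by "highest wins". The page fixes Full > Partial > No
    # Coverage; placing Unknown lowest is an assumption.
    UNKNOWN = 0
    NONE = 1
    PARTIAL = 2
    FULL = 3


# Assumed contribution of each effective status to framework progression.
PROGRESSION_WEIGHT = {
    Coverage.FULL: 1.0,
    Coverage.PARTIAL: 0.5,
    Coverage.NONE: 0.0,
    Coverage.UNKNOWN: 0.0,
}


@dataclass(frozen=True)
class CoverageDefinition:
    """One coverage statement from a source (asset, risk or policy)."""
    control_id: str
    source_kind: str   # "asset", "risk" or "policy"
    source_name: str
    coverage: Coverage


def effective_coverage(control_ids, definitions):
    """Return {control_id: highest coverage among that control's definitions}.

    A framework control with no definition at all is reported as NONE
    (no associated items); a control whose only definitions are UNKNOWN
    stays UNKNOWN so it is not silently counted as No Coverage.
    """
    known = set(control_ids)
    best = {}
    for d in definitions:
        if d.control_id not in known:
            raise KeyError(f"{d.control_id} is not a control of this framework")
        prev = best.get(d.control_id)
        best[d.control_id] = d.coverage if prev is None else max(prev, d.coverage)
    return {cid: best.get(cid, Coverage.NONE) for cid in control_ids}


def progression(effective, weights=PROGRESSION_WEIGHT):
    """Framework progression in percent; each control is counted exactly once."""
    if not effective:
        return 0.0
    total = sum(weights[status] for status in effective.values())
    return round(100.0 * total / len(effective), 1)


def needs_review(definitions):
    """Controls with at least one UNKNOWN source, even where another source wins."""
    return sorted({d.control_id for d in definitions if d.coverage is Coverage.UNKNOWN})


# Constructed sample: ISO 27001-style control IDs, several sources per control.
CONTROLS = ["A.5.1", "A.5.2", "A.8.1", "A.8.5"]
DEFINITIONS = [
    CoverageDefinition("A.5.1", "asset", "Asset A", Coverage.PARTIAL),
    CoverageDefinition("A.5.1", "policy", "Policy B", Coverage.FULL),
    CoverageDefinition("A.8.1", "asset", "CMDB", Coverage.PARTIAL),
    CoverageDefinition("A.8.5", "policy", "Auth Policy", Coverage.UNKNOWN),
]
# The Best Practices scenario: linking a policy to A.8.1 raises it to Full.
A81_POLICY = CoverageDefinition("A.8.1", "policy", "Asset Management Policy", Coverage.FULL)


if __name__ == "__main__":
    before = effective_coverage(CONTROLS, DEFINITIONS)
    for cid, status in before.items():
        print(f"{cid}: {status.name}")
    print(f"progression: {progression(before)}%")
    print(f"review: {needs_review(DEFINITIONS)}")
    after = effective_coverage(CONTROLS, DEFINITIONS + [A81_POLICY])
    print(f"A.8.1 after linking policy: {after['A.8.1'].name}, "
          f"progression: {progression(after)}%")
```

Note that `needs_review` is separate from the status calculation on purpose: under "highest wins" an Unknown source can be out-voted by any other source, so the only way to act on the Best Practice of resolving Unknown statuses is to list them per source rather than per control.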

Fields Explained

Field          Description                                                          Example
Control ID     Unique identifier of the control within the framework               A.5.1
Control Name   The name/title of the control                                        Information Security Policy
Coverage       Implementation status (Full, Partial, No Coverage, Unknown)          Full Coverage
Mandatory      Indicates whether the control is mandatory for the selected framework   Yes
Linked Items   Associated objects covering the control (assets, risks, policies)    Policy: Access Control, Asset: VPN

Best Practices

  • Select the right framework: Enable only the frameworks relevant to your compliance goals (e.g., ISO 27001, NIST CSF, SOC 2).
  • Maintain linked items: Regularly update linked policies, risks, and assets to keep coverage accurate.
  • Focus on mandatory controls: Prioritize mandatory controls first to meet baseline compliance requirements.
  • Use coverage for audits: Export or present the Coverage view during audits to demonstrate compliance evidence.
  • Review unknown statuses: Investigate and resolve any controls marked as Unknown to prevent gaps.

For example, in an ISO 27001 framework, the control A.8.1 – Asset Inventory may be marked as Partial Coverage if it is linked only to IT assets and not to a supporting policy. Linking the policy that governs the inventory raises the control to Full Coverage, strengthening compliance readiness.

Coverage integrates closely with:

  • Frameworks — to select and manage compliance frameworks
  • Controls — for detailed information on individual controls

These sections provide more detail on enabling frameworks and managing control metadata.
