Identifying your Applicable Frameworks/Controls - Applicability (Option 1)

Modified on Wed, 28 Sep, 2022 at 2:12 AM

Once you have set up your GRC library, the next step in the compliance process is to identify which controls in the framework you are working with are in scope for compliance. There are two options for doing this quickly and efficiently in the 1Risk Platform.


A common mistake made by companies is to assume that every control in a standard, regulation or requirement must be satisfied to achieve certification. In many cases this is not true: reviewing the framework and discarding the controls that do not apply to you will save time and money when it comes to audit.


EXAMPLE: If you don’t have a building, you don’t need a physical security control for access to your building, but you DO need controls that demonstrate how remote access for your employees is controlled.


Certifications like ISO/IEC 27001 require a Statement of Applicability, where you must identify why a control is not in-scope. You can identify both in-scope (applicable) and not applicable controls in the 1Risk platform.


1. Go to your GRC library and select the regulation or standard.

2. We recommend you select the Obligation Sections tab, which divides the control requirements into their relevant sections (Access Control, Governance, Asset Management, Risk Management, etc.).

3. From the Obligation Section, select a section and then select the Control Library tab to see its control requirements.

Helpful tip: Use Control+Shift or right-click to open each control in a separate window so you can review them side by side.

NOTE: Check the Guidance section in your control. Many of our controls (ISO, SOC, PCI, 800-171) include additional guidance provided by auditors to help you understand if the control is in-scope, how to develop an internal control, and the type of evidence required to verify the control during audit.

4. In the Control Library list view, select all controls in the Obligation Section that are either in-scope or not in-scope.

5. Click on the activity buttons and select [SOA] (Statement of Applicability).

6. Choose Yes or No.

NOTE: You can write the actual applicability statement later once you have identified the controls in-scope or not in-scope.

7. The list view now shows which controls you have selected. They will also appear in the Applicability tab of the Compliance Module.
