Step 4 - (Optional) Connect Policies to your (regulatory) Control Requirements

Modified on Thu, 13 Jul, 2023 at 7:42 PM

 This training is also available in Policy Management



As part of the compliance process or as a function of Policy Management, you can map internal controls, standards and regulatory control requirements to your policy. This enables auditors to see you have policies in place (compliance), and enables you to ensure your policies meet your compliance and/or risk management requirements.


How to Map Regulatory/Standard and Internal Controls to your Policy Document

 

You can ensure your policies meet the requirements of any regulation or security certification standard (SOC2, ISO, PCI, HIPAA, etc.) by mapping controls to your policy. You also have the option to map Internal Controls to policies; however, internal controls that are already mapped to control requirements will auto-populate in the record. Once controls are mapped, you can see your policy connection in the control library for the purpose of gap analysis, or print out your policy and see your control references.

 

Mapping Control Library (Regulations and Standard Requirements)

 

  1. From your policy record main page, look for the Control Library field and click on the magnifying glass to access your control library. NOTE: Your policy must be in draft (open) or revision status.


 

  2. Your Control Library will appear. Use the filters and keyword search to select the requirement(s) (obligation) and controls you wish to map.
  3. Select the controls using the checkbox (use SHIFT + right click to select multiple controls).
  4. Click ‘Apply’.


 

 

  • Now your controls are mapped, and any connected internal controls will also be mapped to your policy.
  • This can be viewed in the policy record and/or in the control library list view and in the specific control.
  • Note that in the policy record, filters are available to search for specific regulations and controls.

Policy record/Control Library Tab

 

Policy record/Internal Controls Tab

Control Library List View

Control Library/Control Record

 


How to Map Internal Control (Company Controls) to your Control Library

 

Internal Controls that have a connected or ‘mapped’ control library will automatically be populated when the control requirement is mapped to the policy record. Internal Controls may also be mapped independently to the policy record. NOTE: your policy must be in draft (open), or revision status.


  1. In the Policy Record, go to the Internal Controls Tab.


 

 

 

  2. In the Internal Controls Tab, use the Ellipses drop-down menu and select Look Up to access your existing Internal Controls or Add New to add a new Internal Control. New Internal Controls will automatically be added to your Policy and the Internal Controls Library in your Compliance module.


 

 

 

  3. Your Internal Control Library will appear. Use the filters and keyword search to select the requirement(s) (obligation) and internal controls you wish to map.

  4. Select the controls using the checkbox (use SHIFT + right click to select multiple controls).

  5. Click ‘Apply’.

 


 


  • Now your internal controls are mapped, and any connected internal controls will also be mapped to your policy.
  • This can be viewed in the policy record and/or in the control library list view and in the specific control.
  • Note that in the policy record, filters are available to search for specific regulations and controls.


Policy record/Internal Control Tab


Internal Control List View


 
