
Controls

Controls are the foundation of your compliance assessment. This guide explains how to work with controls in ForgeComply.


What Is a Control?

A control is a specific security requirement that your organization must address. Controls are defined by compliance frameworks (SOC 2, ISO 27001) and cover areas like:

  • Access management
  • Data protection
  • Incident response
  • Change management
  • Business continuity

Each control asks a question about your security implementation. Your job is to answer honestly and provide supporting documentation.


The Controls Page

Navigate to Controls in the sidebar to see all controls in your assessment.

Control List

Each control shows:

  • Control ID — Unique identifier (e.g., AC-01)
  • Title — Brief description
  • Category — Security domain
  • Status — Current evaluation status
  • Owner — Assigned person

Filtering

Filter controls by:

  • Status (Pass, At Risk, Fail, Not Started)
  • Category
  • Search by title or ID

Answering a Control

Click any control to view details and provide your response.

The Question

Each control has a core question about your implementation. Read it carefully.

Example: "Is multi-factor authentication enforced for all user accounts?"

Answer Options

Answer     When to Use
Yes        Fully implemented and operating as described
No         Not implemented
Partial    Partially implemented or in progress
N/A        Not applicable to your organization

Be honest. Auditors will verify your claims. It's better to show gaps and remediation plans than to overstate compliance.

Notes

Add context explaining your answer:

  • How the control is implemented
  • What systems are involved
  • Any nuances or exceptions

Notes are internal — auditors do not see them directly.


Control Status

After evaluation, each control receives a status based on completeness:

Pass

All requirements are satisfied:

  • Question answered (Yes or N/A with justification)
  • Owner assigned
  • Policy linked
  • Evidence provided (if required for your audit type)

At Risk

Progress has been made, but something is missing:

  • Answered "Partial"
  • Missing owner, policy, or evidence
  • Some requirements met, others not

Fail

Critical gaps exist:

  • Answered "No" without remediation plan
  • No answer provided
  • Missing required elements with no justification

Not Started

No action taken on this control yet.


Assigning Control Owners

Every control should have an owner — a specific person accountable for that control.

Why Owners Matter

  • Auditors expect clear accountability
  • Demonstrates organizational responsibility
  • Enables delegation and tracking

Who Should Be Owner?

The person who can:

  • Speak to the control's implementation
  • Provide evidence if requested
  • Make decisions about changes

Good vs. Not Ideal

Good                          Not Ideal
"Jane Smith, IT Manager"      "IT Team"
"John Doe, Security Lead"     "Engineering"
"Sarah Chen, CISO"            "Management"

Assign individuals, not teams or departments.


Linking Policies

Controls should be linked to relevant policies that describe your organization's commitments.

  • Demonstrates documented procedures
  • Shows controls are formalized, not ad-hoc
  • Required for most compliance frameworks

To link a policy:

  1. In the control detail view, find the Policy section
  2. Select an existing policy, or
  3. Generate a new policy if needed

One policy typically covers multiple related controls.


Adding Evidence

Evidence proves your controls are implemented and operating.

What Counts as Evidence?

  • Screenshots of configurations
  • System exports
  • Logs and reports
  • Training records
  • Policy acknowledgments

Evidence Requirements

Requirements vary by audit type:

  • Type I / Stage 1 — Primarily design evidence (policies, configurations)
  • Type II / Stage 2 — Operating evidence over time (logs, records, reviews)

How to Add Evidence

  1. In the control detail view, find the Evidence section
  2. Upload files or link existing evidence
  3. Evidence enters review workflow

See Evidence Documentation for details.


Working Through Controls

Sequential Approach (Guided Setup)

Enable Guided Setup to work through controls one at a time in a structured sequence.

Category Approach

Work through one category at a time (e.g., all Access Control, then all Data Protection).

Priority Approach

Start with critical controls or known gaps.

Any Order

Controls are independent — work in whatever order makes sense for your organization.


Control Evaluation Tips

Be Specific

"We use Okta for SSO with MFA required" is better than "Yes, we have MFA."

Acknowledge Gaps

If something isn't implemented, say so. Document your remediation plan.

Update as You Go

If implementation changes, update your control response.

Assign Owners Early

Don't leave this for the end. Auditors expect ownership.

Link Policies

Controls without policies appear incomplete.


Bulk Operations

For efficiency, you can:

  • Filter to specific categories
  • Review multiple controls in sequence
  • Generate policies for related controls together

Individual attention to each control is still required.


What Happens to Controls in Reports?

When you generate reports:

  • Control status is captured at that moment
  • Linked policies are included
  • Evidence references are included
  • Owner assignments are recorded

Reports are immutable — changes after generation require new reports.


Frequently Asked Questions

Can I change my answer later?

Yes, until you generate reports. After that, generate new reports to reflect changes.

What if a control doesn't apply to us?

Select "N/A" and provide a justification in the notes.

Can multiple people work on controls?

Yes, team members can work simultaneously. Coordinate to avoid conflicts.

Do notes appear in reports?

No. Notes are internal working documentation.

What if I don't know the answer?

Mark as "Not Started" and assign to someone who does know. Or use AI assistance for guidance.


Next Steps