Controls

What is it?

A control is a process you follow as a company, so that you mitigate a potential risk from happening and affecting your business. In TrustCloud, controls are the foundational building blocks of your company’s compliance program.

For more information on controls, please read the Key Concepts and Terminology section in Compliance Launchpad.

Controls in TrustOps

Controls in TrustOps are derived from two sources:

  1. Custom controls that you have added to TrustCloud: controls that you have built and maintain on your own
  2. Controls that have been inherited from the TrustCloud Common Controls Framework (TCCCF)

TrustCloud Common Controls Framework

The TCCCF is a comprehensive set of controls developed from the common requirements of various industry security and privacy frameworks such as NIST, ISO, SOC, and HITRUST. Since most frameworks share the same underlying security and privacy requirements, with only minor differences in detail or focus, TrustCloud created the TCCCF to focus on the fundamental controls shared across common regulatory compliance requirements. As such, adopting the TCCCF helps you meet the requirements of many security and privacy standards such as SOC 2, ISO 27001, HIPAA, GDPR and so forth.

The TCCCF includes 200+ controls and is currently aligned with SOC 2, HIPAA, ISO 27001, ISO 9001, GDPR, CCPA, ISO 27701, CMMC L1 and L2, NIST Cybersecurity, NIST 800-171, NIST 800-53.

The TCCCF is updated at least quarterly with new controls and revisions of existing controls to better align with framework updates and changes.

Objectives of TCCCF

The regulatory compliance space continues to grow and change rapidly. Companies are flooded with compliance requirements, and keeping up with them quickly becomes challenging. The TCCCF is an attempt to take that worry away by figuring out the compliance requirements for you. Our curated framework compiles all the key requirements and gives you a set that is easy to digest and use. The TCCCF was developed by focusing on the common underlying requirements across standards and drafting controls to meet those requirements.

This methodology allows the TCCCF controls to be framework-agnostic: meet a control once and comply with many other standards. When working towards a specific framework, it is common to find that the bulk of the work (70-80%) has already been done by using the TCCCF.

Benefits of using TCCCF

The TCCCF focuses on the overall security and privacy best practices of your organization, which is a good first step and an effective way to prevent and mitigate cybersecurity risks. Using a general controls framework helps any organization demonstrate its security and compliance posture to auditors or customers. The TCCCF is mapped to many compliance frameworks and allows you to easily adopt or expand into different compliance frameworks. The benefits include, but are not limited to:

  • A best-practice baseline set of controls and evidence requirements for security and privacy, to help you get a head start on compliance
  • Easy adoption of multiple compliance frameworks
  • Efficiency gained through combined audits (since the same evidence can be used across audits, combining all your audits at once gives your team time back and makes audits a joyful process again)
  • Joyful compliance: a control owner only has to satisfy a control once to meet many standards
  • Allows benchmarking against other compliance frameworks
  • Map TCCCF controls to your policies, so that you can measure policy and compliance risk

Control Attributes

The controls table in TrustOps allows you to view your controls using different filters, search options, and views:

Filter and Search

  • Control Status Filter – Allows you to filter through Adopted, Planned and All controls
  • Standards-based Mapping Filter – If you are pursuing multiple standards, TrustOps allows you to filter the control list by each specific standard
  • Additional Filters – Filter control list by Groups, Owner, Frequency, Maturity Level, Test Status, and Evidence Status
  • Search Bar – Allows you to search for a specific control using its control ID or control name

Sorting the control table

The control table can be sorted based on:

  • Test Status – Allows you to see if a control is Passing, Failing, or has not been run
  • Evidence Status – Allows you to see if evidence has been uploaded for a control, and if it’s due or outdated
  • Control ID – Sort alphabetically, based on the Control ID
  • Control Name – Sort alphabetically, based on the name of the control
  • Next Refresh – Sort based on the date at which the next evidence refresh is required for your controls
  • Owner – TrustOps allows you to assign each control to a certain owner, and to sort and view controls by owner
  • Group – Each control is mapped to a certain group, and controls can be sorted and viewed by group

Figure: Sorting the controls table

Adopting Controls

In TrustOps, locate the Controls page on the panel on the left side of the screen. Filter the list using the drop-down menu by selecting Planned.

  • Controls are either Adopted or Planned. Planned controls aren’t implemented yet; they are controls we suggest you implement. Adopted controls are ones you have reviewed and accepted as part of your program. If you have a specific compliance goal you are trying to meet, you can use the “Show mapping to” drop-down menu and select that goal.
  • When looking at a Planned control, there will be a Before you adopt section and an After you adopt section. If you are already meeting the requirements of the control, or you have looked at the mapping and it aligns with one of your goals, you should adopt the control. If a control is left as Planned, we won’t be able to generate the tests to run for it.

Add a control

TrustOps gives you the ability to add a custom control to your program, and add any related tests to that control. It also allows you to map the custom control to any of our out of the box standards.

Control Detail Attributes

Controls in TrustOps have the following attributes:

  • Control Name – Name of this control
  • Control Definition – Description of what this control does
  • Control ID – Unique identifier for this control
  • Group – Each control is mapped to a certain group, which is equivalent to a team or department in your organization
  • Test Status – Allows you to see if a control is Passing, Failing, or has not been run
  • Evidence Status – Allows you to see if evidence has been uploaded for a control, and if it’s due or outdated
  • Evaluation Frequency – The frequency at which you test that your controls are still in place and nothing is out of compliance. This is useful to ensure you are continuously complying.
  • Customer Impact – Number of contracts mapped to this control. In the event a control fails, your compliance team is alerted immediately, so that they can act on it and understand the potential business risk of not being in compliance.
  • Show Mapping To – TrustOps maps every control to a standard. A control is mapped to multiple standards, allowing you to collect evidence for the control once and satisfy the requirements of multiple standards simultaneously.

Figure: Control attributes

Editing Controls

We know that your business is unique, and you may already have security and privacy programs in place. So, we’ve made control customization a focus and a pillar of our platform, making it effortless for you to craft custom controls. On the control details page in TrustOps, you can edit a control and customize the control statement language, policy mappings and frequency of the control to accurately reflect your business practices.

Video: Adding and editing controls on TrustOps

Step by step guide to Edit Controls

  1. Select the control that you would like to edit. Select the ellipsis (three dots) icon in the top right corner. From the drop-down menu select Edit Control.
  2. On the top section of this page you can edit:
    • Control Statement
    • Group
    • Evaluation Frequency
    • Add Related Policies
  3. In the Self-Assessment section of the page, you can edit existing self-assessments by selecting the pencil icon.
  4. You can Clone and Edit a self-assessment by selecting the ellipsis (three dots) icon and choosing it from the drop-down menu.
    • The Delete button may be disabled because you can’t delete self-assessments that the TrustCloud program has created for you. If you believe that one of the self-assessments does not apply, you can leverage test exclusions at the control level.
  5. You can Add Self-Assessments by selecting the button in the right corner and adding the Assessment Name, the Question, a brief description of how to satisfy the requirement for the assessment, and the Evidence Requirement. Select Proceed.
  6. Assign Self-Assessment Ownership to an internal team member, or you can invite a new owner into your program. Select Create Assessment.
    • Any assessments that you have created you will be able to delete.
  7. Once you have completed your edits, select Update Control.

Automated Tests

Once you have set up your integrations, you will be able to leverage automated tests. Automated tests run automatically at the set evaluation frequency for each control. Once an automated test has run, the evidence for that control is fetched automatically. If an automated test fails, you can click on the View Activity icon to see the failed resources and how to remediate the failure.

Video: Running Automated Tests on TrustOps

Step by step guide to run automated tests

  1. You can run tests one by one by selecting the Run Test icon (play button) under the action items.
  2. To bulk select all tests to run at once, check the box at the top of the Automated Tests page and select Run Tests.
  3. For tests that did not pass, select the View Activity icon to see why it did not pass. There should be a recommendation on this page to help you pass the test.

Alternative way to run automated tests

  1. In TrustOps, locate the Systems page on the panel on the left side of the screen.
    • Some of the systems will have a green dot in the corner. That means this system has automated tests ready for you to run.
  2. To bulk select all tests to run at once, check the box at the top of the Automated Tests page and select Run Tests.
  3. For a failed test, select the View Activity icon to look at the failed resources.

Self Assessments

Not all tests can be automated, because some require human judgment and others have not yet been automated. For self assessments you will need to run the test and collect the required evidence manually. Below you will find a detailed video of how you can take a self assessment:

Video: Running Self Assessments on TrustOps

Step by step guide to complete a self assessment

  1. Scroll down the page to your Program Summary. Locate the Control Status box. Select the Not Run controls button.
    • It is possible that some controls that are not run yet are automated, but most of the time the controls that have not run are self assessments.
  2. Select the control that is not run. Under Actions, you can select the play button to Take Assessment. Answer the questions that follow and select Finish.
    • Select the View Activity button under Actions to find the What You Need To Do section. This will help you get a better understanding of what needs to be done to pass the self assessment.
    • Select the View Activity button under Actions to see the Related Evidence section. This can give you an idea of the evidence you should provide to prove you are doing the task you answered Yes to.

Adding Evidence

Anyone can say they have a certain control in place, but the only way to prove it is by providing documentation. Your auditor will go through the evidence to make sure that you are actually doing what you say you are doing. Below you will find a video of how you can add evidence to a test:

Video: Adding Evidence on TrustOps

Step by step guide to add evidence

  1. Select the control you would like to add evidence to.
  2. The tests will be listed out under the Self-Assessment section of the page.
    • If a test has not been run yet, you will need to run the test by selecting the Take Assessment action icon on the right side of the screen (play button). Answer yes or no and add any relevant comments. Select Finish.
  3. Select the ellipsis (three dots) icon and from the drop-down menu select Add Evidence.
    • When uploading evidence, you have three different options.
      • Link: Add a link to a file or a folder.
      • Upload: Upload an individual file or a ZIP file.
      • Attach from Inventory: Select records from your connected systems to use as evidence.

Excluding a Control, Test or Resource

Figure: Excluding assessments on the control detail page

Exclusion allows you to remove certain resources, controls, or tests from your program that may not apply to your business environment. In order to exclude a control or a resource, you will need to provide the business justification at the time of exclusion. Additionally, exclusions are global: once you exclude a control, resource, or test, it remains excluded until it is explicitly included again.

Now that you have learned how to set up a program with controls and policies, dive into each of the TrustCloud Joyfully Crafted Controls (TCCCF) and learn more about each control requirement.

Sharing Controls with customers

The TrustShare application in TrustCloud makes it easy for startups, SMBs, and enterprises to securely invite and share their trust and compliance program with their customers, including information about their controls.

Check out the getting started guide in TrustShare to set up your TrustShare.

Learn about controls in detail

We’ve aggregated a list of articles about controls, to make it easy for you to learn about all topics related to controls:
