Create a compliance map

Centralize the documentation of requirements and their mapped controls, and automatically aggregate testing results and issues to easily assess compliance requirements coverage and report on compliance status in real-time.

Before you start

Before you can manage compliance, you need to:

To aggregate testing results and issues data from projects, you or someone on your team must complete the following tasks:

Note

  • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
  • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.

Permissions

Users assigned Compliance Maps Privileges with Read/Write access can create a compliance map.

Why are some standards and regulations locked?

While working in Compliance Maps, you may notice that some imported standards and regulations are locked. These actions are indicated with a lock icon , indicating that they're read-only.

This is because when we source these standards and regulations, the providers sometimes specify that customers can't modify the content from the templates they provide. As a result, modification actions are unavailable, including editing any part of any standards, regulations, or associated requirements; adding child requirements; and deleting requirements.

Workflow

Add standards or regulations

Add a standard or regulation to your compliance map manually, or import available standards and regulations from the Compliance Library. (To generally view standards and regulations in the Compliance Library, see Importing standards and regulations, section Manage Diligent-provided standards or regulations .)

  1. Open the Compliance Maps app.

    The Compliance Maps page opens.

  2. Complete any of the following tasks:
    TaskSteps
    Import available standards or regulations
    1. Click Import standard or regulation.

      The Compliance Library opens.

    2. Search for and select the relevant standards or regulations you want to import.

      Some standards and regulations are only available in read-only format. For more information, see Importing standards and regulations.

      Note

      Certain standards and regulations are only available by subscribing to Diligent Content Suites. For more information, see Content & Intelligence Gallery.

    3. Click Import.
    4. Once the import is complete, click the Open button for the newly-imported standard or regulation.

      Result – You will return to the Compliance Maps home page with the side panel open for the newly-imported standard or regulation, and the standard or regulation expanded in the list view to show its top-level requirements.

    5. Skip the steps under Add requirements and proceed to Specify if requirements are applicable and covered.
    Accessing additional standards and regulationsSome standards and regulations display a Contact for access label. Contact your Customer Success Manager to learn how to access these standards and regulations.
    Manually add a standard or regulation
    1. Click Create new.

      The Add standards and regulations side panel opens.

    2. Enter the following information:
      • Title Name the standard or regulation.

        The character limit is 255. The name must be unique.

      • Description (optional) Provide a description of the standard / regulation.
        Note

        Rich text fields cannot exceed 524,288 characters.

    3. Do one of the following: 
      • To add the standard or regulation and close the panel, click Save and Close.

        The standard or regulation is added to the compliance map.

      • To add a requirement to the standard or regulation, click Save and create requirement, and proceed to step 3 of Add requirements.

Add requirements

Add requirements to populate your compliance map.

  1. If you imported a standard or regulation, expand the standard or regulation by clicking the side arrow .
  2. Click + Add Child.

    The Add requirement side panel opens.

  3. Enter the following information:
    • ID Enter the identifier of the requirement.
    • Title (optional) Optional. Name the requirement.

      If you do not enter a title, the first 255 characters of the requirement description displays as the title in the tree view, and is stripped of any HTML or rich text formatting.

    • Description Provide a description of the requirement.
      Note

      Rich text fields cannot exceed 524,288 characters.

  4. Do one of the following:

    • Save and create requirement Select this option to save the requirement and add another requirement at the same hierarchical level in the tree view.

      Note

      If you need to add a sub-requirement, or a requirement at a different level in the hierarchy, click Save and Close, navigate to the appropriate requirement, and click + Add Child.

    • Save and Close Select this option to save the requirement and close the Add requirement side panel.

      The new requirement is highlighted in the tree view and ordered based on ID. In the case that two requirements have the same ID, a secondary ordering method is automatically applied based on the date the requirement was created.

      Note

      All requirements are ordered automatically. You cannot configure the order of requirements.

      Note

      The number of requirements added to a standard or regulation appears beside the name of that standard or regulation in the list.

Specify if requirements are applicable and covered

Apply professional judgment and rationalize optimal coverage that's sufficient for the organization.

  1. From the Compliance Maps page, click the title of the requirement.

    The Requirement details side panel opens.

    Tip

    The following keyboard shortcuts are available for working with requirements:

    • Arrow keys allows you to navigate up and down the tree view.
    • Enter opens the Requirement details side panel for the selected requirement.
    • Esc closes the Requirement details side panel.
  2. Next to Applicable, specify whether or not the requirement is applicable to the organization by switching the toggle to Yes or No.

  3. If you selected Yes to Applicable, next to Covered, specify whether or not the requirement is covered by switching the toggle to Yes or No.

    Note

    By default, all parent requirements are applicable and not covered. When you create a new child requirement, the child requirement inherits the Applicable and Covered values from the parent requirement.

  4. Optional. Next to Rationale, specify the reason for marking a requirement as applicable / not applicable and covered / not covered.
    Tip

    You can also copy rationale statements from related requirements. For more information, see Work with related requirements.

Work with related requirements

If you have imported standards or regulations from the Compliance Library, you can view related requirements, or copy rationale statements from related requirements.

Diligent collates related requirements based on industry approved mappings. The maximum number of related requirements you can view is 300. For more information, see Relationships between controls and requirements.

  1. From the Compliance Maps page, click the title of the requirement.

    The Requirement details side panel opens.

  2. Under Status, click Show requirements. The Related requirements side panel opens and displays a list of related requirements.
  3. Complete any of the following tasks:
    • View a related requirement in a new tab Click the hyperlinked title of the related requirement.
    • Copy the rationale from a related requirement to the requirement you are currently working on In the Related requirements side panel, next to Rationale, click Copy and paste.
      • If the related requirement does not have a rationale statement, the Copy and paste button is disabled.
      • If the requirement you are working on already has a rationale statement, the copied rationale is appended to the bottom of the existing rationale.

        Tip

        To make further adjustments to the rational statement, you can edit it after copying.

    • Import standards or regulations that contain related requirements If there are available related requirements that have not been imported to your compliance map, in the Related requirements side panel, under the Rationale field, click on the title of an authoritative document to begin the import process.
  4. Click Close to close the Requirement details and Related requirements side panels.

Map controls to requirements

Showcase your organization's adherence to specifications relevant to the business by mapping controls to requirements. Mapped requirements also appear in Control X-Ray and help auditors familiarize themselves with a control based on mapped requirements.

You can map controls to requirements, either by following automatic suggestions or by manually browsing controls.

Note

The maximum number of controls you can map to a single requirement is 300.

In the English version of Diligent One, we have introduced Maestra, a machine learning system to suggest relevant controls for specific requirements. Currently, Maestra is only available in English, so the steps for mapping controls to requirements vary by which language you're using Diligent One in.

  1. From the Compliance Maps page, click the title of the requirement. The Requirement details side panel opens.
  2. In the Requirement details side panel, click Map controls. The Select Controls to Map side panel opens.
    Note

    If you do not see Map controls, it means that you are viewing an ancestor or descendant of a requirement that cannot be mapped. You must remove existing mappings in the group before you can map additional controls. For more information, see Relationships between controls and requirements.

    • Click Suggested Controls to see a list of suggestions from Maestra, Diligent's machine learning service. You can do any of the following:
      • Click the name of a control to see it in a new tab.
      • Click the name of a framework a control is coming from to see it in a new tab.
    • Click Browse Controls to browse through controls by framework in your Diligent One instance. You can do any of the following:
      • Search for a control by entering a keyword in the search box.

        You can search for controls by Objective title, Control ID, Control title, or Control description. Search terms are highlighted in the results.

      • Click Filter to filter controls by frameworks or objectives.

        The search works in combination with any applied filters. If you select a framework or objective filter, and you search for a control, you are only searching within the specified framework or objective.

      • Click the side arrow to expand a framework and view a list of objectives. Click the side arrow next to the objective to view a list of controls.
      • If applicable, click View more to show all frameworks in the Diligent One instance.
  3. Click Map beside each control you want to map to the requirement. Each mapped control appears in the Requirement details panel, under Mapped controls. The following information is displayed in a summary view for each mapped control:
    • Control ID The control identification code
    • Owner The person responsible for the control
    • Control title The title of the control
    • Description Detailed information about the control
    • Framework The framework where the control is coming from
    • Testing results Control tests that have passed, failed, and controls that have not yet been tested
    • Issues An aggregate number of open issues across all project controls linked to the framework control

      Clicking the issue count link provides a pop-up list of issues. You can click an individual issue to navigate to detailed information.

      Note

      The aggregate issue count is based on all open published issues from active projects that are associated with walkthroughs, test plans, and testing rounds.

  4. Optional. Complete any of the following steps:
    • To indicate the percentage of the requirement that the control covers, adjust the Control weight.

      You can indicate a value between 0 - 100%. The default coverage is 100%.

    • To navigate to the control in the framework, click the control ID link.
    • To navigate to the framework, click the framework link.
    • To remove the control association from the requirement, click Unmap.
    • To map additional controls to the requirement, click + Map controls.
    • To view a list of controls that have been automatically mapped to a single ancestor requirement, or all descendant requirements, and the aggregate number of issues for each control, view the Related controls section.
      • Clicking the control ID link redirects you to the Control page in the applicable framework.
      • Clicking the requirement link redirects you to the details of the requirement mapped to the related control.
      • Clicking the issue count link provides a pop-up list of issues.

        You can click an individual issue to navigate to detailed information.

  5. Click Close to close the Select Controls to Map and Requirement details side panels.
  1. From the Compliance Maps page, click the title of the requirement. The Requirement details side panel opens.
  2. Diligent suggests controls to map to requirements if you have already mapped the controls to related requirements. If there are controls to suggest, you can accept or dismiss those suggestions.

    Suggestion control cards are sorted first by relationship strength (equivalent, strongly related, moderately related), then by requirement name, and then by control ID.

    • In the Requirement details side panel, within the Suggestion control card, click Map beside a suggestion you'd like to accept.
    • To permanently ignore suggestions, click Dismiss in the control card. If you mistakenly dismiss a suggestion, you can still view a list of mapped controls for related requirements in the side panel, and manually map controls.
  3. In the Requirement details side panel, click + Map controls.

    The Framework controls side panel opens and lists the frameworks in the Diligent One instance. If controls have previously been mapped to the requirement, the controls are automatically selected.

    Note

    If you do not see + Map controls, it means that you are viewing an ancestor or descendant of a requirement that cannot be mapped. You must remove existing mappings in the group before you can map additional controls. For more information, see Relationships between controls and requirements.

  4. Do any of the following:
    • Search for a control by entering a keyword in the search box.

      You can search for controls by Objective title, Control ID, Control title, or Control description. Search terms are highlighted in the results.

    • Click Show filters to filter controls by frameworks or objectives.

      The search works in combination with any applied filters. If you select a framework or objective filter, and you search for a control, you are only searching within the specified framework or objective.

    • Click the side arrow to expand a framework and view a list of objectives. Click the side arrow next to the objective to view a list of controls.
    • If applicable, click View more to show all frameworks in the Diligent One instance.
  5. Select the appropriate control(s) and click Done. Each mapped control appears in the Requirement details panel, under Mapped controls. The following information is displayed in a summary view for each mapped control:
    • Control ID The control identification code
    • Owner The person responsible for the control
    • Control title The title of the control
    • Description Detailed information about the control
    • Framework The framework where the control is coming from
    • Testing results Control tests that have passed, failed, and controls that have not yet been tested
    • Issues An aggregate number of open issues across all project controls linked to the framework control

      Clicking the issue count link provides a pop-up list of issues. You can click an individual issue to navigate to detailed information.

      Note

      The aggregate issue count is based on all open published issues from active projects that are associated with walkthroughs, test plans, and testing rounds.

  6. Optional. Complete any of the following steps:
    • To indicate the percentage of the requirement that the control covers, adjust the Control weight.

      You can indicate a value between 0 - 100%. The default coverage is 100%.

    • To navigate to the control in the framework, click the control ID link.
    • To navigate to the framework, click the framework link.
    • To remove the control association from the requirement, click Unmap.
    • To map additional controls to the requirement, click + Map controls.
    • To view a list of controls that have been automatically mapped to a single ancestor requirement, or all descendant requirements, and the aggregate number of issues for each control, view the Related controls section.
      • Clicking the control ID link redirects you to the Control page in the applicable framework.
      • Clicking the requirement link redirects you to the details of the requirement mapped to the related control.
      • Clicking the issue count link provides a pop-up list of issues.

        You can click an individual issue to navigate to detailed information.

  7. Click Close to close the Select Controls to Map and Requirement details side panels.

Track compliance progress

Filter the list of requirements to track compliance progress.

From the Compliance Maps page, complete any of the following tasks:

TaskStepWhat you see
View all applicable requirements across all regulations and standards

Click Applicable.

A list of all applicable requirements, whether or not they have been marked as covered
View requirements that have not been identified as coveredClick Not covered (Gaps).

A list of applicable requirements that are have not been identified as covered

View requirements that have been identified as coveredClick Covered.A list of applicable requirements that have been identified as covered
View requirements that have been specified as not applicable Click Not Applicable.

A list of all non-applicable requirements

Search for requirementsEnter a keyword or phrase in the search box.A list of requirements that match your search term or phrase.

View summary information about a standard, regulation, or requirement, including:

  • the extent to which it is covered or not covered
  • whether or not it has been identified as covered
  • whether or not it has been associated with at least one control
  • the aggregate number of open issues associated with it
  • the current assurance calculation for a standard, regulation, or requirement
Consult the Coverage, Covered, Issues, Controls and Assurance columns in the nested tree view.
  • Coverage The percentage of requirements for a standard or regulation that have been identified as covered. Learn how coverage is calculated.
  • Covered An indication ( or ) of whether or not a requirement is covered (based on your identification of the requirement as Covered or Not Covered. Standards and regulations are considered covered when all of their requirements have been identified as covered.
  • Issues An aggregate issue count associated with each standard or regulation, and with the topmost (root) requirements in the tree. Clicking the issue count link provides a popup list of issues. You can click an individual issue to navigate to detailed information.
  • Controls An icon () indicates requirements that have had at least one control mapped to them.
  • Assurance A calculation that represents your organization's confidence in requirements being met. Learn how compliance assurance is calculated.

Generate a summary report

Demonstrate your organization's compliance progress by generating a summary report.

  1. Click Compliance Summary Report.
  2. Download the Excel report (.xlsx) to your computer.

    Any applied filters that you apply on the Compliance Maps page are reflected in the report. Each standard/regulation is displayed on a separate worksheet.

    Tip

    Manually created requirements that are indexed alphanumerically in your compliance map may be ordered differently in your Excel report. To achieve the same ordering, you can use the following naming strategy for your requirements:

    • Parent requirement alphabetical ID

      Example A1

    • Child requirements alphabetical ID + numerical ID

      Examples A1-01, A1-02, A1-03