Create a compliance map
Centralize the documentation of requirements and their mapped controls, and automatically aggregate testing results and issues to easily assess compliance requirements coverage and report on compliance status in real-time.
Before you start
Before you can manage compliance, you need to:
To aggregate testing results and issues data from projects, you or someone on your team must complete the following tasks:
Note
- Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
- If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.
Permissions
Users assigned Compliance Maps Privileges with Read/Write access can create a compliance map.
Why are some standards and regulations locked?
While working in Compliance Maps, you may notice that some imported standards and regulations are locked. These are marked with a lock icon, indicating that they're read-only.
This is because when we source these standards and regulations, the providers sometimes specify that customers can't modify the content from the templates they provide. As a result, modification actions are unavailable, including editing any part of any standards, regulations, or associated requirements; adding child requirements; and deleting requirements.
Workflow
Add standards or regulations
Add a standard or regulation to your compliance map manually, or import available standards and regulations from the Compliance Library. (To generally view standards and regulations in the Compliance Library, see Importing standards and regulations, section Manage Diligent-provided standards or regulations.)
- Open the Compliance Maps app.
The Compliance Maps page opens.
- Complete any of the following tasks:
Import available standards or regulations
- Click Import standard or regulation.
The Compliance Library opens.
- Search for and select the relevant standards or regulations you want to import.
Some standards and regulations are only available in read-only format. For more information, see Importing standards and regulations.
Note
Certain standards and regulations are only available by subscribing to Diligent Content Suites. For more information, see Content & Intelligence Gallery.
- Click Import.
- Once the import is complete, click the Open button for the newly-imported standard or regulation.
Result – You will return to the Compliance Maps home page with the side panel open for the newly-imported standard or regulation, and the standard or regulation expanded in the list view to show its top-level requirements.
- Skip the steps under Add requirements and proceed to Specify if requirements are applicable and covered.
Accessing additional standards and regulations
Some standards and regulations display a Contact for access label. Contact your Customer Success Manager to learn how to access these standards and regulations.
Manually add a standard or regulation
- Click Create new.
The Add standards and regulations side panel opens.
- Enter the following information:
- Title: Name the standard or regulation.
The character limit is 255. The name must be unique.
- Description (optional): Provide a description of the standard / regulation.
Note
Rich text fields cannot exceed 524,288 characters.
- Do one of the following:
- To add the standard or regulation and close the panel, click Save and Close.
The standard or regulation is added to the compliance map.
- To add a requirement to the standard or regulation, click Save and create requirement, and proceed to step 3 of Add requirements.
Add requirements
Add requirements to populate your compliance map.
- If you imported a standard or regulation, expand the standard or regulation by clicking the side arrow.
- Click + Add Child.
The Add requirement side panel opens.
- Enter the following information:
- ID: Enter the identifier of the requirement.
- Title (optional): Name the requirement.
If you do not enter a title, the first 255 characters of the requirement description are displayed as the title in the tree view, stripped of any HTML or rich text formatting.
- Description: Provide a description of the requirement.
Note
Rich text fields cannot exceed 524,288 characters.
- Do one of the following:
- Save and create requirement: Select this option to save the requirement and add another requirement at the same hierarchical level in the tree view.
Note
If you need to add a sub-requirement, or a requirement at a different level in the hierarchy, click Save and Close, navigate to the appropriate requirement, and click + Add Child.
- Save and Close: Select this option to save the requirement and close the Add requirement side panel.
The new requirement is highlighted in the tree view and ordered based on ID. In the case that two requirements have the same ID, a secondary ordering method is automatically applied based on the date the requirement was created.
Note
All requirements are ordered automatically. You cannot configure the order of requirements.
Note
The number of requirements added to a standard or regulation appears beside the name of that standard or regulation in the list.
Specify if requirements are applicable and covered
Apply professional judgment and rationalize optimal coverage that's sufficient for the organization.
- From the Compliance Maps page, click the title of the requirement.
The Requirement details side panel opens.
Tip
The following keyboard shortcuts are available for working with requirements:
- Arrow keys allow you to navigate up and down the tree view.
- Enter opens the Requirement details side panel for the selected requirement.
- Esc closes the Requirement details side panel.
- Next to Applicable, specify whether or not the requirement is applicable to the organization by switching the toggle to Yes or No.
- If you selected Yes to Applicable, next to Covered, specify whether or not the requirement is covered by switching the toggle to Yes or No.
Note
By default, all parent requirements are applicable and not covered. When you create a new child requirement, the child requirement inherits the Applicable and Covered values from the parent requirement.
- Optional. Next to Rationale, specify the reason for marking a requirement as applicable / not applicable and covered / not covered.
Tip
You can also copy rationale statements from related requirements. For more information, see Work with related requirements.
Work with related requirements
If you have imported standards or regulations from the Compliance Library, you can view related requirements, or copy rationale statements from related requirements.
Diligent collates related requirements based on industry-approved mappings. The maximum number of related requirements you can view is 300. For more information, see Relationships between controls and requirements.
- From the Compliance Maps page, click the title of the requirement.
The Requirement details side panel opens.
- Under Status, click Show requirements. The Related requirements side panel opens and displays a list of related requirements.
- Complete any of the following tasks:
- View a related requirement in a new tab: Click the hyperlinked title of the related requirement.
- Copy the rationale from a related requirement to the requirement you are currently working on: In the Related requirements side panel, next to Rationale, click Copy and paste.
- If the related requirement does not have a rationale statement, the Copy and paste button is disabled.
- If the requirement you are working on already has a rationale statement, the copied rationale is appended to the bottom of the existing rationale.
Tip
To make further adjustments to the rationale statement, you can edit it after copying.
- Import standards or regulations that contain related requirements: If there are available related requirements that have not been imported to your compliance map, in the Related requirements side panel, under the Rationale field, click the title of an authoritative document to begin the import process.
- Click Close to close the Requirement details and Related requirements side panels.
Map controls to requirements
Showcase your organization's adherence to specifications relevant to the business by mapping controls to requirements. Mapped requirements also appear in Control X-Ray and help auditors familiarize themselves with a control based on mapped requirements.
You can map controls to requirements, either by following automatic suggestions or by manually browsing controls.
Note
The maximum number of controls you can map to a single requirement is 300.
In the English version of Diligent One, we have introduced Maestra, a machine learning system to suggest relevant controls for specific requirements. Currently, Maestra is only available in English, so the steps for mapping controls to requirements vary by which language you're using Diligent One in.
- From the Compliance Maps page, click the title of the requirement. The Requirement details side panel opens.
- In the Requirement details side panel, click Map controls. The Select Controls to Map side panel opens.
Note
If you do not see Map controls, it means that you are viewing an ancestor or descendant of a requirement that cannot be mapped. You must remove existing mappings in the group before you can map additional controls. For more information, see Relationships between controls and requirements.
- Click Suggested Controls to see a list of suggestions from Maestra, Diligent's machine learning service. You can do any of the following:
- Click the name of a control to see it in a new tab.
- Click the name of a framework a control is coming from to see it in a new tab.
- Click Browse Controls to browse through controls by framework in your Diligent One instance. You can do any of the following:
- Search for a control by entering a keyword in the search box.
You can search for controls by Objective title, Control ID, Control title, or Control description. Search terms are highlighted in the results.
- Click Filter to filter controls by frameworks or objectives.
The search works in combination with any applied filters. If you select a framework or objective filter, and you search for a control, you are only searching within the specified framework or objective.
- Click the side arrow to expand a framework and view a list of objectives. Click the side arrow next to the objective to view a list of controls.
- If applicable, click View more to show all frameworks in the Diligent One instance.
- Click Map beside each control you want to map to the requirement. Each mapped control appears in the Requirement details panel, under Mapped controls. The following information is displayed in a summary view for each mapped control:
- Control ID: The control identification code
- Owner: The person responsible for the control
- Control title: The title of the control
- Description: Detailed information about the control
- Framework: The framework where the control is coming from
- Testing results: Control tests that have passed, failed, and controls that have not yet been tested
- Issues: An aggregate number of open issues across all project controls linked to the framework control
Clicking the issue count link provides a pop-up list of issues. You can click an individual issue to navigate to detailed information.
Note
The aggregate issue count is based on all open published issues from active projects that are associated with walkthroughs, test plans, and testing rounds.
- Optional. Complete any of the following steps:
- To indicate the percentage of the requirement that the control covers, adjust the Control weight.
You can indicate a value between 0 - 100%. The default coverage is 100%.
- To navigate to the control in the framework, click the control ID link.
- To navigate to the framework, click the framework link.
- To remove the control association from the requirement, click Unmap.
- To map additional controls to the requirement, click + Map controls.
- To view a list of controls that have been automatically mapped to a single ancestor requirement, or all descendant requirements, and the aggregate number of issues for each control, view the Related controls section.
- Clicking the control ID link redirects you to the Control page in the applicable framework.
- Clicking the requirement link redirects you to the details of the requirement mapped to the related control.
- Clicking the issue count link provides a pop-up list of issues.
You can click an individual issue to navigate to detailed information.
- Click Close to close the Select Controls to Map and Requirement details side panels.
- From the Compliance Maps page, click the title of the requirement. The Requirement details side panel opens.
- Diligent suggests controls to map to requirements if you have already mapped the controls to related requirements. If there are controls to suggest, you can accept or dismiss those suggestions.
Suggestion control cards are sorted first by relationship strength (equivalent, strongly related, moderately related), then by requirement name, and then by control ID.
- In the Requirement details side panel, within the Suggestion control card, click Map beside a suggestion you'd like to accept.
- To permanently ignore suggestions, click Dismiss in the control card. If you mistakenly dismiss a suggestion, you can still view a list of mapped controls for related requirements in the side panel, and manually map controls.
- In the Requirement details side panel, click + Map controls.
The Framework controls side panel opens and lists the frameworks in the Diligent One instance. If controls have previously been mapped to the requirement, the controls are automatically selected.
Note
If you do not see + Map controls, it means that you are viewing an ancestor or descendant of a requirement that cannot be mapped. You must remove existing mappings in the group before you can map additional controls. For more information, see Relationships between controls and requirements.
- Do any of the following:
- Search for a control by entering a keyword in the search box.
You can search for controls by Objective title, Control ID, Control title, or Control description. Search terms are highlighted in the results.
- Click Show filters to filter controls by frameworks or objectives.
The search works in combination with any applied filters. If you select a framework or objective filter, and you search for a control, you are only searching within the specified framework or objective.
- Click the side arrow to expand a framework and view a list of objectives. Click the side arrow next to the objective to view a list of controls.
- If applicable, click View more to show all frameworks in the Diligent One instance.
- Select the appropriate control(s) and click Done. Each mapped control appears in the Requirement details panel, under Mapped controls. The following information is displayed in a summary view for each mapped control:
- Control ID: The control identification code
- Owner: The person responsible for the control
- Control title: The title of the control
- Description: Detailed information about the control
- Framework: The framework where the control is coming from
- Testing results: Control tests that have passed, failed, and controls that have not yet been tested
- Issues: An aggregate number of open issues across all project controls linked to the framework control
Clicking the issue count link provides a pop-up list of issues. You can click an individual issue to navigate to detailed information.
Note
The aggregate issue count is based on all open published issues from active projects that are associated with walkthroughs, test plans, and testing rounds.
- Optional. Complete any of the following steps:
- To indicate the percentage of the requirement that the control covers, adjust the Control weight.
You can indicate a value between 0 - 100%. The default coverage is 100%.
- To navigate to the control in the framework, click the control ID link.
- To navigate to the framework, click the framework link.
- To remove the control association from the requirement, click Unmap.
- To map additional controls to the requirement, click + Map controls.
- To view a list of controls that have been automatically mapped to a single ancestor requirement, or all descendant requirements, and the aggregate number of issues for each control, view the Related controls section.
- Clicking the control ID link redirects you to the Control page in the applicable framework.
- Clicking the requirement link redirects you to the details of the requirement mapped to the related control.
- Clicking the issue count link provides a pop-up list of issues.
You can click an individual issue to navigate to detailed information.
- Click Close to close the Select Controls to Map and Requirement details side panels.
Track compliance progress
Filter the list of requirements to track compliance progress.
From the Compliance Maps page, complete any of the following tasks:
Task | Step | What you see |
---|---|---|
View all applicable requirements across all regulations and standards | Click Applicable. | A list of all applicable requirements, whether or not they have been marked as covered |
View requirements that have not been identified as covered | Click Not covered (Gaps). | A list of applicable requirements that have not been identified as covered |
View requirements that have been identified as covered | Click Covered. | A list of applicable requirements that have been identified as covered |
View requirements that have been specified as not applicable | Click Not Applicable. | A list of all non-applicable requirements |
Search for requirements | Enter a keyword or phrase in the search box. | A list of requirements that match your search term or phrase. |
View summary information about a standard, regulation, or requirement, including: | Consult the Coverage, Covered, Issues, Controls and Assurance columns in the nested tree view. | |
Generate a summary report
Demonstrate your organization's compliance progress by generating a summary report.
- Click Compliance Summary Report.
- Download the Excel report (.xlsx) to your computer.
Any filters that you apply on the Compliance Maps page are reflected in the report. Each standard/regulation is displayed on a separate worksheet.
Tip
Manually created requirements that are indexed alphanumerically in your compliance map may be ordered differently in your Excel report. To achieve the same ordering, you can use the following naming strategy for your requirements:
- Parent requirement: alphabetical ID
Example: A1
- Child requirements: alphabetical ID + numerical ID
Examples: A1-01, A1-02, A1-03