Relationships between controls and requirements

Showcase your organization's adherence to specifications relevant to the business by mapping controls to requirements.

Mapping controls

A requirement can be covered by many controls and a control may cover many requirements. When you map a control to a requirement, you define the measures or courses of action for assuring the achievement of an organization's compliance with requirements.

Note

You can only map controls to requirements you have specified as Applicable. For more information, see Create a compliance map.

Limitations

The maximum number of controls you can map to a single requirement is 300.

What happens when you map a control to a requirement?

When you map a control to a requirement:

  • testing results and issues information is aggregated in a summary view in the Requirement details side panel for each requirement
  • you cannot map additional controls to ancestors or descendants of the requirement

Example

Scenario

You map Requirement 1.2 to Control A.

Requirement 1 - (Control A)

  • Requirement 1.1
  • Requirement 1.2 - Control A
  • Requirement 1.3

Result

  • Control A becomes a related control for Requirement 1.

  • You are not able to map additional controls to Requirement 1.
  • In order to map Requirement 1 to a different control, you need to remove the existing mapping between Requirement 1.2 and Control A, or map additional controls to Requirement 1.2.

Unmapping controls

At anytime, you can unmap controls from requirements. When you do this, the link between the control and requirement is removed, and aggregate testing results and issues information is removed from the compliance map.

When are controls automatically unmapped from a requirement?

If a scenario occurs where controls will be automatically unmapped from a requirement, you are prompted to confirm your action in Compliance Maps before the controls are unmapped.

Scenario Occurrence Result
Specifying a requirement as not applicable You previously specified a requirement as applicable, mapped controls to the requirement, and later decide to specify the requirement as not applicable.

All controls mapped to the requirement and any descendant requirements in its group are unmapped.

Changing scope You change the scope of a standard or regulation, and have previously mapped controls to requirements that will be out-of-scope. All controls mapped to out-of-scope requirements are unmapped.

Related controls

Related controls for a requirement are controls that have been mapped to a requirement's ancestors or descendants.

Relationships between controls and requirements are displayed in the Related controls section in the Requirement details side panel for each requirement.

Examples

Example 1: Related controls (Ancestor)

You define the following relationships:

Requirement 1

  • Requirement 1.1 → Control A
  • Requirement 1.2 → Control B
  • Requirement 1.3

Result Relationships between controls and requirements are defined up-tree. The letters in brackets indicate the related controls.

Requirement 1 → (Control A; Control B)

  • Requirement 1.1 → Control A
  • Requirement 1.2 → Control B
  • Requirement 1.3

Example 2: Related controls (Descendants)

You define the following relationships:

Requirement 1 → Control A; Control B

  • Requirement 1.1
  • Requirement 1.2
  • Requirement 1.3

Result Relationships between controls and requirements are defined down-tree. The letters in brackets indicate the related controls.

Requirement 1 → Control A; Control B

  • Requirement 1.1 → (Control A; Control B)
  • Requirement 1.2 → (Control A; Control B)
  • Requirement 1.3 → (Control A; Control B)

Related requirements

Organizations typically need to be compliant with multiple standards and regulations that may have related or overlapping requirements. Related requirements indicate that controls implemented for one requirement should effectively address another (related) requirement.

How it works

Diligent has collated certain related requirements to support efficiency in the mapping process. These related requirements may be from the same standard / regulation or from different standards / regulations.

If you have imported standards or regulations from the Compliance Library, you can view related requirements and copy rationale statements from related requirements. For details on the Compliance Library, see Importing standards and regulations, section Manage Diligent-provided standards or regulations .

Note

Use of the related requirements feature is at your discretion and risk, and is subject to the terms and conditions of your subscription. You are responsible to apply professional judgment to determine the appropriate procedures, tests, or controls for your own use.

If the related standard or regulation is not already part of your subscription, or you would like access to other such standards or regulations, please contact your Diligent account representative to acquire access to your desired third-party content.

For more information, see Content & Intelligence Gallery.

Relationship strengths

Diligent categorizes related requirements using the following relationship strengths: 

Relationship strength Description Example
Equivalent

Effectively identical

Where covering A always requires covering B and vice versa

  • A) NIST SP 800-171: 3.1.12 Monitor and control remote access sessions.
  • B) NIST Cybersecurity Framework version 1.1: PR.AC-3 Remote access is managed.
Strongly related

Corresponding or very similar

Where covering A usually requires covering B

  • A) NIST SP 800-171: 3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
  • B) NIST Cybersecurity Framework version 1.1: PR-AT-5 Physical and cybersecurity personnel understand their roles and responsibilities.
Moderately related

Some overlapping elements

Where covering A sometimes requires covering B

  • A) NIST SP 800-171: 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  • B) NIST Cybersecurity Framework version 1.1: PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

Suggested controls

If you previously mapped a control to a related requirement, the control mapping is displayed as a suggestion in Compliance Maps. These suggestions help compliance teams show adherence to multiple standards and regulations more efficiently, and expedite the control mapping process.

You can choose to map suggested controls to a requirement or dismiss the suggestion. Dismissing a suggestion permanently removes it for all users in the Diligent One instance. Once dismissed, the suggestion is never presented for the requirement again.