Understanding coverage

In Compliance Maps, coverage is a percentage measurement that indicates the extent to which applicable requirements are covered by controls.

Is the requirement applicable and covered?

To understand how coverage is calculated, first consider whether the requirement is applicable. If the requirement is applicable, you need to consider whether or not it is covered.

  • Applicable: the indication that the requirement is relevant or appropriate for your organization's consideration.
  • Covered: the indication that the requirement is met.
    Note

    If all requirements within a standard or regulation are defined as Covered, a checkmark displays next to the standard or regulation on the Compliance Maps page in the Covered column. If at least one requirement within the standard or regulation is defined as Not Covered, a red "x" displays in the Covered column.

How it works

When you click on a requirement and open the Requirement Details side panel, you can indicate whether or not the requirement is applicable and covered.

  • If you indicate that the requirement is not applicable, you do not need to specify whether or not the requirement is covered, as the requirement is considered out of scope for your organization.
  • If you need to specify the reason for marking a requirement as applicable / not applicable and covered / not covered, you can enter information in the Rationale field.
Note

By default, all parent requirements are applicable and not covered. When you create a new child requirement, the child requirement automatically receives the Applicable and Covered values from the parent requirement.

Applicable vs. non-applicable requirements

  • If you specify a requirement as applicable, all parent and child requirements are marked as applicable.
  • If you specify a requirement as not applicable, all child requirements are marked as not applicable and the parent requirement remains unchanged.

Example 1: Requirement 1 is changed from applicable to not applicable

| Requirement | Applicable | Action | Is the requirement applicable? |
|---|---|---|---|
| Requirement 1 | Yes | You specify Requirement 1 as not applicable | No |
| • Requirement 1.1 | Yes | -- | No |
| • Requirement 1.2 | Yes | -- | No |
|   • Requirement 1.2.1 | Yes | -- | No |
|   • Requirement 1.2.2 | Yes | -- | No |

Example 2: Requirement 1.2 is changed from not applicable to applicable

| Requirement | Applicable | Action | Is the requirement applicable? |
|---|---|---|---|
| Requirement 1 | No | -- | Yes |
| • Requirement 1.1 | No | -- | No |
| • Requirement 1.2 | No | You specify Requirement 1.2 as applicable | Yes |
|   • Requirement 1.2.1 | No | -- | Yes |
|   • Requirement 1.2.2 | No | -- | Yes |

Example 3: Requirement 1.2.1 is changed from not applicable to applicable

| Requirement | Applicable | Action | Is the requirement applicable? |
|---|---|---|---|
| Requirement 1 | No | -- | Yes |
| • Requirement 1.1 | No | -- | No |
| • Requirement 1.2 | No | -- | Yes |
|   • Requirement 1.2.1 | No | You specify Requirement 1.2.1 as applicable | Yes |
|   • Requirement 1.2.2 | No | -- | No |

Example 4: Requirement 1.2 is changed from applicable to not applicable

| Requirement | Applicable | Action | Is the requirement applicable? |
|---|---|---|---|
| Requirement 1 | Yes | -- | Yes |
| • Requirement 1.1 | No | -- | No |
| • Requirement 1.2 | Yes | You specify Requirement 1.2 as not applicable | No |
|   • Requirement 1.2.1 | Yes | -- | No |
|   • Requirement 1.2.2 | No | -- | No |

How is coverage calculated?

If you specify that a requirement is covered:

  • all child requirements are marked as covered and the parent requirement remains unchanged
  • the coverage of the requirement is recalculated as 100%

If you specify that a requirement is not covered:

  • all parent and child requirements are marked as not covered
  • the coverage of the requirement is recalculated as

    Coverage(%) = 0% + SumOfCoverageOfDirectChildren / NumberOfDirectChildren

What are direct children?

Direct children are the requirements that are immediately nested under the parent requirement. In the examples below, the direct children of Requirement 1.2 are Requirement 1.2.1 and 1.2.2. Similarly, the direct children of Requirement 1 are Requirement 1.1 and 1.2.

Note

The coverage calculation only applies to applicable requirements.

Example 1: Requirement 1 is changed from not covered to covered

| Requirement | Covered | Coverage | Action | Is the requirement covered? | Recalculated Coverage |
|---|---|---|---|---|---|
| Requirement 1 | No | 0% | You specify that Requirement 1 is covered | Yes | 100% |
| • Requirement 1.1 | No | 0% | -- | Yes | 100% |
| • Requirement 1.2 | No | 0% | -- | Yes | 100% |
|   • Requirement 1.2.1 | No | 0% | -- | Yes | 100% |
|   • Requirement 1.2.2 | No | 0% | -- | Yes | 100% |

Example 2: Requirement 1.2 is changed from covered to not covered

| Requirement | Covered | Coverage | Action | Is the requirement covered? | Recalculated Coverage |
|---|---|---|---|---|---|
| Requirement 1 | Yes | 100% | -- | No | 50% |
| • Requirement 1.1 | Yes | 100% | -- | Yes | 100% |
| • Requirement 1.2 | Yes | 100% | You specify that Requirement 1.2 is not covered | No | 0% |
|   • Requirement 1.2.1 | Yes | 100% | -- | No | 0% |
|   • Requirement 1.2.2 | Yes | 100% | -- | No | 0% |

Example 3: Requirement 1.2.1 is changed from covered to not covered

| Requirement | Covered | Coverage | Action | Is the requirement covered? | Recalculated Coverage |
|---|---|---|---|---|---|
| Requirement 1 | Yes | 100% | -- | No | 75% |
| • Requirement 1.1 | Yes | 100% | -- | Yes | 100% |
| • Requirement 1.2 | Yes | 100% | -- | No | 50% |
|   • Requirement 1.2.1 | Yes | 100% | You specify that Requirement 1.2.1 is not covered | No | 0% |
|   • Requirement 1.2.2 | Yes | 100% | -- | Yes | 100% |

Example 4: Requirement 1.2 is changed from not covered to covered

| Requirement | Covered | Coverage | Action | Is the requirement covered? | Recalculated Coverage |
|---|---|---|---|---|---|
| Requirement 1 | No | 75% | -- | No | 100% |
| • Requirement 1.1 | Yes | 100% | -- | Yes | 100% |
| • Requirement 1.2 | No | 50% | You specify that Requirement 1.2 is covered | Yes | 100% |
|   • Requirement 1.2.1 | No | 0% | -- | Yes | 100% |
|   • Requirement 1.2.2 | Yes | 100% | -- | Yes | 100% |
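
The applicability and coverage rules above, modeled as an added Python example (not the product's own code) that reproduces the example tables. The class, method and function names are hypothetical, and leaving non-applicable direct children out of the average is an assumption based on the note that the calculation only applies to applicable requirements.

```python
class Requirement:
    """One node of a requirement tree (illustrative model, not the product's code)."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        # Page default: applicable and not covered; a child inherits from its parent.
        self.applicable = parent.applicable if parent else True
        self.covered = parent.covered if parent else False
        if parent:
            parent.children.append(self)

    def _ancestors(self):
        node = self.parent
        while node:
            yield node
            node = node.parent

    def _descendants(self):
        for child in self.children:
            yield child
            yield from child._descendants()

    def _spread(self, attr, value, upward):
        targets = [self, *self._descendants()]
        if upward:
            targets += self._ancestors()
        for node in targets:
            setattr(node, attr, value)

    def set_applicable(self, value):
        # Applicable flows to parents and children; not applicable to children only.
        self._spread("applicable", value, upward=value)

    def set_covered(self, value):
        # Covered flows to children only; not covered to parents and children.
        self._spread("covered", value, upward=not value)

    def coverage(self):
        """Percent coverage: 100 if covered, else the mean of direct children."""
        if self.covered:
            return 100.0
        # Assumption: direct children marked not applicable are left out of the mean.
        kids = [c for c in self.children if c.applicable]
        return sum(c.coverage() for c in kids) / len(kids) if kids else 0.0

def build_tree():
    """Constructed sample: the Requirement 1 tree from the page's examples."""
    r1 = Requirement("1")
    r11, r12 = Requirement("1.1", r1), Requirement("1.2", r1)
    return r1, r11, r12, Requirement("1.2.1", r12), Requirement("1.2.2", r12)
```

As in coverage Example 4, a parent can report 100% coverage while its Covered value is still No, so a review of a standard should read both fields.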