Understanding coverage
In Compliance Maps, coverage is a percentage measurement that indicates the extent to which applicable requirements are covered by controls.
Is the requirement applicable and covered?
To understand how coverage is calculated, first consider whether the requirement is applicable. If the requirement is applicable, you need to consider whether or not it is covered.
- Applicable the indication that the requirement is relevant or appropriate for your organization's consideration.
- Covered the indication that the requirement is met.Note
If all requirements within a standard or regulation are defined as Covered, a checkmark
displays next to the standard or regulation on the Compliance Maps page in the Covered column. If at least one requirement within the standard or regulation is defined as Not Covered, a red "x" 
displays in the Covered column.
How it works
When you click on a requirement and open the Requirement Details side panel, you can indicate whether or not the requirement is applicable and covered.
- If you indicate that the requirement is not applicable, you do not need to specify whether or not the requirement is covered, as the requirement is considered out of scope for your organization.
- If you need to specify the reason for marking a requirement as applicable / not applicable and covered / not covered, you can enter information in the Rationale field.
By default, all parent requirements are applicable and not covered. When you create a new child requirement, the child requirement automatically receives the Applicable and Covered values from the parent requirement.
Applicable vs. non-applicable requirements
- If you specify a requirement as applicable, all parent and child requirements are marked as applicable.
- If you specify a requirement as not applicable, all child requirements are marked as not applicable and the parent requirement remains unchanged.
Example 1: Requirement 1 is changed from applicable to not applicable
| Requirement | Applicable | Action | Is the requirement applicable? |
|---|---|---|---|
| Requirement 1 | Yes | You specify Requirement 1 as not applicable | No |
|
Yes | -- | No |
|
Yes | -- | No |
|
Yes | -- | No |
|
Yes | -- | No |
Example 2: Requirement 1.2 is changed from not applicable to applicable
| Requirement | Applicable | Action | Is the requirement applicable? |
|---|---|---|---|
| Requirement 1 | No | -- | Yes |
|
No | -- | No |
|
No | You specify Requirement 1.2 as applicable | Yes |
|
No | -- | Yes |
|
No | -- | Yes |
Example 3: Requirement 1.2.1 is changed from not applicable to applicable
| Requirement | Applicable | Action | Is the requirement applicable? |
|---|---|---|---|
| Requirement 1 | No | -- | Yes |
|
No | -- | No |
|
No | -- | Yes |
|
No | You specify Requirement 1.2.1 as applicable | Yes |
|
No | -- | No |
Example 4: Requirement 1.2 is changed from applicable to not applicable
| Requirement | Applicable | Action | Is the requirement applicable? |
|---|---|---|---|
| Requirement 1 | Yes | -- | Yes |
|
No | -- | No |
|
Yes | You specify Requirement 1.2 as not applicable | No |
|
Yes | -- | No |
|
No | -- | No |
How is coverage calculated?
If you specify that a requirement is covered:
- all child requirements are marked as covered and the parent requirement remains unchanged
- the coverage of the requirement is recalculated as 100%
If you specify that a requirement is not covered:
- all parent and child requirements are marked as not covered
-
the coverage of the requirement is recalculated as
Coverage(%) = 0% + SumOfCoverageOfDirectChildren / NumberOfDirectChildren
What are direct children?
Direct children are the requirements that are immediately nested under the parent requirement. In the examples below, the direct children of Requirement 1.2 are Requirement 1.2.1 and 1.2.2. Similarly, the direct children of Requirement 1 are Requirement 1.1 and 1.2.
The coverage calculation only applies to applicable requirements.
Example 1: Requirement 1 is changed from not covered to covered
| Requirement | Covered | Coverage | Action | Is the requirement covered? | Recalculated Coverage |
|---|---|---|---|---|---|
| Requirement 1 | No | 0% | You specify that Requirement 1 is covered | Yes | 100% |
|
No | 0% | -- | Yes | 100% |
|
No | 0% | -- | Yes | 100% |
|
No | 0% | -- | Yes | 100% |
|
No | 0% | -- | Yes | 100% |
Example 2: Requirement 1.2 is changed from covered to not covered
| Requirement | Covered | Coverage | Action | Is the requirement covered? | Recalculated Coverage |
|---|---|---|---|---|---|
| Requirement 1 | Yes | 100% | -- | No | 50% |
|
Yes | 100% | -- | Yes | 100% |
|
Yes | 100% | You specify that Requirement 1.2 is not covered | No | 0% |
|
Yes | 100% | -- | No | 0% |
|
Yes | 100% | -- | No | 0% |
Example 3: Requirement 1.2.1 is changed from covered to not covered
| Requirement | Covered | Coverage | Action | Is the requirement covered? | Recalculated Coverage |
|---|---|---|---|---|---|
| Requirement 1 | Yes | 100% | -- | No | 75% |
|
Yes | 100% | -- | Yes | 100% |
|
Yes | 100% | -- | No | 50% |
|
Yes | 100% | You specify that Requirement 1.2.1 is not covered | No | 0% |
|
Yes | 100% | -- | Yes | 100% |
Example 4: Requirement 1.2 is changed from not covered to covered
| Requirement | Covered | Coverage | Action | Is the requirement covered? | Recalculated Coverage |
|---|---|---|---|---|---|
| Requirement 1 | No | 75% | -- | No | 100% |
|
Yes | 100% | -- | Yes | 100% |
|
No | 50% | You specify that Requirement 1.2 is covered | Yes | 100% |
|
No | 0% | -- | Yes | 100% |
|
Yes | 100% | -- | Yes | 100% |
