Two Ways to Set Compliance Status
Compliance status for obligations, policies and controls can be set automatically, or manually by users.
Normally, the compliance status of an obligation, policy or control is automatically determined, based on the attributes of the resource plus the compliance status of the other key resources that are attached to it ("Attached Key Resources" or "AKRs").
For example, a compliance obligation will be automatically set to "compliant" if all of the policies and must-have controls attached to it are compliant. If, however, some of the obligation's attached policies and must-have controls are compliant but some are not, the obligation will be considered "partially compliant".
What Counts as an AKR?
The data model for compliance resources is as follows:
Framework > Obligation > Policies & Controls > Evidence Tasks
Frameworks (e.g. laws, standards, agreements etc.) dictate the specific obligations that organizations must meet. Policies and controls are the means by which organizations operationalize their obligations to help ensure they are being met. Evidence tasks help to ensure that needed controls are in place and functioning as expected.
Optionally, users can attach other resources to obligations, policies, controls, and evidence tasks, depending on how their client administrators have configured the system to support their compliance processes. For example, risks, action plans, indicators/metrics, and incidents can all be connected to compliance resources where appropriate.
Note, however, that only active "Attached Key Resources" (AKRs) will impact the logic for automatically determining compliance status.
| Resource | AKRs |
| --- | --- |
| Obligation | Sub-obligations, Policies, Must-have Controls |
| Policy | Sub-policies, Must-have Controls |
| Control | Evidence Tasks (coming soon) |
Automated compliance status flows up the hierarchy, not down. For example, a failing evidence task will impact the status of the controls above it, which will in turn affect the compliance status of the obligations above the control. The compliance status of an obligation will not, however, affect the status of the policies and controls underneath it.
Furthermore, only controls which have been set as "must-have" controls will impact the status of resources above them. Must-have status is a property of the relationship between a control and the resource it is attached to. For example, a control may be must-have to one obligation or policy, but not to others. Must-have status is set through the ellipsis menus shown in the optional Attached Controls sub-section that can be enabled on the Obligation Details and Policy Details screens.
Note that related policies do not affect the compliance status of the policies they are connected to (as opposed to sub-policies, which do).
Finally, the system evaluates only active AKRs. AKRs that are inactive, draft, or archived are excluded from automated compliance logic.
Compliance Status Values - Automated Rules
| Status | Rule |
| --- | --- |
| Compliant | The resource has at least one active AKR and all active AKRs are "Compliant". (Inactive AKRs are ignored.) |
| Partially Compliant | Any active AKR is Partially Compliant, or there is a mix of Compliant and Non-Compliant/Unknown active AKRs. |
| Non-Compliant | At least one active AKR is Non-Compliant and no other active AKRs are Compliant or Partially Compliant. |
| Unknown | The resource has no active AKRs, or all active AKRs have Unknown or Not Applicable status. This is the default status for newly created resources. |
| Not Applicable | Can only be set manually by a user override; it is never auto-calculated. This lets users connect resources for information purposes while ensuring their status never affects compliance status calculations. |
Manual Override
On any resource's details screen, you can:
Click "set value" to manually set the compliance status to any of the five values
The screen will display who set it and when
Click "reset" to revert to the auto-calculated value
This manual override feature is helpful when a user's business judgement overrides the system's suggested status (or where data is incomplete and automated status cannot be determined yet).
Note that once set manually, the compliance value selected by the user will continue to override the automatic compliance status values until reset is selected.
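The following is an added worked example, not code from the product itself: a small Python model of the AKR table, the must-have relationship, active-only evaluation, the automated status rules and the manual override described above. The names Resource, active_akrs, roll_up and status are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
# The five status values named on the page.
COMPLIANT, PARTIAL, NON_COMPLIANT, UNKNOWN, NOT_APPLICABLE = (
    "Compliant", "Partially Compliant", "Non-Compliant", "Unknown", "Not Applicable")

@dataclass
class Resource:
    name: str
    kind: str                        # "obligation", "policy", "control" or "evidence_task"
    active: bool = True              # draft, inactive and archived resources are not active
    override: Optional[str] = None   # manual "set value"; None means auto-calculated
    # (child, relation, must_have); relation is "sub", "policy", "control", "evidence" or
    # "related"; must_have belongs to this attachment, not to the control itself.
    attachments: list = field(default_factory=list)

    def attach(self, child, relation, must_have=False):
        self.attachments.append((child, relation, must_have))

def active_akrs(res):
    """Active Attached Key Resources per the AKR table; everything else is ignored."""
    out = []
    for child, rel, must_have in res.attachments:
        if not child.active:
            continue
        is_key = (rel == "sub"                                         # sub-obligations / sub-policies
                  or (res.kind == "obligation" and rel == "policy")    # policies under an obligation
                  or (res.kind in ("obligation", "policy") and rel == "control" and must_have)
                  or (res.kind == "control" and rel == "evidence"))    # listed as "coming soon"
        if is_key:
            out.append(child)
    return out

def roll_up(statuses):
    """Apply the automated rules to the statuses of the active AKRs."""
    s = [x for x in statuses if x != NOT_APPLICABLE]   # Not Applicable never affects the result
    if not s or all(x == UNKNOWN for x in s):
        return UNKNOWN
    if all(x == COMPLIANT for x in s):
        return COMPLIANT
    if PARTIAL in s:
        return PARTIAL
    if NON_COMPLIANT in s and COMPLIANT not in s:
        return NON_COMPLIANT
    return PARTIAL   # a mix of Compliant with Non-Compliant/Unknown

def status(res):
    """Manual override wins until reset; otherwise status flows up from active AKRs only."""
    if res.override is not None:
        return res.override
    return roll_up([status(c) for c in active_akrs(res)])
```

Controls and evidence tasks are modelled as leaves whose status is set via override, which is also how a newly created resource with no AKRs ends up Unknown.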