How to work with controls
Overview
Where to find it in ISOPlanner: https://portal.isoplanner.app/controls/overview
Controls become available either by activating a standard or by adding custom controls yourself. A control is usually a subject for which policies or procedures can be defined in order to implement the control. As controls are used for monitoring the risks, the “Risks” column in the Controls overview shows how many risks are linked to each control. Clicking the risk number of a control opens an overview of all the risks linked to that control.
If controls are not relevant for your ISO standards, you can disable the menu option altogether under Menu Administration-Settings, tab “Modules”. This does not result in loss of information; it only hides the ISOPlanner element from users.
For instructions on how to manage the list of controls, including how to search, filter, make bulk changes and create reports, see list actions.
Analytics
The overview of controls has a tab called ‘Analytics’. It shows graphs of the number of controls per sharing permission and of standard controls per owner, as well as a pie chart of controls and their related monitoring tasks. It shows how many tasks are linked directly or through a parent control.

Controls
Properties
Each control has the following properties:
- Code
- Owner
- Group
- Applicability
- Status
- Monitoring
- Tags
- Control
- Implementation
- Background Information
Applicability and Status on the Statement of Applicability
Two properties specific to Controls are Applicability and Status.

Applicability is a field that allows you to define why a control is applicable. There are 7 different options for Applicability:
- Best practice
  - When to use: If the control is generally recognized as a good and professional standard within information security, even without specific legal or contractual obligations.
  - Example: Encryption of laptops in order to protect personal data.
- Risk analysis
  - When to use: If the control is based on a risk analysis. This means that a specific risk has been identified and measures are being taken to mitigate that risk.
  - Example: Extra access control on systems with sensitive data after a risk assessment.
- Laws and regulations
  - When to use: If the control is mandatory based on legislation or regulation.
  - Example: Logging of access to patient files according to Wabvpz.
- Contract
  - When to use: If the control arises from a contractual obligation with a customer, supplier or external party.
  - Example: Storage of data within the EU based on customer agreements.
- Interface
  - When to use: If the control is necessary for a secure connection or collaboration with other systems or organizations.
  - Example: Technical security measures for a secure API connection with an external provider.
- Outsourced
  - When to use: If the control is necessary due to outsourcing of services or processes and you want to ensure that the external party takes the correct security measures.
  - Example: VPN requirement for remote IT administrators.
- Not applicable – if none of the above reasons are met. Choosing the option “Out of scope” disables the Status field, and the “Implementation text” field is replaced with the “Out of scope reason” field. In that field, the reason(s) why the control is out of scope need to be specified. If a standard or framework defines a set of controls, you may be required to provide this information for each of them.
In the SoA report, Applicability is visible as Yes or No in the column “In scope”, and the column “Reason (not) in scope” states the choice(s) from the Applicability field. If a control is marked as out of scope, the reason why it is out of scope is shown in the column “Reason (not) in scope”.
Status is a field that allows you to define the status of each control. Available options are: To do, Designing, Implementing and Implemented. In the SoA report, the Status field is visible in the column “Implemented”: status “To do” is reported as “No”, “Implemented” as “Yes”, and “Designing” and “Implementing” as “In progress”.
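The two paragraphs above define how the Applicability and Status fields of a control map onto the “In scope”, “Reason (not) in scope” and “Implemented” columns of the SoA report, and what changes when a control is out of scope (Status is disabled, the out-of-scope reason replaces the implementation text). The following Python is an added example that applies exactly those rules to a small set of constructed controls; it is not ISOPlanner code and does not use any ISOPlanner API. The “Code” column, the blank “Implemented” value for out-of-scope controls, and the treatment of a missing out-of-scope reason or an unknown status as validation errors are assumptions made for the example, not behaviour the page describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Applicability reasons that put a control in scope (as listed on the page).
IN_SCOPE_REASONS = {
    "Best practice", "Risk analysis", "Laws and regulations",
    "Contract", "Interface", "Outsourced",
}
# The seventh option; it means the control is out of scope.
NOT_APPLICABLE = "Not applicable"

# Status -> value of the SoA "Implemented" column, as described on the page.
STATUS_TO_IMPLEMENTED = {
    "To do": "No",
    "Designing": "In progress",
    "Implementing": "In progress",
    "Implemented": "Yes",
}


@dataclass
class Control:
    """Subset of a control's properties needed for the SoA report."""
    code: str
    applicability: List[str]            # one or more Applicability choices
    status: Optional[str] = None        # disabled (None) when out of scope
    implementation: str = ""            # implementation text (in-scope controls)
    out_of_scope_reason: str = ""       # replaces implementation text when out of scope


def soa_row(control: Control) -> Dict[str, str]:
    """Render one SoA report row from a control's Applicability and Status.

    Raises ValueError when the control's fields are inconsistent with the
    rules on the page (e.g. out of scope without a reason).
    """
    in_scope = NOT_APPLICABLE not in control.applicability
    row = {"Code": control.code}  # "Code" column is an assumption of this example

    if in_scope:
        unknown = set(control.applicability) - IN_SCOPE_REASONS
        if unknown:
            raise ValueError(f"{control.code}: unknown applicability {sorted(unknown)}")
        if control.status not in STATUS_TO_IMPLEMENTED:
            raise ValueError(f"{control.code}: in-scope control needs a valid status")
        row["In scope"] = "Yes"
        # The chosen Applicability reason(s) are listed in "Reason (not) in scope".
        row["Reason (not) in scope"] = ", ".join(control.applicability)
        row["Implemented"] = STATUS_TO_IMPLEMENTED[control.status]
        return row

    # Out of scope: "Not applicable" cannot be combined with a positive reason,
    # and the out-of-scope reason must be filled in.
    if len(control.applicability) != 1:
        raise ValueError(f"{control.code}: 'Not applicable' excludes other reasons")
    if not control.out_of_scope_reason.strip():
        raise ValueError(f"{control.code}: out-of-scope control needs a reason")
    row["In scope"] = "No"
    row["Reason (not) in scope"] = control.out_of_scope_reason.strip()
    row["Implemented"] = ""  # Status is disabled; blank column is an assumption
    return row


def soa_report(controls: List[Control]) -> List[Dict[str, str]]:
    """Render all controls; invalid controls surface as errors, not silent gaps."""
    return [soa_row(c) for c in controls]


# Constructed sample controls (codes and texts are invented for this example).
SAMPLE_CONTROLS = [
    Control("C-01", ["Laws and regulations", "Contract"], "Designing",
            implementation="Access to records is logged centrally."),
    Control("C-02", ["Best practice"], "Implemented",
            implementation="Laptop disks are encrypted."),
    Control("C-03", ["Risk analysis"], "To do"),
    Control("C-04", [NOT_APPLICABLE],
            out_of_scope_reason="No software is developed in-house."),
]

if __name__ == "__main__":
    for row in soa_report(SAMPLE_CONTROLS):
        print(row)
```

Running the block prints one dictionary per control; the two paragraphs above can be checked against it directly (C-01 with two reasons shows “In progress”, C-04 shows “No” with its out-of-scope reason instead of implementation text).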
The Control field is pre-filled and read-only if it comes from an activated standard; for a custom control it is editable. When more than one standard is activated with an overlap in controls, multiple tabs (one for each standard) show the controls from the different standards.
The Implementation field is editable; this is where you describe how you have implemented the control. In this field a badge can be created that refers to a document, which needs to be linked in the ‘Library’ tab of the Related information panel. In that panel, the “Risks” tab lets you link risks related to this control, and the “Context” tab lets you link other elements such as other controls, objectives and KPIs to the control.
View

The ‘View’ button allows you to change the view on your control.
- Tabs per standards element (default): Shows the controls from all related standards in tabs, with the implementation field below it.
- Among each other: Shows the controls from all related standards as a list, with the implementation field below it.
- Full screen: As ‘among each other’ but with other user interface elements like the menu hidden for more screen real estate.
Tasks & Events
When a control is opened, by default it shows a ‘Details’ tab. There is also a ‘Tasks & Events’ tab where you can create new tasks in the context of the control which is currently open.
Monitoring tab
Each control has a ‘Monitoring’ tab. This tab shows all tasks related to the control, as well as all tasks related to its sub-controls, for a time period that can be defined by the user.
For each of these tasks, the following information is shown:
- Name
- Start date
- Recurrence pattern
- Total score
- Score per instance
The score is calculated with a proprietary algorithm that takes into account whether all checklist items were marked as done successfully and whether the task was completed on time.
The score per instance is a graph, shown for recurring tasks, with the score for each time the task was completed.
Dashboard
In this Tab, widgets related to this Control can be added.
Related standards
The ‘Related standards’ button allows you to modify the relationship between your control and ISO- and custom standards.
If you have created a custom standard, then creating new controls and linking them to your custom standards with this button is the way to fill your custom standard with controls.
Linked implementation
If you are using organisational units, the “linked implementation” option lets you link the same or related controls in different organisational units. For more information on this option, see organisational units.
Related information
The pane that can be opened on the left contains more information related to the control. For example, in the ‘Library’ tab you can link documents to the control, such as a document that describes your control. If the linked document lives in SharePoint, you can include the document content in a tab in ISOPlanner alongside the control.
Also, in the ‘Context’ tab, you can link requirements and other controls to this control. Read more about related information.
