What are control progress flags?
Each control within your Strike Graph Control Library has six customizable attributes: name, description, status, owner, frequency, and progress. These attributes can and should be customized for relevancy to your unique organization.
Reviewing the activated controls in your Control Library, and customizing them to more closely align with your specific organization’s practices, is usually the first step in establishing a compliance program.
The focus of this article will be on control progress. First, it is important to note that assigning progress flags to controls serves as an internal tool. In other words, do not fret if you find that the majority of controls within your library are “Not In Place” within your organization as you take your first pass through the Control Library. Instead, treat the “Not In Place” controls as your organization's to-do list of controls to implement.
Why control progress flags are useful
Once control progress has been assigned to a control, your organization will be able to filter for that control by utilizing its progress flag. In this way, once each control within your entire Control Library has a progress status, your organization will be able to quickly conceptualize where most of your time and energy needs to be devoted.
To find out the total number of controls that are flagged within your library as “Not In Place,” “Partially In Place,” or “In Place,” filter according to the specific flag. The number can be seen in the top right corner, just below the Search button.
To see a visual of the same metrics that the control library filtering provides, navigate to the control monitoring tab on the left side of the screen and view the “donut” charts.
Notice the difference in the two charts above; it is common, and perfectly acceptable, for your organization’s donut chart to look like the one on the left as you are just embarking on your compliance journey. However, prior to entering an audit, your chart will need to look like the image on the right (i.e. every single control within your Library is “In Place”).
Not only should progress flags be assigned during your organization’s first pass through your Control Library, but they should be consistently revisited to reflect the advancement that has occurred within your organization.
Furthermore, control progress flags should be kept up-to-date so that:
Accurate control lists are created within your Security Overview Report.
Only controls that are “In Place” will map to their linked risk category and be generated within the Security Overview Report.
The control monitoring “donut” charts accurately track the progress that your organization is making towards SOC 2 compliance.
Your CSM can see controls that your organization has yet to flag as “In Place,” and can potentially offer guidance on control implementation or alternate controls to implement that would still afford your organization appropriate coverage.
How to determine what progress flag should be assigned
Now that we have discussed what control progress flags are and why they are a helpful internal tool, let’s look at how to actually assign the progress accurately. The following bullets offer guidance for how to assign progress flags:
In Place: The control is operating and effective, and evidence is readily available to be gathered and uploaded.
Partially in Place: The control is in the process of being developed/implemented and cannot be adequately evidenced yet.
Not in Place: The control needs to be developed and implemented before evidence can be made available.
Note: Your organization can decide on your own unique definitions for each progress flag, as long as your team is in agreement. For example, if you are pursuing PCI or an ISO certification, Not in Place would mean the control is out of scope for your organization, but you need to call it out in your SAQ or Statement of Applicability.
Assigning progress flags to a control
Step 1: Navigate to your control library and select a control by clicking anywhere within the control’s row.
Step 2: Click on the edit button that is next to the control name.
Step 3: Click the “Save Changes” button.
Congrats, you have successfully assigned a control progress flag!
Note: Don’t forget to consistently update progress flags when applicable to ensure that your organization is accurately representing the efforts that you are making with regard to developing, implementing, and evidencing your controls.