Why are control descriptions important?
All of Strike Graph's controls are pre-populated with 'suggested' or 'template' language, and your organization can choose to implement them exactly as they are written. However, if your organization implements (or plans to implement) a control differently, the control language must be customized. Auditors will test your organization's controls based on the language within the control description, so accuracy is key.
What changes to control descriptions should be made?
Control description changes usually entail the following, but any revisions should be made as necessary. Contact your Customer Success Manager (CSM) if control language-related questions arise.
Difference in process
Difference in scope
Difference in frequency
Difference in process
Sometimes, your organization may implement a control with small differences from the default control language. If this is the case, you can remove phrases, revise wording, or add information to ensure accuracy in your description.
Example: Tech Competence control
Original Control Language: The new hire screening process includes a consideration of skills and competencies of the candidate. Each job candidate is interviewed by personnel within the employing department to determine if education, experience, and technical competency are appropriate for the job function. Background checks are also performed prior to hire.
Revised Control Language: The new hire screening process includes a consideration of skills and competencies of the candidate. Each job candidate is interviewed by personnel within the employing department to determine if education, experience, and technical competency are appropriate for the job function. Interview notes are reviewed internally by appropriate team members and reference checks are performed prior to hire.
Difference in scope
Sometimes, the template control language may include elements that are not in scope for your organization (e.g., a VPN). If this is the case, you can simply remove those elements from your control description.
Example: Administrator Access control
Original Control Language: Administrator access to the application, database, network, VPN, and operating system is restricted to authorized users.
Revised Control Language: Administrator access to the application, database, network, and operating system is restricted to authorized users.
Keep in mind that if you are removing wording from a control, you should also deactivate the relevant evidence items (for example, if you don't have a VPN, you can deactivate the evidence items asking for VPN admins, or VPN passwords).
Difference in frequency
Some control descriptions include a stated frequency for how often the control is reviewed. If this is the case, the frequency should be updated to be accurate for your organization’s review frequency (e.g., quarterly, monthly, etc.).
Example: Asset Inventory control
Original Control Language: An inventory of information assets, including hardware, software, processing facilities, and data, is maintained and updated at least annually.
Revised Control Language: An inventory of information assets, including hardware, software, processing facilities, and data, is maintained and updated at least quarterly.
Difference in risk mitigation
All controls are designed to mitigate risks, so you may find that your organization already mitigates a risk with a process similar to one of our suggested controls, but the process may not be exactly the same. If this is the case, you can replace that suggested control with the process that you are performing.
To accomplish this, you can either:
Activate a new control
Feel free to browse Strike Graph’s control library and activate additional controls (even if they are not marked as “suggested”). The SOC 2 framework is flexible and allows you to mitigate risks using your own customized control library.
If you don’t see an existing control within our control library that fits your needs, you can create a custom control. More information on creating custom controls can be found here.
For more information on customizing and navigating your control library, check out our "Control Library Demonstration" video!