
Criteria marked as "Needs Attention" on the framework tree

Understand how control statuses influence your framework coverage

Written by Micah Spieler
Updated over a year ago


On the Compliance Dashboard, you can find a visual representation of the frameworks that you are establishing or maintaining compliance against. On your compliance journey, implementing and maintaining controls is a foundational step in earning trust with your customers. Controls are not a "set it and forget it" measure; rather, they are efforts that should be used to continuously monitor the effectiveness of your compliance program. Controls are the backbone of your IT security and data protection efforts.

Criteria need attention when the criteria is active AND at least one of the following is true:

  • The criteria has active, linked controls that need attention, or

  • The criteria has sub-criteria that need attention, or

  • The criteria does not have any sub-criteria and does not have any active, linked controls

Criteria are satisfied when the criteria is active AND one of the following is true:

  • The criteria has all of its active, linked controls satisfied, or

  • The criteria has sub-criteria that are all satisfied

Impact of linked controls

Having controls active and in place helps determine whether or not you satisfy specific framework criteria. The status of your controls dictates whether a framework criteria is satisfied or needs attention. If a criteria has any active linked control(s) with a needs attention status, then the criteria will also be shown as needs attention. If all of the active linked controls have a satisfied status, then the linked criteria will also have a satisfied status.

In this example, the linked controls under Establishes Requirements for Vendor and Business Partner Engagements for SOC 2 are in needs attention status. Therefore, the criteria is also in needs attention status.

Nested criteria

If a criteria has sub-criteria, it's likely that the parent criteria will not have any linked controls. For this reason, criteria inherit the status of any of their sub-criteria. In this example, Vendor Risk Management criteria has a needs attention status because its sub-criteria have needs attention statuses.

Once a criteria has all of its active linked controls and active sub-criteria satisfied, then the criteria will be satisfied.

Deactivating criteria and nested criteria

You may encounter a scenario where criteria are not applicable to your organization. For example, some HIPAA criteria apply only to 'covered entities' and your organization is not one, or some ISO 27701:2019 criteria apply to Processors while your organization is a Controller. In these scenarios, the criteria can be deactivated.

Alternatively, you may encounter a scenario where nested criteria should be deactivated so that you have a clearer view of what actually needs attention. This often appears with SOC 2 and can be addressed by understanding the concept of control coverage.

Pro Tip: For SOC 2, it is very rare for a Common Criteria (those found nested under Security, that have a 2-digit number associated with them, for example CC 1.1 or CC 4.2) to be not applicable. It is more likely that a 3-digit criteria will be not applicable. Please contact your Customer Success Manager to discuss this scenario.

If you see a nested criteria that needs attention, open the related controls. If the controls are not applicable to the organization, then it is likely the nested criteria can be deactivated. This can be confusing, so feel free to chat with our Customer Success team to learn more if this scenario is applicable to you.

For example, the physical access controls Visitor Sign-In, Badge Access System, and Data Center Physical Access may not be applicable to a SaaS startup, so the nested criteria they are linked to (Creates or Modifies Physical Access) may be deactivated.

Pro Tip: Remember, inactive criteria and any linked controls and evidence attachments will not be included in an audit export.

Coverage analysis

Your coverage analysis is a calculation of all of your active criteria for the framework. This chart indicates your coverage percentage based on the number of satisfied criteria over your total active criteria. This may include active nested criteria that may be candidates for deactivation (see above).

You can also find this coverage progress in the headers for your framework in the Compliance Dashboard.
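The status rules listed at the top of this article and the coverage calculation described here, written out as an added example; this is illustrative code, not part of the product. The tree below is constructed: the criteria and control names are taken from the article, but the statuses, the "Maintains Vendor Inventory" sub-criterion and the "Vendor Security Review" and "Vendor Register" controls are made up.

```python
from dataclasses import dataclass, field
SATISFIED, NEEDS_ATTENTION = "satisfied", "needs attention"

@dataclass
class Control:
    name: str
    status: str           # SATISFIED or NEEDS_ATTENTION
    active: bool = True

@dataclass
class Criterion:
    name: str
    active: bool = True
    controls: list = field(default_factory=list)   # linked controls
    children: list = field(default_factory=list)   # nested sub-criteria

def status(c):
    """Status of one criterion, or None when it is deactivated."""
    if not c.active:
        return None
    ctrl = [k.status for k in c.controls if k.active]
    subs = [status(s) for s in c.children if s.active]
    if not ctrl and not subs:
        return NEEDS_ATTENTION   # nothing active covers this criterion
    if NEEDS_ATTENTION in ctrl or NEEDS_ATTENTION in subs:
        return NEEDS_ATTENTION   # one gap anywhere below propagates upwards
    return SATISFIED             # every active control and sub-criterion is satisfied

def coverage(criteria):
    """(satisfied, total) counted over every active criterion, nested ones included."""
    sat = tot = 0
    for c in criteria:
        if not c.active:
            continue             # inactive criteria leave the denominator entirely
        tot += 1
        sat += 1 if status(c) == SATISFIED else 0
        s, t = coverage(c.children)
        sat, tot = sat + s, tot + t
    return sat, tot

# Constructed SOC 2-style tree: names follow the article, statuses are made up.
vendor_reqs = Criterion("Establishes Requirements for Vendor and Business Partner Engagements",
                        controls=[Control("Vendor Security Review", NEEDS_ATTENTION)])
vendor_inventory = Criterion("Maintains Vendor Inventory",  # hypothetical sub-criterion
                             controls=[Control("Vendor Register", SATISFIED)])
vrm = Criterion("Vendor Risk Management", children=[vendor_reqs, vendor_inventory])
physical = Criterion("Creates or Modifies Physical Access", controls=[
    Control(n, NEEDS_ATTENTION) for n in
    ("Visitor Sign-In", "Badge Access System", "Data Center Physical Access")])
FRAMEWORK = [vrm, physical]
```

With the physical access criteria active, coverage is 1 of 4 active criteria; deactivating it (the SaaS startup case above) removes it and its controls from the calculation, giving 1 of 3.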

Pro Tip: Regularly reviewing your controls to ensure they are operating successfully will help maintain your compliance coverage!
