Subcontrols

Subcontrols are granular components or sub-requirements within larger compliance controls that provide detailed, specific requirements for achieving control objectives.

What Are Subcontrols?

Subcontrols break down complex controls into smaller, more manageable components that can be implemented, tested, and verified independently. They provide detailed specifications for control implementation while maintaining the hierarchical relationship to their parent control.

Compliance Significance

Subcontrols are essential for:

Granular Implementation: Breaking complex controls into manageable implementation units
Detailed Testing: Enabling specific testing of individual control components
Precise Mapping: Mapping specific requirements to implementation activities
Audit Granularity: Providing detailed audit trails for control components
Risk Mitigation: Addressing specific risk scenarios within broader control objectives

Subcontrol Categories

Technical Subcontrols

Purpose: Specific technical implementation requirements
Examples: Encryption algorithms, access control mechanisms, logging requirements
Implementation: Technical configuration and system settings
Verification: Automated testing and technical validation

Administrative Subcontrols

Purpose: Process and procedure requirements
Examples: Approval workflows, documentation requirements, training mandates
Implementation: Policy development and process implementation
Verification: Process audits and compliance checks

Physical Subcontrols

Purpose: Physical security and environmental requirements
Examples: Access controls, environmental monitoring, equipment protection
Implementation: Physical security measures and controls
Verification: Physical inspections and monitoring

Operational Subcontrols

Purpose: Ongoing operational requirements
Examples: Monitoring procedures, maintenance activities, incident response
Implementation: Operational procedures and workflows
Verification: Operational audits and performance monitoring

Properties

Core Information

ID: Unique identifier for the subcontrol
Reference Code: Specific reference code for the subcontrol
Name: Descriptive name of the subcontrol
Description: Detailed description of the subcontrol requirement
Control ID: Parent control this subcontrol belongs to

Implementation Details

Implementation Type: Technical, administrative, physical, or operational
Implementation Priority: Priority level for implementation
Implementation Status: Current status of implementation
Implementation Date: When the subcontrol was implemented

Verification and Testing

Verification Method: How the subcontrol is verified
Test Frequency: How often the subcontrol should be tested
Last Verification: Date of most recent verification
Verification Results: Results from the latest verification

What Are Subcontrols?​

Compliance Significance​

Subcontrol Categories​

Technical Subcontrols​

Administrative Subcontrols​

Physical Subcontrols​

Operational Subcontrols​

Properties​

Core Information​

Implementation Details​

Verification and Testing​