What Are Controls?
A control is a specific requirement or safeguard that your organization must implement to achieve compliance. Examples include:
- Requiring multi-factor authentication for all users
- Encrypting data at rest and in transit
- Conducting regular access reviews
- Maintaining an incident response plan
- Performing background checks on employees
Control Statuses
Every control in your library has one of four implementation statuses:
| Status | Description | Dashboard Impact |
|---|---|---|
| Implemented | The control is fully in place with supporting evidence and policies | Counts toward your readiness score |
| Partially Implemented | Some aspects are in place but the control is not fully satisfied | Counts at 50% toward readiness |
| Not Implemented | The control has not been addressed yet | Identified as a gap |
| Not Applicable | The control does not apply to your organization’s scope | Excluded from scoring |
Browsing Controls
Navigate to Compliance > Controls to view your full control library. The control list provides:
- Search and filter - Find controls by keyword, framework, status, category, or assigned owner
- Framework filter - View controls for a specific framework or across all frameworks
- Status filter - Focus on gaps by filtering for “Not Implemented” controls
- Sorting - Sort by priority, framework, category, or status
- Pagination - Controls are paginated for performance with large lists
Control Detail View
Click on any control to view its full details:
- Description - What the control requires
- Framework mappings - Which frameworks this control satisfies and the confidence score for each mapping
- Linked evidence - Evidence artifacts attached to this control
- Linked policies - Policies that support this control
- Linked tests - Automated or manual tests that verify this control
- Owner - The person responsible for this control’s implementation
- Notes - Internal notes and implementation details
Linking Controls to Evidence
Evidence demonstrates that a control is implemented. Each control may require one or more types of evidence.
View Requirements
Open a control and check the Evidence Requirements section. This lists the types of evidence needed to satisfy the control (screenshots, configuration exports, policy documents, logs, etc.).
Attach Evidence
Click Link Evidence to associate existing evidence from your evidence vault, or upload new evidence directly. You can also connect integrations to collect evidence automatically.
Linking Controls to Policies
Policies provide the documented procedures and rules that support your controls. To link a policy to a control:
- Open the control detail view
- Navigate to the Policies tab
- Click Link Policy and select the relevant policy from your policy library
Policies created from LowerPlane templates are automatically linked to the appropriate controls. You only need to manually link policies that were uploaded or created outside of templates.
Linking Controls to Tests
Tests verify that a control is operating effectively on an ongoing basis. Tests can be:
- Automated - Run by LowerPlane using data from connected integrations (e.g., verifying MFA is enabled for all users)
- Manual - Require a person to verify and record the result (e.g., confirming physical access controls are in place)
Cross-Framework Control Mapping
One of LowerPlane’s most powerful features is cross-framework control mapping. When a control maps to multiple frameworks:
- Implementing the control once satisfies requirements in all mapped frameworks
- Evidence attached to the control covers all mapped frameworks
- The readiness score updates across all applicable frameworks simultaneously
Viewing Mappings
On any control’s detail page, the Framework Mappings section shows:
- Each framework the control applies to
- The specific requirement ID in each framework (e.g., ISO A.9.2.1, SOC 2 CC6.2)
- The confidence score indicating alignment strength
- Whether the framework-specific requirement has any additional nuances
Controls with a confidence score below 80% may require additional framework-specific evidence or documentation. Review the mapping details to understand what additional steps might be needed.
Bulk Operations
LowerPlane supports bulk operations to help you manage controls efficiently:
- Bulk status update - Select multiple controls and change their status simultaneously
- Bulk assign owner - Assign a team member as the owner of multiple controls at once
- Bulk mark as not applicable - Mark multiple controls as N/A with a shared justification
- Export - Export your control list to CSV for offline review or reporting
To perform a bulk operation:
- Navigate to Compliance > Controls
- Use the checkboxes to select the controls you want to update
- Choose the desired action from the bulk action toolbar that appears
Control Ownership
Assigning owners to controls ensures accountability and helps distribute compliance work across your team. Control owners are responsible for:
- Maintaining the control’s implementation
- Ensuring evidence is current and not expired
- Responding to audit inquiries about their assigned controls
- Completing any linked tests on schedule
Best Practices
Start with high-overlap controls
Prioritize controls that map to the most frameworks. Implementing these first maximizes your coverage across all enabled frameworks with the least effort.
Use Not Applicable sparingly
Only mark controls as N/A when you have a clear, documentable justification. Auditors will question N/A designations, so keep notes explaining your reasoning.
Assign owners early
Distribute control ownership across your team from the beginning. This prevents bottlenecks and ensures subject matter experts are responsible for relevant controls.
Review controls quarterly
Set a cadence for reviewing control statuses, evidence freshness, and test results. Compliance is not a one-time event; it requires continuous maintenance.