Control maintenance best practices

Hyperproof is structured so that controls are the center point for all of your compliance operations. This means "everything else"—requests, risks, requirements, evidence, issues, and so on—is linked to your controls. Hyperproof refers to this method as continuous compliance operations (ComOps).

Tip

Maintaining your program's controls is critical in order to sustain a healthy compliance program—if your controls are healthy, your program is healthy, and a healthy program means that you're compliant!

Control health

When program health is turned on, Hyperproof determines control health based on the following criteria:

  • Testing - The control must have successfully passed the testing phase.

  • Implementation - The control must be implemented in your compliance program.

  • Freshness - The control must be up-to-date.

  • Proof - The control must have at least one piece of linked proof.

  • Past due issues - If an issue is linked to the control, the issue must not be past due.

Note

This best practice guide uses Hyperproof's default control health calculations. It's possible to customize your organization's control health; however, doing so is only recommended if the default settings do not suit your organization's needs. See Customizing your program's health.

Control health statuses

Hyperproof has three control health statuses:

Basic control management

In addition to ensuring that your controls are healthy, it's recommended to do the following:

  1. Assign each control in your program to an owner. This ensures that there is at least one team member responsible for maintaining the control.

  2. Set a recurring review cadence on controls that automatically notifies the control owner when it needs to be reviewed. This can be done in several different ways: freshness, tasks, repeating tasks, or automated control testing.

  3. Link controls to one or more requirements from one or multiple compliance frameworks. Each requirement in your compliance program should be linked to at least one control.

  4. Link proof directly to controls either manually or automatically (recommended).

  5. Set up automated tests on your controls.