Utilizing sub-controls in ZenGRC

  • 21 January 2022

Just general inquiry, team is trying to figure out best way to utilize subcontrols in ZenGRC and wanted to get thoughts on what others have done.

Example is Access Review control, you might have one access review control, but there would be separate evidence for separate systems that require a privileged access review. Team has discussed creating multiple controls and naming (Control1.a, Control1.b, Control1.c etc.) or using processes within the System of Record and mapping to the different systems.

Please respond with any ways your organizations are handling this, thanks!


3 replies


Hi Dennis. We managed these at the "Request" object level. The control is just a single one - "Access Review Control", but then there are different Requests mapped to this control, each having evidence for each system. Hope this helps.


^ This definitely works as long as you receive audit requests from the audit teams as one request per system and not a request where everything is lumped into one, for example: "for the in-scope systems, provide most recent access review". If that happens, it seems like the best option is to have auditors create one access review request per system. Using the product or system field might help you keep an inventory of the scope of the individual control too. As for the access review control, for us, we use another tool which will have it all aggregated into one output, so the evidence would be the same regardless of which system it is tied to. At least that is the plan, but we will see how the audit team feels in a few months.


We do it a little differently. We have one control and multiple systems. So to test the control, we open an audit for each system for each year (or quarter or whatever) and scope the applicable controls. That way you can filter by control (to see all assessments across all systems), filter by system (to see all the assessments for that one system), or by audit (to see all controls tested within the audit).
