The ICT Controls module manages the catalog of technical, organizational, and procedural controls your organization has implemented to mitigate ICT risks. Controls map directly to risks, regulatory requirements, and industry standards, forming a key component of your DORA ICT risk management framework, NIS2 cybersecurity measures, and ISO 27001 Statement of Applicability.
Controls List Page
The controls list provides a filterable view of all registered ICT controls with their key attributes.
Filters
| Filter | Options | Description |
|---|---|---|
| Search | Free text | Search by control title or description text. |
| Type | Preventive, Detective, Corrective | Filter by control type classification. Preventive controls stop incidents from occurring, Detective controls identify incidents that have occurred, and Corrective controls restore normal operations after an incident. |
| Status | Planned, In Progress, Implemented, Not Applicable | Filter by the implementation status of the control. |
| Effectiveness | Effective, Partially Effective, Ineffective, Not Tested | Filter by the last assessed effectiveness of the control. |
Table Columns
| Column | Description |
|---|---|
| Title | The control title. Click to open the detail/edit form. |
| Type | Badge showing the control type: Preventive (blue), Detective (amber), Corrective (purple). |
| Status | Badge showing the implementation status: Planned (gray), In Progress (blue), Implemented (green), Not Applicable (gray outline). |
| Effectiveness | Badge showing assessed effectiveness: Effective (green), Partially Effective (amber), Ineffective (red), Not Tested (gray). |
| Regulatory Mappings | Small indicators showing which frameworks this control is mapped to (DORA, NIS2, ISO 27001). |
Creating or Editing a Control
Click New Control to create a new entry, or click an existing control title to edit it.
Basic Information
| Field | Type | Description |
|---|---|---|
| Title | Text input | A clear, concise name for the control (e.g., "Multi-Factor Authentication", "Network Intrusion Detection System", "Automated Patch Management"). Required |
| Description | Textarea | A detailed description of the control, including its scope, how it operates, and what it protects against. Optional |
Control Classification
| Field | Type | Description |
|---|---|---|
| Control Type | Radio buttons | Classify the nature of the control: • Preventive — Controls that prevent incidents or threats from materializing. Examples: firewalls, access controls, encryption, security policies, training. • Detective — Controls that detect incidents or anomalies during or after occurrence. Examples: SIEM, IDS/IPS, log monitoring, audit trails, anomaly detection. • Corrective — Controls that restore normal operations and remediate after an incident. Examples: incident response procedures, backup restoration, disaster recovery, rollback mechanisms. |
Status and Effectiveness
| Field | Type | Description |
|---|---|---|
| Implementation Status | Select dropdown | The current state of the control's deployment: • Planned — Approved but not yet being implemented. • In Progress — Currently being developed, configured, or deployed. • Implemented — Fully deployed and operational. • Not Applicable — The control has been evaluated and determined not to apply to this organization's context. |
| Effectiveness | Select dropdown | The assessed operating effectiveness of the control (leave blank if not yet assessed): • (Blank) — Not yet assessed. • Effective — The control is operating as designed and adequately mitigates the targeted risk. • Partially Effective — The control is in place but has gaps, configuration issues, or coverage limitations. • Ineffective — The control is not operating as intended or fails to mitigate the targeted risk. • Not Tested — The control is implemented but its effectiveness has not been formally tested. |
Evidence
| Field | Type | Description |
|---|---|---|
| Evidence | Textarea | Document the evidence supporting the control's implementation and effectiveness. This could include references to configuration screenshots, test results, audit reports, policy documents, or system logs. Detailed evidence is essential for audit readiness. Optional |
Regulatory Mapping
Map the control to specific regulatory requirements and standards. This creates traceability between your control catalog and compliance obligations, feeding into gap assessments and audit reporting.
| Framework | Type | Options |
|---|---|---|
| DORA Articles | Grid of checkboxes | Select applicable articles from Art. 5 through Art. 16. These cover the full scope of DORA ICT risk management requirements including: Art. 5 (Governance), Art. 6 (ICT Risk Management Framework), Art. 7 (ICT Systems, Protocols, and Tools), Art. 8 (Identification), Art. 9 (Protection and Prevention), Art. 10 (Detection), Art. 11 (Response and Recovery), Art. 12 (Backup Policies), Art. 13 (Learning and Evolving), Art. 14 (Communication), Art. 15 (ICT-related Incident Management), Art. 16 (Classification of ICT-related Incidents). |
| NIS2 Articles | Grid of checkboxes | Select applicable NIS2 measures from Art. 21(2)(a) through Art. 21(2)(j): • (a) Risk analysis and information system security policies • (b) Incident handling • (c) Business continuity and crisis management • (d) Supply chain security • (e) Security in network and information systems acquisition, development and maintenance • (f) Policies and procedures for assessing cybersecurity risk-management measures • (g) Basic cyber hygiene practices and cybersecurity training • (h) Policies and procedures regarding the use of cryptography and encryption • (i) Human resources security, access control policies, and asset management • (j) Use of multi-factor authentication, secured communications, and secured emergency communications |
| ISO 27001 Controls | Grid of checkboxes | Select applicable ISO 27001:2022 Annex A control domains: • A.5 — Organizational controls (information security policies, roles, segregation of duties, threat intelligence, asset management, access control, supplier relations) • A.6 — People controls (screening, terms of employment, awareness training, disciplinary process, responsibilities after termination, confidentiality agreements, remote working) • A.7 — Physical controls (physical security perimeters, entry controls, securing offices, physical security monitoring, protection against environmental threats, equipment security) • A.8 — Technological controls (user endpoint devices, privileged access management, information access restriction, source code security, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, configuration management, information deletion, data masking, data leakage prevention, monitoring, web filtering, secure coding) • A.9 through A.18 — Additional control domains covering operations security, communications security, system acquisition, supplier relationships, incident management, business continuity, and compliance. |
Review Dates
| Field | Type | Description |
|---|---|---|
| Last Review Date | Date picker | The date this control was last reviewed and its effectiveness assessed. Optional |
| Next Review Date | Date picker | The scheduled date for the next effectiveness review. Regular testing is required under DORA Article 6 and ISO 27001 performance evaluation requirements. Optional |
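As an added example (not part of the module's own code), the following Python sketch models a control record with the fields described above and derives the two outputs the Regulatory Mapping section mentions: a gap assessment (required articles with no Implemented and Effective control mapped to them) and audit findings (implemented controls without evidence, untested or ineffective controls, and overdue reviews). The record layout, the article keys, the report date and the sample catalog are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Control:
    title: str
    control_type: str           # Preventive | Detective | Corrective
    status: str                 # Planned | In Progress | Implemented | Not Applicable
    effectiveness: str | None   # Effective | Partially Effective | Ineffective | Not Tested
    evidence: str = ""
    dora: set[str] = field(default_factory=set)   # e.g. {"Art. 9"} (assumed key format)
    nis2: set[str] = field(default_factory=set)   # e.g. {"21(2)(j)"} (assumed key format)
    iso: set[str] = field(default_factory=set)    # e.g. {"A.8"} (assumed key format)
    next_review: date | None = None

def is_operating(c: Control) -> bool:
    """Only a deployed control assessed as Effective counts towards coverage."""
    return c.status == "Implemented" and c.effectiveness == "Effective"

def coverage_gaps(controls, framework: str, required: set[str]) -> list[str]:
    """Required articles/domains with no operating control mapped to them."""
    covered: set[str] = set()
    for c in controls:
        if is_operating(c):
            covered |= getattr(c, framework)
    return sorted(required - covered)

def audit_findings(controls, today: date) -> list[tuple[str, str]]:
    """Per-control findings an auditor would raise from the catalog alone."""
    out = []
    for c in controls:
        if c.status == "Implemented" and not c.evidence.strip():
            out.append((c.title, "implemented without evidence"))
        if c.status == "Implemented" and c.effectiveness in (None, "Not Tested", "Ineffective"):
            out.append((c.title, f"effectiveness: {c.effectiveness or 'not assessed'}"))
        if c.next_review and c.next_review < today:
            out.append((c.title, "review overdue"))
    return out

REPORT_DATE = date(2024, 6, 1)   # constructed report date for the example
# Constructed sample catalog (not real data), using control titles from the page.
CATALOG = [
    Control("Multi-Factor Authentication", "Preventive", "Implemented", "Effective", evidence="IdP policy export",
            dora={"Art. 9"}, nis2={"21(2)(j)"}, iso={"A.8"}, next_review=date(2025, 3, 1)),
    Control("Network Intrusion Detection System", "Detective", "Implemented", "Not Tested",
            evidence="sensor inventory", dora={"Art. 10"}, nis2={"21(2)(b)"}, next_review=date(2024, 1, 15)),
    Control("Automated Patch Management", "Preventive", "In Progress", None, dora={"Art. 9"}, nis2={"21(2)(e)"}),
    Control("Backup Restoration", "Corrective", "Implemented", "Partially Effective",
            dora={"Art. 11", "Art. 12"}, nis2={"21(2)(c)"}, iso={"A.8"}),
]
```

Running `coverage_gaps(CATALOG, "dora", {"Art. 9", "Art. 10", "Art. 11", "Art. 12"})` on this catalog reports Art. 10, 11 and 12 as gaps, because the only controls mapped to them are Not Tested or Partially Effective rather than Effective.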