Updating Controls

Your IT environment changes constantly. Control documentation must evolve to reflect current reality.

When to Update Controls

Update controls when:

• Technology changes: New systems, cloud migrations, tool replacements
• Process changes: Updated procedures or workflows
• Incidents occur: Security events reveal control gaps
• Audits identify gaps: Auditor findings requiring remediation
• Regular reviews: Scheduled control re-assessment

[Screenshot: Control Update Form] Placeholder: Control detail page with edit functionality

What to Update

Review and update:

• Implementation description: How the control is actually implemented
• Evidence links: Add new policies, screenshots, or documentation
• Status: Reflect current implementation state
• Owner: Update if responsibility changed
• Related entities: Link to new risks, incidents, or assets

Change Tracking

Control updates are automatically logged:

• Who made the change
• When it was made
• What was changed
• Complete audit trail for compliance

[Screenshot: Control Change History] Placeholder: Version history showing control updates

Scheduled Reviews

Establish regular control review cycles:

• Critical controls: Monthly review
• Standard controls: Quarterly review
• Low-impact controls: Annual review

Use automation to create review reminder tasks on schedule.

Next Steps

• Set up recurring workflows for control reviews
• Document control changes from incidents