Controls

In OpenComply, compliance rules are called controls; each control represents a specific compliance requirement or best practice to assess.

Structure of Controls

Control rules consist of two parts:

Metadata

  • ID: Unique identifier for the control.

  • Title: A brief title describing the control.

  • Description (Optional): A detailed description of the control.

  • Severity: Indicates the importance or criticality of the control.

Policy

Instructions on how to verify that the control is met.

Types of Controls

Controls with Inline Policies

Controls with inline policies contain both the compliance requirement (what must be done) and the policy (how to check it) within a single YAML file.

Controls with Referenced Policies

To improve reusability, controls can reference other policies. These are called Controls with Referenced Policies. This approach allows for:

  • Reusability: Common policies can be reused across multiple controls.

  • Customization: Policies can be tailored to fit specific compliance needs.

  • Consistency: Ensures uniform application of policies across different controls.
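As an added example (not OpenComply's own code or schema), a small Python validator for the two-part control structure described above, handling both inline and referenced policies. The page names the metadata fields but not their YAML keys, so the key names, the severity scale and the "policy_ref" key used here are assumptions.

```python
from typing import Any, Dict, List

# Constructed sample: these dicts stand in for what yaml.safe_load would return
# for three control files. The page names the fields but not the YAML keys, so
# the key names, the severity scale and the "policy_ref" key are assumptions.
CONTROLS: List[Dict[str, Any]] = [
    {   # inline policy: requirement and check live in the same control
        "id": "example-inline-001",
        "title": "Example requirement checked by an inline policy",
        "description": "Placeholder description (optional field).",
        "severity": "high",
        "policy": {"query": "SELECT ... -- placeholder check"},
    },
    {   # referenced policy: the control only points at a shared policy
        "id": "example-ref-001",
        "title": "Example requirement checked by a shared policy",
        "severity": "critical",
        "policy_ref": "shared/example-policy",
    },
    {   # malformed: no severity and no policy of either kind
        "id": "example-broken-001",
        "title": "Malformed control",
    },
]
# Shared policy library that referenced policies resolve against (constructed).
POLICY_LIBRARY: Dict[str, Dict[str, Any]] = {
    "shared/example-policy": {"query": "SELECT ... -- placeholder shared check"},
}
SEVERITIES = ("low", "medium", "high", "critical")  # assumed scale

def validate_control(control: Dict[str, Any], library: Dict[str, Any]) -> List[str]:
    """Return structural problems; an empty list means the control is well-formed."""
    errors: List[str] = []
    for field in ("id", "title", "severity"):  # description is optional
        if not control.get(field):
            errors.append(f"missing required metadata field '{field}'")
    severity = control.get("severity")
    if severity is not None and severity not in SEVERITIES:
        errors.append(f"unknown severity '{severity}'")
    has_inline, has_ref = "policy" in control, "policy_ref" in control
    if has_inline == has_ref:  # neither, or both, is an error
        errors.append("control must have exactly one of 'policy' or 'policy_ref'")
    elif has_ref and control["policy_ref"] not in library:
        errors.append(f"unresolved policy reference '{control['policy_ref']}'")
    return errors

def resolve_policy(control: Dict[str, Any], library: Dict[str, Any]) -> Dict[str, Any]:
    """Return the policy to evaluate, inline or looked up by reference."""
    return control["policy"] if "policy" in control else library[control["policy_ref"]]
```

Running validate_control over every control before evaluation catches a reference to a policy that was renamed or removed from the shared library, which would otherwise surface only as a silent gap in coverage.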

Next Steps

In the following sections, we will explore two approaches: Controls with Inline Policies and Controls with Referenced Policies, to demonstrate effective compliance rule management.
