Understanding Controls Inside OneClickComply
This guide explains how you manage compliance within the OneClickComply platform, and how the controls defined by compliance standards link to other platform features.
What Is a Control?
A control is a specific requirement defined by a compliance framework, such as ISO 27001, SOC 2, or Cyber Essentials. Each control represents something an organisation must demonstrate it is doing in order to meet the standard. During a certification review, auditors will assess an organisation's controls to determine whether it meets the framework's requirements.
Examples of controls include SOC 2 CC6.1 or ISO 27001 A.8.1. Each one addresses a particular element of security or operational practice.
In the OneClickComply platform, each control is tracked with a status (not started, in progress, compliant, or failing) and can be assigned an owner who is responsible for meeting its requirements.
Controls can also be formally scoped out of a framework, provided a valid reason is recorded; auditors will require an explanation for why a control has been excluded.
How Controls Connect to Other Platform Features
New functionality in the OneClickComply platform lets users view exactly which items are linked to a control, giving the full picture of what is influencing its status.
The following items are associated with controls:
Detections
Detections are security misconfigurations and vulnerabilities discovered by scanning connected cloud environments. Each Detection is linked to the compliance controls it relates to. For example, if a scan finds that multi-factor authentication is not enforced for administrator accounts, the resulting Detection is linked to every control that requires strong access management.
This relationship means that a control's status reflects real, verified findings from the organisation's connected environments, rather than relying solely on manual reporting.
For a detailed explanation of Detections, please see our dedicated support articles.
Risks
Each entry in the platform's risk register can be linked to one or more controls. Risks carry a likelihood score (1–5), an impact score (1–5), and an overall score derived from those values.
By linking risks to controls, the platform makes it possible to see which compliance requirements carry associated risk exposure and whether those risks are being actively managed. Demonstrating this link is a key expectation in audits against many frameworks, including ISO 27001 and SOC 2.
Evidence
Evidence items, such as documents, screenshots, logs, and automated captures, prove that a control has been met, and are stored against the relevant controls. Evidence is version-controlled and can carry an expiry date, which helps ensure that proof of compliance remains current rather than going stale between audits.
The platform supports several evidence types: Policies, Reports, Configurations, Logs & Monitoring, Assessments, and Training.
The OneClickComply platform also gathers evidence automatically for various actions, for example when the OneClickFix feature is used to remediate a finding. This automated evidence capture reduces the manual burden of collecting proof during audit preparation.
Tasks
Tasks are work items that represent the actions required to address compliance gaps. They can be created automatically from Detections, generated from questionnaires or audit findings, or created manually. Each task supports priority levels (P1 to P4), assignee allocation, due dates, and recurrence scheduling.
Tasks can be linked to Detections, and because Detections are themselves linked to controls, this creates a traceable chain: from the compliance requirement, to the issue affecting it, to the work item that addresses it.