
11. Subcategories Management

Once you have created or imported frameworks, established domains, and categories, you can begin managing your subcategories.

Subcategories further refine your framework's structure by grouping related controls under categories, providing greater granularity and clarity in your organisation's structure.

By effectively managing your subcategories, you ensure that your framework remains flexible, organised, and aligned with your organisation's evolving needs and objectives.


Key Features for Managing Subcategories

Edit Subcategories

Update the subcategory code, define the subcategory name, and provide a description to accurately reflect its purpose.


Add New Subcategories

Create additional subcategories as needed to expand and enhance your framework.


Delete Subcategories

Remove subcategories that are no longer required to keep your framework current and focused.


Reorder Subcategories

Use the drag-and-drop functionality to reorganise subcategories, improving the logical flow within your framework.


Move Subcategories to Categories

Reassign subcategories to the appropriate category to maintain consistency and alignment.


Set Maturity Levels

Define both current and target maturity levels for each subcategory to monitor progress and establish improvement goals.


Define Applicability

The Define Applicability section allows you to specify which subcategories are relevant to your scope and which are out of scope. This helps optimise resources by focusing on applicable areas. Applicability can be set individually for each subcategory or globally across all subcategories.

Applicability defines whether a control is relevant to the scope and its implementation status. The options are:

Unknown:

  • This is the default status, indicating that no determination has been made yet regarding the control's applicability.

Implemented:

  • Indicates that the control is applicable and has been implemented.

  • This control is either selected for importation into policies or defined as implemented in other policies based on frameworks.

Not Implemented:

  • Indicates that the control is applicable but has not been implemented. Controls in this category are not automatically imported into policies.

  • Recommendation: When marking a control as Not Implemented, provide a clear and concise justification for its non-implementation (e.g., organisational immaturity, excluded from scope). This helps maintain transparency and supports future planning for addressing gaps.

    Examples of valid reasons include:

    • Organisational Immaturity: The organisation lacks the necessary resources, processes, or expertise to implement the control.
    • Excluded from Scope: The control is not relevant within the defined scope of the framework.
    • Pending Implementation: The control is scheduled for future implementation as part of a phased approach.
    • Alternative Measures in Place: Equivalent controls or mitigations have been implemented, rendering this control unnecessary.

Not Applicable:

  • Indicates that the control is not relevant to the scope and is therefore not implemented.

Assign Owners

Owners can be assigned to each framework subcategory to ensure accountability and clarity.

Steps to Assign Owners:

  • Click on the "Owners" button.


  • In the drawer, select one or multiple users as owners.

  • Click the blue "Assign Owners" button to save your changes.


Monitor Completion Status

View the total number of controls linked from policies to each subcategory and evaluate their completion levels. This feature offers valuable insights into your framework's current compliance status and target objectives based on policies.


Add and Manage Evidence

Attach supporting documentation (such as policies, procedures, or audit reports) to substantiate the controls within each subcategory.

Collaborate and Document: Add comments, document changes, and maintain a history of modifications for transparency and accountability among team members.


Unique Standard Code

📌 Note: Each subcategory has a unique standard code displayed at the top of its card (e.g., FSC_00001, FSC_00002, etc.), ensuring its uniqueness within your framework.