
9. Domains Management

Once you have created or imported frameworks, you can begin managing your domains. Domains serve as the foundational structure of your frameworks, organising controls into manageable sections.

For example:

  • In ISO 27001:2022, domains include: Organisational Controls, People Controls, Physical Controls, and Technological Controls.
  • In NIST CSF 2.0, domains include: Govern, Identify, Protect, Detect, Respond, and Recover.

Key Features for Managing Domains

Add New Domains

  • Create additional domains as needed to expand your framework.

Edit Domains

  • Update the domain code.
  • Define the domain name.
  • Provide a description that accurately reflects the domain's purpose.

Delete Domains

  • Remove domains that are no longer required to keep your framework current.

Reorder Domains

  • Use the drag-and-drop functionality to reorganise domains, enhancing the logical flow.

Define Applicability

  • Specify which domains are applicable based on your scope, marking others as out of scope. This helps focus resources on relevant areas. Applicability can be set individually for each domain or globally across all domains.

Define Applicability

This section lets you specify which domains and controls fall within your scope and which are out of scope, so that effort is concentrated on the applicable areas. Applicability can be set individually for each domain or globally across all domains.

For each control, the applicability status records whether the control is relevant to the scope and, if so, whether it has been implemented. The options are:

Unknown

  • The default status, indicating that no determination has yet been made regarding the control's applicability.

Implemented

  • Indicates that the control is applicable and has been implemented.

  • Controls with this status are selected for import into policies, or are already defined as implemented in other framework-based policies.

Not Implemented

  • Indicates that the control is applicable but has not been implemented. Controls in this category are not automatically imported into policies.

  • Recommendation: provide a clear and concise justification for non-implementation (e.g., organisational immaturity, excluded from scope). This maintains transparency and supports future planning for addressing gaps.

    Examples of valid reasons include:

    • Organisational Immaturity: The organisation lacks the necessary resources, processes, or expertise to implement the control.
    • Excluded from Scope: The control is not relevant within the defined scope of the framework.
    • Pending Implementation: The control is scheduled for future implementation as part of a phased approach.
    • Alternative Measures in Place: Equivalent controls or mitigations have been implemented, rendering this control unnecessary.

Not Applicable

  • Indicates that the control is not relevant to the scope and is therefore not implemented.

Assign Owners

Owners can be assigned to each framework domain to ensure accountability and clarity.

Steps to Assign Owners:

  • Click on the "Owners" button.

  • In the drawer, select one or multiple users as owners.

  • Specify whether the ownership should be applied recursively to underlying categories and subcategories.

  • Click the blue "Assign Owners" button to save your changes.
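The two behaviours above that have some logic behind them are the applicability status (set per domain or globally, with Not Implemented controls expected to carry a justification, and only Implemented controls selected for policy import) and owner assignment applied recursively to underlying categories and subcategories. The following is an added illustrative model of a framework tree, written for this page; it is not the product's own code, and every class, function and field name, as well as the FC_ codes for categories, is an assumption. It enforces the justification requirement that the page only recommends.

```python
"""Hypothetical model of a framework domain tree (not the product's implementation).
Demonstrates: per-node and global applicability, recursive owner assignment,
and selection of Implemented controls for policy import."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Iterator, Optional


class Applicability(Enum):
    UNKNOWN = "Unknown"                  # default: no determination made yet
    IMPLEMENTED = "Implemented"
    NOT_IMPLEMENTED = "Not Implemented"
    NOT_APPLICABLE = "Not Applicable"


@dataclass
class Node:
    """A domain, category or subcategory. `code` mirrors the FD_00001-style
    standard code shown on each domain card (FC_ codes below are assumed)."""
    code: str
    name: str
    applicability: Applicability = Applicability.UNKNOWN
    justification: Optional[str] = None
    owners: set = field(default_factory=set)
    children: list = field(default_factory=list)

    def walk(self) -> Iterator["Node"]:
        """Depth-first traversal of this node and all its descendants."""
        yield self
        for child in self.children:
            yield from child.walk()


def set_applicability(node: Node, status: Applicability,
                      justification: Optional[str] = None) -> None:
    """Set one node's status. This model makes the page's recommendation a rule:
    Not Implemented must carry a justification."""
    if status is Applicability.NOT_IMPLEMENTED and not justification:
        raise ValueError(f"{node.code}: Not Implemented requires a justification")
    node.applicability = status
    node.justification = justification if status is Applicability.NOT_IMPLEMENTED else None


def set_applicability_globally(root: Node, status: Applicability,
                               justification: Optional[str] = None) -> int:
    """Apply one status across the whole tree; returns the number of nodes updated."""
    count = 0
    for n in root.walk():
        set_applicability(n, status, justification)
        count += 1
    return count


def assign_owners(node: Node, users: set, recursive: bool) -> int:
    """Add owners to a node and, if recursive, to every category and
    subcategory beneath it. Returns the number of nodes updated."""
    targets = list(node.walk()) if recursive else [node]
    for n in targets:
        n.owners |= set(users)
    return len(targets)


def controls_for_policy_import(root: Node) -> list:
    """Only Implemented controls are selected for import into policies;
    Not Implemented and Not Applicable controls are skipped."""
    return [n.code for n in root.walk()
            if n.applicability is Applicability.IMPLEMENTED]


def build_sample_framework() -> Node:
    """Constructed sample excerpt: two domains with a few categories each."""
    physical = Node("FD_00003", "Physical Controls", children=[
        Node("FC_00003", "Physical entry"),
    ])
    tech = Node("FD_00004", "Technological Controls", children=[
        Node("FC_00001", "Logging and monitoring"),
        Node("FC_00002", "Secure coding"),
    ])
    return Node("FW_00001", "ISO 27001:2022 (excerpt)", children=[physical, tech])


if __name__ == "__main__":
    fw = build_sample_framework()
    assign_owners(fw.children[1], {"alice"}, recursive=True)
    set_applicability_globally(fw, Applicability.NOT_APPLICABLE)
    set_applicability(fw.children[1].children[0], Applicability.IMPLEMENTED)
    print("owners of FC_00002:", fw.children[1].children[1].owners)
    print("imported into policies:", controls_for_policy_import(fw))
```

Recursive assignment walks the subtree depth-first, so one click on a domain card with the recursive option covers every category and subcategory under it, while the non-recursive path touches only the domain itself.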


Set Maturity Levels

  • Define both current and target maturity levels for each domain to monitor progress and set improvement goals.

Add and Manage Evidence

  • Attach supporting documentation—such as policies, procedures, or audit reports—to substantiate the controls within each domain.

Add Comments

  • Add comments to collaborate with team members, document changes, and maintain a modification history for transparency and accountability.

Unique standard code

📌 Note: Each domain has a unique standard code displayed at the top of its card (e.g., FD_00001, FD_00002, etc.), ensuring its uniqueness within your framework.