Continuous Compliance
Continuous compliance is the practice of automatically and consistently monitoring, assessing, and enforcing compliance requirements in real time or on an ongoing basis — instead of relying on periodic audits or manual checks.
Compliance Percentage Calculation
Compliance Percentage = (Applicable Compliant Controls / All Applicable Controls) × 100
Only controls marked Applicable enter the calculation; controls marked Not Applicable are excluded from both the numerator and the denominator, so marking a control Not Applicable never lowers the score, but it also never raises it.
Standards
Documented requirements or best practices that define the expected level of quality, security, or compliance an organization must achieve. Standards often align with industry frameworks, regulations, or internal policies.
Controls
Specific measures, processes, or tools implemented to meet a standard and reduce risk. Controls can be technical, administrative, or physical, and are designed to prevent, detect, or correct undesirable events.
Control Categorization Rules
- Applicable Controls are those the client selects because they belong to the frameworks and standards that apply to the client's business.
- Not Applicable Controls are those the client does NOT select because they do not belong to any standard or framework relevant to the client's business. They are excluded from the compliance percentage.
- Every applicable control must be marked with a status: Implemented or Not Implemented. An applicable control without a status cannot be counted, so the compliance percentage is not meaningful until all applicable controls are marked.
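The following is an added example (not COMPASS code; the Control model, field names and control IDs are constructed for illustration) that applies the three categorization rules above and computes the compliance percentage. It excludes Not Applicable controls from both sides of the ratio, refuses to report a percentage while any applicable control is still unmarked, and treats an empty set of applicable controls as undefined rather than as 0 % or 100 %.

```python
"""Compliance percentage over a list of controls, applying the categorization
rules: Not Applicable controls are excluded entirely, and every Applicable
control must carry an Implemented / Not Implemented status before a percentage
is reported.  The Control model and the control IDs below are constructed for
this example and are not COMPASS's data model."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Applicability(Enum):
    APPLICABLE = "applicable"
    NOT_APPLICABLE = "not_applicable"


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not_implemented"


@dataclass(frozen=True)
class Control:
    control_id: str
    applicability: Applicability
    status: Optional[Status] = None  # mandatory for applicable controls


def compliance_report(controls: Iterable[Control]) -> dict:
    """Return counts plus the compliance percentage.  The percentage is None
    whenever it cannot be computed honestly: an applicable control is still
    unmarked, or there are no applicable controls at all (0/0)."""
    applicable = []
    not_applicable = 0
    for c in controls:
        if c.applicability is Applicability.NOT_APPLICABLE:
            not_applicable += 1  # excluded from numerator and denominator
        else:
            applicable.append(c)
    # Rule 3: every applicable control needs a status before we score.
    unmarked = sorted(c.control_id for c in applicable if c.status is None)
    compliant = sum(1 for c in applicable if c.status is Status.IMPLEMENTED)
    if unmarked or not applicable:
        percentage = None
    else:
        percentage = round(100.0 * compliant / len(applicable), 2)
    return {
        "applicable": len(applicable),
        "compliant": compliant,
        "not_applicable": not_applicable,
        "unmarked": unmarked,
        "percentage": percentage,
    }


# Constructed sample controls; IDs are illustrative, not a real framework mapping.
SAMPLE_CONTROLS = [
    Control("ISO-A.5.1", Applicability.APPLICABLE, Status.IMPLEMENTED),
    Control("ISO-A.5.2", Applicability.APPLICABLE, Status.NOT_IMPLEMENTED),
    Control("ISO-A.8.1", Applicability.APPLICABLE, Status.IMPLEMENTED),
    Control("PCI-3.4", Applicability.NOT_APPLICABLE),
    # A status left on a Not Applicable control must not inflate the score.
    Control("PCI-6.2", Applicability.NOT_APPLICABLE, Status.IMPLEMENTED),
]

if __name__ == "__main__":
    print(compliance_report(SAMPLE_CONTROLS))  # 2 of 3 applicable -> 66.67
```

With the sample set, two of three applicable controls are implemented, giving 66.67 %; the two Not Applicable controls do not change the result even though one of them carries an Implemented status. Adding an applicable control with no status makes the report list it under "unmarked" and withhold the percentage, which is the behaviour a dashboard should have rather than silently counting the unmarked control as non-compliant (or compliant).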
Custom Controls
On COMPASS, custom controls are controls an organization creates to meet its own needs. The ID of a custom control starts with a prefix derived from the organization name. For example, if your organization is named Alpha, the ID will start with ALPH.
Tasks
Individual actions or activities assigned to responsible parties to implement, verify, or maintain controls and ensure compliance with relevant standards.
Task Review Due Date refers to the date by which the Compliance Manager must complete the review of the task, including verifying the uploaded documentation, validating the submission, and marking the task as either approved or rejected.
Risk Scoring Model
A structured framework that evaluates and rates risks by considering their potential impact and likelihood. When properly configured, it enables companies to consistently assess, prioritize, and manage risks through a repeatable, data-driven process rather than relying on subjective judgment.
Risk Register
A centralized log of all identified risks within an organization, capturing details such as their description, impact, likelihood, and assigned owner. When linked to a risk scoring model, it enables the calculation of an overall organizational risk percentage, supporting consistent evaluation, prioritization, and management of risks.
Risk Treatment Plan
A documented strategy outlining the actions, responsibilities, timelines, and resources required to address identified risks. It specifies how each risk will be managed—whether by mitigating, transferring, avoiding, or accepting it—and tracks progress to ensure effective reduction of the organization’s overall risk exposure.
Issues
On COMPASS, issues serve as a mechanism to report and manage concerns related to risks, controls, tasks, or responses provided in assessments. They can be tracked, assigned to issue owners for resolution, and addressed through appropriate actions, including treatment or exception requests.
Domains
Domains refer to areas of specialization or categories that encompass specific aspects of securing digital systems, networks, and data. These domains help organize and structure the wide range of tasks, technologies, and responsibilities involved in protecting information assets.
Standards Library on COMPASS
The Standards library on COMPASS comes pre-populated with the standards relevant to your company and their related controls.