Best practices for creating or editing content within control sections: Control Objective, Required Evidence & Test Procedures
Introduction
To get the most accurate and consistent results from control checks with Trustero AI, we recommend following our best practices for control content formatting.
This article covers guidelines for the three control sections the AI depends on most: Control Objective, Required Evidence and Test Procedures.
Control Objective
The control objective provides the control's context and guardrails. It answers: “What is covered within this control?” and “Why does this control exist, and why is it important?”
The objective is a high-level, succinct and precise summary of the control’s purpose. Controls exist to mitigate a potential threat to the organization that could lead to an adverse impact (system downtime, loss of trust and integrity, or monetary loss).
Standard Format:
[the what] [the action] [the why]
Example
Control IM03: Admin Account Activity Logging and Events - Primary Infrastructure
Standard Format: [the what] [the action] [the why]
Using the Format: [Admin user activities, exceptions, faults and information security events] [are logged, stored securely, and analyzed] [to detect potential security incidents and support investigations for primary infrastructure systems]
Final Control Objective: Admin user activities, exceptions, faults, and information security events are logged, stored securely, and analyzed to detect potential security incidents and support investigations for primary infrastructure systems.
Required Evidence
Required Evidence specifies the artifacts needed to verify that a control is operating effectively. Evidence is the output produced when the control operates. List it explicitly and uniformly so that AI Control Checks can accurately assess compliance with the control objective.
Standard Format:
- [Type of evidence]
- [Type of evidence]
Example:
Control BC02: Redundancy of Information Processing Facilities
Control Objective
Information processing facilities (e.g., data centers) are implemented with redundancy sufficient to meet defined availability requirements, ensuring continued operations during disruptions.
Required Evidence
- Disaster Recovery Plan
- Architecture Diagram of Redundant Infrastructure
- System-Generated Inventory of Data Storage and Load Balancers
Test Procedures
Test Procedures detail how the evidence will be examined to confirm compliance and control effectiveness. Each test procedure should directly correspond to one of the Required Evidence items listed for the same control. This format directs Trustero AI to evaluate the evidence against every aspect of the control's tests.
Standard Format:
[Title of Test that aligns with Type of Evidence name]: [Examine/Validate/Confirm/Verify/Check] [piece of evidence] [where/how] [contains/includes/is or isn’t] [what to test/look for]
Example:
Using the same control example as above, each test procedure should correspond to one of the three bulleted evidence types. For best results, each procedure should also be its own line item.
Control BC02: Redundancy of Information Processing Facilities
Control Objective
Information processing facilities (e.g., data centers) are implemented with redundancy sufficient to meet defined availability requirements, ensuring continued operations during disruptions.
Required Evidence
- Disaster Recovery Plan
- Architecture Diagram of Redundant Infrastructure
- System-Generated Inventory of Data Storage and Load Balancers
Test Procedures
- Disaster Recovery Plan Validation: Validate that the Disaster Recovery Plan identifies key individuals responsible for managing redundancy and disaster recovery processes.
- Architecture Diagram Validation: Validate that an architecture or network diagram documenting the redundancy of information processing facilities exists and has been reviewed or updated within the previous calendar year.
- System-Generated Inventory Validation: Validate that a system-generated list of load balancers and data storage currently in use by the organization is provided. Confirm that the inventory includes essential details such as ID, name, and location for each load balancer to ensure it is detailed and accurate.
Test Procedure Words to Avoid
Avoid using words that lack clear, verifiable criteria, as they create ambiguity for the AI Control Checks. Do not use the following words and phrases:
- Accurately/Accurate - lacks specific criteria for verification. Instead, specify the exact measure or standard.
- Correctly/Correct - similarly vague; describe the expected condition or outcome directly.
- Such as - instead of giving open-ended examples, list the specific items or details required.
- Timely - specify the exact timeframe or deadline (e.g., within 24 hours, by the end of the month).
- Promptly - provide a specific timeframe or deadline to clarify the expectation (e.g., within one business day).
- Appropriately - clarify what constitutes appropriate action or outcome by defining specific criteria or standards.
- Sample - avoid sampling; aim to test the entire population when possible.
- Regular - specify the exact cadence (e.g., weekly, quarterly, annually).
- Current - specify timeframes (e.g., within the last 30/60/90 days).
- All - define how “all” is determined; avoid generalizations.
- Applicable - specify the context or conditions that make something applicable.
- Clear - be specific about what makes something “clear”; define the required level of detail or documentation.
- Consistency with XYZ - detail what “consistency” means in practice; specify alignment criteria or indicators.
- In Line With XYZ - explicitly call out specific items or conditions rather than using vague relational terms.
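As an added example (not part of this article or of Trustero's product), the following Python checker applies the formatting rules above to a control's Required Evidence and Test Procedures before the content is saved: it confirms that each procedure is written as "Title: Verb ..." with one of the allowed verbs, that each title names a listed evidence item, that every evidence item has at least one procedure, and that none of the words to avoid appear. The BC02 control from this article is embedded as sample input; the token-based rule for aligning a title to an evidence item, the `Finding` record and the function names are assumptions of this example, not Trustero's implementation.

```python
"""Lint control content against the article's formatting rules (illustrative, not Trustero code)."""
import re
from dataclasses import dataclass

# Terms listed under "Test Procedure Words to Avoid"; longer forms first so the
# alternation prefers "accurately" over "accurate" and "correctly" over "correct".
VAGUE_TERMS = (
    "accurately", "accurate", "correctly", "correct", "such as", "timely",
    "promptly", "appropriately", "sample", "regular", "current", "all",
    "applicable", "clear", "consistency with", "in line with",
)

# Verbs permitted by the standard test-procedure format.
TEST_VERBS = ("examine", "validate", "confirm", "verify", "check")

# Verb-derived title suffixes ("... Validation") ignored when matching a title to evidence.
# Assumed convention for this example.
TITLE_SUFFIXES = {"validation", "verification", "check", "examination", "confirmation"}

# Whole-word, case-insensitive match so "current" is flagged but "currently" is not.
_VAGUE_RE = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in VAGUE_TERMS) + r")\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    item: str   # the procedure or evidence item the finding is about
    issue: str  # what needs to change


def _tokens(text: str) -> set[str]:
    """Lower-case word tokens; hyphenated words stay whole ("system-generated")."""
    return set(re.findall(r"[a-z0-9][a-z0-9-]*", text.lower()))


def vague_terms_in(text: str) -> list[str]:
    """Avoided terms present in text, lower-cased, in order of appearance."""
    return [m.group(1).lower() for m in _VAGUE_RE.finditer(text)]


def check_control(evidence: list[str], procedures: list[str]) -> list[Finding]:
    """Return every rule violation for one control's evidence list and procedures."""
    findings: list[Finding] = []
    evidence_tokens = {e: _tokens(e) for e in evidence}
    covered: set[str] = set()

    for proc in procedures:
        title, sep, body = proc.partition(":")
        if not sep:
            findings.append(Finding(proc, "not in 'Title: Verb ...' form"))
            continue
        first_word = body.strip().split(" ", 1)[0].lower() if body.strip() else ""
        if first_word not in TEST_VERBS:
            findings.append(Finding(proc, f"test does not start with one of {TEST_VERBS}"))
        # Alignment rule: every non-suffix token of the title occurs in one evidence item.
        title_tokens = _tokens(title) - TITLE_SUFFIXES
        matches = [e for e, toks in evidence_tokens.items()
                   if title_tokens and title_tokens <= toks]
        if not matches:
            findings.append(Finding(proc, "title does not align with any Required Evidence item"))
        covered.update(matches)
        for term in vague_terms_in(proc):
            findings.append(Finding(proc, f"avoid the term '{term}'"))

    for e in evidence:
        if e not in covered:
            findings.append(Finding(e, "Required Evidence item has no test procedure"))
    return findings


# Sample input taken from the BC02 example in this article.
BC02_EVIDENCE = [
    "Disaster Recovery Plan",
    "Architecture Diagram of Redundant Infrastructure",
    "System-Generated Inventory of Data Storage and Load Balancers",
]
BC02_PROCEDURES = [
    "Disaster Recovery Plan Validation: Validate that the Disaster Recovery Plan identifies key "
    "individuals responsible for managing redundancy and disaster recovery processes.",
    "Architecture Diagram Validation: Validate that an architecture or network diagram documenting "
    "the redundancy of information processing facilities exists and has been reviewed or updated "
    "within the previous calendar year.",
    "System-Generated Inventory Validation: Validate that a system-generated list of load balancers "
    "and data storage currently in use by the organization is provided. Confirm that the inventory "
    "includes essential details such as ID, name, and location for each load balancer to ensure it "
    "is detailed and accurate.",
]

if __name__ == "__main__":
    for f in check_control(BC02_EVIDENCE, BC02_PROCEDURES):
        print(f"{f.issue}: {f.item[:60]}...")
```

Run against the BC02 example, the checker reports two findings, both on the third procedure, which contains "such as" and "accurate"; the first two procedures pass every rule. The whole-word match deliberately leaves "currently" alone because the list names "current" as a standalone term; extend `VAGUE_TERMS` if your reviewers read the list more strictly.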
By following these content formatting best practices, organizations can enhance the accuracy of Trustero AI control check results for effective risk management and ongoing compliance.
For more on optimizing control content, see: Understanding and Optimizing Control Guidance for Accurate AI Results