
How to Work Through Compliance Controls in Humadroid (ISO 27001 & SOC 2)

Last updated on Jun 04, 2025

When running a compliance project in Humadroid, you'll eventually reach the most critical part: working through individual controls. Controls are the foundation of any compliance framework. Whether you're using ISO 27001 or SOC 2, or just running an internal compliance project, the approach is similar, but the expectations and documentation may vary.

Before diving in and working on the controls one by one, we recommend taking time to review the full control set. This will provide you with a high-level understanding of what is expected, how different controls interconnect, and where your organization's potential gaps may lie. With that overview, addressing each control becomes more contextual and meaningful.

🔄 As you go through each control, you’ll also be able to better understand which of your identified risks align with specific controls. When adding risks to your project, you can easily link them to corresponding controls, creating a more connected and actionable compliance strategy.


What Are Controls?

Controls, sometimes called “control points,” are specific safeguards, procedures, or activities that an organization implements to mitigate risks to its information assets. In the realm of information security, a control can be technical (e.g., firewall rules), procedural (e.g., incident response procedures), or organizational (e.g., security policies).

Purpose of Controls

  • Risk Mitigation: Controls aim to reduce the likelihood or impact of threats (e.g., unauthorized access, data leakage, service disruption).

  • Compliance: Many regulations and standards, such as ISO 27001 and SOC 2, require organizations to demonstrate that specific controls are in place (see below).

  • Governance and Assurance: Controls establish clear practices and documentation so that internal teams, external auditors, and stakeholders can verify that information security is managed systematically.

Relationship Between Policies, Standards, and Controls

  • Policies/Standards: Define high-level objectives and rules (e.g., “We must encrypt data at rest”).

  • Controls: Translate those objectives into specific actions or mechanisms (e.g., “Use AES-256 encryption for all database backups”).

  • Procedures/Guidelines: Provide step-by-step instructions for implementing controls (e.g., “Run pg_dump with the --encrypt flag”).

🔐 ISO 27001: Understanding and Completing Controls

ISO 27001 is centered around the concept of Annex A Controls, which support the organization's broader Information Security Management System (ISMS). These controls are grouped into four key sections introduced in ISO/IEC 27001:2022:

We recommend starting with a full overview of these sections. Understanding the structure will help you recognize how individual controls interrelate.

📄 Example – A.6.4: Disciplinary Process

What it requires: A formal disciplinary process must exist to take corrective action in case of information security breaches.

Your evidence might include:

  • A disciplinary policy document outlining procedures

  • HR guidelines describing escalation steps

  • Historical log or summary of enforcement actions taken

✅ What’s Expected of You

  • Review the control’s objective and understand its intent

  • Assign ownership of the control (recommended for distributed accountability)

  • Document the implementation by describing how the control works in your organization

  • Upload supporting documentation (e.g., access logs, policies, asset registers)

🔄 Required vs Optional

ISO 27001 controls aren’t optional. While organizations may justify exclusions in the Statement of Applicability (SoA), any exclusion must be reasoned and documented.


🔐 SOC 2: Understanding and Completing Controls

SOC 2 is structured around the Trust Services Criteria (TSC), which include Security, Availability, Confidentiality, Processing Integrity, and Privacy.

The TSC is the official source of information for SOC 2 and should be read thoroughly by anyone preparing for a SOC 2 audit. Check the full Trust Services Criteria document.

Familiarizing yourself with these categories in advance will help you understand the scope of your audit and ensure comprehensive coverage.

  • Security (Common Criteria) – Required for all audits

  • Availability – If you promise high uptime or SLAs

  • Confidentiality – If you manage confidential client data

  • Processing Integrity – For transaction accuracy and completeness

  • Privacy – If you process personally identifiable information (PII)

Again, reviewing all categories before starting helps you understand what’s in scope.

📄 Example of understanding a control point – CC6.3: Authentication

  • What it requires: Systems require authentication using strong credentials

  • Your evidence might include:

    • Password policy

    • MFA settings screenshots

    • Admin account provisioning checklist

🔄 Required vs Optional

All controls under the Security category (the Common Criteria) are mandatory. Other TSC categories (Availability, Confidentiality, etc.) are only required if they’re in scope. For instance, if you don’t process sensitive personal data, Privacy controls may not apply.
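The scoping rules above (ISO 27001: every Annex A control applies unless the SoA records a justified exclusion; SOC 2: the Security criteria are always required, other categories only when in scope) can be checked mechanically against a control register before an audit. The following is an added example, not part of Humadroid or this guide: it assumes a hypothetical in-memory register of controls with owner, description, evidence and SoA fields (constructed sample data below; the placeholder control IDs other than A.6.4 and CC6.3 are made up) and reports required controls that still lack an owner, a description or evidence, plus ISO exclusions that have no documented justification.

```python
"""Audit-readiness check over a control register.

Added example; not Humadroid code. Field names, the ``Control`` dataclass
and the sample register are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

# SOC 2: the Security category (Common Criteria) is required in every audit.
SOC2_ALWAYS_REQUIRED = {"Security"}


@dataclass
class Control:
    id: str
    framework: str                 # "ISO27001" or "SOC2"
    category: str                  # TSC category (SOC 2) or control theme (ISO 27001)
    owner: str = ""
    description: str = ""          # how the control is implemented in the organization
    evidence: list = field(default_factory=list)   # attached evidence file names
    applicable: bool = True        # ISO 27001: False when excluded in the SoA
    soa_justification: str = ""    # ISO 27001: reason recorded in the SoA for an exclusion


def is_required(control, soc2_scope=()):
    """Return True if the control must be completed for the audit.

    SOC 2: Security is always required; other TSC categories only if in scope.
    ISO 27001: every control is required unless excluded in the SoA.
    """
    if control.framework == "SOC2":
        return (control.category in SOC2_ALWAYS_REQUIRED
                or control.category in soc2_scope)
    if control.framework == "ISO27001":
        return control.applicable
    raise ValueError(f"unknown framework: {control.framework!r}")


def readiness_findings(register, soc2_scope=()):
    """Map control id -> list of problems for controls that are not audit-ready."""
    findings = {}
    for c in register:
        problems = []
        # An ISO 27001 exclusion is acceptable only when the SoA explains it.
        if (c.framework == "ISO27001" and not c.applicable
                and not c.soa_justification.strip()):
            problems.append("excluded without a documented SoA justification")
        if is_required(c, soc2_scope):
            if not c.owner.strip():
                problems.append("no owner assigned")
            if not c.description.strip():
                problems.append("implementation description is blank")
            if not c.evidence:
                problems.append("no evidence attached")
        if problems:
            findings[c.id] = problems
    return findings


# Constructed sample register (placeholder IDs and file names are invented).
SAMPLE_REGISTER = [
    Control("A.6.4", "ISO27001", "People", owner="HR lead",
            description="Formal disciplinary process in the HR handbook",
            evidence=["disciplinary-policy.pdf"]),
    Control("ISO-PLACEHOLDER-1", "ISO27001", "Technological",
            applicable=False, soa_justification=""),
    Control("CC6.3", "SOC2", "Security", owner="",
            description="MFA enforced for all admin accounts via the IdP",
            evidence=["mfa-settings.png"]),
    Control("SOC2-PLACEHOLDER-A1", "SOC2", "Availability"),
]

if __name__ == "__main__":
    for scope in ((), ("Availability",)):
        print(f"SOC 2 optional categories in scope: {scope or 'none'}")
        for cid, problems in readiness_findings(SAMPLE_REGISTER, scope).items():
            print(f"  {cid}: {'; '.join(problems)}")
```

With no optional SOC 2 category in scope, the Availability placeholder is skipped entirely, the ISO exclusion is flagged because its SoA justification is empty, and CC6.3 is flagged only for its missing owner; adding Availability to the scope makes the blank Availability control appear with three findings.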


🧰 What Humadroid Provides for Both Frameworks

Regardless of whether you select ISO 27001 or SOC 2, Humadroid provides a standardized control workspace. Each control in your chosen framework includes:

  • Control title and description

  • Area to describe the implementation

  • Space to attach related evidence

  • Links to supporting documents

  • Control ownership and review reminders

  • Assessment history

This consistent interface simplifies the process and helps your team stay aligned during compliance preparation.


🧠 Best Practices When Working Through Controls

  • Don’t leave descriptions blank, even if you upload a file

  • Use versioned documents from your Compliance > Documents section

  • Assign owners to controls so you can track accountability

  • Set review dates to stay audit-ready throughout the year

  • Be honest about partial implementations; they are useful for tracking progress


By understanding what each control requires and preparing the necessary documentation, you can make audit preparation faster and reduce compliance risk.