What is a control?

A control is a specific security or operational requirement that a compliance framework mandates. Every framework is made up of controls — DORA has around 70, ISO 27001 has 93, and SOC 2 has roughly 60 criteria. Examples of controls:
  • “Implement multi-factor authentication for all privileged accounts”
  • “Conduct annual penetration testing of critical systems”
  • “Maintain a documented incident response plan”
When you activate a framework in Matproof, its full control set is automatically populated into your Controls module.
Controls are only visible when Advanced Mode is enabled for your organization. Go to Settings → Organization to enable it.

Control structure

Each control contains:
| Field | Description |
| --- | --- |
| Status | Not started / In progress / Implemented / Not applicable |
| Owner | The team member responsible for this control |
| Evidence | Evidence tasks linked to this control |
| Policies | Internal policies that satisfy this control |
| Risks | Risks that this control mitigates |
| Framework mapping | Which frameworks reference this control |

How controls map to frameworks

Controls are the shared layer beneath multiple frameworks. A single control — like “Encrypt data at rest” — can satisfy requirements across DORA, ISO 27001, and SOC 2 simultaneously. When you collect evidence for a control, all frameworks that reference it are updated automatically.
If you are pursuing multiple certifications, prioritize controls that appear in more than one framework first. Check the Framework mapping field on each control to see overlap.

Updating control status

  1. Go to Controls and open a control
  2. Click Status and select the current state
  3. Add a note if needed (useful for partial implementations)
Status options:
  • Not started: Control has not been addressed yet.
  • In progress: Implementation is underway but not complete.
  • Implemented: Control is fully implemented and evidenced.
  • Not applicable: Control does not apply to your organization’s scope.
Marking a control as Not applicable requires a justification note. Auditors will review these during assessments.

Linking evidence

Evidence tasks are the primary way controls move to Implemented status. To link evidence to a control:
  1. Open the control
  2. Click Add evidence
  3. Select an existing evidence task or create a new one
  4. Once the evidence task is marked complete, the control status updates automatically
You can link multiple evidence items to a single control. The control is considered implemented when all required evidence is collected and unexpired.

Assigning owners

Every control should have an owner — the person accountable for implementation and ongoing compliance.
  1. Open a control
  2. Click Owner → search for a team member
  3. The owner receives notifications when evidence expires or the control status changes
Owners do not need to collect evidence themselves. They are accountable for ensuring it gets done.

Filtering and searching

Use filters to focus on what matters:
| Filter | Use case |
| --- | --- |
| Framework | View controls for a specific framework (e.g., DORA only) |
| Status | Find all controls that are not started or in progress |
| Owner | See what a specific person is responsible for |
| Evidence expiry | Surface controls with expiring evidence |

Exporting for audits

Before an audit, export your controls for review:
  1. Go to Controls
  2. Apply any filters (e.g., by framework)
  3. Click Export
  4. Choose CSV or the full evidence package (ZIP)
The export includes control names, statuses, owners, linked evidence, and policy references — matching the structure auditors expect.