DemandFlow Support Centre

SECCONTROL: Security Control

Reference | Entity Reference | 16/04/2026 | Updated 16/04/2026
An ISO 27001 Annex A security control record for the Statement of Applicability, tracking implementation status, evidence, and justification.

The SECCONTROL entity: An ISO 27001 Annex A security control record for the Statement of Applicability, tracking implementation status, evidence, and justification.

Default definition. This article describes the default SECCONTROL definition shipped with DemandFlow. Administrators can add, remove, rename, or re-type fields, change which ones are required, and alter the layout from the Definitions screen in Settings. Your tenant's current schema may differ from what is shown here. To read the current definition at any time, GET the DEFINITION object whose id matches SECCONTROL.

Entity properties

Property | Value
Entity code | SECCONTROL
Display name | Security Control
Plural | Security Controls
Level | 90050

Use cases

SECCONTROL implements the Statement of Applicability (SoA) required by ISO 27001 clause 6.1.3(d). Each record represents one Annex A control from ISO 27001:2022. The controlCategory field maps to the four themes in Annex A (Organisational, People, Physical, Technological).

The applicable checkbox and justification field handle control exclusions (auditors require documented justification for excluded controls). Implementation status tracks progress from Not Started through to Certified. The evidence fields document what proof exists that the control is operating effectively.

Fields

Control Details

Field | Type | Required | Notes
controlRef | text | Yes | Control Reference
name | text | Yes | Control Name
controlCategory | enum | Yes | Category (Annex A Theme). Valid ids: organisational (A.5 Organisational Controls), people (A.6 People Controls), physical (A.7 Physical Controls), technological (A.8 Technological Controls).
description | text (multi-line) | | Control Description

Applicability

Field | Type | Required | Notes
applicable | boolean | | Is this control applicable to your organisation?
justification | text (multi-line) | Yes | Required by ISO 27001 6.1.3(d) - explain why this control is or is not applicable
implementationStatus | enum | Yes | Implementation Status. Valid ids: notStarted (Not Started), planned (Planned), partial (Partially Implemented), implemented (Fully Implemented), notApplicable (Not Applicable).
maturityLevel | enum | | Maturity Level. Valid ids: 1 (1 - Initial / Ad-hoc), 2 (2 - Managed), 3 (3 - Defined), 4 (4 - Quantitatively Managed), 5 (5 - Optimising).

Ownership

Field | Type | Required | Notes
owner | reference → user | Yes | Control Owner
implementer | reference → user | | Implemented By
lastAssessedDate | date | | Last Assessed Date
nextAssessmentDate | date | | Next Assessment Date

Related Risk

Field | Type | Required | Notes
riskTreatment | enum | | Risk Treatment. Valid ids: mitigate (Mitigate / Reduce), accept (Accept), transfer (Transfer), avoid (Avoid).
residualRiskLevel | enum | | Residual Risk Level. Valid ids: low (Low), medium (Medium), high (High).

Implementation Details

Field | Type | Required | Notes
implementationDetails | text (multi-line) | | Describe the specific measures, tools, and processes used
relatedPolicies | text (multi-line) | | List policy references that support this control

Evidence

Field | Type | Required | Notes
evidenceDescription | text (multi-line) | | What evidence exists to demonstrate this control is operating effectively?
gaps | text (multi-line) | | Any gaps or weaknesses in the current implementation
improvementPlan | text (multi-line) | | Planned improvements to address gaps

Attachments

  • (file): file attachment field.

Additional panels

  • Activity timeline panel attached.

Relationships

  • Lookups: owner points at a user; implementer points at a user.

Creating a Security Control via the API

POST /v1/objects
Authorization: Bearer <your-pat>
Content-Type: application/json

{
  "entity":   "SECCONTROL",
  "level":    90050,
  "comboKey": "SUB:|ENT:",
  "controlRef":    "Example value",
  "name":    "Example name",
  "controlCategory":    "organisational",
  "justification":    "Example Justification for Inclusion/Exclusion"
}
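
The following Python check is an added example, not DemandFlow's own code: it validates a SECCONTROL payload against the required fields and enum ids listed in the default definition on this page before the payload is sent. The function name validate_seccontrol and the rule that applicable and notApplicable must agree are assumptions made here, and a tenant's customised definition may differ. Run on the field values from the request body above, it reports that implementationStatus and owner are marked Required in the default tables but absent from the request.

```python
# Added example: field rules transcribed from the default SECCONTROL tables on this page.
REQUIRED = ("controlRef", "name", "controlCategory", "justification",
            "implementationStatus", "owner")
ENUMS = {
    "controlCategory": {"organisational", "people", "physical", "technological"},
    "implementationStatus": {"notStarted", "planned", "partial", "implemented",
                             "notApplicable"},
    "maturityLevel": {"1", "2", "3", "4", "5"},
    "riskTreatment": {"mitigate", "accept", "transfer", "avoid"},
    "residualRiskLevel": {"low", "medium", "high"},
}


def validate_seccontrol(payload):
    """Return a list of problems; an empty list means the payload passes."""
    problems = []
    for field in REQUIRED:
        value = payload.get(field)
        if value is None or (isinstance(value, str) and not value.strip()):
            problems.append(f"missing required field: {field}")
    for field, allowed in ENUMS.items():
        if field in payload and str(payload[field]) not in allowed:
            problems.append(f"invalid {field}: {payload[field]!r}")
    if "applicable" in payload and not isinstance(payload["applicable"], bool):
        problems.append("applicable must be a boolean")
    # Assumed SoA consistency rule (not stated on the page): the exclusion flag
    # and the notApplicable status should agree.
    excluded = payload.get("applicable") is False
    marked_na = payload.get("implementationStatus") == "notApplicable"
    if "applicable" in payload and excluded != marked_na:
        problems.append("applicable and implementationStatus disagree")
    return problems


# Constructed sample: the field values from the request body shown above.
DOC_EXAMPLE = {
    "controlRef": "Example value",
    "name": "Example name",
    "controlCategory": "organisational",
    "justification": "Example Justification for Inclusion/Exclusion",
}

if __name__ == "__main__":
    for problem in validate_seccontrol(DOC_EXAMPLE):
        print(problem)
```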

Listing Security Controls records

GET /v1/entities/SECCONTROL/SUB
