How-to
Controls: categories, testing, and what they link to
How the control library is organised and how it ties into the rest of the model.
Last updated 26 April 2026
Every control has a category (preventive / detective / corrective / deterrent), a type (technical / administrative / physical), and a status (implemented / partially implemented / not implemented / not applicable).
Controls sit at the centre of the data model. A single control can be linked to:
- Many framework sections — so one MFA control covers NIST IA-02, ISO 27001 A.8.5, SOC 2 CC6.1, etc. in one go.
- Many risks — which drives the residual-score narrative.
- Many policies — a control implements a policy-level requirement.
- Many evidence records and many test records — what auditors actually want to see.
- Audit findings — a finding can point at the control that failed.
- Vulnerabilities — a vuln can cite the control that compensates or that failed.
Log test runs from the detail pane — each test captures result (pass/fail/partial), test type (manual/automated/hybrid), date, tester, and optional linked evidence. Regular testing is what makes the "implemented" status credible. A control marked implemented with no tests is the first thing an auditor asks about.
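As an added illustration (not the tool's own code or schema), the following Python models the record shapes described above and runs the check the last paragraph implies: flag an "implemented" control that has no test record, whose latest test failed or is stale, or whose latest pass has no linked evidence. The record names, the rule set and the 365-day staleness window are assumptions; the sample controls are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum

# Field values are the ones the page lists; the record names, the rules in
# credibility_issues and its 365-day window are my own assumptions, not the tool's.
Status = Enum("Status", {"IMPLEMENTED": "implemented", "PARTIAL": "partially implemented",
                         "NOT_IMPLEMENTED": "not implemented", "NOT_APPLICABLE": "not applicable"})
Result = Enum("Result", {"PASS": "pass", "FAIL": "fail", "PARTIAL": "partial"})
@dataclass
class TestRecord:
    result: Result
    test_type: str        # manual / automated / hybrid
    tested_on: date
    tester: str
    evidence_ids: list = field(default_factory=list)   # optional linked evidence

@dataclass
class Control:
    name: str
    category: str         # preventive / detective / corrective / deterrent
    control_type: str     # technical / administrative / physical
    status: Status
    framework_sections: list = field(default_factory=list)   # e.g. "NIST IA-02"
    tests: list = field(default_factory=list)
def credibility_issues(control, today, max_age_days=365):
    # Reasons an auditor would question an "implemented" status; [] means nothing to flag.
    if control.status is not Status.IMPLEMENTED:
        return []
    if not control.tests:
        return ["implemented but never tested"]
    latest = max(control.tests, key=lambda t: t.tested_on)
    issues = []
    if latest.result is not Result.PASS:
        issues.append(f"latest test ({latest.tested_on}) result is {latest.result.value}")
    elif not latest.evidence_ids:
        issues.append("latest passing test has no linked evidence")
    if (age := (today - latest.tested_on).days) > max_age_days:
        issues.append(f"latest test is {age} days old")
    return issues

TODAY = date(2026, 4, 26)   # constructed sample: one MFA control, one stale, one untested
CONTROLS = [
    Control("MFA for all staff", "preventive", "technical", Status.IMPLEMENTED,
            ["NIST IA-02", "ISO 27001 A.8.5", "SOC 2 CC6.1"],
            [TestRecord(Result.PASS, "automated", date(2025, 1, 10), "a.smith", ["EV-12"]),
             TestRecord(Result.FAIL, "manual", date(2026, 3, 2), "b.jones")]),
    Control("Nightly backups", "corrective", "technical", Status.IMPLEMENTED, tests=[TestRecord(Result.PASS, "hybrid", date(2025, 1, 10), "a.smith")]),
    Control("Visitor sign-in", "deterrent", "physical", Status.IMPLEMENTED),
]
```

Running `credibility_issues(c, TODAY)` over `CONTROLS` gives one finding per control: the MFA control's latest test failed, the backup test is 471 days old and has no evidence, and the visitor control was never tested.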