FAQ
Which items can link to which
Quick reference: every link type the product supports and how to make them.
1 min readLast updated 26 April 2026
Every link lives in its own M:N map table and is tenant-scoped. Here's the full matrix.
| From | To | Where in UI |
|---|---|---|
| Control | Framework section | Control detail → "frameworks" actions |
| Control | Risk | Risks detail → linked controls; or Controls → "link to risks" |
| Control test | Control | Controls detail → "Log test" |
| Control test | Evidence | Included in the test form as evidence IDs |
| Evidence | Control or Policy | Set at upload time on the Evidence page |
| Policy | Control | Policies view modal → "Linked controls" panel |
| Policy | Risk | Policies view modal → "Linked risks" panel |
| Policy | Acknowledgments / Campaigns | Policies view modal → Ack panel / Campaigns panel |
| Asset | Risk | Assets detail → "Link risk" |
| Incident | Risk | Incidents detail → "Linked risks" panel |
| Vulnerability | Asset / Control / Risk | Set on the Vulnerability record directly |
| Vendor | Data type | Vendors detail → "Data types processed" |
| Audit finding | Control | Set on the Finding record |
| BCP BIA | Plan | BCP detail → "New BIA" |
Unlinked records are still queryable (you won't fail validation for leaving things dangling) but they don't count toward any framework percentage, don't contribute to residual scoring, and don't tell the audit story. The gentle nudge: the longer you use the product, the tighter you should pull these links.