Control sets

Manage control sets that define security and privacy controls used in frameworks.

The Control Sets screen is where your organisation's compliance catalogue comes to life. It is the central place for DPOs, Information Security Managers, Compliance Officers, and IT Administrators to create and maintain the structured libraries of controls — whether based on internationally recognised standards like ISO 27001 or custom internal frameworks — that every risk assessment, maturity score, and compliance report in DPMS measures against. Without at least one configured and active control set, many downstream features simply have nothing to work with.

How to open it

In the left-hand sidebar, navigate to IT Settings, then select International Standards. The index page lists all control sets and standards already configured in your organisation. From there:

  • Click Create to build a new control set from scratch.
  • Click the edit action next to any existing record to open it for modification.
Heads up: Access requires either the Control Set management permission or the International Standards IT Settings permission. If you hold neither, the page loads but shows a "403 Forbidden" message instead of the form.

What you see

The form is built around three functional modes that share the same URL. A back arrow in the top-left corner always returns you to wherever you came from. The page title tells you which mode you are in: "Create Standard / Control Set" when building something new, "Edit [record name]" when editing the structure of an existing record, and "Edit Existing Standards" or "Edit Existing Control Sets" when managing already-published items.

In the top-right corner sits the main action button — it changes its label depending on what you are doing: Create, Save, or Enter Edit Mode. This button sometimes disappears entirely (when the form is waiting for you to select a record), which can be surprising the first time you encounter it.

The General tab presents the configuration fields on a white card. When you switch to the structure builder (the Group Information tab), the entire background turns light blue — a deliberate visual signal that you are now working inside the drag-and-drop editor.

Working with this screen

Setting up a control set for the first time

When you click Create on the International Standards index, the form opens in creation mode. The record-selection dropdown is hidden, and you see the name field and type selector immediately.

  • Name your control set. Type a clear name in the Name field — this is what will appear in dropdown lists and reports across the entire platform. Click the translation icon next to the field to provide the name in additional languages your DPMS installation supports.
  • Choose a type. The Standard / Control Set dropdown is the most important decision on this form, and it cannot be changed after you save. Select Standard if you are representing a formal compliance framework (such as ISO 27001 or GDPR) — doing so makes a risk model assignment mandatory and links this record to the risk management module. Select Control Set if you are building an internal control catalogue where no risk model linkage is required but controls are mandatory. A small reference table on screen shows the difference at a glance.
  • If you chose Standard, select a risk type. The Risk Type dropdown appears and lets you choose between Privacy and Information Security. This tells DPMS which domain of risk assessments this standard governs. Like the Type field, this cannot be changed after saving.
  • Configure the parameters. Three toggles control optional capabilities for every control in this set:
      ◦ Control Applicability — enables users working with this set's controls to mark each control as "applicable" or "not applicable" to their organisation. This is essential for ISO 27001's Statement of Applicability process.
      ◦ Control Audit — unlocks audit evaluation fields on controls, enabling formal internal audit processes against this set.
      ◦ Average Maturity — enables aggregated maturity scoring across all controls, which feeds into compliance dashboards and maturity charts.
  • Optionally import from existing sets. The Control Import multi-select lets you pull the control structure from one or more existing standards or control sets into your new one. This is a significant time-saver if your new set shares many controls with an existing ISO standard — you avoid rebuilding the hierarchy from scratch. Note that imported controls are a snapshot; future changes to the source set do not automatically update your new set.
  • Click Create. DPMS saves the record and immediately opens the Group Information tab so you can begin building the control structure.

Building the group, section, and control hierarchy

After creating a control set (or when editing an existing one), you land on the Group Information tab — the drag-and-drop structure builder. The light-blue background signals you are in editing mode.

The hierarchy has three levels: Groups (top-level domains, like "Annex A — Organisational Controls"), Sections (subdivisions of a group, like "A.5.1 — Policies"), and Controls (the individual requirements).

  • Add a group. You will see a default empty group. Type a short code (e.g., "A") and a name (e.g., "Rights of Data Subjects") into the two text fields on the group row. To add more groups, click the green + button on the green banner below any group — the button expands into three choices: Add Group, Add Section, and Add Control.
  • Add sections inside a group. Click Add Section to create a section nested within the group. Give it a code and a name. Sections can also be dragged to a different group entirely — grab the grip icon (the six-dot handle) on the left side of the row.
  • Add controls. Click Add Control (either inside a section or directly in a group for standalone controls). Each control card has a Name field (the short reference label) and a Description field (the full requirement text). Both support the translation mechanism.
  • Add a to-do list to a control. Toggle the TO-DO LIST switch on a control to Activated. A green + button appears; click it each time you want to add an implementation task (for example, "Create request form," "Define response timeline"). To-do items can be reordered by dragging. Toggle the switch off to hide and disable the list without deleting it.
  • Reorder anything. Drag groups, sections, controls, and to-do items using their grip handles. The order you set here is the order users will see throughout DPMS.
  • Delete items. Click the red circular minus button on the right of any group, section, control, or to-do item to remove it. There is no confirmation dialog — deletion is immediate within the editor. However, nothing is permanent until you click Save.
  • When your structure is complete, click Save in the top-right. DPMS saves the full hierarchy and returns you to the International Standards index.
Heads up: All changes in the structure editor exist only in memory until you click Save. If you navigate away or close the tab without saving, every addition, deletion, and reorder is lost.

Translating the control set into other languages

Once your structure is built, you can auto-translate all group names, section names, control names, descriptions, and to-do items at once.

  • At the top of the Group Information tab, you will see a row of language buttons (for example, EN, DE, FR). Click the button for the language you want.
  • DPMS shows a "Translating…" spinner and disables all text fields. A request is sent to the translation service with your full control hierarchy. All fields are populated with the translated text when the response arrives.
  • Review the auto-translations. Click into any field to correct it manually. Your manual edits update only the selected language variant.
  • Click Save to commit both the original language and the translated content.
Heads up: If you click a language button again after making manual corrections, the translation service will overwrite your edits with a fresh machine translation. Always make final manual corrections after your last translation request.

Renaming or removing a published standard

When a standard has already been published and activated in your organisation, editing its name or removing it follows a different path — DPMS opens the Edit Existing Standards tab automatically.

  • You will see a list of all active standards or control sets, each on a blue card with a multi-language name input. Click into the name field and type the new name (for example, changing "ISO 27001:2013" to "ISO 27001:2022"). Update all language variants as needed.
  • To remove a standard, click the trash icon on the right of the card. A confirmation bar slides in — click the tick to confirm, or the X to cancel. The deletion is only staged at this point.
  • Read the warning banner at the top of the tab before proceeding. Deleting a standard here has downstream consequences for risk models and other records that reference it.
  • Click Save. DPMS commits all name changes and any deletions to the database and returns you to the index.

Field reference

  • Name — The display name for this control set or standard, shown in dropdowns and reports across DPMS. Supports multiple languages via the translation button. Required before saving.
  • Standard / Control Set (Type) — Determines the record's behaviour across the platform. Standard: requires a linked risk model and has optional controls. Control Set: requires controls but has no mandatory risk model. Cannot be changed after the first save.
  • Risk Type — Visible only when Type is Standard. Select Privacy for privacy risk assessments (ROPA, DPIA) or Information Security for asset risk assessments. Cannot be changed after the first save.
  • Control Applicability Parameter — Toggle. When activated, every control in this set gains an "applicable / not applicable" switch in downstream screens. Required by ISO 27001's Statement of Applicability.
  • Control Audit Parameter — Toggle. When activated, controls in this set show audit evaluation fields when used in audit workflows.
  • Average Maturity Parameter — Toggle. When activated, DPMS aggregates maturity scores across all controls in the set and surfaces the result in compliance dashboards.
  • Control Import — Multi-select searchable dropdown. Choose one or more existing control sets or standards to import their control hierarchy into the new record. Imported content is a one-time snapshot.
  • Group Code field — A short alphanumeric code for the group (e.g., "A" or "A.5"). Maximum 50 characters.
  • Group Name field — The display name for the group (e.g., "Organisational Controls"). Maximum 300 characters.
  • Section Code and Name — Same as group fields; maximum 50 and 300 characters respectively.
  • Control Name — The short reference label for the individual requirement. Maximum 300 characters.
  • Control Description — The full text of the requirement. Maximum 300 characters.
  • To-do item text — The text of an implementation sub-task. Maximum 300 characters.
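The type rules and length limits from this field reference, together with the one-time snapshot semantics of Control Import, expressed as a small validator. This is an added illustration, not DPMS code; the class names, the `validate` and `import_snapshot` functions, and the wording of the error messages are assumptions.

```python
from copy import deepcopy
from dataclasses import dataclass, field

MAX_CODE, MAX_TEXT = 50, 300                   # limits from the field reference
RISK_TYPES = ("Privacy", "Information Security")

@dataclass
class Control:
    name: str
    description: str = ""
    todo: list = field(default_factory=list)   # implementation sub-tasks
@dataclass
class Node:                                    # a Group or a Section
    code: str
    name: str
    sections: list = field(default_factory=list)   # groups only
    controls: list = field(default_factory=list)   # standalone or section controls
@dataclass
class ControlSet:
    name: str
    kind: str                     # "Standard" or "Control Set"; locked after first save
    risk_type: str = None         # Standard only: one of RISK_TYPES
    groups: list = field(default_factory=list)

def controls_of(cs):
    for g in cs.groups:
        yield from g.controls
        for s in g.sections:
            yield from s.controls

def validate(cs):
    """Return the rule violations; an empty list means the record can be saved."""
    errs = [] if cs.name.strip() else ["Name: required"]
    if cs.kind == "Standard" and cs.risk_type not in RISK_TYPES:
        errs.append("Standard: Risk Type must be Privacy or Information Security")
    if cs.kind == "Control Set" and not any(True for _ in controls_of(cs)):
        errs.append("Control Set: at least one control is required")
    fields = [("Name", cs.name, MAX_TEXT)]    # 50 for codes, 300 for every other text field
    for n in [n for g in cs.groups for n in (g, *g.sections)]:
        fields += [(f"{n.code!r} code", n.code, MAX_CODE), (f"{n.code!r} name", n.name, MAX_TEXT)]
    for c in controls_of(cs):
        fields += [(f"control {c.name!r}", c.name, MAX_TEXT),
                   (f"description of {c.name!r}", c.description, MAX_TEXT)]
        fields += [(f"to-do {t!r}", t, MAX_TEXT) for t in c.todo]
    errs += [f"{label}: longer than {cap} characters" for label, text, cap in fields if len(text) > cap]
    return errs

def import_snapshot(target, *sources):
    for src in sources:   # Control Import: a copy taken now, not a live link to the source
        target.groups.extend(deepcopy(src.groups))
```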

How this connects to the rest of DPMS

Control sets are among the most foundational records in the system. Everything you configure here cascades into multiple other areas:

  • Risk management: When a Standard type control set is activated, it becomes mandatory in risk model configurations. Without it, risk models in that domain cannot be fully configured.
  • Asset and privacy risk assessments: Controls from this set appear in asset risk assessments and ROPA/DPIA risk evaluations. The Control Applicability and Control Audit toggles you set here determine which options are visible to assessors.
  • Maturity scoring and compliance dashboards: Enabling the Average Maturity parameter unlocks aggregated maturity charts in reporting screens. Without this, per-control maturity data exists but is not rolled up into a single score.
  • Compliance gap analysis and reporting: Every compliance report that measures your organisation against a framework references the control hierarchy you build here.

After finishing this screen, your next step is typically to activate the control set in Risk Settings (if it is a Standard) or to assign it to the relevant risk model configuration. You may also want to set up asset or vendor assessments that reference the new set.

The International Standards index page is the main entry point for this screen, and the Risk Settings screens for active control sets link back here for editing.

Tips & common pitfalls

Heads up: The Type and Risk Type fields are permanently locked after the first save. If you realise you chose the wrong type, you will need to delete the record and start over. Take a moment to confirm your selections before clicking Create.
Heads up: The Save button disappears when you are in edit mode but have not yet selected a record from the dropdown. This is intentional — click the dropdown, find your record, and the button will reappear. Do not mistake the missing button for a page error.
  • Unsaved changes are lost silently. The structure editor holds everything in memory. Clicking the browser's back button, refreshing the page, or navigating to another screen without saving will discard all your work with no warning prompt.
  • Deleting a group removes all its children. The red minus button on a group immediately removes every section and control nested inside it. Because changes are only permanent after Save, you can recover by navigating away without saving — but only if you catch the mistake before clicking Save.
  • Imported controls are a snapshot, not a live link. Controls imported from another set are copied at the time of creation. If the source set is later updated, your control set does not receive those updates automatically. Plan to review imported content periodically.
  • Sections can be dragged across groups. If you accidentally drag a section into the wrong group, simply drag it back. This cross-group movement is intentional and useful for reorganising large frameworks.
  • Always make manual translation corrections after the last auto-translation. Clicking a language button again will overwrite any manual edits in that language with fresh machine translations.


Was this article helpful?