Frameworks

Compliance officers, DPOs, and auditors use the Frameworks screen to systematically assess their organisation's conformity against recognised standards — ISO 27001, DORA, NIS 2, AI Act, and more — recording implementation status, attaching evidence, and building a living, audit-ready compliance record without ever leaving DPMS.

The Frameworks screen is your central workspace for working through compliance assessments against international and industry standards. Whether you are mapping controls for ISO 27001, preparing for a DORA audit, or tracking progress against a custom internal control set, this is where every finding, justification, and piece of evidence gets recorded. Because all changes save automatically in real time, the screen acts as a living audit trail — no spreadsheets, no manual version control, and no risk of forgetting to hit Save.

This screen sits at the heart of DPMS's compliance module. The data you record here feeds directly into the compliance dashboards and reports that management and auditors rely on. Without controls being assessed on this screen, those dashboards remain empty.

How to open it

In the left-hand navigation, go to Compliance › Frameworks. Click any framework record in the list to open its detail view. You will need at minimum read access to the Frameworks area; full editing of controls requires edit permission on the Frameworks object type. If you cannot see the menu item at all, contact your DPMS administrator to review your role permissions.

What you see

When you open a framework record, the screen divides into three main zones.

On the far left is a thin strip with a circle toggle icon. Clicking it opens the Element Menu — a vertical tab list that lets you jump between the different sections of the record (Controls, Linked Assets, Reviews & Approvals, and others). When the menu is open it occupies the left fifth of the screen; you can collapse it any time to give the control list more room. DPMS remembers your preference between sessions.

Across the top of the main area is a breadcrumb trail showing where you are (e.g. Frameworks › ISO 27001:2022 › Controls), with small arrow buttons that let you step to the previous or next framework record without going back to the index. A clock icon on the right opens the activity log, and a three-dot menu gives access to administrative options such as sharing.

Below the breadcrumb is a blue header bar containing the standard selector dropdown, a search bar, a view-type switcher (Controls or Maturity), and an Export to Excel button. Beneath that, the main content area shows the Overview summary widget and then the full hierarchical list of controls.

Working with this screen

Selecting a standard to assess

When you first arrive, the screen loads whichever standard you last worked with (your preference is stored locally). To switch to a different standard, click the dropdown in the blue header bar and select from the list — built-in standards like ISO 27001:2022, BSI Grundschutz, DORA, NIS 2, AI Act, CIS CSC, and any custom control sets your organisation has created are all available here.

Once you make a selection, the controls list reloads automatically for that standard. Note that switching standards clears any active search filters you had applied, so if you were in the middle of a filtered view, you will need to re-enter your search terms.

If DPMS does not have a translation of the selected standard in your current interface language, a yellow information banner appears above the controls list. This is not an error — you can still assess every control; the original language text is simply displayed instead.

Assessing controls for the first time

The controls are arranged in a hierarchical list, grouped by category (for example, "Organisational Controls" or "People Controls" in ISO 27001). Use the Search bar in the header to jump straight to a specific control by name or code — handy when a standard has hundreds of controls.

Click anywhere on a control's row header to expand the detail panel below it. Inside you will find:

  • Applicability dropdown (shown when the standard supports it) — choose Applicable or Not Applicable. If a control genuinely does not apply to your organisation, marking it Not Applicable removes it from your implementation and conformity calculations.
  • Implementation dropdown — choose Fully Implemented, Partially Implemented, or Not Implemented. This is the primary field that drives your compliance scores.
  • Justification text area — type a free-text explanation of how the control is being addressed, or why it is marked as it is. DPMS auto-saves your text one second after you stop typing, so you do not need to do anything special to preserve your work.
  • Evidence panel (right side) — attach supporting documents, tasks, or technical and organisational measures (TOMs) as evidence. Use the Type of evidence dropdown to choose the evidence category, then search for and select the specific item. Each piece of evidence you attach becomes a clickable link that opens the original record in a new tab.
  • Responsible Persons — assign one or more colleagues from your organisation to be responsible for this control. They appear in exports and reports.

All these changes are persisted immediately — there is no Save button to click on the control detail panel.

Conducting an internal audit (Audit mode)

When your organisation is conducting a formal internal or external audit, you can switch any individual control into Audit mode. Open the control's detail panel and look for the vertical toggle at the bottom right of the panel labelled CONTROL (top) and AUDIT (bottom). Clicking it flips the panel into audit mode — the background changes to a yellow/black colour scheme so it is visually distinct.

In audit mode:

  • Select Evidence Review — pick one of the evidence items already linked to the control. An eye icon lets you open the evidence in a new tab to inspect it.
  • Findings text area — record the auditor's observations about that piece of evidence.
  • Conformity verdict for the evidence — choose Conform, Minor, Major, or Cannot Be Assessed to record what the evidence demonstrates.
  • At the bottom right, set the Average Maturity (a CMMI scale from Initial to Optimising) and the Overall Conformity verdict for the control as a whole.

The auditor's name is filled in automatically from the logged-in account. As soon as you save findings for a control, the Overview widget at the top of the screen updates to reflect the new audit figures.

Heads up: Audit mode is per-control, not per-session. Switching one control to Audit mode does not affect any other control. Each time you open a control it starts in Control mode; you will need to switch manually if you want to record audit findings.

Reviewing historical compliance state

Every change ever made to a control is preserved in DPMS's log. To see how a control looked at a point in the past, expand the control and click the Log button next to the mode switch. The panel is replaced by a log timeline slider. Drag the slider to an older entry — DPMS shows you the exact justification text, linked evidence, responsible persons, and conformity verdict that were in place at that moment. All fields are read-only in the log view. This is particularly valuable when an external auditor asks "what was your status on this control on date X?" — you can answer with a precise, time-stamped record.

You can also review the full change history for the entire framework record (not just one control) by clicking the clock icon in the top-right breadcrumb area. This opens the activity log drawer as a slide-in panel on the right.

Getting a high-level maturity overview

Rather than reading through every individual control, switch to the Maturity view using the view-type selector in the header bar (next to the search box). DPMS renders a spider (radar) diagram showing the average maturity score for each control category. This is useful for board-level or management reporting — at a glance you can see which categories are well-developed and which need attention. A legend on the right lets you toggle individual categories on and off, and you can switch between different assessment periods (years) if historical data is available.

To return to the detailed control list, switch the selector back to Controls.

Exporting your assessment to Excel

To share your assessment results with stakeholders outside DPMS — for example, for a board report or an external auditor — click the Export to Excel icon (an arrow-from-a-document icon) in the blue header bar. DPMS generates and downloads an Excel file containing all controls with their applicability, implementation status, justification, conformity verdict, and evidence links. The button is greyed out until a standard is selected and fully loaded, and is temporarily locked while an export is already in progress to prevent duplicate downloads.

Sharing a framework record

If you need to give an external party or another team controlled access to a framework record, click the three-dot menu in the top right of the screen. If sharing is enabled for your organisation, a Sharing option appears. Clicking it takes you to the record's sharing configuration tab where you can grant access.

Field reference

Applicability — Whether the control is relevant to your organisation. Choose Applicable or Not Applicable. Only shown when the selected standard has the applicability feature enabled. Leave this at the default if your standard does not use it.

Implementation — The degree to which the control has been put into practice. Fully Implemented, Partially Implemented, or Not Implemented. Always shown; required to drive compliance scores.

Justification / General Findings — A free-text explanation. In Control mode this is labelled "Justification" (or "Additional Justification" if the control is marked Applicable). In Audit mode it becomes "General Findings". Supports multiple languages; use the translation icon buttons to add translations inline. Auto-saves one second after you stop typing.

Type of evidence — Defines the category of evidence you are attaching: Documents, Tasks, or TOMs. Must be selected before the evidence search dropdown appears.

Evidence search — Multi-select dropdown for finding and attaching specific evidence items. Searches across the selected evidence type.

Responsible Person — One or more users from your organisation who are accountable for this control. Searchable by name.

Average Maturity (Audit mode only) — A CMMI-derived scale: Initial, Managed, Defined, Quantitatively Managed, or Optimising. Feeds the spider diagram.

Conformity (Audit mode only) — Overall verdict for the control: No Conformity Set, Conform, Observation, Minor Non-Conformity, Major Non-Conformity, or Cannot Be Assessed.

Select Evidence Review (Audit mode only) — Which piece of linked evidence the auditor is currently reviewing.

Findings (Audit mode only) — The auditor's observations about the selected piece of evidence. Auto-saves with the same debounce as the Justification field.

Conformity for evidence (Audit mode only) — Per-evidence conformity verdict: Conform, Minor, Major, or Cannot Be Assessed.

How this connects to the rest of DPMS

The Frameworks screen does not exist in isolation — it is the assessment engine that powers several other parts of DPMS:

  • Dashboards and compliance widgets read the implementation and conformity data you record here. Until you assess controls on this screen, those widgets show no meaningful data.
  • Risk register — you can link risks directly to individual controls (in the "Linked Mitigated Risks" field) to demonstrate that a risk is mitigated by a specific control. The risk record in turn shows which controls it is linked to.
  • Policies & Documents, Tasks, and TOMs registers — evidence you attach here links back to those registers, creating a traceable chain between your policies, operational tasks, technical measures, and the framework controls they support.
  • Asset register — the Linked Assets tab (visible in the Element Menu) lets you associate assets with the framework, giving you a view of which assets are in scope for the standard.
  • Sharing / User Management — the three-dot menu's Sharing option and the Responsible Person field connect this screen to DPMS's access control and user management areas.

After completing your initial assessment on this screen, the natural next steps are: review the Overview widget to identify gaps, visit the Risk register to link unmitigated risks, and run the Excel export to share progress with stakeholders or your external auditor.

Tips & common pitfalls

Heads up: There is no Save button for control details. Every dropdown selection saves the moment you make it; text areas save one second after you stop typing. If you type something incorrect, correct it immediately — you can verify what was actually saved by clicking the Log button inside the control.
Tip: Use the previous and next arrows in the breadcrumb to step through framework records one by one during a bulk review session. This is faster than going back to the index list each time.
  • Switching standards clears your filters. If you have used the search bar to narrow the control list, switching to a different standard in the dropdown will reset those filters. Re-enter your search terms after switching.
  • The Export button requires a fully loaded standard. Click Export only after the controls list has finished loading. If the standard has just been switched, wait a moment before exporting.
  • Concurrent editing shows a warning toast. If a colleague saves a change to the same control at the same moment as you, DPMS will block your save and show a notification. Close and re-open the control row to load the latest state, then re-enter your changes.
  • The Overview widget shows "No data" bars until controls are assessed. This is normal for a freshly imported standard. Start working through controls and the bars will populate automatically.
  • Language alerts are informational only. A yellow banner means the standard has no translation in your current language. You can still complete a full assessment — the controls appear in their original language.

