What Are Linked Sub-Controls?
Think of linked sub-controls like shared reference materials in a compliance program.
Imagine you’re managing compliance for a company, and you have a detailed security policy document with all the evidence showing how it’s implemented. Now, this same security policy might be relevant for multiple different compliance requirements across different frameworks or sections.
Instead of having to upload the same documents and write the same implementation notes multiple times, linked sub-controls let you create “shortcuts” that point to the original work. It’s like having multiple bookmarks that all point to the same comprehensive folder of documentation.
How It Works in Practice
The Traditional Problem
Before linked sub-controls, if you needed the same type of evidence for different compliance requirements, you had to:
- Upload the same documents multiple times
- Write similar implementation notes repeatedly
- Keep multiple copies of the same information in sync
- Waste time duplicating work across similar requirements
The Linked Sub-Control Solution
Now, when you encounter a compliance requirement that’s similar to something you’ve already addressed:
- Search and Find: You search for existing sub-controls that already have the evidence you need
- Create a Link: You create a new sub-control that “links” to the existing one with all the documentation
- Automatic Sharing: The new sub-control automatically displays all the evidence, documents, and implementation details from the original
- Independent Assessment: You can still assess this new requirement separately based on its specific context
Real-World Example
Let’s say you have:
- Original: A sub-control for “Password Policy Implementation” under your ISO 27001 framework
- Complete Evidence: Policy documents, training records, system screenshots, audit reports
Later, you’re working on SOC 2 compliance and encounter:
- New Requirement: “Access Control Procedures”, which needs very similar evidence
Instead of starting from scratch, you:
- Create a linked sub-control for the SOC 2 requirement
- Link it to your existing “Password Policy Implementation”
- Instantly have all the same evidence available
- Assess it independently for the SOC 2 context (maybe it fully meets SOC 2 but only partially meets ISO 27001)
Why Evidence Is Shared but Assessments Are Separate
This design reflects how compliance really works:
Evidence Should Be Shared Because:
- Same Reality: Your password policy is the same regardless of which framework asks about it
- Single Source of Truth: Updates to the policy document should be reflected everywhere it’s referenced
- Efficiency: Why upload the same 50-page policy document multiple times?
- Consistency: Ensures you’re not accidentally showing different versions of the same evidence
Assessments Should Be Independent Because:
- Different Context: The same evidence might fully satisfy one requirement but only partially satisfy another
- Auditor Perspective: Different auditors may view the same evidence differently
- Risk Levels: The same control might be high-risk in one framework but medium-risk in another
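The two properties described above (one shared body of evidence, one assessment per requirement) come down to a reference model: a linked sub-control stores a pointer to the original rather than a copy of its evidence, while its status is a field on its own record. The following Python model is an added illustration of that design, not code from the product or its documentation. The class names, the rule that a link always resolves to the root original, the rejection of links to unknown sub-controls, and the control identifiers and evidence names are all constructed for the example; it walks through the ISO 27001 / SOC 2 scenario from the Real-World Example section.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Evidence:
    """One artifact (policy document, screenshot, audit report). Sample data is constructed."""
    name: str
    version: int = 1


@dataclass
class SubControl:
    control_id: str
    framework: str
    title: str
    # Evidence lives only on an original sub-control; a linked one keeps this empty.
    evidence: List[Evidence] = field(default_factory=list)
    # For a linked sub-control, the id of the original it points to (assumed field name).
    linked_to: Optional[str] = None
    # The assessment is stored on each record and is never shared through the link.
    status: str = "not assessed"


class ControlRegistry:
    """Hypothetical in-memory registry; models the shared-evidence / separate-assessment split."""

    def __init__(self) -> None:
        self.controls: Dict[str, SubControl] = {}

    def add_original(self, control_id: str, framework: str, title: str,
                     evidence: List[Evidence]) -> SubControl:
        sc = SubControl(control_id, framework, title, list(evidence))
        self.controls[control_id] = sc
        return sc

    def add_link(self, control_id: str, framework: str, title: str,
                 linked_to: str) -> SubControl:
        # Refuse a link to a sub-control that does not exist (assumed check).
        if linked_to not in self.controls:
            raise KeyError(f"cannot link to unknown sub-control {linked_to!r}")
        # Always point at the root original, so links never chain through other links.
        root_id = self._root_id(linked_to)
        sc = SubControl(control_id, framework, title, linked_to=root_id)
        self.controls[control_id] = sc
        return sc

    def _root_id(self, control_id: str) -> str:
        sc = self.controls[control_id]
        return sc.linked_to if sc.linked_to is not None else control_id

    def evidence_for(self, control_id: str) -> List[Evidence]:
        """Resolve the link (if any) and return the single shared evidence list."""
        return self.controls[self._root_id(control_id)].evidence

    def add_evidence(self, control_id: str, item: Evidence) -> None:
        # Uploading through a linked sub-control still lands on the original's list.
        self.evidence_for(control_id).append(item)

    def assess(self, control_id: str, status: str) -> None:
        # The assessment stays on the record that was assessed.
        self.controls[control_id].status = status


def demo() -> dict:
    """Walk through the ISO 27001 / SOC 2 scenario with constructed identifiers."""
    reg = ControlRegistry()
    reg.add_original("ISO-PWD-1", "ISO 27001", "Password Policy Implementation",
                     [Evidence("Password policy"), Evidence("Training records")])
    reg.add_link("SOC2-AC-1", "SOC 2", "Access Control Procedures",
                 linked_to="ISO-PWD-1")
    # Single source of truth: a screenshot added on the original is visible via the link.
    reg.add_evidence("ISO-PWD-1", Evidence("System screenshots"))
    # Revising the policy document bumps the version on the one shared object.
    reg.evidence_for("SOC2-AC-1")[0].version = 2
    # Independent assessment: same evidence, different outcome per framework.
    reg.assess("ISO-PWD-1", "partially implemented")
    reg.assess("SOC2-AC-1", "fully implemented")
    return {
        "iso_evidence": [(e.name, e.version) for e in reg.evidence_for("ISO-PWD-1")],
        "soc2_evidence": [(e.name, e.version) for e in reg.evidence_for("SOC2-AC-1")],
        "iso_status": reg.controls["ISO-PWD-1"].status,
        "soc2_status": reg.controls["SOC2-AC-1"].status,
    }


if __name__ == "__main__":
    print(demo())
```

Because `evidence_for` returns the original's list object rather than a copy, every update made through either sub-control is seen by both, which is the "single source of truth" property; `status`, by contrast, is written only on the record named in `assess`, so the two frameworks end up with different results over identical evidence.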

The Key Benefits
1. Dramatic Time Savings
- No more re-uploading the same documents dozens of times
- No more rewriting similar implementation notes
- Set up comprehensive evidence once, reference it everywhere
2. Consistency and Accuracy
- Single source of truth for each piece of evidence
- When you update a document, it’s updated everywhere it’s linked
- Reduces errors from maintaining multiple copies
3. Better Compliance Coverage
- Easier to identify where existing work can satisfy new requirements
- Encourages thorough documentation since it can be reused
- Helps spot gaps where you truly need new evidence
4. Flexible Assessment
- Each compliance requirement can still be evaluated on its own merits
- Auditors can see the same evidence but make independent judgments
- Supports different risk levels and compliance statuses for the same underlying control
5. Scalability
- As your compliance program grows, the efficiency gains multiply
- New frameworks become easier to implement
- Reduces the overhead of maintaining multiple compliance standards
The Bottom Line
Linked sub-controls solve the fundamental tension in compliance management: you want to reuse work wherever possible (because evidence gathering is expensive and time-consuming), but you also need flexibility to assess the same evidence differently depending on the specific requirement and context.
It’s like having a comprehensive filing system where one well-organized folder can serve multiple purposes, but each use of that folder can still receive its own evaluation and status based on what’s needed in that specific situation.
This approach makes compliance programs more efficient, more consistent, and more maintainable as they scale across multiple frameworks and requirements.