Compliance Features

Overview

Openlane Console provides a complete compliance management system with five core modules: Controls, Policies, Procedures, Risks, and Evidence. These modules work together to help organizations achieve and maintain compliance across multiple frameworks.

All compliance features are located in the /app/(protected) directory and share common patterns for CRUD operations, filtering, and relationship mapping.

Controls

Security controls are the foundation of compliance programs. Controls represent security measures, safeguards, and processes that protect your organization.

Control Structure

Controls can be organized hierarchically:

Control (Parent)
├── Subcontrol 1
├── Subcontrol 2
└── Subcontrol 3
    ├── Control Objective 1
    └── Control Objective 2

Control Management

Access controls at /controls:

// apps/console/src/app/(protected)/controls/page.tsx
const Page: React.FC = () => {
  return <ControlSwitcher />
}

View Controls
Create Control
Subcontrols
Control Objectives

The Control Switcher provides multiple views:

List View: Tabular display of all controls
Tree View: Hierarchical visualization
Framework View: Grouped by compliance framework
Status View: Filtered by implementation status

Controls can be filtered by:

Framework (SOC 2, ISO 27001, HIPAA, etc.)
Status (Not Started, In Progress, Implemented, Verified)
Owner/Assignee
Tags and categories

Navigate to /controls/create-control to create a new control:

Basic Information

Control name (e.g., “Access Control”)
Control ID/Reference (e.g., “CC6.1”)
Description
Category/Family

Control Details

Control type (Preventive, Detective, Corrective)
Implementation status
Owner and assignees
Due date
Priority level

Framework Mapping

Map control to compliance frameworks:

SOC 2 Trust Service Criteria
ISO 27001 Annex A controls
NIST CSF categories
Custom frameworks

Evidence Requirements

Define what evidence is needed:

Evidence type (screenshots, logs, policies)
Collection frequency
Acceptance criteria

Create subcontrols for complex controls:

// Navigate to parent control
/controls/{parentId}/create-subcontrol

Use Cases for Subcontrols:

Break down complex controls into manageable pieces
Assign different aspects to different owners
Track implementation progress granularly
Map to multiple framework requirements

Define specific objectives for controls:

/controls/{controlId}/control-objectives

Example objectives for Access Control:

“Ensure only authorized users access systems”
“Implement least privilege access”
“Review access rights quarterly”
“Disable inactive accounts within 30 days”

Control Implementation

Track control implementation at /controls/{id}/control-implementation:

Implementation Phases

Design: Define how the control will be implemented
Build: Implement technical/process controls
Test: Validate control effectiveness
Operate: Put control into production
Monitor: Ongoing effectiveness monitoring

Implementation Evidence

Document implementation with:

Configuration screenshots
Policy documents
Procedure documentation
Training materials
Test results

Control Testing

Regular testing validates effectiveness:

Frequency: Monthly, quarterly, or annually
Test Procedures: Step-by-step validation
Sample Selection: Items to test
Expected Results: Pass/fail criteria
Actual Results: Test outcomes

Control Mapping

Map controls to frameworks at /controls/{id}/map-control:

// Map a control to multiple frameworks
const mappedFrameworks = [
  { framework: 'SOC 2', criteria: 'CC6.1' },
  { framework: 'ISO 27001', control: 'A.9.2.1' },
  { framework: 'NIST CSF', category: 'PR.AC-1' },
]

Edit mappings at /controls/{id}/edit-map-control.

Clone Controls

Duplicate existing controls at /controls/{id}/clone-control:

Copy control structure and objectives
Maintain framework mappings
Reset implementation status
Assign to new owner

Cloning is useful for:

Creating similar controls for different systems
Reusing control templates
Standardizing across departments

Policies

Internal policies document organizational rules and requirements.

Policy Management

Access policies at /policies:

// apps/console/src/app/(protected)/policies/page.tsx
const Page: React.FC = () => {
  return <PolicySwitcher />
}

Create Policy
Policy Lifecycle
Version Control
Policy Relationships

Navigate to /policies/create to create a policy:

Policy Name: e.g., “Information Security Policy”
Policy Number: Document control number
Version: Version tracking (1.0, 2.0, etc.)
Owner: Policy owner/sponsor
Approver: Who must approve changes
Review Schedule: How often to review
Effective Date: When policy takes effect
Content: Full policy text (supports Markdown)

Policy Templates

Common policy templates:

Information Security Policy
Acceptable Use Policy
Access Control Policy
Data Classification Policy
Incident Response Policy
Business Continuity Policy
Vendor Management Policy
Privacy Policy

Procedures

Procedures provide step-by-step instructions for implementing policies and controls.

Procedure Management

Access procedures at /procedures:

// apps/console/src/app/(protected)/procedures/page.tsx
const Page: React.FC = () => {
  return (
    <>
      <PageHeading heading="Procedures" />
      <ProceduresTable />
    </>
  )
}

Create Procedure
Procedure Format
Execution Tracking

Navigate to /procedures/create:

Title: e.g., “User Provisioning Procedure”
Procedure ID: Reference number
Related Policy: Link to governing policy
Owner: Procedure owner
Frequency: How often executed (daily, monthly, etc.)
Steps: Detailed step-by-step instructions
Roles: Who performs each step
Tools: Systems/tools used
Evidence: What evidence is generated

Procedures support rich formatting:

## Purpose
This procedure defines the process for provisioning new user accounts.

## Scope
Applies to all new employees and contractors.

## Procedure Steps

### 1. Request Submission
- Manager submits access request ticket
- Include: user name, role, start date, required systems

### 2. Approval
- IT Security reviews request
- Verifies appropriate access for role
- Approves or denies within 24 hours

### 3. Account Creation
- IT provisions accounts in required systems
- Assigns appropriate group memberships
- Sends credentials via secure channel

### 4. Documentation
- Log provisioning in access management system
- Attach approval to ticket
- Close ticket

Risks

Risk management identifies, assesses, and mitigates organizational risks.

Risk Management

Access risks at /risks:

// apps/console/src/app/(protected)/risks/page.tsx
const RisksPage: React.FC = () => <RiskTable />

Create Risk
Risk Register
Risk Monitoring
Risk Relationships

Navigate to /risks/create:

Risk Identification

Risk title/description
Risk category (Security, Privacy, Operational, etc.)
Risk source (Internal, External, Third-party)
Affected assets/systems

Risk Assessment

Likelihood (1-5):

1: Rare (< 10% probability)
2: Unlikely (10-30%)
3: Possible (30-50%)
4: Likely (50-70%)
5: Almost Certain (> 70%)

Impact (1-5):

1: Negligible
2: Minor
3: Moderate
4: Major
5: Catastrophic

Risk Score = Likelihood × Impact (1-25)

Risk Treatment

Choose treatment strategy:

Mitigate: Implement controls to reduce risk
Accept: Accept the risk (document justification)
Transfer: Transfer to third party (insurance, outsourcing)
Avoid: Eliminate the risk source

Mitigation Plan

For mitigated risks:

Mitigation controls to implement
Target completion date
Responsible party
Residual risk score

The risk register displays:

Risk	Category	Inherent Risk	Residual Risk	Status	Owner
Data breach via stolen credentials	Security	20 (High)	8 (Medium)	Mitigating	CISO
Ransomware attack	Security	25 (Critical)	10 (Medium)	Mitigating	IT Director
Third-party vendor breach	Security	15 (High)	6 (Low)	Mitigated	Vendor Manager

Color coding:

Critical (20-25): Red
High (15-19): Orange
Medium (8-14): Yellow
Low (1-7): Green

Risk Heat Map

Visualize risk portfolio:

         Impact →
      1    2    3    4    5
L  1  ░    ░    ░    ▒    ▒
i  2  ░    ▒    ▒    ▒    ▓
k  3  ░    ▒    ▒    ▓    ▓
e  4  ▒    ▒    ▓    ▓    █
l  5  ▒    ▓    ▓    █    █
i
h
o
o
d
↓

░ = Low (1-7)
▒ = Medium (8-14)  
▓ = High (15-19)
█ = Critical (20-25)

Evidence

Evidence collection provides proof of control effectiveness and compliance.

Evidence Management

Access evidence at /evidence:

// apps/console/src/app/(protected)/evidence/page.tsx
const Page: React.FC = () => <EvidenceDetailsPage />

Upload Evidence
Evidence Repository
Evidence Review
Automated Collection

Navigate to /evidence/create to upload evidence:

Select Evidence Type

Screenshots
Log files
Reports (PDF, DOCX)
Configuration exports
Audit reports
Training certificates
Meeting minutes

Upload Files

// React Dropzone for file uploads
<Dropzone
  onDrop={handleFileDrop}
  accept={{
    'image/*': ['.png', '.jpg', '.jpeg'],
    'application/pdf': ['.pdf'],
    'text/*': ['.txt', '.log'],
  }}
/>

Files are uploaded to Cloudflare R2:

// next.config.mjs
images: {
  remotePatterns: [
    {
      protocol: 'https',
      hostname: '*.r2.cloudflarestorage.com',
    },
  ],
}

Associate Evidence

Link evidence to:

Specific controls
Test procedures
Compliance frameworks
Audit requests
Risks (as proof of mitigation)

Add Metadata

Evidence date (when it was created)
Collection date (when uploaded)
Validity period (how long it’s valid)
Description/notes
Tags for organization

Evidence Viewing

The Console supports viewing various file types:

Images: Inline image viewer with zoom
PDFs: Embedded PDF viewer using react-pdf
Text/Logs: Syntax-highlighted text viewer
Documents: Download for external viewing

Cross-Module Relationships

All compliance modules are interconnected:

Framework → Controls

Frameworks define required controls:

SOC 2 requires CC6.1 (logical access controls)
ISO 27001 requires A.9.2.1 (user registration)

Controls → Policies

Controls implement policies:

Access Control policy implemented by authentication control

Policies → Procedures

Procedures operationalize policies:

Access Control policy executed via User Provisioning procedure

Controls → Risks

Controls mitigate risks:

MFA control mitigates credential theft risk

Controls → Evidence

Evidence proves control effectiveness:

Screenshot of MFA configuration
Report of MFA adoption rate

Next Steps

Dashboard

Monitor compliance status

Organizations

Manage multi-organization compliance

Automation

Automate assessments and tasks

API Reference

Integrate compliance data

Getting Started

Console

Component Library

Architecture

Development

Overview

Controls

Control Structure

Control Management

Control Implementation

Control Mapping

Clone Controls

Policies

Policy Management

Policy Templates

Procedures

Procedure Management

Risks

Risk Management

Risk Heat Map

Evidence

Evidence Management

Evidence Viewing

Cross-Module Relationships

Next Steps

Dashboard

Organizations

Automation

API Reference

Build docs developers (and LLMs) love

Getting Started

Console

Component Library

Architecture

Development

​Overview

​Controls

​Control Structure

​Control Management

​Control Implementation

​Control Mapping

​Clone Controls

​Policies

​Policy Management

​Policy Templates

​Procedures

​Procedure Management

​Risks

​Risk Management

​Risk Heat Map

​Evidence

​Evidence Management

​Evidence Viewing

​Cross-Module Relationships

​Next Steps

Dashboard

Organizations

Automation

API Reference

Build docs developers (and LLMs) love

Overview

Controls

Control Structure

Control Management

Control Implementation

Control Mapping

Clone Controls

Policies

Policy Management

Policy Templates

Procedures

Procedure Management

Risks

Risk Management

Risk Heat Map

Evidence

Evidence Management

Evidence Viewing

Cross-Module Relationships

Next Steps