Controls are the foundation of your compliance program in SecurAtlas. This page explains how the unified control library is organized, what each control status means, how severity and maturity affect your risk score, and how controls connect to compliance frameworks.
The unified control library
SecurAtlas provides a library of 64 security controls drawn from the baseline deployment profile. Every organization works from the same library regardless of which compliance frameworks you have selected. This unified model means you implement a control once and it can satisfy requirements across multiple frameworks simultaneously — no duplication, no conflicting guidance.
Controls are grouped into categories that reflect the major domains of a security program:
- Access Control — identity, authentication, authorization, and privilege management
- Incident Response — detection, escalation, and recovery procedures
- Data Protection — encryption, data classification, and handling requirements
- Asset Management — inventory, lifecycle, and configuration of systems and devices
- Additional categories covering areas such as vulnerability management, business continuity, and third-party risk
Each control has a unique control_key (for example, AC-1), a descriptive title, and a category assignment.
Control statuses
Every control has one of four statuses:
| Status | Meaning |
|---|---|
| not_started | You have not begun implementing this control |
| in_progress | Implementation is underway but not yet complete |
| implemented | The control is fully in place |
| not_applicable | The control does not apply to your organization |
Controls marked not_applicable are excluded from your score calculation. All other statuses contribute to your overall posture, with implemented controls receiving the most favorable weighting.
Severity scale
Each control has a severity rating from 1 to 5, indicating how critical it is to your security program:
| Severity | Description |
|---|---|
| 1 | Low impact — supplementary or best-practice control |
| 2 | Minor impact — useful but not foundational |
| 3 | Moderate impact — meaningful contribution to posture |
| 4 | High impact — significant protection against common threats |
| 5 | Required — foundational control; must be implemented |
Severity 5 controls are required controls. Marking them as implemented is not enough — they receive no credit toward your compliance score until supporting evidence has been uploaded and validated. Self-attestation alone is insufficient for required controls.
Maturity scale
Each control has a maturity rating from 1 to 5 that reflects how consistently and thoroughly the control is implemented:
| Maturity level | Description |
|---|---|
| 1 | Initial — ad hoc, undocumented |
| 2 | Developing — some documentation or process exists |
| 3 | Defined — documented and consistently followed |
| 4 | Managed — measured, monitored, and reviewed |
| 5 | Optimizing — continuously improved and formally tested |
Higher maturity amplifies a control’s contribution to your risk score. A control at maturity level 1 contributes far less than the same control at maturity level 4 or 5, even if both are marked implemented.
SecurAtlas also calculates an effective maturity for each control. This is a computed value that adjusts the stated maturity downward when evidence quality is low. If your evidence does not strongly support the claimed implementation level, the effective maturity — and the corresponding score contribution — will be reduced.
Framework mappings
Each control in the library maps to one or more requirements across the compliance frameworks you have activated. A single control can satisfy requirements from ISO 27001, SOC 2, NIST CSF, and other frameworks at the same time. When you implement a control and attach evidence, all aligned framework requirements benefit from that work automatically.
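The following is an added worked example, not SecurAtlas code, that ties together the rules on this page: the four statuses (with not_applicable excluded from scoring), severity as a weight, the no-credit rule for severity 5 controls without validated evidence, effective maturity adjusted downward by evidence quality, and one control covering requirements in several frameworks. The status weights, the evidence-quality scale, the rule for computing effective maturity, and the percentage normalisation are assumptions chosen for illustration; the product's actual formula is not given on this page. Control keys, titles, and requirement identifiers in the sample data are constructed placeholders.

```python
"""Illustrative scoring model for a unified control library.

Added example, not SecurAtlas code. STATUS_WEIGHT, the effective-maturity
rule and the score normalisation are assumptions used to illustrate the
rules described on the page, not the product's published formula.
"""
from dataclasses import dataclass, field

STATUSES = {"not_started", "in_progress", "implemented", "not_applicable"}

# Assumed weights: the page only says implemented controls weigh most.
STATUS_WEIGHT = {"not_started": 0.0, "in_progress": 0.5, "implemented": 1.0}

REQUIRED_SEVERITY = 5  # severity-5 controls earn nothing without validated evidence


@dataclass
class Evidence:
    validated: bool   # reviewed and accepted, not merely uploaded
    quality: float    # assumed 0.0..1.0 evidence-quality score


@dataclass
class Control:
    control_key: str
    title: str
    category: str
    status: str
    severity: int                    # 1..5
    maturity: int                    # 1..5, as stated by the organisation
    evidence: list = field(default_factory=list)
    requirements: list = field(default_factory=list)  # mapped framework requirements

    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"{self.control_key}: unknown status {self.status!r}")
        if not 1 <= self.severity <= 5 or not 1 <= self.maturity <= 5:
            raise ValueError(f"{self.control_key}: severity and maturity must be 1..5")


def effective_maturity(control):
    """Stated maturity adjusted downward when evidence quality is low.

    Assumed rule: scale the stated maturity by the best evidence quality;
    a control with no evidence at all is treated as maturity 1.
    """
    if not control.evidence:
        return 1
    best_quality = max(e.quality for e in control.evidence)
    return max(1, round(control.maturity * best_quality))


def contribution(control):
    """Points a single control earns, or None when it is excluded from scoring."""
    if control.status == "not_applicable":
        return None
    # Required controls: self-attestation alone earns no credit.
    if control.severity == REQUIRED_SEVERITY and not any(e.validated for e in control.evidence):
        return 0.0
    return STATUS_WEIGHT[control.status] * control.severity * effective_maturity(control)


def risk_score(controls):
    """Overall posture as a percentage of the maximum achievable points."""
    scored = [c for c in controls if c.status != "not_applicable"]
    maximum = sum(c.severity * 5 for c in scored)  # all implemented at maturity 5
    earned = sum(contribution(c) for c in scored)
    return 100.0 * earned / maximum if maximum else 0.0


def requirements_covered(controls):
    """Map each framework requirement to the controls currently earning credit for it."""
    covered = {}
    for c in controls:
        if c.status == "implemented" and (contribution(c) or 0) > 0:
            for req in c.requirements:
                covered.setdefault(req, []).append(c.control_key)
    return covered


# Constructed sample data; keys, titles and requirement ids are placeholders.
SAMPLE_CONTROLS = [
    Control("AC-1", "Access control policy", "Access Control", "implemented", 5, 4,
            [Evidence(validated=True, quality=0.9)], ["ISO27001:req-1", "SOC2:req-7"]),
    Control("AC-2", "Privileged access review", "Access Control", "implemented", 5, 3,
            [Evidence(validated=False, quality=0.8)], ["SOC2:req-8"]),
    Control("IR-1", "Incident escalation procedure", "Incident Response", "in_progress", 3, 2,
            [], ["NISTCSF:req-3"]),
    Control("DP-1", "Encryption at rest", "Data Protection", "implemented", 4, 5,
            [Evidence(validated=True, quality=0.6)], ["ISO27001:req-1", "NISTCSF:req-5"]),
    Control("AM-1", "Mobile device inventory", "Asset Management", "not_applicable", 2, 1),
]

if __name__ == "__main__":
    for c in SAMPLE_CONTROLS:
        print(f"{c.control_key:6} effective_maturity={effective_maturity(c)} points={contribution(c)}")
    print(f"risk score: {risk_score(SAMPLE_CONTROLS):.1f}%")
    print("requirements covered:", requirements_covered(SAMPLE_CONTROLS))
```

Running the sample shows the three behaviours the page describes: AC-2 is marked implemented but earns zero points because its evidence was never validated, DP-1's stated maturity of 5 drops to an effective 3 because its evidence quality is low, and AM-1 is left out of both the numerator and the denominator. ISO27001:req-1 is covered by two controls, which is the many-to-many mapping the Framework mappings section describes.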
For more on how frameworks use these mappings, see Compliance Frameworks.