Turn evidence into defensible control assessments.

Your controls, understood.

Select frameworks, bring in evidence, and let Control+S map artifacts to controls with rationale, maturity scores, gaps, recommendations, and exportable deliverables.

Evidence
acceptable-use-policy.pdf
Policy document
aws-iam-roles.json
Admin access review
okta-mfa-export.csv
MFA enrollment
Control+S
Frameworks
SOC 2
ISO 27001
CIS Controls

For consultants, vCISO teams, and internal GRC teams running CIS, ISO 27001, SOC 2, NIST, CPCSC, TPN, and more.

Multi-framework coverage, built in

CIS Controls v8.1.2 · ISO/IEC 27001:2022 · SOC 2 · NIST CSF v2.0 · NIST SP 800-53 · NIST SP 800-171 · MPA / TPN · PCI DSS 4.0 · CMMC 2.0 · CPCSC · FedRAMP · DORA · NIS 2 · GDPR

For consulting & vCISO teams

More margin on every fixed-scope assessment.

Consulting and vCISO teams price assessments around expert time. Control+S handles the first-pass evidence mapping, scoring, and rationale, so your team spends fewer hours reaching the same defensible outcome, and expert time moves out of repetitive interpretation and back into review, judgment, and client advisory.

A fixed-scope engagement

Manual interpretation
Margin retained

Same client outcome, fewer delivery hours

Scope

Start with what is actually in scope.

Pick the frameworks and systems in play, then narrow to the control families that matter. Action, scope, strength, and exceptions are captured as structured parameters, not loose prose.

Project · Scoping
ISO 27001 · ISO/IEC 27001:2022 · Scope complete
Scope · Parameters · Controls
Identity & Access Management · 14 controls · In scope
Cryptography · 8 controls · In scope
Logging & Monitoring · 11 controls · In scope
Physical & Environmental · 9 controls · Out of scope
33 of 42 controls in scope · Save & continue

Close the gaps

Know exactly what to request.

Control+S turns the frameworks in scope into a prioritized intake plan: the evidence to request from the client, an example artifact for each, and the controls every item would cover. Less back-and-forth, fewer wasted hours.

Coverage · Intake plan

Intake plan

Evidence to request from the client, prioritized

Generate plan
High · Asset inventory export with classification tags · 7 controls

Example artifact

asset-register-2026.xlsx

Controls addressed (3)

CIS v8: 1.1 · ISO 27001: A.5.9 · SOC 2: CC6.1
High · MFA enrollment report for privileged accounts · 5 controls
Med · Backup restoration test results, last quarter · 4 controls
Low · Endpoint protection coverage report · 2 controls

Evidence

Upload evidence once.

Evidence lives at the workspace level, tagged by source and type. A single upload maps across every framework project in scope, so you never re-collect the same artifact for each audit.

Workspace · Evidence

Drop evidence to upload

Uploaded once, mapped across every framework

File · Linked controls · Status
okta-mfa-export.csv · #mfa #identity · File upload · 4 fw · 12 ctrl · Mapped
access-review-q1.pdf · #access #review · File upload · 3 fw · 7 ctrl · Mapped
branch-protection.png · #sdlc · File upload · 2 fw · 4 ctrl · Analyzing

Reconciliation

From files to control-level judgment.

Control+S reconciles your evidence against each requirement, producing a maturity score, the evidence it cited, written rationale, and the gaps that still need closing.

Control · Assessment
CIS v8 · 6.7 · Centralize Access Control
Maturity: 4 · Managed · Automated: 4 · Last evaluated 2 days ago
Rationale

Access centrally managed through Okta with enforced MFA; quarterly access reviews evidenced for employee accounts.

Cited evidence
okta-mfa-export.csv · access-review-q1.pdf
Identified gaps
  • No evidence of MFA enforcement for service accounts
  • Quarterly review cadence not documented for contractors

Posture

Move from files to an assessment matrix.

A live control matrix rolls every score into category and framework views, with completion tracking and filters, so you always know exactly where the assessment stands.

Project · Control overview
CIS v8 · Control progress
Avg maturity 4.0
41 controls at 4+

96% complete · 54 of 56 assessed

Initial
Optimizing

Judgment

The assessor stays in control.

Every automated score is a starting point. Override it, leave a reviewer note, set priority, and reanalyze as new evidence lands. The final score is always a human decision.

Control · Review
ISO 27001 · A.8.2 · Privileged Access Rights · High
Automated: 3
Final: 4
Manual override · Reset to automated
J. Doe · Lead auditor
Observation

JIT elevation now enforced for admin access; break-glass events logged to the SIEM and reviewed weekly.

Observation recorded · reanalyzing the automated score…

Share

Share a client-safe view.

Send a framework-scoped, password-protected, expiring snapshot, or invite an auditor to challenge and accept controls directly. The rest of your workspace stays private.

Share · Customer glimpse

Shareable link

controls.run/s/3f9a2c8e · Copy
SOC 2 only · Password · Expires in 14 days
Client preview · Read-only
Compliance snapshot · Acme Corp · SOC 2
Access Control · 4/5 · 12 / 12
Data Protection · 4/5 · 9 / 10
Logging & Monitoring · 3/5 · 8 / 11

Deliver

Turn the assessment into deliverables.

Generate Word reports that capture the current state of the assessment, scoped per framework, ready to hand to the client when the cycle closes.

Deliverables · Reports

Reports

Word documents of the current assessment

Generate report
Document · Generated

SOC 2 Readiness Assessment · SOC 2 · 1.4 MB · 2 days ago

ISO 27001 Gap Report · ISO 27001 · 0.9 MB · 5 days ago

CIS v8 Maturity Summary · CIS v8 · Just now

The work, mostly done. The judgment, yours.

~80%

of the assessment drafted before you review

100%

of scores cite the evidence behind them

You

make the final call on every control

Help shape Control+S.

The full assessment flow is live and in active development. We work with a small group of consulting, vCISO, and GRC teams to shape how each feature works against real engagements. Join them, and help build the tool your own team actually wants to use.

Running a larger program? .