Mapping Explained: Mapping Authorities to Control Sets to Assessments

You are here:
← All Topics

Authorities (Standards, Laws and Regulations – think external references), Internal Control Sets (Policies and Control Frameworks – think internal references) and Assessments are the three main content types available within the 6clicks platform.


Authorities refer to any external reference document, i.e. standards, laws and regulations that are applicable to an organisation. Authorities are made up of Provisions, which are individual statements. 6clicks manages all Authority Documents in the system.

PLEASE NOTE: Authorities can be requested to be ingested onto the 6clicks platform – contact Louis at [email protected] to request additional Authority Documents.

A typical Provision looks like this:

Sample NIST 800-53 r4 provision document in 6clicks

Internal Control Sets

Internal Control Sets refer to an organisation’s internal reference document (think company policy) and are made up of Controls, which represent individual statements. Policies act as internal guidelines and are based directly on a single Authority or multiple Authorities that apply to an organisation.

A typical control looks like this:

Sample CAIQ control in 6clicks


Assessments refer to a set of questions separated into categories, or as we call them Question Domains. A typical assessment is made up of questions. An Assessment can be designed to assess against an Authority or Internal Control Set or could simply be a maturity assessment.

Accessing this content within 6clicks

You can access all three modules via the left-hand navigation menu.

Understanding how these areas relate

The power of 6clicks lies in its flexibility. When designing an Assessment, the Questions that make up the assessment can be associated (mapped) to either Controls (making up an Internal Controls Set) or Provisions (making up an Authority). Alternatively, no associations (mapping) are required, and the Assessment can be independent of any Authority or Control Set.

6clicks is also designed to allow Teams to associate (map) Provisions to Controls. This allows Teams to create Internal Control Sets (think internal company policies or guidance) based on external Authorities (standards, laws and regulations).

The associations/mappings are enabled by the 6clicks Mapper, which provides transparency for teams to ensure relevant compliance obligations are fulfilled and internal control sets and/or assessments are employed, managed and updated appropriately.

Sourcing starting content from the Marketplace

Authorities, Internal Control Sets and Assessments can all be downloaded as in-app content within the Marketplace module. Within the Marketplace, these items can be published as standalone items or as packages with associations (mappings) included.

To get our users started, we have added an assortment of publicly available marketplace content (such as NIST, PCI DSS, ISO 27001), as well as licensed best-practice guidance from industry-leading organisations (including Cloud Security Alliance, Shared Information Gathering and Center for Internet Security).

To get started with the Marketplace, read this article.