The Progress Percentage and Control Effectiveness scores are determined automatically. They are based on how far your organization has progressed in evaluating, assessing, and implementing required controls. It also reflects how effective the controls implemented by your organization are to achieve a requirement. It is calculated off on your question responses and the types of Accountability Mechanisms submitted as evidence to demonstrate compliance.
Across several standards, common controls are applied and shared. Each time you respond to a specific question, add an accountability mechanism or complete a task, the progress percentage and control effectiveness score of other standards may change. You will begin to see how the work done to comply with one law or standard is applicable to other laws and standards.
Calculating Control Effectiveness
TrustArc uses a 0-5 scale to measure control effectiveness. The scale itself cannot be customized. However, the targets set by customers can be configured to meet compliance goals, as outlined on the Privacy Journey Roadmap page. This allows for quantitative and aggregate analysis of the impact of relevant controls and associated safeguards on mitigating risks.
80% or 4 is the target for demonstration of control effectiveness. The basis is the control evaluation by a response to an assessment question or task completion. Both should be accompanied by valid supporting documents. TrustArc uses a control evaluation/assessment model to determine and measure control effectiveness, resulting in TrustArc’s standard control effectiveness target of 80%. This means that your organization is able to provide evidence. It also implies that your organization has adopted, documented, and implemented the controls across the department, business unit, or organization.
100% control effectiveness or a 5 is achieved if controls are tested and verified to be in place by an independent auditor or another independent reviewer, such as in the context of an assurance or certification program. Examples of testing include situations in which someone actually tests the control and process:
- during a financial audit
- SOC 2
- Certification to ISO 27001
- APEC accreditation