Living Control Set Glossary
Key terms used across the Living Control Set feature and related articles.
A
Aligned Control
A control that has been linked to another similar control that performs the same or similar function and produces comparable evidence. Aligned controls are managed independently and each one maintains its own notes, status, and evidence.
Assessment Objective (AO)
A specific, verifiable statement used to determine whether a control has been fully implemented. Each control in the LCS can have one or more AOs that define what evidence or action is required to meet it. Also referred to as a Parameter in the CRT.
B
Baseline
The initial state of any engagement: either the first Living Control Set (LCS) or the first framework overlay that establishes the organization’s starting maturity and compliance position.
Baseline Controls
The foundational set of controls established during the initial engagement. These form either the first Living Control Set or the controls specific to a single framework overlay.
C
Class
A category used to group controls within the Master Control Library based on a specific compliance framework or security domain. When building or expanding a Living Control Set, classes are used to filter and select the applicable controls.
Compensating Control
A control used to cover a deficiency where a specific framework control cannot be met as defined. A compensating control provides the required coverage in its place and requires documentation, notes, and an approved waiver for a specified period of time.
Compliance Admin
The entitlement required for a user to access the Living Control Set. Users with the Compliance Admin entitlement will see the LCS icon on their dashboard, which serves as the entry point for creating or viewing the Living Control Set.
Conformity Analysis
The process of comparing an organization's Living Control Set against a defined compliance framework to identify gaps, overlaps, and areas for improvement. A Conformity Analysis is performed within a Conformity Engagement.
Conformity Assessment
An assessment that validates whether an organization's controls meet the requirements of a specific compliance framework. Control details are inherited from the Living Control Set rather than entered independently.
Conformity Engagement
An engagement created to compare an organization's Living Control Set against the requirements of a specific regulatory or compliance framework such as CMMC, HIPAA, or PCI. A Conformity Engagement surfaces deltas between the LCS and the framework and supports framework-specific assessments without duplicating work.
Control
A term used in the CRT interface that refers to individual safeguards that make up the Living Control Set and can be filtered, selected, and assessed within the platform.
Controls
Technical, administrative, or physical safeguards implemented to improve the organization’s security, compliance, and resilience posture. Controls include policies, procedures, standards, guidelines, practices, and technologies used to manage risk and demonstrate compliance.
CRT (Cyturus CRT)
The Cyturus Cyber Resilience Tracker. The platform that enables organizations to assess, manage, and mature their cybersecurity, compliance, and resilience posture through integrated modules including assessment management, policy management, risk tracking, and maturity management.
D
Delta
The difference between the controls in a Conformity Assessment and the controls in your Living Control Set. Specifically, the delta represents the controls that exist in the Conformity Assessment but are not yet part of your LCS. These are surfaced automatically when a Conformity Engagement is created and can be merged into the LCS as a new iteration of the LCS engagement.
Discretionary Security Requirements (DSR)
Controls selected for the Living Control Set based on an organization's specific risks, threats, and security goals beyond what is strictly required by law or regulation. DSRs represent the organization's intentional security posture above the compliance floor.
Domain
A logical grouping of related controls that share a common security objective or area of focus. Domains provide structure for organizing controls and policies within the Living Control Set and are used as a filter in the LCS Dashboard.
Domain Objective
A measurable milestone within a domain that indicates progress toward maturity and effective control implementation.
E
Enhanced Virtual Examination (EVE)
The AI engine in the CRT that analyzes uploaded policies, procedures, and other organizational documentation to identify relevant controls and Assessment Objectives in the Master Control Library. EVE can be used to generate an initial Living Control Set based on the organization's existing documentation.
I
Iteration
A point-in-time version of an assessment within an engagement. Each iteration captures the state of controls at the time it was created. The LCS Dashboard always reflects the most recent iteration. When delta controls are merged from a Conformity Assessment, the system creates a new iteration of the LCS engagement rather than modifying the existing one.
L
Living Control Set (LCS)
An organization's central, active set of controls in the CRT. The LCS defines the controls the organization implements and operates against to manage security, compliance, and risk. It is built from the Master Control Library and evolves as the organization's requirements change. A client can only have one Living Control Set.
LCS Engagement
The engagement record in the CRT that contains the Living Control Set. It appears in the Engagement List in bold and serves as the foundation from which Conformity Engagements are created.
M
Master Control Library (MCL)
The complete catalog of cybersecurity and data protection controls available in the CRT. The Living Control Set is an organization-specific subset drawn from the MCL. An MCL must be configured before a Living Control Set can be created.
Minimum Compliance Requirements (MCR)
The controls required to meet an organization's legal, regulatory, or contractual obligations. MCRs form the compliance floor of the Living Control Set: the minimum defensible baseline the organization must maintain.
Minimum Security Requirements (MSR)
The combination of Minimum Compliance Requirements (MCR) and Discretionary Security Requirements (DSR). Together, the MSR represents the organization's full defensible baseline of controls, covering both what is legally or contractually required and what the organization has chosen to implement based on its own risk and security goals.
O
OSA / OSC
Organization Seeking Assessment or Organization Seeking Certification. Refers to an organization undergoing an assessment or certification process that has not yet completed formal third-party validation. The terms are used interchangeably depending on context.
P
Parameter
A term formerly used in the CRT interface that refers to an Assessment Objective (AO). Parameters represent the individual verifiable actions or evidence requirements tied to a control. See Assessment Objective (AO).
Practice
A term formerly used in the CRT interface that refers to a control. Practices are the individual safeguards that make up the Living Control Set and can be filtered, selected, and assessed within the platform. See Control.
R
Reusable Evidence
Evidence that has been uploaded for one control and can be linked to other controls, assessments, or engagements without being duplicated. When the original evidence is updated, users associated with linked copies are notified and can choose whether to accept the update or keep their current version.
S
SCF (Secure Controls Framework)
The master reference library of cybersecurity and privacy controls that serves as the foundation for the Master Control Library (MCL) and all Cyturus assessments. The SCF provides the baseline taxonomy from which Living Control Sets are built.
Security Principles
A set of guiding values defined within the SCF that represent core security priorities such as data protection or access management. When creating a Living Control Set, users can select one or more Security Principles, and the controls associated with those principles are automatically included in the LCS.
Standalone Engagement
A standard engagement created independently of the Living Control Set. When a client has an LCS enabled, users are prompted to choose between creating a Conformity Engagement or a Standalone Engagement when generating a new engagement.
Synched Control
When a Control is Synched, the Sub Control inherits the supporting data (notes, summary, evidence, action, status, etc.) from the Master synched Control. This enables an Organizational LCS Control to be the master control from which each entity receives the Control details. This can be configured between a single Master Control and many Sub Controls across different entities.
T
Threading
The mechanism in the CRT that connects controls, assessment objectives, evidence, frameworks, and risks so that work performed in one area is automatically reflected everywhere it applies. Threading allows a single control to satisfy requirements across multiple frameworks simultaneously and ensures that updates, evidence, and status changes propagate consistently across the system.
W
Work Effort Actions (WEA)
The specific tasks or activities required to complete an Assessment Objective. WEAs translate control requirements into actionable work items for implementation and evidence collection.