Cowork Canvas
Workflows Mapping Book a Walkthrough
Book a Walkthrough

IT & Security Controls Workflows

Free, open-source IT and security controls workflow templates. Preview the steps, then import them directly into your CoworkCanvas instance.

All Internal Audit SOX Regulatory Controls
  • AI Operations Monitoring & Incident Response — Controls · 10 steps
    Operate the monthly review of the deployed AI estate: confirm automatic event logging and retention and work performance, anomaly, and drift alerts to closure; verify human-oversight staffing and intervention records; and screen AI uses against intended use and legal prohibitions. Triage reports from the AI concern channels, execute any required incident communications and regulator reporting within mandated timeframes, and retain all resolution records.
  • Audit Logging Coverage & Integrity Operations — Controls · 11 steps
    Operate the monthly cycle that verifies audit logging is enabled across systems, applications, and network components against the security-relevant event catalog, validates record content completeness and clock synchronization, and confirms log protection, tamper alerting, and retention against the documented schedule. The cycle produces a coverage matrix, clock-drift report, and retention and capacity attestation each month.
  • Authentication Platform & Session Policy Operations — Controls · 10 steps
    Monthly authentication-platform operating cycle: verify MFA enforcement and enrollment across remote, privileged, and sensitive-data access, confirm secure log-on and federation channels, defend against brute-force and anomalous logons, and enforce session lock, termination, and concurrent-session limits together with the system-use and last-logon notifications shown at every sign-in.
  • Authorized Software & Component Integrity Control — Controls · 11 steps
    Operate the monthly software-estate cycle: reconcile installed software against the approved catalog and allowlist, remove or escalate unauthorized installations, and confirm installation rights stay restricted to authorized personnel from trusted sources with usage tracked against license entitlements. For everything entering the estate, verify supplier trust and signature integrity before installation, blocking and investigating anything that fails.
  • Business Continuity & DR Test Exercise — Controls · 8 steps
    Plan and run a business continuity or disaster recovery exercise against RTO and RPO objectives, capture gaps, and update the plans.
  • Change & Release Management (CAB) — Controls · 12 steps
    Operate the weekly Change Advisory Board and the per-change pipeline for every application, database, infrastructure, configuration, and procedure change: request intake, security and risk impact analysis, environment segregation and configuration-baseline verification, acceptance testing, CAB authorization, and controlled deployment with rollback plans and post-implementation verification. Emergency changes follow the expedited path and are ratified at the next CAB, all under one evidence set.
  • Continuous Controls Monitoring (ISCM) Cycle — Controls · 13 steps
    Run recurring control monitoring by collecting metrics, comparing thresholds, triaging degradation, updating POA&M, reporting health, and tuning cadence.
  • Control Design — Controls · 11 steps
    Design a new control from objective definition through attribute specification, risk mapping, evidence and test approach definition, and final control record creation.
  • Controlled Hardware & System Maintenance — Controls · 11 steps
    Operate the maintenance desk that schedules, approves, documents, and reviews hardware and system maintenance, repair, and replacement per manufacturer and organizational requirements, sanitizing equipment before off-site work and verifying security controls after every completion. Control the maintenance tools, personnel, and nonlocal sessions that touch in-scope systems, from inspection and approved-personnel checks to authenticated, recorded, and terminated remote connections.
  • Cryptographic Key Management Review — Controls · 8 steps
    Periodic cryptographic hygiene review: inventory keys and certificates, verify custody and rotation, flag weak algorithms, and remediate.
  • CSF 2.0 Profile & Maturity Assessment — Controls · 17 steps
    Build a controls-scoped CSF Current Profile, Target Profile, Tier assessment, gap plan, and CISO-ready roadmap.
  • Cybersecurity Incident Response — Controls · 20 steps
    Operate the controls-scoped detect-to-respond loop from validation through containment, eradication, recovery, POA&M updates, and technical lessons learned.
  • Data Encryption & In-Use Protection Operations — Controls · 11 steps
    Operate the quarterly sweep of data stores and transmission paths against the encryption standard: at-rest encryption or tokenization with minimized retention, strong cryptography and trusted certificates on every open and external channel, and controlled transmission and removable-media movement, with CISO-approved compensating controls kept current where encryption is infeasible. The same cycle verifies data-in-use protections - field masking, process isolation, enclave configurations, identity-scoped access, and memory clearing - on high-sensitivity workloads.
  • Data Retention & Secure Disposal — Controls · 8 steps
    Enforce retention schedules each cycle: identify expired data, dispose of it verifiably, and protect and sanitize physical media with certificates of destruction.
  • Deception, Honeytoken & OPSEC Concealment Operations — Controls · 12 steps
    Run the standing detection-engineering deception cycle each quarter: deploy, verify, and reposition honeypot/honeynet decoys and honeyclient sandbox detonation ahead of user delivery, and seed, monitor, and test honeytoken, beacon, and watermark taint mechanisms across systems and datasets. In parallel, operate the OPSEC process that identifies critical operational information, analyzes adversary collection paths, and applies concealment and misdirection countermeasures on designated systems, handing any confirmed activation to incident response rather than duplicating containment.
  • Endpoint, Media & Information Handling Custody — Controls · 12 steps
    Operate the monthly endpoint, media, and information-handling custody desk: verify fleet endpoint safeguards and acceptable-use acknowledgments, review off-premises and external-system use, and keep unneeded ports, I/O devices, and sensors restricted. Run removable media end to end — authorization, classification-based storage, tracked movement, and verified sanitization or destruction with retained certificates — and maintain the information-transfer rulebook and agreements covering electronic, physical-courier, and verbal disclosure.
  • Environmental & Utility Systems Maintenance — Controls · 11 steps
    Run the monthly preventive-maintenance calendar that independently tests and maintains fire and water detection systems, environmental monitoring, emergency power and lighting, protected cabling, and electromagnetic shielding, producing the single maintenance-and-inspection log of test records, service tickets, and alarm-notification checks.
  • Equipment Maintenance, Movement & Marking Control — Controls · 11 steps
    Operate the recurring equipment control cycle: run maintenance to manufacturer specification with only authorized personnel and full activity/fault logging, and authorize, monitor, and track every asset delivery, removal, and movement through isolated loading areas. Apply the siting checklist and marking verification at installation or relocation, and tie maintenance, movement, and marking evidence together in the quarterly reconciliation.
  • Facility Access Administration & Monitoring — Controls · 12 steps
    Operate continuous facility-access administration: authorize, issue, and periodically review physical credentials, enforce entry controls and visitor escort/logging, and secure, rotate, and revoke keys, combinations, and badges on compromise, termination, or role change. Run the monthly review of surveillance, intrusion-detection output, physical access logs, and visitor records, investigate anomalies, and confirm data-center/protected-asset access and environmental safeguards with facilities.
  • Identity & Authenticator Lifecycle Administration — Controls · 12 steps
    Operate the standing identity desk: issue unique identifiers for every user, service, and device from the authoritative source, hold shared-identifier requests to documented approval with compensating controls, and run the monthly sweep that deactivates dormant identifiers and enforces non-reuse. Proof identities proportional to assurance level before binding credentials, then administer the authenticator lifecycle end to end: verified issuance with defaults changed and strength enforced, protected storage, transmission, and entry, embedded-credential checks, and scheduled rotation or compromise- and separation-triggered revocation.
  • Identity Assurance Review — Controls · 17 steps
    Review IAL, AAL, and FAL requirements against current identity proofing, authentication, and federation controls, then remediate and validate gaps.
  • Incident Reporting Channels & Spillage Response — Controls · 10 steps
    Operate the standing incident-reporting capability: run the monitored mailbox, hotline, and service portal with full acknowledgment and triage routing, execute the information-spillage response procedure end to end, and maintain reviewed contacts with authorities and special-interest groups.
  • Incident Response Readiness Program — Controls · 12 steps
    Operate the annual incident response readiness cycle: maintain the written incident response plan through designated-management approval and protected distribution to named responders, then deliver role-based IR training and run the scheduled capability test. Feed exercise and training gaps back into the plan and training program, with significant incidents or organizational changes triggering off-cycle runs of the same procedure.
  • Information Security Program Governance Review — Controls · 11 steps
    Operate the CISO's recurring security program governance review: each quarter maintain the senior-management-approved information security program plan and keep security roles, authorities, and reporting lines current, and each year deliver the written board report confirming the CISO mandate and run the security workforce competency review, so the program stays approved, resourced, and owned through organizational change.
  • ISMS Internal Audit & Management Review — Controls · 8 steps
    Run the ISMS clause 9.2 internal audit and clause 9.3 management review: findings, corrective actions, review inputs, decisions, and follow-up.
  • ISMS Risk Assessment & Treatment Cycle — Controls · 18 steps
    Perform ISO 27005 risk assessment and treatment planning to produce current risks and SoA inputs for ISO 27001 control applicability.
  • ISO 27001 SoA Review & Controls Assessment — Controls · 23 steps
    Review Statement of Applicability decisions, verify implementation evidence, assess controls, remediate gaps, and publish the approved SoA version.
  • IT Asset Inventory & Classification Upkeep — Controls · 11 steps
    Run the quarterly cycle that reconciles the authoritative hardware, software, systems, and services inventory against discovery scans and change records, correcting discrepancies and confirming owner, location, and security attributes for every in-scope component. In the same cycle, review and refresh the classification, priority, and labeling of information and associated assets, including on physical media, so both registers stay current for downstream audit, compliance, and security scoping.
  • IT Availability & Resilient Failure Operations — Controls · 12 steps
    Operate the monthly IT availability control across the full cycle: monitor scheduled batch jobs and system processing with documented incident and problem resolution, verify backups with periodic restore testing and track processing availability against service expectations, protect network services against denial-of-service events with fail-secure component behavior and alternate communications readiness, and work the mean-time-to-failure replacement queue with verified fail-safe procedures that place failing systems into a known, alerting safe state.
  • IT Operations & Capacity Management Cycle — Controls · 9 steps
    Operate the weekly IT operations and capacity management cycle: execute job scheduling, processing, infrastructure monitoring, and facility management per documented procedure, then reconcile outcomes and correct any exceptions. Review processing capacity and utilization against forecast demand, trigger capacity additions before thresholds are breached, and confirm priority-based allocation and quotas keep protecting shared resources, with breach alerts routed to responsible personnel.
  • Joiner-Mover-Leaver Access Lifecycle — Controls · 8 steps
    Handle joiner, mover, and leaver events end-to-end: provision role-based access, adjust with SoD checks on transfer, and evidence timely removal on exit.
  • Malware, Email & Web Content Defense Operations — Controls · 11 steps
    Operate the monthly malicious-content defense cycle: verify centrally managed anti-malware coverage, scanning, signature updates, and tamper protection across every commonly affected component, and review quarantine, alerting, and detection-log handling. Tune email and web filtering for spam and phishing at entry and exit points, and maintain mobile-code technology authorizations and website category and reputation filtering with enforcement-log review.
  • Network & Provider Service Monitoring — Controls · 11 steps
    Operate the monthly cycle that keeps network devices hardened and controlled and network-service documentation (security features, service levels, management responsibilities, including outsourced services) current, monitoring delivered services for conformance and addressing deviations. Review external providers' activity, service status, and security-relevant events against contractual obligations through their logs and reports, confirm cross-organizational audit-exchange methods and identity-context preservation, and feed every deviation into a single owned remediation log.
  • Network Segmentation & Boundary Rule Management — Controls · 10 steps
    Operate the boundary estate end to end: maintain the trust-zone model, gate and implement rule changes to managed interfaces under a deny-by-default baseline, monitor boundary traffic for external threats, and run the quarterly segmentation and rule-set review with a full rule-change record. Enforce label preservation and guard-rule policy at every cross-domain interconnection point so only authorized data types and flow directions pass between security domains.
  • NIST RMF System Authorization (ATO) Cycle — Controls · 27 steps
    Move a system through RMF prepare, categorize, select, implement, assess, authorize, and monitor activities for ATO decisions.
  • Outsourced & Critical-Component Development Oversight — Controls · 11 steps
    Each quarter, review every active outsourced and third-party development engagement for secure-development, IP-ownership, and audit-rights contract terms, verify deliverables against requirements with security-testing evidence on file, and screen developers of critical systems before granting development-environment access. Maintain the register of components critical to security or mission and the rationale and assurance evidence behind every specialized or custom development decision made because commercial items could not meet requirements.
  • Physical Environment Monitoring Review — Controls · 10 steps
    Operate the monthly physical-environment monitoring review across facilities hosting systems and data: sweep badge and entry logs, camera surveillance coverage and flagged footage, and environmental sensor alerts, and feed every confirmed anomaly into security-event analysis.
  • Platform Isolation & Separation Enforcement — Controls · 11 steps
    Operate the semiannual platform isolation cycle: verify user, system-management, and security functions remain separated across sensitivity domains via partitioning or virtualization, confirm shared resources are cleared or sanitized between users and processes while covert-channel bandwidth stays under threshold, and verify hardware- and software-enforced separation mechanisms keep critical code protected from runtime alteration.
  • Privileged Access & Authorization Model Management — Controls · 10 steps
    Operate the quarterly privileged-access control cycle: recertify every privileged account against its business justification and time bound, enforce separate accounts for administrators, review logged utility-program use, and process application-allowlist changes so unauthorized software stays blocked. In the same cycle, maintain the role and security-attribute authorization model against organizational change and spot-test that enforcement points across applications, databases, and infrastructure apply approved authorizations to sensitive data, source code, and administrative functions.
  • Public Content & External Sharing Authorization — Controls · 12 steps
    Operate the standing publication-authorization capability: verify only trained, designated individuals post to public-facing systems, confirm external information shares carry information-owner authorization consistent with classification and sharing agreements, and run the quarterly sweep that re-verifies the documented no-authentication actions and inspects public content for nonpublic exposure.
  • Resilience & Failover Readiness Verification — Controls · 11 steps
    Each quarter, verify that the alternate storage site, alternate processing capability, and diverse telecommunications the organization's recovery objectives depend on remain current, separated from primary-site hazards, and able to assume operations within RTO, and that safe-mode, alternate-communications, and alternate-security-mechanism designs on critical systems are configured and ready. Findings convert into owned corrective actions, with any recovery-time-impacting gap escalated immediately rather than held for end-of-cycle closure.
  • Resilient Architecture & Non-Persistence Operations — Controls · 11 steps
    Operate the quarterly non-persistence and resilient-architecture program: refresh designated non-persistent components and services from known-good trusted sources, purge stale information, verify diverse sourcing and fragmentation of high-value data, and review thin-node, technology-heterogeneity, and distributed processing and storage posture against current threats.
  • Secure Baseline & Integrity Drift Management — Controls · 11 steps
    Operate the monthly secure-baseline cycle: maintain and approve hardening baselines and least-functionality settings against accepted industry standards, run configuration-compliance scans and remediate drift as findings, triage file-integrity, hash/signature, and secure-boot alerts while verifying security functions operate correctly, and keep the configuration management plan and procedures current annually or after significant environment change.
  • Secure Connectivity & Network Trust Services Operation — Controls · 11 steps
    Operate the quarterly cycle that re-authorizes remote, wireless, and organization-controlled mobile access, sweeps for rogue connections, and verifies session-trust and out-of-band credential-delivery protections. The same cycle confirms DNSSEC-authenticated, fault-tolerant name resolution and clock synchronization to authoritative time sources.
  • Secure Development & Release Security Gate — Controls · 12 steps
    Operate the secure-development lifecycle at every release: engineer security and privacy-by-design requirements into the build, execute the documented security test plan with retained evidence against defined acceptance criteria, and verify hardened runtime behavior before production. Between releases, track vulnerability remediation and patching within risk-based timeframes and queue unsupported software for replacement at the quarterly portfolio review.
  • Secure SDLC Phase-Gate Program — Controls · 10 steps
    Operate the secure SDLC phase-gate program that every development initiative passes through: chair the intake, requirements, design, and build/release gates against the documented secure development lifecycle, verifying governed scope and security resourcing, approved application-security requirements, secure-architecture review, and secure-coding and trust-boundary input-validation evidence at each stage. Monitor adherence to and performance of the process itself and track every exception to closure.
  • Security & Privacy Architecture Review Board — Controls · 12 steps
    Operate the standing Security & Privacy Architecture Review Board: maintain the enterprise, security, and privacy architecture views that describe how systems, information flows, and protections align with mission and strategy, review solution designs and acquisition decisions for architectural alignment, and push approved updates into system security plans and acquisition requirements.
  • Security Awareness Training Campaign — Controls · 8 steps
    Run a security awareness campaign end-to-end: curriculum, launch, completion tracking, phishing simulation, escalation, and effectiveness reporting.
  • Security Control Assessment & POA&M Remediation — Controls · 20 steps
    Assess security controls using 800-53A methods, record determinations, open POA&M items, validate remediation, and update the authorization package.
  • Security Monitoring & Detection Operations — Controls · 10 steps
    Operate the SOC's weekly monitoring cycle: verify continuous monitoring is deployed and functioning under the documented strategy across hosts, networks, and applications, and report security status to defined roles. Work the central SIEM analysis queue to correlate and enrich events with threat intelligence, triage flagged anomalies to genuine security events, and verify the health, coverage, and tuning of the continuous protection services.
  • Security Policy Suite Review — Controls · 16 steps
    Operate the annual (and change-triggered) review cycle for the full security policy suite across eight policy families: secure acquisition, development, configuration-management, and maintenance; asset, media, and physical protection; access control, identification, and personnel security; communications protection and cryptography; security awareness and cyber-hygiene; audit-logging, monitoring, and system integrity; contingency planning and disruption mitigation; and incident response. Each policy is reviewed against current risk and threat inputs, updated, reapproved, and disseminated with communication and acknowledgment tracking captured as one evidence set.
  • SOC 2 Readiness & Evidence Collection — Controls · 8 steps
    Get audit-ready for SOC 2/SOC 1: map controls to criteria, close gaps, run the evidence request list, QA evidence, and coordinate the auditor.
  • Supply-Chain Integrity & OPSEC Operations — Controls · 11 steps
    Operate the standing supply-chain integrity program: inspect each period's critical system and component receipts for tamper-evidence and authenticity, keep provenance and chain-of-custody records current, and disposition suspected counterfeits with inspector-training refresh where lapses appear. In the same monthly cycle, review the register of sensitive supply-chain information to confirm disclosure remains limited to parties with a validated need to know and remediate any overexposure found.
  • System Categorization, Security Planning & Authorization — Controls · 12 steps
    Operate the per-system control that categorizes each system and its information by confidentiality, integrity, and availability impact with criticality analysis and accountable-official approval, develops and maintains the approved system security and privacy plan, and secures formal authorization to operate before production use. Internal system connections are authorized and documented, and reauthorization is tracked on frequency and significant change.
  • Technical Security Testing & Pentest Engagement — Controls · 17 steps
    Plan, execute, report, and retest technical security findings while mapping results to controls and secure-design defects.
  • Technology Lifecycle & Capacity Review — Controls · 12 steps
    Quarterly cycle that reconciles the solution asset record for components, ownership, and licensing, acts on use and cost optimization, and drives components approaching end of support to a replacement or upgrade plan or a documented, risk-accepted compensating control before support lapses. The same cycle monitors solution availability and capacity against current and forecast demand, raises corrective plans for projected shortfalls, and validates that agreed targets were met in the prior period.
  • Threat Intelligence & Insider Threat Program — Controls · 9 steps
    Operate the threat program each cycle: ingest and share threat intelligence, run intel-driven hunts, and review insider-threat indicators with a governed response.
  • User Access Review & Recertification — Controls · 8 steps
    Quarterly user access review: extract entitlements, certify with managers, revoke and evidence removals across in-scope systems.
  • User Activity & External Exposure Monitoring — Controls · 10 steps
    Operate the monthly insider-risk monitoring cycle: review captured privileged and remote session activity and personnel technology usage against acceptable-use expectations, restricting access to authorized reviewers and routing findings to HR and legal counsel per the disclosed monitoring terms. In the same cycle, sweep external open-source and dark-web channels for improperly disclosed organizational information, alerting designated personnel and initiating takedown on discovery, with confirmed findings from both halves logged into one restricted case feeding security-event evaluation.
  • Vendor SOC 1/SOC 2 Report Review & CUEC Mapping — Controls · 16 steps
    Review vendor SOC reports, exceptions, CUECs, bridge letters, and reliance conclusions for controls assurance and service-organization dependencies.
  • Vulnerability & Patch Management Cycle — Controls · 8 steps
    Recurring vulnerability management cycle: scan, triage by severity, patch on SLA, verify by rescan, and risk-accept residuals with expiry.
  • Workplace & Remote Work Security Cycle — Controls · 10 steps
    Operate the quarterly workplace and remote-work security cycle: walk offices for clear-desk, clear-screen, and output-device compliance, and verify and enforce remote-working device, privacy, environment, and connectivity attestations before granting access. Review the approved alternate-work-site list, assess control effectiveness, and confirm workers there have a functioning incident-reporting channel.
© 2026 CoworkCanvas. All rights reserved. CoworkCanvas Privacy Terms