Tutorial for Delegates: Reviewing a control set - AWS Audit Manager
PrerequisitesProcedureAdditional resources

Tutorial for Delegates: Reviewing a control set

This tutorial describes how to review a control set that was shared with you by an audit owner in AWS Audit Manager.

Audit owners use Audit Manager to create assessments and collect evidence for the controls in that assessment. Sometimes audit owners might have questions or need assistance when validating the evidence for a control set. In this situation, an audit owner can delegate a control set to a subject matter expert for review.

As a delegate, you help audit owners to review the collected evidence for controls that fall under your area of expertise.

Prerequisites

Before you start this tutorial, make sure that you first meet the following conditions:

Procedure

Step 1: Review your notifications

Start by signing in to Audit Manager where you can access your notifications to see the control sets that have been delegated to you for review.

To review your notifications

  1. Open the AWS Audit Manager console at https://console.aws.amazon.com/auditmanager/home.

  2. In the left navigation pane, choose Notifications.

  3. On the Notifications page, you review the list of control sets that have been delegated to you. The notifications table includes the following information:

    Name Description

    Date

    		The date when the control set was delegated.

    Assessment

    The name of the assessment that's associated with the control set. You can choose an assessment name to open the assessment detail page.
    Control set

    The name of the control set that was delegated to you for review.

    Source

    The user or role that delegated the control set to you.

    Description

    The review instructions that were provided by the audit owner.

Tip

You can also subscribe to an SNS topic to receive email alerts when a control set is assigned to you for review. For more information, see Notifications in AWS Audit Manager.

Step 2: Review the control set and related evidence

The next step is to review the control sets that the audit owner delegated to you. By examining the controls and their evidence, you can determine if any additional action is needed for a control. Additional actions can include manually uploading additional evidence to demonstrate compliance, or leaving a comment about that control.

To review a control set

  1. From the Notifications page, review the list of control sets that were delegated to you. Then identify which one you want to review and choose the name of the related assessment.

  2. Under the Controls tab of the assessment detail page, scroll down to the Control sets table.

  3. Under the Controls grouped by control set column, expand the name of a control set to show its controls. Then, choose the name of a control to open the control detail page.

  4. (Optional) Choose Update control status to change the status of the control. While your review is in progress, you can mark the status as Under review.

  5. Review information about the control in the Evidence folders, Details, Evidence sources, Comments, and Changelog tabs. To learn about each of these tabs and how to understand the data that they contain, see Reviewing an assessment control in AWS Audit Manager.

To review the evidence for a control

  1. From the control detail page, choose the Evidence folders tab.

  2. Navigate to the Evidence folders table, where a list of folders that contains evidence for that control is displayed. These folders are organized and named based on the date when the evidence within that folder was collected.

  3. Choose the name of an evidence folder to open it. From here, you can review a summary of all the evidence that was gathered on that date. To understand this information, see Reviewing an evidence folder in AWS Audit Manager.

  4. From the evidence folder summary page, navigate to the Evidence table. Under the Time column, choose a line item to open and review details of the evidence that was collected at that time. To understand this information, see Reviewing evidence in AWS Audit Manager.

Step 3. Add manual evidence (optional)

Although AWS Audit Manager automatically collects evidence for many controls, in some cases you might need to provide additional evidence. In these cases, you can manually add your own evidence that helps you to demonstrate compliance with that control.

To add manual evidence to a control

There are several ways to add manual evidence to a control. You can import a file from Amazon S3, upload a file from your browser, or enter a text response. For instructions for each method, see Adding manual evidence in AWS Audit Manager.

Step 4. Add a comment for a control (optional)

You can add comments for any controls that you review. These comments are visible to the audit owner. For example, you can leave a comment to provide a status update and confirm that you remediated any issues with that control.

To add a comment to a control

  1. From the Notifications page, review the list of control sets that were delegated to you. Find the control set that you want to leave a comment for, and choose the name of the related assessment.

  2. Choose the Controls tab, scroll down to the Control sets table, and then select the name of a control to open it.

  3. Choose the Comments tab.

  4. Under Send comments, enter your comment in the text box.

  5. Choose Submit comments to add your comment. Your comment now appears under the Previous comments section of the page, along with any other comments regarding this control.

Step 5: Mark a control as reviewed (optional)

Changing the status of a control is optional. However, we recommend that you change the status of each control to Reviewed as you complete your review for that control. Regardless of the status of each individual control, you can still submit the controls to the audit owner.

To mark a control as reviewed

  1. From the Notifications page, review the list of control sets that were delegated to you. Find the control set that contains the control that you want to mark as reviewed. Then, choose the name of the related assessment to open the assessment detail page.

  2. Under the Controls tab of the assessment detail page, scroll down to the Control sets table.

  3. Under the Controls grouped by control set column, expand the name of a control set to show its controls. Choose the name of a control to open the control detail page.

  4. Choose Update control status and change the status to Reviewed.

  5. In the pop-up window that appears, choose Update control status to confirm that you finished reviewing the control.

Step 6. Submit the reviewed control set back to the audit owner

When you're done reviewing all controls, submit the control set back to the audit owner to let them know you finished your review.

To submit a reviewed control set back to the owner

  1. In the Notifications page, review the list of control sets that were assigned to you. Find the control set that you want to submit to the audit owner, and choose the name of the related assessment.

  2. Scroll down to the Control sets table, select the control set that you want to submit back to the audit owner, and then choose Submit for review.

  3. In the pop-up window that appears, you can add any high-level comments about that control set before choosing Submit for review.

After you submit the control to the audit owner, the audit owner can view any comments that you left for them.

Additional resources

You can continue to learn more about the concepts that are introduced in this tutorial. Here are some recommended resources: