Implement is where requirements become real. Design controls, attach evidence, assign ownership, and track implementation progress across your entire program.
What Implement does
Start from template-based measure libraries aligned with catalogues such as ISO 27001 and NIST CSF. The control library is searchable with Control ID, description, type (preventive, detective, corrective), owner, and status, plus links to requirements, assets, processes, and risks. Colour-coded control health badges summarise posture; click through for the score breakdown. When you create a control with New Control, you can add a recurring validation task at creation time.
Maintain processes in a tree view with nested sub-processes; hover over an item to delete it from the tree. Process names are shown without reference codes in the tree. Each process links to assets, controls, requirements, risks, and third parties. When the Business Continuity module is enabled, you can record BCI, RTO, and RPO. Attach SOPs and other files as evidence.
The third-party register lives under Implement with types such as vendor, service provider, contractor, and partner. Assign risk tiers from critical down to low, maintain contacts, and link records to assets, processes, controls, and requirements. It is designed to complement Supplier Shield for deeper vendor-risk workflows.
Bulk actions include set status, set maturity, change owner, link to related objects, assign scopes, and delete. Evidence ties back through tasks, assessments, findings, and documents so implementation work is not orphaned from the control record.
Who uses it
For teams that need to turn Comply requirements into named controls, correct control types, and links to the assets and processes they actually protect.
For managers who must show which controls are live, who owns them, and what artefacts back each assertion.
For leads who reassign work, normalise maturity, and link many controls to the same scope or object sets after reorganisations or tool consolidation.
FAQ
Measures are organised in template-driven libraries (including curated sets aligned with ISO 27001 and NIST CSF) that give you a starting pattern for what to do. A control is the operational record you manage in the control library: typed, owned, statused, and linked to requirements, assets, processes, and risks. You implement and attest at the control level; measures help standardise the underlying practice.
Each control shows a colour-coded health badge (red, orange, or green). Selecting the badge opens the breakdown of how the score is calculated so you can see why a control is healthy or not instead of guessing from a single label.
Yes. When you create a control with New Control, you can optionally add a recurring validation task at the same time so periodic checks are scheduled from day one.
Implement includes a process register with a tree view for nested sub-processes. You can remove items directly from the tree, link each process to assets, controls, requirements, risks, and third parties, and attach SOPs or files as evidence. If Business Continuity is enabled, you can also capture BCI, RTO, and RPO on the process.
The Implement register holds third-party types (vendor, service provider, contractor, partner), risk tier, contacts, and links into your GRC graph. Supplier Shield is the dedicated vendor-risk product; the register in Acuna is complementary so third parties are visible next to controls and processes while deeper due diligence can run in Shield.
You can bulk-set status and maturity, reassign owner, link controls to other objects, assign scopes, and delete in batch. That is meant for clean-up after reorganisations or when many controls need the same relationship change.
Related answers
Cross-framework control mapping identifies where requirements from different frameworks overlap — for example, ISO 27001 A.8.5 (access control) and NIS2 Article 21(2)(i) (access management) describe essentially the same practice. By mapping these overlaps, organisations implement and evidence a control once instead of duplicating effort per framework. In Acuna, mappings can be direct (manual), derived via 58 curated reference measures across 11 domains, or suggested by AI with confidence scores. Batch mapping lets you align entire domains in one operation.
In Acuna, a measure is a template-level practice drawn from curated libraries aligned with frameworks like ISO 27001 and NIST CSF. It describes what should be done. A control is the operational record you create from a measure — typed (preventive, detective, or corrective), owned, statused, and linked to specific requirements, assets, processes, and risks. You implement and attest at the control level; measures standardise the underlying practice across your programme. One measure can spawn multiple controls in different scopes.
Each control in Acuna displays a colour-coded health badge — green (healthy), orange (at risk), or red (unhealthy). Health is driven primarily by recurring task completion: a task completed on time scores as healthy (100), completed late scores as at risk (75), in progress but not past due as at risk (75), and not started past due as unhealthy (0). These scores cascade upward through measures and requirements so operational slippage surfaces in the control and programme views, not only in a task list. Click any health badge for a breakdown explaining which tasks contributed to the current score.
In Acuna, evidence records follow four states: Draft (being compiled), Submitted (sent for approval), Approved (locked and timestamped), and Expired (no longer current). Each record captures collection, review, and expiry dates, supports versioned file attachments, and can be linked to multiple controls with per-link notes. Approvers receive notifications and can request changes before accepting. Approved evidence contributes to control effectiveness and audit readiness metrics. Expired evidence is flagged visually and cannot be deleted without administrator approval, preserving the audit trail.
Implement is where you build the operational backbone of your compliance programme. You create measures from curated libraries or custom definitions, instantiate controls from those measures, assign owners, set statuses, and link controls to the requirements they satisfy. The pane also manages your asset inventory (IT systems, data stores, physical locations), process register, and risk catalogue. Everything connects: a control is linked to one or more requirements, one or more assets, and optionally to risks — so you can trace from a framework clause all the way down to the specific system and team responsible.
In Implement, each measure represents a security or compliance practice (e.g. 'Access reviews are performed quarterly'). Measures are linked upward to one or more requirements across frameworks — one measure can satisfy clauses in ISO 27001, NIS2, and SOC 2 simultaneously. Controls are the operational instances of measures: they carry an owner, implementation status, control type (preventive, detective, corrective), and linked evidence. This three-tier hierarchy (requirement → measure → control) is how Acuna avoids duplicate work across multi-framework programmes.
Each control can have one or more recurring tasks — for example, 'Review access rights quarterly' or 'Test backup restoration monthly.' Tasks are assigned an owner, frequency (daily, weekly, monthly, quarterly, annually, or custom), and a due date. When a task is completed on time, it scores 100 (healthy). Completed late scores 75 (at risk). In progress but not overdue scores 75. Not started past due scores 0 (unhealthy). These scores roll up to the parent control, then to the measure, then to the requirement — so a missed task surfaces as a visible gap at every level of the programme.
Vanta is purpose-built for companies getting their first SOC 2. For organizations running multiple frameworks simultaneously (ISO 27001, SOC 2, NIS2, DORA, GDPR), Vanta's single-framework origins show. The best Vanta alternatives for multi-framework programs include platforms built for continuous compliance across mature, overlapping obligations. Acuna is designed from the ground up for multi-framework control mapping, shared evidence, and audit defensibility at enterprise scale. Drata and OneTrust each address adjacent problems. Choose based on whether your program is scaling compliance depth or adding your first certification.