# Map Security Controls to Policies

Sprinto allows you to map each policy, procedure, or document to one or more security controls. Control mapping is essential for frameworks such as ISO 27001, SOC 2, and GDPR, where written documentation must directly support control implementation.

You can map controls manually or use Sprinto’s AI-assisted suggestions.

***

### **Before you begin**

* Ensure the policy or document is in **Draft** or **Active** status.
* Make sure you have the required role (Administrator or InfoSec Owner) to modify control mappings.
* Note that policies generated from Sprinto templates come pre-mapped, and their control mappings cannot be edited.

***

### **Ways to map controls**

<table><thead><tr><th width="187.859375">Method</th><th>Description</th></tr></thead><tbody><tr><td><strong>Manual mapping</strong></td><td>Select controls directly from the available control categories.</td></tr><tr><td><strong>AI-assisted mapping</strong></td><td>Use Sprinto AI to generate control suggestions based on policy content.</td></tr></tbody></table>

***

### **Manually map controls to a policy**

Here's a short video on how to map controls to a policy.

{% embed url="<https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F9OYm2x3YHd3WILmPL7Cg%2FMapping%20Sprinto's%20Controls%20to%20Custom%20Policies.mp4?alt=media&token=a21097b7-795d-4b7a-ba93-006b06d53680>" %}

1. Navigate to the **All policies & docs** tab.
2. Click on the policy or document you want to map.
3. In the **Controls mapped to policy** section, click **Map controls**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2Fys5UhYKfdsMy5NuzRmTU%2FScreenshot%202025-06-23%20at%2014.53.32.png?alt=media&#x26;token=134afd53-6584-44cb-ae44-6c51e68d7134" alt="" width="563"><figcaption></figcaption></figure>

4. Use the search bar or browse categories to select relevant controls. You can also click **Generate suggestions** to get AI assistance in mapping controls.
5. Click **Save mapping** after you select the controls you wish to map to your policy.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FolnkdIAPQYUJtHVKC4OQ%2FScreenshot%202025-06-23%20at%2014.56.24.png?alt=media&#x26;token=a06421c7-5edc-49bf-9999-6cde5a6507c2" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="info" %}
Mapped controls are listed in the policy details view. These mappings are also visible during audits and evidence exports.
{% endhint %}

***

### **Use AI-assisted control mapping**

1. Open the desired policy.
2. In the **Controls mapped to policy** section, click **Map controls**.
3. From the left-hand panel, select **Sprinto AI**.
4. Click **Generate suggestions**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F0tN6fU9IC3RNxiO29CYV%2FScreenshot%202025-06-23%20at%2014.57.51.png?alt=media&#x26;token=35ec14c1-bdd9-45b7-9894-a4651c7b9211" alt="" width="563"><figcaption></figcaption></figure>

5. Review the AI-suggested controls (identified by a Sprinto-AI icon).
6. Select the controls you want to map.
7. Click **Save mapping**.

{% hint style="info" %}
If needed, you can override AI suggestions by adding more controls manually.
{% endhint %}

***

### **View mapped controls**

Once saved:

* All mapped controls are visible in the **Controls mapped to policy** section.
* Mapped policies serve as evidence for those controls during audits.
* Reviewers and approvers can see the mappings during the policy approval workflow.

***

### **Limitations**

* **Template-generated policies** come with predefined control mappings that cannot be modified.
* **Uploaded PDFs or synced documents** must first be approved before controls can be mapped.
* Controls can only be mapped if they exist in the active framework enabled for your organisation.

***

### **Next steps**

Once controls are mapped:

* The policy contributes to the “Document should be mapped” check.
* The policy is available as evidence in control drawers during audit preparation.
* You can monitor the mapping status from the **Monitoring** tab.
