Workflow

Control Applicability Reassessment

How OnCompli updates a tenant's control baseline when the legal entity profile changes, without deleting evidence or overriding manual decisions.

Owner: Compliance Engineering
Last reviewed: 2026-06-08

When to Run It

Run a reassessment whenever the organisation profile changes in a way that can affect proportionality or framework scope. Common examples are moving from microenterprise to non-micro, becoming significant, updating employee count or total assets, or changing the active framework selection.

No silent baseline changes

Saving the profile does not automatically change controls. OnCompli shows the impact first, then a permitted user explicitly applies the update.

What OnCompli Changes

  • Applicable flag: controls can move between applicable and not applicable.
  • Justification: profile-generated changes receive a clear reassessment reason.
  • Audit trail: the applied reassessment records actor, timestamp, profile snapshot, active frameworks, and affected control codes.

What OnCompli Never Changes Here

  • Controls are not deleted.
  • Evidence links, aliases, owners, due dates, and statuses are preserved.
  • Manual exclusions are not overwritten unless they were previously generated by this reassessment engine.
  • Custom tenant controls and controls outside active frameworks are ignored.
  • The canonical framework library is not mutated.
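The rules in the two lists above, modelled as a dry run followed by an explicit apply step. This is an added illustration, not OnCompli's own code: the Control fields, function names, framework labels, and sample data are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Control:  # hypothetical record for illustration, not OnCompli's schema
    code: str
    framework: Optional[str]           # None marks a custom tenant control
    applicable: bool = True
    excluded_by: Optional[str] = None  # "manual" or "engine" when not applicable
    justification: str = ""
    evidence: list = field(default_factory=list)  # never touched below

def plan_impact(controls, active_frameworks, required_codes):
    """Dry run: list proposed toggles without modifying any control."""
    out = {"applicable": [], "not_applicable": [], "preserved_manual": []}
    for c in controls:
        if c.framework is None or c.framework not in active_frameworks:
            continue  # custom controls and inactive frameworks are ignored
        wanted = c.code in required_codes
        if wanted and not c.applicable:
            key = "preserved_manual" if c.excluded_by == "manual" else "applicable"
            out[key].append(c.code)
        elif not wanted and c.applicable:
            out["not_applicable"].append(c.code)
    return out

def apply_update(controls, impact, actor, profile, active_frameworks):
    """Explicit apply: change only flag and reason, return the audit record."""
    by_code = {c.code: c for c in controls}
    for key, flag, source in (("applicable", True, None),
                              ("not_applicable", False, "engine")):
        for code in impact[key]:
            c = by_code[code]
            c.applicable, c.excluded_by = flag, source
            c.justification = "Profile reassessment by " + actor
    return {"actor": actor,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "profile_snapshot": dict(profile),
            "active_frameworks": sorted(active_frameworks),
            "affected_controls": sorted(impact["applicable"] + impact["not_applicable"]),
            "preserved_manual_exclusions": sorted(impact["preserved_manual"])}

def sample_controls():  # constructed data
    return [Control("A-1", "FW-A", evidence=["ev-1"]),
            Control("A-2", "FW-A", False, "engine"),
            Control("A-3", "FW-A", False, "manual", "Risk accepted"),
            Control("B-1", "FW-B"),        # framework not active
            Control("CUST-1", None)]       # custom tenant control
```

Calling plan_impact on the sample with active framework FW-A and required codes A-2 and A-3 proposes toggling A-1 and A-2, and reports A-3 as a preserved manual exclusion.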

Step-by-Step Procedure

  1. Open Dashboard > Settings > Organization Profile.
  2. Update the legal entity profile, entity size, significance, and framework inputs.
  3. Save the profile.
  4. Use Control Applicability Impact to check the proposed changes.
  5. Review controls becoming applicable and controls becoming not applicable.
  6. Click Apply applicability update only if the impact is expected.
  7. Review the Controls page and dashboards to confirm the new baseline.

Audit Defense

The reassessment record gives auditors a defensible trail for why the control baseline changed after the organisation profile changed. It records which controls were toggled, which manual exclusions were preserved, and the profile state used for the decision.