A control statement is a concise statement of a discrete portion of a regulation or framework. Since regulations and frameworks have large areas of overlap, the control statements reduce repetition by stating each portion a single time. The organizational mapping of policies to the control statement satisfies both the regulation and the framework requirements.
A control statement is considered mapped when it is linked to a mandate, policy, check, question, SCAP rules, or external data assesments.
Policies and mandates are mapped to control statements. In turn, control statements are mapped to checks, questions, SCAP rules, and external data assessments.
A custom control statement is a control statement that you create to suit your enterprise needs. It may have none or minimal overlap with the control statements that Symantec provides with the Control Compliance Suite (CCS) content. The primary objective of the custom control statement is that it meets your needs.