A control statement is a concise statement of a discrete portion of a regulation or framework. Since regulations and frameworks have large areas of overlap, the control statements reduce repetition by stating each portion a single time. For example, where differences exist between regulation or framework statement requirements, a single control statement exists that each of the entries is mapped to. The organizational mapping of policies to the control statement satisfies both the regulation and the framework requirements.

A control statement is mapped when it is linked to a policy. Through the policy, the control statement is indirectly linked to the regulation and framework.

A custom control statement is a control statement that you create to suit your enterprise needs. It may have none or minimal overlap with the control statements that are provided by Symantec with the Control Compliance Suite content. The primary attribute of the custom control statement is that it meets your needs.