Implementing and testing controls

Understanding Tasks vs Tests

Tidal distinguishes two fundamental ways to validate controls:

Manual Tasks

  • Manual activities performed by people
  • Require human assessment and evidence
  • For example: creating network diagrams, verifying that incidents are resolved
  • Status: Open → Closed

Automated Tests

  • Monitoring progress in Tidal
    • For example: periodic policy reviews, completeness of risk information
  • Monitoring external systems
    • For example: Azure security settings, firewall rules, encryption status
  • Status: Not executed yet → Passed / Failed (Error if the test could not run)

Info

Test dependencies: Automated tests require that the relevant integration is correctly configured. Without a working connection, tests remain in "Error" status.

Read more about integration setup in Integrations

Working on manual tasks

Viewing manual tasks

  1. Go to the control with pending tasks
  2. Click on the control name to see the tasks and tests for this control
  3. Click on a manual task in the expanded list
  4. The task sidepanel opens with all necessary information
  5. The Details tab contains additional information about the task
  6. The Linked Assessments tab contains an overview of linked assessments
  7. The Feed tab contains a complete audit trail of this task

Working on a task

Collaborating via conversations

Conversation tab functionality:

  • Add comments - Document progress and ask questions
  • Use @mentions - Notify specific people (e.g. @john)
  • Real-time notifications - Mentioned stakeholders are notified immediately

Example of an @mention:

@jane Can you review the network diagram I uploaded? 

Uploading evidence

File upload:

You can upload documents directly in the Conversation tab:

  1. Scroll to the "Add your comment" section in the task interface
  2. Click "Drop, or click to add files" or drag files directly to the comment field
  3. A new comment automatically appears containing a link to the just uploaded file

Evidence best practices:

  • Screenshots with timestamps for configuration evidence
  • Signed documents for policy approvals and training records
  • Log files for incident response and monitoring activities
  • Reports for security scans and audit results

Completing / closing tasks

  • Select 'Close task' at the top of the screen, or
  • Write a comment and select 'Submit and Close' to close the task with a final comment.

Assessment tasks

Assessment tasks are a special type of task that ask the user to indicate whether the Control should be assessed as "Effective" or "Ineffective". This conclusion affects the Control Status indicator on the overview page. See Completing assessments for more information.

Working on tests

Viewing tests

  1. Go to the control with linked tests
  2. Click on the control name to see the tasks and tests for this control
  3. Click on a test in the expanded list
  4. The test sidepanel opens with all necessary information

Refreshing test results

  1. Click "Refresh" at the top right of the overview
  2. The test starts running and adds a new result when it finishes

Tip

In the Tests menu you can refresh multiple tests at once.

Read more about this in Refreshing tests

Interpreting test results

Not executed (Gray)

  • The test has never been executed
  • Refresh the test to get a result
  • Control is automatically marked red

Passed (Green)

  • Test executed successfully
  • Configuration meets required security standards
  • Contributes to green control compliance status

Failed (Red)

  • Test detects non-compliance or security issue
  • Requires immediate attention and remediation
  • Control is automatically marked red

Error (Orange)

  • Technical error in test execution
  • Test must be executed again
  • Control is automatically marked red

Automated test results

Azure Cloud tests example

Azure integration tests check:

  • Data encryption at rest - Verification that Azure Data Disks are encrypted
  • Network security groups - Firewall rules and access controls
  • Identity management - Multi-factor authentication configurations
  • Resource compliance - Tagging and naming conventions
  • Backup configurations - Automated backup schedules and retention

Info

Integration dependencies: Azure tests require a working Azure connector with proper permissions. Without access to Azure subscriptions, tests remain in "Error" status.

Setup instructions can be found in Azure Integration
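As an added illustration (not Tidal's own code or the logic of its Azure connector), the block below shows what an encryption-at-rest test of the kind listed above does with the disk records it pulls, and how the four result statuses (Not executed, Passed, Failed, Error) roll up to the control colour described under "Interpreting test results". The disk records are constructed sample data shaped like the `encryption.type` field that `az disk list` returns; `disk_encryption_test`, `control_status` and the lowercase status strings are names chosen for this example, and the choice to mark a control with no linked tests red is an assumption based on the "tests needed for the control are missing" rule below.

```python
"""Worked example of an automated 'data encryption at rest' test and the
status roll-up to a control colour. Illustration only; not Tidal code."""
from __future__ import annotations

from typing import Iterable

# Constructed sample records. Only the fields the check needs are present;
# the shape mirrors `az disk list` output (name, resourceGroup, encryption.type).
SAMPLE_DISKS = [
    {"name": "vm-web-01_OsDisk", "resourceGroup": "rg-prod",
     "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
    {"name": "vm-db-01_DataDisk", "resourceGroup": "rg-prod",
     "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
    {"name": "legacy-export", "resourceGroup": "rg-legacy",
     "encryption": {}},  # no encryption type reported at all
]

# Azure encryption-at-rest types that count as "encrypted" for this check.
ENCRYPTED_TYPES = {
    "EncryptionAtRestWithPlatformKey",
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",
}


def disk_encryption_test(disks: Iterable[dict] | None) -> dict:
    """Evaluate one test run and return {'status': ..., 'findings': [...]}.

    'error'  - the connector returned nothing (e.g. no subscription access).
               This is deliberately distinct from 'passed': missing data
               must never be read as compliance.
    'failed' - at least one disk has no recognised encryption-at-rest type.
    'passed' - every disk is encrypted.
    """
    if disks is None:
        return {"status": "error", "findings": ["connector returned no data"]}

    findings = []
    for disk in disks:
        enc_type = (disk.get("encryption") or {}).get("type")
        if enc_type not in ENCRYPTED_TYPES:
            findings.append(
                f"{disk['resourceGroup']}/{disk['name']}: encryption type {enc_type!r}"
            )
    return {"status": "failed" if findings else "passed", "findings": findings}


def control_status(test_statuses: Iterable[str]) -> str:
    """Roll linked test results up to the control colour.

    Per the status table on this page: a test that was never executed,
    failed or errored marks the control red; only all-passed tests give
    green. A control with no linked tests is treated as red here
    (assumption: nothing proves compliance, see 'tests are missing').
    """
    tests = list(test_statuses)
    if not tests:
        return "red"
    if any(s in ("not_executed", "failed", "error") for s in tests):
        return "red"
    return "green"


if __name__ == "__main__":
    result = disk_encryption_test(SAMPLE_DISKS)
    print(result["status"], result["findings"])
    print(control_status([result["status"], "passed"]))
```

Running the block against the sample data reports one finding (the `legacy-export` disk) and a failed test, which alone turns the control red; passing `None` in place of the disk list, as a broken connector would, yields error rather than passed, which is the point of the Info box above.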

Completing assessments

Assessments vs regular tasks

Assessments are specialized manual tasks with additional functionality:

  • Assessors - Automatically assigned to control assessors (not owners)
  • Linked tasks tab - Overview of all related tasks
  • Effectiveness conclusion - Mandatory choice: Effective vs Ineffective
  • Periodic assessment per control - assessments typically occur periodically, with one assessment covering the entire control
  • One assessment for multiple controls - it's quite normal to assess multiple controls in one assessment. The Assessment task is then visible under each linked control in the overview

Executing assessments

Assessments are otherwise executed in the same way as regular manual tasks.

Drawing a conclusion

There is no single, unambiguous rule for deciding whether a control is Effective or Ineffective; where such rules exist, they are organization-specific.

In general terms, however, we recommend the following strategy:

A control is effective when:

  • All linked tasks have been successfully completed (closed)
  • The associated evidence demonstrates adequate implementation of the relevant control
  • All automated tests have been successfully completed (passed)
  • No tasks, tests or other requirements are missing
  • Any Issues linked to the control have been handled in a timely and adequate manner

A control is ineffective when:

  • Tasks have not been completed by their deadline
  • The associated evidence is insufficient
  • Automated tests show security issues
  • Tasks or tests needed for the control are missing
  • Any Issues linked to the control have not been handled in a timely or adequate manner