Manage Controls

Controls are the building blocks of the policies used to measure and report compliance for a set of hosts. We provide many controls for you to choose from, and you can create your own. Your compliance reports show each host's compliance status (pass or fail) against the policy controls.

By default all available frameworks are displayed with controls in compliance policies and reports. Managers have the option to choose which frameworks to display.

Go to Policies > Setup > Frameworks, choose "Customize the list of frameworks", select the frameworks you want to display from the Available frameworks list and click Add.

By default all available technologies are displayed with controls while creating compliance policies. Managers have the option to choose which technologies to display.

Go to Policies > Setup > Technologies, choose "Display my preferred technologies", select the technologies you want to display from the list and click Add.

System Defined Control (SDC) - These are controls provided by Qualys. Add system defined controls to your policies to report on them.

User Defined Control (UDC) - These are custom controls that you create. In order to report on policies with user defined controls, be sure to add these controls to your account before you scan. To add a new UDC, go to PC > Policies > Controls and select New > Control.

Qualys Custom Control (QCC) - These are predefined controls provided by Qualys when you import policies from the library. These are similar to user defined controls. Once added to your account you can copy any QCC to make your own UDC that you can customize to meet your needs.

Go to PC > Policies > Controls > New > Control. Select Windows Control Types, Unix Control Types or Database Control Types. Then click the control type you want to create.

Tip - Click the launch help link for help with control settings.

See What control types can I choose?

Manager and Auditor users can import and export user-defined controls in XML format. Other users can export user-defined controls if they have the "Manage Compliance" permission; these users do not have permission to import controls.

Managers and Auditors can edit controls. Unit Managers may be granted permission to edit user-defined controls. Go to PC > Policies > Controls, select a control and choose Edit from the Quick Actions menu.

What values can I edit?

For system-defined controls, you can edit control references and comments.

For user-defined controls, you can edit the control statement, category, sub-category, comments, reporting options, scan parameters and their description, control values used to calculate the expected values, control technologies, and references.

When Control Criticality is enabled for your subscription, you can change or remove the criticality level assigned to the control.

After you edit a UDC, to use the modified values in data collection and evaluation, you must run a fresh scan and generate a new report.

Controls provided by our service cannot be deleted. Managers and Auditors can delete user-defined controls. Unit Managers may be granted this permission.

Go to PC > Policies > Controls. Select the user-defined control(s) you want to delete and then select Actions > Delete. Any scan data collected on hosts for those controls will also be deleted. After removing a control, it is recommended to click Evaluate Now while saving the policy.

Go to PC > Policies > Controls > Search, and then, in the Search dialog box, search for the controls by using the various search filters. You can search controls by their CIDs, control text, the Deprecated status, OS-dependent database controls (only SDCs), technologies and frameworks, framework ID, category, criticality, and control type, among others.


It is recommended to click Evaluate Now while saving a policy after making any changes that impact the posture, such as:

- Adding or removing controls
- Adding or removing a technology at the policy or the control level
- Adding or removing an asset group
- Updating an expected value

Failing to click Evaluate Now might result in inconsistent posture data. This is because the posture data for assets associated with removed controls, technologies, or asset groups may not be deleted immediately. The data is deleted when the policy evaluation takes place during the next scan or policy processing triggered by a change in the asset group or UDC.


Still have questions?

How do we calculate expected values?

We calculate the expected value for each control for each technology depending on parameters provided for the control. The calculation logic is determined by the control data type.

What are deprecated controls?

A deprecated control is a control that has been retired for all technologies. You'll see the deprecated control icon when viewing deprecated controls in policies and in policy compliance reports.
