Fulfilling Requirements and Controls
This article guides you through the process of fulfilling Requirements and Controls end-to-end.
What are Requirements and Controls?
Requirements are the highest and most important governance objects on the platform. They break down Frameworks into logical sections. For example, the EU AI Act consists of a series of Articles covering different areas. The Requirements of the EU AI Act Framework correspond to these Articles. The same applies to ISO standard chapters.
Each Requirement consists of one to many out-of-the-box mapped Controls.
A Control, in the context of compliance, is a specific measure or procedure implemented by an organization to mitigate risks, ensure adherence to regulations, and achieve compliance objectives. Controls are designed to prevent, detect, or correct non-compliant activities or errors within business processes.
Learn more about Requirements, Controls and other concepts.
Fulfillment Steps
To help you get started on your compliance activity on Modulos, the example included in this article walks through the process of fulfilling a Requirement.
- Review the Requirement
- Assign ownership to the Requirement
- Review mapped Controls
- Assign ownership to the mapped Controls
- Write a Report and attach Evidence
- Associate Risks, Tests and Tags
- Review the Control and change its Status
- Review the Requirement
Prerequisites
- You’re logged into the Modulos platform
- You have access to a project and you're assigned the editor role. You’ll need the reviewer or owner role to complete the review step
Example: MRF-2 Data and Data Governance
The Requirement "MRF-2 Data and Data Governance" is concerned with whether High-risk AI systems which make use of techniques involving the training of models with data are developed on the basis of training, validation and testing data sets which meet certain criteria.
This Requirement therefore has a wide scope, as privacy and data protection concerns can arise in many aspects of an AI project. That's why we can see thirteen mapped Controls to make sure all these aspects are covered.
Step 1: Review the Requirement
- Inside your project, navigate to the Requirements page by clicking on Requirements in the top bar.
- You can find the MRF-2 Requirement by searching for its name in the Search requirements field.
- Click on the MRF-2 rectangle.
- You can then review the Description and Details for the exact EU AI Act reference.
Each Requirement is in Not Fulfilled status by default.
Step 2: Assign ownership to the Requirement
Every Requirement should be assigned to a person that’s responsible for its fulfillment. You can assign the Requirement Owner by selecting a User from the field in the sidebar. This user will get a notification that they’ve been assigned as Owner and see this Requirement as part of their user dashboard.
Step 3: Review mapped Controls
The Requirement Owner is responsible for the fulfillment of the Requirement and for assigning all the mapped Controls to the appropriate Control Owners.
NOTE: By default, the Requirement Owner becomes the Control Owner for all the mapped Controls!
Scroll down the Requirement to the Mapped Controls section and click on the one you want to review.
The Control MCF-26 “Data Privacy” is concerned with the question of whether sufficient measures are in place to ensure privacy and data protection. This Control therefore has a wide scope, as privacy and data protection concerns can arise in many aspects of an AI project.
Each Control is in Not Executed status by default.
Step 4: Assign a Control Assignee
Every Control should be assigned to a person that’s responsible for its execution. You can assign the Control Owner by selecting a user from the field in the sidebar. This user will get a notification that they’ve been assigned as Control Owner and see this Control as part of their user dashboard.
Step 5: Write a Report and Attach Evidence
If you navigate to the Report tab, you will find an editor with a template report. Depending on your organization's approach, you can use this template or follow your own report style. In this report, you should assemble a detailed explanation of how this Control is met.
To support the report, you can attach one or more Evidence files to the Control. You can do so on the Control tab, where you can either attach an already-uploaded Evidence file or upload a new one and attach it directly to the Control.
NOTE: If you attach an Evidence file to a Control and change its status to Executed, then you can no longer edit or delete the Evidence.
Step 6: Associate Risks, Tests and Tags
You can associate the Control with other concepts from the sidebar.
Associating Risks to Controls is an important part of AI risk management.
- If the Control is relevant to an already existing Risk, you can associate the two by clicking Associate to a Risk and selecting the Risk.
- If, as part of the Control fulfillment process, you realize that a new Risk should be created, you can do so by clicking Associate to a Risk and clicking Create New Risk. This will forward you to the Risk creation process.
Associating Tests to Controls can be helpful in the AI governance process. Testing is a highly flexible feature which allows you to automatically check whether your AI system infrastructure is operating in the way that’s expected.
- If the Control is relevant to an already existing Test, you can associate the two by clicking Associate to a Test and selecting the Test.
- If, as part of the Control fulfillment process, you realize that a new Test should be created, you can do so by clicking Associate to a Test and clicking Create New Test. This will forward you to the Test creation process.
Controls that are part of Frameworks maintained by Modulos are already tagged with Tags related to the AI System Lifecycle, Goals, Areas and Scopes. By clicking Update Tags in the sidebar, you can add or update the Tags associated with the Control to make your Controls easier to filter and group.
Step 7: Review the Control and change its Status
The Control Owner should change the Control status to Executed or Out of Scope in order to inform the Requirement Owner that their work is done.
When all the Controls mapped to the Requirement are finished, the Requirement Owner will be notified about the start of the Review process.
Step 8: Review the Requirement
After being notified, the Requirement Owner reviews the completeness of all mapped Controls and either changes the status of the Requirement to Fulfilled or challenges certain Controls by changing their Status back to Not Executed.
Bravo! You just finished your first end-to-end fulfillment workflow.