Question - calculation of "no controls" in Compliance Analysis Overview (fixed r34)


I can’t trace the number of failed controls according to the compliance analysis overview to the single items.
It shows 24 items of the compliance package without controls (according to the tooltip: = no control OR no policy). I can’t trace this number down to the items:

  • I have 4 items without any control or policy,
  • 8 items without control and with a policy with missing review,
  • 1 item with a control with missing audit and no policy,
  • 3 items where audit/review is mssing for both control and policy.
    So I would expect maximum of 16 items without controls. I also have 7 items with a valid control and a policy where the review is missing so I would get to 23 (maybe I have overlooked one…). Is this all included in the calculation of the dashboard? Even though for 7 items there is a working and valid control or policy?


Let me use this example, i was now working with PCI-DSS…i only completed the first 5 items, the rest i have not touched it.

The stats eramba shows are:

So how this is calculated?

A= 4 since only 4 are “Compliant” (only one is non compliant)
B= 254 since the total number of pci requirements is 300 (254-4-1)
C= 0 since non is “non applicable” under the “strategy” column
D= 1 since only 1 is “not compliant” under the “strategy” column
E= 3 since out of the 4 items (from A), 3 have only “policies” (not “controls”) … the math is 3/4=75%
F= 1 since out of 4 items, only 1 has “controls” … the math is 1/4 = 25%
G= the average effectiveness from the 4 items…

The numbers explanation is the one above, i think a better explanation can be included on the (i) icon next to the table headers.
Also please tell me what numbers you would like to see? I think we could also add a link to each number so when clicked a filter is immediately listed.

Thanks Fabian again!!!

The direct link would be highly appreciated.

Now it’s clear to me, but the informational text in the (i) icon for “no controls” is wrong in this case. There it states “From all the items that have been reviewed (addressed) how many do not have at least one policy or security control mapped”.

In the end these columns are ok, maybe you should think about which number should be put in there? Only those items without controls AND without policies, or like now all items without controls. I would say, if there is a link to these items it’s better to list all items without controls and it can be easily checked which have at least a policy assigned.


The helper has an issue for next week release:

Filters (no due date for now):