The Diri Control Matrix

What is the Diri Control Matrix?

The Diri control matrix (DCM) is an innovation unique to our software. In short, the DCM is a security control visualization tool that allows for in-depth analysis of how well the system security is managed. The DCM is populated using the data from the risk assessment and the treatment plan. The matrix is clickable and allows for drill-down. The control matrix adds significant transparency to your security evaluation. It will enable you to audit systems and organizations like never before. You can find it in your risk assessment dashboard, below the registration and assessment process.

A DCM summary illustrating the number of controls per class and their implementation status.

Information in the DCM

The control matrix shows how security controls are categorised and their implementation status. The categorisation follows established best practice and divides controls into three types and four classes. The DCM shows four kinds of information:

  1. X-axis: Control classes, following the established best-practice classification of the cybersecurity framework.
    1. Identify is a treatment class for developing the organisational understanding needed to manage cybersecurity risk to systems, assets, data, and capabilities.
    2. Protect and maintain is a class for safeguarding and supporting the delivery of critical infrastructure services and for asset protection (primarily probability-reducing measures).
    3. Detect is a class of treatments for identifying the occurrence of a cybersecurity event.
    4. Respond and recover is a class of treatments for developing and implementing the appropriate activities for handling a detected cybersecurity incident, and for developing and maintaining resilience plans and restoring any capabilities or services that were impaired by a cybersecurity incident.
  2. Y-axis (expanded): Treatment types are categorised into the following three categories in Diri:
    1. Physical controls are barriers in the physical domain, such as door locks, card readers, and fences.
    2. Technical controls are the technological barriers often associated with cybersecurity, such as firewalls, network monitoring, and encryption.
    3. Administrative controls are security policies, guidelines, routines, and organisational security measures.
    4. Uncategorised: Both DCM axes have an uncategorised option that groups treatments that have not been assigned a class or type.
  3. The numbers inside each square are a fraction: how many treatments have been implemented (numerator) over the total number of defined treatments (denominator).
  4. The pie chart around the numbers in each square details the treatment implementation status.


Analysis in the DCM

The summary, illustrated above, is the first DCM view in the Risk Assessment Dashboard. Studying the figure, we can already obtain helpful information about the assessed object. Firstly, Ø means that the square does not contain any data. One control is defined for Identify, but no controls are implemented or planned in this class. Only 6/31 protection measures are in place (green in the pie chart). However, several are planned (orange) and ongoing (yellow). Only one detection measure is in place, while one is planned and another proposed. We interpret the Respond and recover results in the same way. In summary, we see that 8/41 measures are in place for this system.

We can expand the DCM to view more information about the treatments. At first glance, the fully expanded DCM contains a lot of information. However, it is a handy tool to identify gaps in the control chain:

 A fully expanded DCM.

An interpretation and analysis of the DCM illustrated above:

All the treatments in the example have been categorised, so the Uncategorised squares are empty. Starting with the Identify class, we can see that there is one administrative security control. However, to be fair, we know that they are already using Diri for risk assessments, and Diri is categorised as an Identify control. We can add it as a technical control, together with an administrative routine for its use in the risk assessment.

The Protect and maintain class has 31 defined controls, but only 6 are implemented. The need for physical controls and security is location and hosting dependent. Self-hosted systems need to be secured at the appropriate level. The service provider will often fulfil the physical security requirements for a cloud-based application. Still, they should be written down as part of the contract.

Technical security controls are typically associated with cybersecurity. However, some technical controls require an administrative control to be effective, such as a routine for appropriate use. A typical example of this dependency is having plenty of technical detection controls in place, such as logging and monitoring, but no administrative control that ensures log analysis is routinely done.
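To make the structure described in the "Information in the DCM" list and the gap analysis above concrete, here is a small added example (not Diri's own code, and not from the vendor) that populates a control matrix from a constructed list of treatments. The class and type names are taken from the page; the treatment records, the status labels and the function names are assumptions for illustration. The example computes the "implemented/defined" label per square and per class, the Ø marker for empty squares, the uncategorised buckets on both axes, and a check for the gap discussed above: classes that have technical controls but no administrative counterpart.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# The four classes on the X-axis and three types on the Y-axis, each with the
# Uncategorised bucket the page describes for treatments without an assignment.
CLASSES = ("Identify", "Protect and maintain", "Detect", "Respond and recover", "Uncategorised")
TYPES = ("Physical", "Technical", "Administrative", "Uncategorised")
# Implementation statuses as they appear in the summary pie chart (assumed labels).
STATUSES = ("implemented", "ongoing", "planned", "proposed")


@dataclass(frozen=True)
class Treatment:
    name: str
    cls: Optional[str]   # None -> Uncategorised on the X-axis
    typ: Optional[str]   # None -> Uncategorised on the Y-axis
    status: str


def _bucket(value, allowed):
    """Map a missing or unknown label to the Uncategorised bucket of its axis."""
    return value if value in allowed else "Uncategorised"


def build_matrix(treatments):
    """Return {(class, type): Counter(status)} covering every square, empty ones included."""
    matrix = {(c, t): Counter() for c in CLASSES for t in TYPES}
    for tr in treatments:
        if tr.status not in STATUSES:
            raise ValueError(f"unknown status {tr.status!r} on treatment {tr.name!r}")
        matrix[(_bucket(tr.cls, CLASSES), _bucket(tr.typ, TYPES))][tr.status] += 1
    return matrix


def square_label(counts):
    """'implemented/defined' as shown inside a square, or 'Ø' for a square without data."""
    defined = sum(counts.values())
    return "Ø" if defined == 0 else f"{counts['implemented']}/{defined}"


def class_summary(matrix):
    """Collapse the Y-axis: one 'implemented/defined' label per class, as in the summary view."""
    per_class = defaultdict(Counter)
    for (cls, _typ), counts in matrix.items():
        per_class[cls].update(counts)
    return {cls: square_label(per_class[cls]) for cls in CLASSES}


def overall_label(matrix):
    """Total 'implemented/defined' across the whole matrix (the page's 8/41 style figure)."""
    total = Counter()
    for counts in matrix.values():
        total.update(counts)
    return square_label(total)


def missing_administrative_support(matrix):
    """Classes with technical controls defined but no administrative control at all."""
    return [cls for cls in CLASSES[:-1]
            if sum(matrix[(cls, "Technical")].values()) > 0
            and sum(matrix[(cls, "Administrative")].values()) == 0]


def render(matrix):
    """Plain-text rendering of the expanded DCM: one row per type, one column per class."""
    width = max(len(c) for c in CLASSES)
    lines = [" " * 16 + " ".join(c.ljust(width) for c in CLASSES)]
    for typ in TYPES:
        cells = [square_label(matrix[(cls, typ)]).ljust(width) for cls in CLASSES]
        lines.append(typ.ljust(16) + " ".join(cells))
    return "\n".join(lines)


# Constructed sample treatments for a fictional system (not data from the page).
SAMPLE = [
    Treatment("Risk assessment routine", "Identify", "Administrative", "proposed"),
    Treatment("Firewall", "Protect and maintain", "Technical", "implemented"),
    Treatment("Disk encryption", "Protect and maintain", "Technical", "ongoing"),
    Treatment("Server room door lock", "Protect and maintain", "Physical", "implemented"),
    Treatment("Acceptable use policy", "Protect and maintain", "Administrative", "planned"),
    Treatment("Central logging", "Detect", "Technical", "implemented"),
    Treatment("Network monitoring", "Detect", "Technical", "planned"),
    Treatment("Backup restore test", "Respond and recover", "Administrative", "implemented"),
    Treatment("Incident response plan", "Respond and recover", "Administrative", "proposed"),
    Treatment("Vendor notification", None, None, "planned"),
]

if __name__ == "__main__":
    m = build_matrix(SAMPLE)
    print(render(m))
    print("Per class:", class_summary(m))
    print("Overall:", overall_label(m))
    print("Technical controls without administrative support:", missing_administrative_support(m))
```

On the sample data the Detect class is flagged: two technical detection controls are defined, but no administrative routine exists to act on what they produce, which is exactly the gap the paragraph above warns about.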

We can click on a square in the DCM to drill down:


Drill-down into a DCM square detailing status and which cause and/or consequence the control affects.

Clicking on a row in the details opens the selected treatment for viewing and editing. Multiple causes/consequences listed on one treatment means the treatment has a risk-reducing effect on all of them.

When to use the DCM

We have yet to scratch the surface of the DCM and maybe you will find even better ways of using it than we have!

A great way to use the DCM is as a compliance tool for the overall risk assessment. We in Diri AS have already created a set of generic risks and controls that every organisation should have as a baseline. If you are managing multiple organisations or units and want all of them to assess a standard set of risks and controls, use the copy function in Diri, which allows re-use of existing control sets in specific sub-organisations. Combine the existing control set with the control matrix and you have an excellent auditing and progress-tracking tool for the overall work with information security.

A similar approach can be used for ICT systems. The DCM also works for auditing specific systems, as illustrated above: it immediately highlights missing controls and missing implementation.
