
# Sync to actions

**Sync to actions** lets an assessment pull the current state of its linked applied controls back into the assessment itself — closing the gap between "we said we'd do X" and "X is done". It exists in two flavours: a one-shot button you trigger from a detail page, and a daily background job for assessments you've flagged for automatic sync.

## What it does

The exact behaviour depends on the assessment type — the verb is the same ("sync to actions") but the mechanics differ:

### Audit (compliance assessment)

For every requirement assessment that has at least one applied control attached:

* **Single control attached**: requirement becomes *Compliant* if the control is **Active**, *Non-compliant* otherwise.
* **Two or more controls attached**:
  * All controls active → *Compliant*.
  * At least one active → *Partially compliant*.
  * None active → *Non-compliant*.

Side-effect: if the audit has *extended results* enabled and a requirement was sitting on a **Major** or **Minor non-conformity**, but the new result is no longer in the non-compliant range, the extended result is reset to undefined.
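The inference rule and the extended-result reset can be sketched as follows. This is an added example, not CISO Assistant's own code: the `Requirement` class, the status and result strings, and the reading of "non-compliant range" as non-compliant plus partially compliant are assumptions. `dry_run` defaults to a preview that changes nothing.

```python
from dataclasses import dataclass
from typing import Optional

ACTIVE = "active"  # assumed spelling of the Active status
NONCONFORMITIES = {"major_nonconformity", "minor_nonconformity"}
# Assumption: the "non-compliant range" means these two results.
NON_COMPLIANT_RANGE = {"non_compliant", "partially_compliant"}

@dataclass
class Requirement:  # hypothetical stand-in for a requirement assessment
    ref: str
    control_statuses: list
    result: str = "not_assessed"
    extended_result: Optional[str] = None

def infer_result(statuses):
    """Rule from the text; None means no control attached, so nothing is inferred."""
    if not statuses:
        return None
    active = sum(s == ACTIVE for s in statuses)
    if active == len(statuses):
        return "compliant"
    if active:  # only reachable with two or more controls
        return "partially_compliant"
    return "non_compliant"

def sync_audit(requirements, extended_results=True, dry_run=True):
    """Return the planned changes; write them only when dry_run is False."""
    changes = []
    for req in requirements:
        new = infer_result(req.control_statuses)
        if new is None or new == req.result:
            continue
        reset = (extended_results and req.extended_result in NONCONFORMITIES
                 and new not in NON_COMPLIANT_RANGE)
        changes.append((req.ref, req.result, new, reset))
        if not dry_run:
            req.result = new
            if reset:
                req.extended_result = None
    return changes

def sample_audit():
    """Constructed sample data, not taken from a real audit."""
    return [
        Requirement("REQ-1", ["active"], "non_compliant", "major_nonconformity"),
        Requirement("REQ-2", ["active", "in_progress"]),
        Requirement("REQ-3", ["degraded", "deprecated"], "compliant"),
        Requirement("REQ-4", [], "compliant"),
    ]
```

Note that `REQ-3` is downgraded from compliant to non-compliant purely because neither control is Active, and `REQ-4` is untouched because it has no control attached.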

### Risk assessment

For every risk scenario in the assessment, sync runs the scenario-level logic described below. The assessment-level sync is a thin wrapper that iterates over its scenarios.

### Risk scenario

If all "planned" applied controls (`applied_controls`) attached to the scenario are **Active**:

* Promote those controls to **existing applied controls** — they're no longer planned, they're in place.
* Set **current risk** to the previous **residual risk** — the residual state is now the current state.
* *Optionally* reset residual probability/impact to "not rated" so you can plan a new round of treatment.

If any planned control is not Active, the scenario is left alone — sync is all-or-nothing per scenario.
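The all-or-nothing promotion and the risk-assessment wrapper, as an added sketch (not the project's code). The `Scenario` class, the `(probability, impact)` tuples and the `None` "not rated" marker are hypothetical, and leaving a scenario with no planned controls alone is an assumption the page does not state.

```python
from dataclasses import dataclass, field

NOT_RATED = None  # assumed marker for an unrated probability/impact pair

@dataclass
class Scenario:  # hypothetical stand-in for a risk scenario
    name: str
    applied_controls: dict                      # planned controls: name -> status
    existing_applied_controls: set = field(default_factory=set)
    current: object = NOT_RATED                 # (probability, impact)
    residual: object = NOT_RATED

def can_promote(s):
    statuses = list(s.applied_controls.values())
    # Assumption: with no planned controls there is nothing to promote. Without
    # this guard all([]) is True and an untreated scenario would be promoted.
    return bool(statuses) and all(st == "active" for st in statuses)

def sync_scenario(s, reset_residual=False, dry_run=True):
    """All-or-nothing per scenario; returns True if it is (or would be) promoted."""
    if not can_promote(s):
        return False
    if not dry_run:
        s.existing_applied_controls |= set(s.applied_controls)
        s.applied_controls = {}   # promoted controls are no longer planned
        s.current = s.residual
        if reset_residual:
            s.residual = NOT_RATED
    return True

def sync_risk_assessment(scenarios, **opts):
    """Thin wrapper: run the scenario sync on each scenario, list the promoted ones."""
    return [s.name for s in scenarios if sync_scenario(s, **opts)]

def sample_scenarios():
    """Constructed sample data."""
    return [
        Scenario("S1", {"mfa": "active", "edr": "active"}, {"fw"}, (3, 3), (1, 2)),
        Scenario("S2", {"backup": "active", "dr-test": "in_progress"}, set(), (2, 3), (1, 1)),
        Scenario("S3", {}, {"fw"}, (2, 2), (2, 2)),
    ]
```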

## Triggering manually

On the detail page of an audit, a risk assessment, or a risk scenario, the **Sync to actions** action opens a confirmation modal showing a **dry-run preview** of what would change — which requirement assessments would move to which result, or which scenarios would be promoted. Confirm to apply.

The dry-run is the default for the preview; only confirming sends `dry_run=false` to the backend. Nothing is changed without that explicit step.

## Triggering automatically

Both audits and risk assessments expose an **Automatic daily sync to actions** checkbox in their **More** dropdown. When on, a Huey periodic task at **02:45 every day** sweeps all eligible assessments and runs sync. Eligibility:

* `auto_sync = true`.
* `is_locked = false` — locked assessments are skipped.
* `status` not in (*Done*, *Deprecated*) — terminal-state assessments are skipped.

If an assessment passes all of those guards but produces no changes, it's a silent no-op. If it produces changes, they're logged with the assessment ID, name, and the count of changes.

Errors don't halt the sweep — a failure on one assessment is logged and the next is processed.
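The eligibility guards and per-assessment error isolation can be modelled like this. It is an added illustration rather than the actual Huey task: the `Assessment` class, the `sync` callable, the status strings and the returned report are all hypothetical.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("auto_sync")
TERMINAL = {"done", "deprecated"}  # assumed spellings of Done / Deprecated

@dataclass
class Assessment:  # hypothetical stand-in for an audit or risk assessment
    id: int
    name: str
    auto_sync: bool = True
    is_locked: bool = False
    status: str = "in_progress"

def is_eligible(a):
    return a.auto_sync and not a.is_locked and a.status not in TERMINAL

def daily_sweep(assessments, sync):
    """sync(a) is a hypothetical callable returning the list of changes applied."""
    report = {"changed": {}, "skipped": [], "failed": []}
    for a in assessments:
        if not is_eligible(a):
            report["skipped"].append(a.id)
            continue
        try:
            changes = sync(a)
        except Exception:
            # One bad assessment must not stop the sweep.
            log.exception("sync failed for assessment %s (%s)", a.id, a.name)
            report["failed"].append(a.id)
            continue
        if changes:  # no changes: silent no-op
            log.info("synced assessment %s (%s): %d changes", a.id, a.name, len(changes))
            report["changed"][a.id] = len(changes)
    return report

def demo():
    """Constructed fleet: 1 changes, 2 is locked, 3 is done, 4 raises, 5 is a no-op."""
    fleet = [Assessment(1, "ISO audit"), Assessment(2, "Locked", is_locked=True),
             Assessment(3, "Closed", status="done"), Assessment(4, "Broken"),
             Assessment(5, "Stable"), Assessment(6, "Manual", auto_sync=False)]
    def fake_sync(a):
        if a.id == 4:
            raise RuntimeError("constructed failure")
        return ["r1", "r2"] if a.id == 1 else []
    return daily_sweep(fleet, fake_sync)
```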

## Mental model

```mermaid
graph LR
  AC[Applied control] -->|status| S[Sync to actions]
  S -->|infers| RA[Requirement assessment result]
  S -->|promotes| EC[Existing controls on scenario]
  S -->|shifts| CR[Current risk = residual]
```

The applied control's **status field** is the input signal; the assessment's result fields are the output. Nothing else feeds sync — it doesn't read evidences, due dates, or owners.

## When to use it

* **You manage controls in CISO Assistant as the source of truth.** Their status (Active / In progress / Degraded / Deprecated) reflects reality, so propagating it to the assessment side keeps the audit and the risk register honest with one click.
* **End-of-cycle reconciliation.** Run sync before an external review so the audit and risk states match the ground truth in the action plan.
* **Continuous compliance.** Turn on auto-sync on the audits and risk assessments you want to keep "always fresh".

## When *not* to use it

* **When manual judgement matters more than mechanical inference.** Sync infers compliance from control status — it can't see that a control is "active but inadequate". For nuanced audits, treat sync as a starting point, not a verdict.
* **On locked assessments.** Sync is blocked anyway, but the point stands: locked = frozen.
* **When the action-plan side of the data is incomplete.** Garbage-in, garbage-out: if half your applied controls are stuck on *Undefined*, sync will trivially mark requirements non-compliant.

## See also

* [Customize your audit](/ciso-assistant/product-docs/guides/assessments/customize-audit.md) — for the `auto_sync` toggle in context.
* [Applied controls](/ciso-assistant/product-docs/concepts/operations/applied-controls.md) — what gets read by sync.
* [Risk assessments](/ciso-assistant/product-docs/concepts/risk/risk-assessments.md) — the three-tier risk model (inherent / current / residual) that scenario sync collapses.

