Added

ControlMap API – Risk Management Write Operations & Relationship Cleanup


Summary

This release expands the ControlMap API with full write-lifecycle support for Risks — building on the existing read/search endpoints, you can now create, update, delete, and map risks, plus look up risk categories and the departments available for risk assignment. It also adds bulk-delete unmapping endpoints for Action Items and Evidence, a hard-delete for Action Items, and section deletion for Policies.

All changes are additive and backward compatible — no existing endpoints, fields, or schemas were changed or removed, and the regional server list is unchanged.


Changes

Risks

  • POST /controlmap/v1/clients/{client_id}/risks

    • N/A → Available
    • Type: addition
    • Notes: Create a risk for a client. Supported status values: Not Assessed, Assessment in progress, Assessed, Remediation in progress, Remediated, Closed. The authenticated user becomes the creator.
  • PATCH /controlmap/v1/clients/{client_id}/risks/{risk_id}

    • N/A → Available
    • Type: addition
    • Notes: Partially update a client risk. Only the fields provided in the request body are changed.
  • DELETE /controlmap/v1/clients/{client_id}/risks/{risk_id}

    • N/A → Available
    • Type: addition
    • Notes: Delete a client risk. The risk and all associated data are permanently removed.
  • POST /controlmap/v1/clients/{client_id}/risks/{risk_id}/mappings

    • N/A → Available
    • Type: addition
    • Notes: Map a risk to assets, asset types, threats, vulnerabilities, vendors, objectives, controls, and/or action items. Include only the entity codes to be mapped; empty or omitted arrays are ignored.
  • POST /controlmap/v1/clients/{client_id}/risks/{risk_id}/mappings/bulk-delete

    • N/A → Available
    • Type: addition
    • Notes: Remove risk mappings (assets, asset types, threats, vulnerabilities, vendors, objectives, controls, action items) in a single bulk request. Send only the codes to unmap.
  • GET /controlmap/v1/clients/{client_id}/risk-categories/{risk_category_id}

    • N/A → Available
    • Type: addition
    • Notes: Retrieve detailed information for a single risk category by ID.
  • GET /controlmap/v1/clients/{client_id}/risks/departments

    • N/A → Available
    • Type: addition
    • Notes: List the departments available for risk assignment for a client.

Policies

  • DELETE /controlmap/v1/clients/{client_id}/policies/{policy_id}/sections/{section_id}
    • N/A → Available
    • Type: addition
    • Notes: Delete a section from a client policy. The section is permanently removed from the policy.

Evidence

  • POST /controlmap/v1/clients/{client_id}/evidences/{evidence_id}/mappings/bulk-delete
    • N/A → Available
    • Type: addition
    • Notes: Remove links between an evidence record and the given objectives (requirements) and/or controls in a single bulk request. Send only the codes to unmap; empty or omitted arrays are ignored.

Action Items

  • DELETE /controlmap/v1/clients/{client_id}/action-items/{action_item_id}

    • N/A → Available
    • Type: addition
    • Notes: Delete an action item. The action item and all associated data are permanently removed.
  • POST /controlmap/v1/clients/{client_id}/action-items/{action_item_id}/mappings/bulk-delete

    • N/A → Available
    • Type: addition
    • Notes: Remove links between an action item and the given objectives (requirements), assessment questions, risks, controls, assets, and/or asset types in a single bulk request. Send only the codes to unmap; empty or omitted arrays are ignored.

Dates

  • Effective: [2026-07-02]