ControlMap API – Risk Management Write Operations & Relationship Cleanup
Summary
This release expands the ControlMap API with full write-lifecycle support for Risks — building on the existing read/search endpoints, you can now create, update, delete, and map risks, plus look up risk categories and the departments available for risk assignment. It also adds bulk-delete unmapping endpoints for Action Items and Evidence, a hard-delete for Action Items, and section deletion for Policies.
All changes are additive and backward compatible — no existing endpoints, fields, or schemas were changed or removed, and the regional server list is unchanged.
Changes
Risks
-
POST
/controlmap/v1/clients/{client_id}/risks- N/A → Available
- Type: addition
- Notes: Create a risk for a client. Supported status values:
Not Assessed,Assessment in progress,Assessed,Remediation in progress,Remediated,Closed. The authenticated user becomes the creator.
-
PATCH
/controlmap/v1/clients/{client_id}/risks/{risk_id}- N/A → Available
- Type: addition
- Notes: Partially update a client risk. Only the fields provided in the request body are changed.
-
DELETE
/controlmap/v1/clients/{client_id}/risks/{risk_id}- N/A → Available
- Type: addition
- Notes: Delete a client risk. The risk and all associated data are permanently removed.
-
POST
/controlmap/v1/clients/{client_id}/risks/{risk_id}/mappings- N/A → Available
- Type: addition
- Notes: Map a risk to assets, asset types, threats, vulnerabilities, vendors, objectives, controls, and/or action items. Include only the entity codes to be mapped; empty or omitted arrays are ignored.
-
POST
/controlmap/v1/clients/{client_id}/risks/{risk_id}/mappings/bulk-delete- N/A → Available
- Type: addition
- Notes: Remove risk mappings (assets, asset types, threats, vulnerabilities, vendors, objectives, controls, action items) in a single bulk request. Send only the codes to unmap.
-
GET
/controlmap/v1/clients/{client_id}/risk-categories/{risk_category_id}- N/A → Available
- Type: addition
- Notes: Retrieve detailed information for a single risk category by ID.
-
GET
/controlmap/v1/clients/{client_id}/risks/departments- N/A → Available
- Type: addition
- Notes: List the departments available for risk assignment for a client.
Policies
- DELETE
/controlmap/v1/clients/{client_id}/policies/{policy_id}/sections/{section_id}- N/A → Available
- Type: addition
- Notes: Delete a section from a client policy. The section is permanently removed from the policy.
Evidence
- POST
/controlmap/v1/clients/{client_id}/evidences/{evidence_id}/mappings/bulk-delete- N/A → Available
- Type: addition
- Notes: Remove links between an evidence record and the given objectives (requirements) and/or controls in a single bulk request. Send only the codes to unmap; empty or omitted arrays are ignored.
Action Items
-
DELETE
/controlmap/v1/clients/{client_id}/action-items/{action_item_id}- N/A → Available
- Type: addition
- Notes: Delete an action item. The action item and all associated data are permanently removed.
-
POST
/controlmap/v1/clients/{client_id}/action-items/{action_item_id}/mappings/bulk-delete- N/A → Available
- Type: addition
- Notes: Remove links between an action item and the given objectives (requirements), assessment questions, risks, controls, assets, and/or asset types in a single bulk request. Send only the codes to unmap; empty or omitted arrays are ignored.
Dates
- Effective: [2026-07-02]
