Understanding Critical Gates
What critical gates are, how they affect scoring, when to use them
3 min read • Article 6 of 9 in Templates
Critical gates are special questions that must pass for the entire assessment to be considered compliant, regardless of the overall score.
What Are Critical Gates?
A critical gate is a question marked as "must pass." If a respondent fails a critical gate question, the assessment is automatically marked as non-compliant even if the overall score exceeds the compliance threshold.
How Critical Gates Work
1. During template creation, mark a question as a Critical Gate
2. When the assessment is scored, any failed critical gate triggers a flag
3. The overall compliance status becomes "Non-Compliant" regardless of the numerical score
4. The scoring report clearly identifies which critical gates failed
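The scoring rule above, as an added example rather than the product's own code: a weighted score is compared to a threshold, and any failed critical gate overrides the numerical result. The question fields, the `critical_gate` flag, the 70% threshold and the sample answers are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Question:
    id: str
    passed: bool
    weight: int = 1
    critical_gate: bool = False  # question marked "must pass" in the template (assumed field)


@dataclass
class ScoringResult:
    score_pct: float
    status: str  # "Compliant" or "Non-Compliant"
    failed_gates: list = field(default_factory=list)  # ids of failed critical gates


def score_assessment(questions, threshold_pct=70.0):
    """Weighted pass/fail score; a failed critical gate forces Non-Compliant."""
    total = sum(q.weight for q in questions)
    earned = sum(q.weight for q in questions if q.passed)
    score = 100.0 * earned / total if total else 0.0
    # Step 2: collect every critical gate that did not pass
    failed_gates = [q.id for q in questions if q.critical_gate and not q.passed]
    # Step 3: the gate check wins over the numerical threshold
    compliant = score >= threshold_pct and not failed_gates
    return ScoringResult(round(score, 1), "Compliant" if compliant else "Non-Compliant", failed_gates)


# Constructed sample: 80% score (above threshold) but the encryption gate failed
SAMPLE = [
    Question("Q1-encryption-at-rest", passed=False, critical_gate=True),
    Question("Q2-mfa-admin-access", passed=True, critical_gate=True),
    Question("Q3-backup-procedures", passed=True),
    Question("Q4-incident-response-plan", passed=True),
    Question("Q5-patch-cadence", passed=True),
]

if __name__ == "__main__":
    r = score_assessment(SAMPLE)
    # Step 4: the report names the failed gates explicitly
    print(f"Score {r.score_pct}% -> {r.status}; failed gates: {r.failed_gates}")
```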
When to Use Critical Gates
Use critical gates for absolute requirements that cannot be compromised:
- Encryption at rest — Data must be encrypted, no exceptions
- Multi-factor authentication — Required for all administrative access
- Backup procedures — Critical data must have backup processes
- Incident response plan — Organization must have a documented plan
- Legal compliance — Regulatory requirements with no flexibility
Best Practices
- Use critical gates sparingly — only for truly non-negotiable requirements
- Clearly communicate to respondents that these questions are critical
- Add guidance text explaining why the control is mandatory
- Review critical gate selections periodically to ensure they remain relevant
Impact on Reports
When a critical gate fails:
- The report shows a prominent warning
- The compliance certificate is withheld
- Specific remediation guidance is provided for the failed gate
