Compliance Management

Compliance management: frameworks (PCI DSS, ISO 27001, SOC 2, HIPAA, GDPR, etc.) with templates and company-specific instances, local compliance (regulators and requirements), internal compliance (policies and requirements), mandatory processes with reminders and execution confirmation.

Key Benefits

Compliance Frameworks

Framework templates (PCI DSS, ISO 27001, SOC 2, HIPAA, GDPR, NIST, COBIT, CIS, or custom) with categories and controls. Applying a template to companies creates instances; the structure can be synchronized with the template. Controls have status, priority, responsible person, evidence (with approval), notes, and mapping. Scheduled reviews, Excel/PDF export, Excel import, bulk operations.

Local & Internal Compliance

Local: regulators by country and type, requirements (law, regulation, etc.) as templates and company-specific instances; categories, controls, evidence. Internal: sources (policy, standard, procedure), internal requirements (templates/instances); template library with import from Excel and via AI; controls and evidence.

Mandatory Processes

A registry of mandatory processes and procedures: description, link to the source document, frequency, next execution date, responsible persons and additional individuals. Reminders a set number of days before the deadline; attachments and execution history with confirmation (evidence files). Registry export. Access by groups and individual users.

Evidence & Access

Evidence of control execution: type (document, screenshot, log, policy, certificate, etc.), file, description; approval or rejection with a comment. Separate permissions for viewing, editing, adding, deleting, and approving evidence. Access to each subsection (frameworks, local, internal) is configured by groups and a company list.

Features & Capabilities

Compliance Frameworks

  • Framework catalog: type (PCI DSS, ISO 27001, SOC 2, HIPAA, GDPR, NIST, COBIT, CIS, custom), version, status (draft, active, archived)
  • Template and company-specific instance; apply template to companies; synchronize instance with template
  • Categories and controls: code, name, description, status, priority, responsible person, deadlines, minimum evidence count
  • Evidence, assignment of responsible persons, control notes, control mapping
  • Export framework to Excel and PDF; import from Excel; Excel template; bulk apply, duplicate, change status, delete
  • Scheduled review: frequency, next/last review date, responsible person; review marking, archiving
  • Framework content translation by country

Local Compliance

  • Regulators: name, country, regulator type, companies and company types
  • Regulator requirements: template and company-specific instance; code, name, type (law, regulation, directive, etc.), status
  • Requirement categories, controls, evidence, assignments, notes, mapping
  • Apply requirement template to companies; export and import
  • Guide with translations; access by groups and companies

Internal Compliance

  • Requirement sources: policy, standard, procedure, directive, etc.; name, description, companies
  • Internal requirements: template and company-specific instance; code, name, type, status, deadlines, link to document
  • Requirement template library: create, edit, delete; Excel export/import; AI-powered import; notes and attachments
  • Categories, controls, evidence, assignments, notes, mapping
  • Guide with translations; access by groups and companies

Mandatory Processes & Access

  • Mandatory processes: name, description, company, source document (from document registry), frequency, next execution date, last execution
  • Responsible persons and additional individuals; priority; reminders N days before deadline; attachments
  • Execution confirmation: execution history, evidence files; process registry export
  • Access by groups and individual users; guide with translations
  • Separate access permissions for frameworks, local and internal compliance: view, edit, add, delete, evidence, evidence approval, reports, export; company list

Use Cases

Compliance with Standards (PCI DSS, ISO 27001, etc.)

Create a framework template of the selected type (PCI DSS, ISO 27001, SOC 2, HIPAA, GDPR, etc.), add categories and controls with descriptions, priorities, and evidence requirements. Apply the template to companies — an instance is created for each. In the instance, assign responsible persons, change control statuses, add evidence (documents, screenshots, logs) and approve it. Schedule framework reviews and export reports to Excel or PDF.

Local Regulatory Requirements

Add regulators (e.g., NBU) with country and type. Create requirements (laws, regulations, directives) as templates and apply them to companies. Within instances, manage categories and controls, collect evidence of execution, and track statuses. Export data for reporting to the regulator.

Internal Policies and Procedures

Set up sources of internal requirements (security policy, standard, procedure). Create requirement templates and apply them to companies. Use the template library: import requirements from Excel or generate them using AI. Manage controls and evidence for internal compliance audits.

Mandatory Periodic Processes

Register mandatory processes and procedures (e.g., quarterly access rights review). Specify frequency, next execution date, responsible persons, and additional individuals. Set reminders a few days before the deadline. Upon completion, record the fact and attach evidence files. Review execution history and export the registry.

Access Segregation

Access to the "Frameworks," "Local Compliance," and "Internal Compliance" sections is configured separately by user groups. For each group, a list of companies and detailed permissions are specified: view/edit frameworks and controls, work with evidence, approve evidence, view reports, export. Mandatory processes are managed by groups and a list of users with access.

Technical Details

Architecture

Compliance module: four subsections — frameworks, local compliance, internal compliance, mandatory processes. Frameworks: template/company instance, categories, controls with status and priority, evidence (type, file, approval), assignments, notes, mapping; scheduled reviews, Excel/PDF export, Excel import, country-specific translation. Local: regulators, requirements (template/instance), categories, controls, evidence. Internal: sources, requirements (template/instance), template library, Excel and AI import. Mandatory processes: registry with frequency, reminders, attachments, and execution history. Guides with country-specific translations. Data in the project database; files in project storage.

Security

Access to frameworks, local and internal compliance is managed by groups and a company list; permission checks for viewing, editing, evidence approval, and export. Mandatory processes: access by groups and individual users. CSRF protection and input validation. Evidence files and attachments are stored with access restrictions.

Scalability

Lists of frameworks, requirements, and processes with pagination and filtering; queries with eager loading of related data. Export and import are handled within a typical request. Content translation and AI import depend on external APIs. Suitable for standard project deployment.

Customization

Framework types, statuses, evidence types, regulator and requirement types, internal requirement source types. Separate access settings for each subsection by groups and companies. Mandatory process frequency and reminder parameters. Guides with basic content and country-specific translations.

Frequently Asked Questions

What is a framework template and instance?

A template is a master framework not linked to any company: it defines the categories and controls. An instance is created when the template is applied to a selected company — it contains the same categories and controls but allows managing statuses, assignments, and evidence specifically for that company. The instance's structure can be synchronized with the template (updating names and descriptions) while preserving local data (statuses, responsible persons, evidence).

What framework types are supported?

Predefined types: PCI DSS, ISO 27001, SOC 2, HIPAA, GDPR, NIST, COBIT, CIS Controls. A "Custom" type is also available for other standards. Each framework has a version and status (draft, active, archived).

How does control evidence work?

One or more pieces of evidence can be added to a control. Each evidence item has a type (document, screenshot, log, policy, procedure, certificate, report, etc.), a description, and a file. Evidence can be submitted for approval; the responsible person approves or rejects it with a comment. A control may have a minimum required number of evidence items to be considered completed.
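The two FAQ answers above (template vs. instance, and evidence-based completion) describe a small data model and a merge rule. The following is an added example, not code from the page or its module, that models that rule in plain Python: a template is applied to a company to create an instance, the instance is later synchronized with a revised template so that names and descriptions follow the template and new controls are added, while statuses, responsible persons and evidence stay local, and a control counts as complete only when at least `min_evidence` evidence items have been approved. All class names, field names and the sample PCI DSS content are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the page's template/instance scheme (names are assumptions).

@dataclass
class Evidence:
    kind: str                  # document, screenshot, log, policy, certificate, ...
    file: str
    description: str = ""
    status: str = "pending"    # pending -> approved | rejected (with a comment)
    review_comment: str = ""

@dataclass
class Control:
    code: str
    name: str
    description: str = ""
    priority: str = "medium"
    min_evidence: int = 1
    # Instance-local data; always at defaults in a template
    status: str = "not_started"
    responsible: Optional[str] = None
    evidence: list = field(default_factory=list)

@dataclass
class Category:
    code: str
    name: str
    controls: dict = field(default_factory=dict)   # control code -> Control

@dataclass
class Framework:
    name: str
    company: Optional[str] = None                  # None means "template"
    categories: dict = field(default_factory=dict) # category code -> Category

def apply_template(template, company):
    """Create a company instance with fresh copies of the template's structure."""
    inst = Framework(template.name, company)
    for cat in template.categories.values():
        copies = {c.code: Control(c.code, c.name, c.description, c.priority, c.min_evidence)
                  for c in cat.controls.values()}
        inst.categories[cat.code] = Category(cat.code, cat.name, copies)
    return inst

def sync_with_template(instance, template):
    """Refresh structure from the template; keep local statuses, assignments and evidence.
    Returns the codes of controls that were newly added to the instance."""
    added = []
    for tcat in template.categories.values():
        icat = instance.categories.setdefault(tcat.code, Category(tcat.code, tcat.name))
        icat.name = tcat.name
        for tctl in tcat.controls.values():
            ictl = icat.controls.get(tctl.code)
            if ictl is None:
                icat.controls[tctl.code] = Control(tctl.code, tctl.name, tctl.description,
                                                   tctl.priority, tctl.min_evidence)
                added.append(tctl.code)
            else:
                # Only names and descriptions follow the template (as the FAQ states);
                # status, responsible and evidence are deliberately left untouched.
                ictl.name = tctl.name
                ictl.description = tctl.description
    return added

def review_evidence(ev, approve, comment=""):
    ev.status = "approved" if approve else "rejected"
    ev.review_comment = comment

def is_control_complete(ctl):
    """Completion requires the minimum number of *approved* evidence items."""
    approved = sum(1 for e in ctl.evidence if e.status == "approved")
    return approved >= ctl.min_evidence

def demo():
    # Constructed template: one category, one control needing two approved items
    tpl = Framework("PCI DSS (constructed sample)")
    cat = Category("REQ1", "Network security controls")
    cat.controls["1.1"] = Control("1.1", "Firewall rules documented", "Ruleset is documented", "high", 2)
    tpl.categories["REQ1"] = cat

    acme = apply_template(tpl, "ACME Ltd")
    ctl = acme.categories["REQ1"].controls["1.1"]
    ctl.responsible, ctl.status = "alice", "in_progress"
    ctl.evidence += [Evidence("screenshot", "fw-rules.png"), Evidence("log", "fw-changes.log")]
    review_evidence(ctl.evidence[0], True, "matches current ruleset")
    review_evidence(ctl.evidence[1], False, "log is truncated")
    complete_before = is_control_complete(ctl)        # one of two approved -> False

    # The template is revised later: a control is renamed and a new one added
    tpl.categories["REQ1"].controls["1.1"].name = "Firewall rule set documented and reviewed"
    tpl.categories["REQ1"].controls["1.2"] = Control("1.2", "Ruleset reviewed every six months")
    added = sync_with_template(acme, tpl)

    # Resubmitted evidence is approved, so the control is now complete
    ctl.evidence[1] = Evidence("log", "fw-changes-full.log")
    review_evidence(ctl.evidence[1], True)
    return {"complete_before": complete_before, "added": added,
            "name_after_sync": ctl.name, "responsible_after_sync": ctl.responsible,
            "evidence_count": len(ctl.evidence), "complete_after": is_control_complete(ctl),
            "template_untouched": tpl.categories["REQ1"].controls["1.1"].status == "not_started"}
```

The point worth checking in any real implementation is the one `sync_with_template` makes explicit: a structural sync must never reset a control's status or drop approved evidence, otherwise a template edit silently destroys the audit trail for every company that uses it.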

What is the difference between local and internal compliance?

Local compliance deals with requirements from external regulators (laws, regulations, directives) linked to a country and regulator. Internal compliance deals with requirements from internal sources (company policies, standards, procedures). Both use a "requirement template — company instance" model with categories, controls, and evidence. Internal compliance additionally includes a requirement template library with import from Excel and via AI.

What are mandatory processes?

This is a registry of mandatory processes and procedures that need to be performed periodically (e.g., access rights review, policy updates). Each process has a name, description, company, source document (from the document registry), frequency, next execution date, responsible persons, and additional individuals. The system can send reminders a set number of days before the deadline. Upon execution, the fact is recorded, and evidence files can be attached; an execution history is maintained.
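To make the reminder and confirmation mechanics concrete, here is an added example (not the module's code) of a minimal mandatory-process registry: a reminder is due once fewer than the configured number of days remain before the next execution date (overdue processes are reported with a negative count), and confirming an execution appends to the history and advances the next due date by the process frequency. The period lengths in days, the assumption that the next due date is counted from the actual execution date, and all sample processes and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed period lengths; a production scheduler would use calendar arithmetic.
PERIOD_DAYS = {"monthly": 30, "quarterly": 91, "semiannual": 182, "annual": 365}

@dataclass
class Execution:
    executed_on: date
    executed_by: str
    evidence_files: list          # attached confirmation files (may be empty)

@dataclass
class MandatoryProcess:
    name: str
    company: str
    frequency: str                # key of PERIOD_DAYS
    next_due: date
    responsible: list             # users who may confirm execution
    additional: list = field(default_factory=list)   # extra people to notify
    remind_days_before: int = 7
    history: list = field(default_factory=list)

def due_reminders(processes, today):
    """Processes inside their reminder window or already overdue.
    Returns (name, recipients, days_left); days_left < 0 means overdue."""
    out = []
    for p in processes:
        days_left = (p.next_due - today).days
        if days_left <= p.remind_days_before:
            out.append((p.name, tuple(p.responsible + p.additional), days_left))
    return out

def confirm_execution(p, executed_on, user, evidence_files=()):
    """Record the execution (who, when, evidence) and schedule the next one."""
    if user not in p.responsible:
        raise PermissionError(f"{user} is not responsible for {p.name!r}")
    p.history.append(Execution(executed_on, user, list(evidence_files)))
    # Assumption: next due date counted from the actual execution date
    p.next_due = executed_on + timedelta(days=PERIOD_DAYS[p.frequency])
    return p.next_due

def build_demo_registry():
    # Constructed sample registry
    return [
        MandatoryProcess("Quarterly access rights review", "ACME", "quarterly",
                         date(2024, 3, 31), ["alice"], ["bob"]),
        MandatoryProcess("Annual policy review", "ACME", "annual",
                         date(2024, 12, 1), ["carol"]),
        MandatoryProcess("Monthly backup restore test", "Globex", "monthly",
                         date(2024, 3, 20), ["dave"], remind_days_before=3),
    ]
```

Run with `today = date(2024, 3, 25)`: the quarterly review (6 days left) and the overdue restore test (5 days late) are reported, the annual review is not; after alice confirms the review on 28 March the next due date moves to 27 June and the process drops out of the reminder list.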

How is access by company configured?

For frameworks, local, and internal compliance, access is configured by user groups. Each group is assigned a list of companies — users only see and can work with data from those companies (framework instances, requirements, controls). Separate permissions are set for viewing, editing, adding, deleting, working with evidence, approving evidence, viewing reports, and exporting.
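The access scheme in this answer (user groups, a company list per group, and separate permissions per section) is a small authorization model. The following added example, which is not the module's code, implements it as a deny-by-default check: a request is allowed only if some group the user belongs to covers that section, that company, and that permission, and the same check is used to filter framework instances server-side so users never see other companies' data. Group names, user names, companies and the permission identifiers are constructed for the example (the permission list follows the page's wording).

```python
from dataclasses import dataclass

# Hypothetical model of the page's group/company access scheme (names are assumptions).
SECTIONS = frozenset({"frameworks", "local", "internal"})
PERMISSIONS = frozenset({"view", "edit", "add", "delete", "evidence",
                         "evidence_approve", "reports", "export"})

@dataclass(frozen=True)
class GroupGrant:
    group: str
    section: str
    companies: frozenset
    permissions: frozenset

class AccessPolicy:
    """Deny by default: allowed only if some group of the user grants the
    permission for that section *and* that company."""

    def __init__(self, grants, memberships):
        for g in grants:
            if g.section not in SECTIONS:
                raise ValueError(f"unknown section {g.section!r}")
            unknown = g.permissions - PERMISSIONS
            if unknown:
                raise ValueError(f"unknown permissions {sorted(unknown)}")
        self.grants = list(grants)
        self.memberships = {u: frozenset(gs) for u, gs in memberships.items()}

    def is_allowed(self, user, section, company, permission):
        if permission not in PERMISSIONS:      # unknown permission is never granted
            return False
        groups = self.memberships.get(user, frozenset())
        return any(
            g.group in groups and g.section == section
            and company in g.companies and permission in g.permissions
            for g in self.grants
        )

    def visible_companies(self, user, section):
        groups = self.memberships.get(user, frozenset())
        out = set()
        for g in self.grants:
            if g.group in groups and g.section == section and "view" in g.permissions:
                out |= g.companies
        return out

def filter_visible(policy, user, section, instances):
    """Server-side filter: keep only instances of companies the user may view."""
    return [i for i in instances if policy.is_allowed(user, section, i["company"], "view")]

def build_demo_policy():
    # Constructed sample: owners submit evidence, a separate group approves it,
    # auditors read and export across two companies.
    grants = [
        GroupGrant("control-owners", "frameworks", frozenset({"ACME"}),
                   frozenset({"view", "edit", "add", "evidence"})),
        GroupGrant("evidence-approvers", "frameworks", frozenset({"ACME"}),
                   frozenset({"view", "evidence_approve"})),
        GroupGrant("auditors", "frameworks", frozenset({"ACME", "Globex"}),
                   frozenset({"view", "reports", "export"})),
        GroupGrant("auditors", "local", frozenset({"ACME"}), frozenset({"view"})),
    ]
    memberships = {"alice": {"control-owners"}, "bob": {"auditors"},
                   "carol": {"evidence-approvers", "auditors"}}
    return AccessPolicy(grants, memberships)
```

Keeping `evidence` (submit) and `evidence_approve` as distinct permissions, as the page's permission list does, is what lets the sample policy enforce separation of duties: alice can upload evidence for ACME but cannot approve it, and carol can approve for ACME only, not for Globex.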

Are there guides and translations?

Yes. Each subsection (frameworks, local compliance, internal compliance, mandatory processes) has a guide with basic content and country-specific translations. Framework content (category and control names) can also be translated by country using the module's functionality.
