TailoredGRC | Compliance Platform

Overview

Program Health

Compliance posture across all active frameworks · Last sync 4 min ago

📋

Audit Delivery

Connect auditors and track engagements

Active

🔍

Pentesting

Schedule penetration tests and track findings

Scheduled

🛡

Vuln Scanning

—

0 Open

👁

Access Reviews

AI-assisted entitlement reviews

—

Readiness Score

Loading frameworks…

Controls

0 / 0

0 pass0 at risk0 fail

Evidence Items

—

— · —

Open Risks

0

0 critical · 0 high

—

Secure Score ↗ Weighted: controls pass rate · framework readiness · risk posture

Framework Audit Status

Critical Gaps — AI Detected—

Risk Management

Pentesting

CREST-accredited penetration testing · Findings tracked · Evidence auto-linked to controls

✓ CREST Accredited All engagements by CREST-certified providers · Evidence auto-linked

Engagements

—

Open Findings

—

Remediated

—

Critical

—

Next Test

—

Engagements

ID	Engagement	Vendor	Date	Status	Findings	Max CVSS

Findings Register

ID	Finding	Engagement	Severity	CVSS	Control	Owner	Due	Status

Risk Management

Vulnerability Scanning

On-demand and scheduled scans · CVSS-scored findings · Audit-ready evidence export

Total Findings

0

—

Assets Scanned

0

—

Fixed This Month

0

—

Next Scheduled

—

Scan Targets

Target	Type	Last Scan	Findings	Status
No scan targets configured

Scheduled Scans

No scheduled scans configured

Critical & High Findings

No critical or high findings

Audit-Ready Evidence Export

SOC 2 Package

No scan data available

ISO 27001 Package

No scan data available

AI Narrative Summary

No scan data available

Governance

Access Reviews

Per-application entitlement review · AI-flagged anomalies · Approve or revoke with manager notification · Linked to SOC 2 CC6.3

TailoredGRC · Access Review Campaigns

Connect to Supabase to load access review campaigns for your organization.

Total Accounts

0

in scope

Reviewed Accounts

0

—

Incomplete

0

need progress

Revoked Accounts

0

recorded

Revocation campaigns

0

with revokes

Review Cycles

Loading cycles…

Overall progress (all campaigns): 0 / 0

Review Audit Trail

—SYSTEMAudit entries appear when you create or update access reviews.

Compliance Management

Audits

Expert auditors · Real-time monitoring · Automated evidence packages · Framework-aligned audit creation

Active Audits

0

Completed

0

Evidence Requests

0

Next Milestone

—

Active Audits

Evidence Requests

Click Request on an audit to view its evidence requests.

Completed Audits

Audit	Framework	Auditor	Period	Outcome	Report

Compliance Management

Evidence Requests

All evidence requests across active audits

Total Requests

0

Pending

0

Overdue

0

Done

0

Request	Audit	Assigned To	Due	Status

Governance

Campaigns

Proactive governance · Awareness training · Policy attestation · Evidence collection · Access reviews

TailoredGRC AI · Campaign Engine

3 active campaigns running across 128 participants. Policy Attestation FY26 is at risk — 62 participants have not signed the updated Information Security Policy with 8 days remaining. Auto-escalation to managers triggered for 14 users past the 3-day warning threshold.

Total Campaigns

0

Active

0

At Risk / Overdue

0

Completed

0

Avg Completion

0%

Campaign Name	Type	Source	Audience	Frameworks	Owner	Status	Launch	Deadline	Completion	Recurrence

Compliance Management

Audit Issues

PBC reference · Five attributes · Control mapping · Management response · CAP linkage

Total Findings

0

Material / Major

0

Awaiting Re-test

0

Closed / Cleared

0

ID	PBC Ref	Title	Disposition	Audit Cycle	Severity	Status	Issue Owner	Target Date	Linked CAP	Re-test Result	Frameworks	Identified Date

Risk Management

Vendors

Third-party vendor risk management · Risk assessments · Security ratings · Issue tracking

Total Vendors

0

across all tiers

Active

0

0 inactive

High Risk

0

require review

Assessments Due

0

this quarter

Pending Questionnaires

0

awaiting response

Vendor Register

Vendor	Category	Tier	Risk Rating	Status	Contract Initiated	Contract Expires	Assessments / Questionnaires	Upcoming Questionnaire

Vendor Details

Category

Vendor Type

Industry

Tier

Risk Rating

Status

Next Review

Contact Information

Service Level Agreements

Compliance Documents

Contracts & Document Repository

⬆ Upload

☁

Drop contracts, DPAs, NDAs, or any vendor document

PDF, DOCX, XLSX · Auto-tagged by document type on upload

Document	Type	Effective	Expires	Status

Issues & Remediation Tracking

Vendor Onboarding WorkflowComplete

Security RatingsUpdated daily

Assessment History

Sent Questionnaires

Received Questionnaires

News FeedLast refreshed 1h ago

Watchlist Alerts

Questionnaires

Response Queue

Inbound & outbound · Workflow tracking · Risk context · Evidence & outcome

TailoredGRC AI · Questionnaire Engine

Loading questionnaire summary…

Total in Queue

0

Overdue / Urgent

0

Pending Clarification

0

Completed (90d)

0

Company	Direction	Type	Priority	Status	Assignee	Progress	Sent Date	Due Date	Clarif.	Evidence	Risk

Questionnaires

Templates

Template library · Question editor · CSV & PDF export

Total Templates

0

Total Questions

0

Most Used

—

Custom Templates

0

Questionnaires

Scheduling

Trigger logic · Cadence & escalation · Smart template mapping · Recurrence settings

Active Schedules

0

Sending This Month

0

Overdue / Escalated

0

Flagged for Decommission

0

	Vendor	Trigger	Template	Frequency	Status	Next Send	Escalation	Reminders	SOC 2 Skip	Last Response

Compliance Management

Controls

Control library · Framework mapping · Evidence tracking · Health monitoring · Audit readiness

TailoredGRC AI · Control Health Engine

Monitoring 12 controls across SOC 2, HIPAA, and ISO 27001. 3 controls failing — CC6.2 (user deprovisioning), CC7.1 (vulnerability management), and AC-03 (MFA enforcement) need immediate attention. 7 controls fully effective with automated telemetry.

Total Controls

0

Fully Effective

0

At Risk / Failing

0

Not Implemented

0

Automated

0

Control ID	Name	Type	Intent	Frameworks	Owner	Status	Health	Frequency	Last Tested	Automation

Capabilities

Programs

Active Programs

Program	Framework	Controls	Readiness	Status

Governance

Policies

Version-controlled policy library · Approval workflow · AI-assisted drafting · PDF export

Total Policies

0

Approved

0

Pending Approval

0

Draft

0

TailoredGRC AI · Policy Generator

Describe a policy and AI will draft it based on your active controls and framework requirements. The draft will be saved as v1.0 Draft and sent to the designated policy owner for approval.

Policy Library

⬆ Upload

Policy	Version	Frameworks	Owner	Last Reviewed	Last Approved	Status

Governance

Trust Center

Customer-facing compliance portal · Real-time control status · NDA-gated document sharing · SSO access

Trusted Customers

0

—

Published Documents

0

From Trust Center library

Control Coverage

0%

From Controls module

Questionnaires Reduced

—

Data available after questionnaires are sent

Customer Access

Customer	Access Level	Granted	NDA	Status

Published Documents

Control Status Overview

Mapped from your control library · Updates when you open Trust Center

Risk Management

Risk Register

AI-scored risks · Likelihood × impact matrix · Treatment tracking · Linked to controls and frameworks

Mitigate

—

Transfer

—

Accept

—

Avoid

—

Risk Register

ID	Risk Description	Category	L	I	Score	Strategy	Owner	Frameworks	Status	Identified

Governance

Standards

Version-controlled standards library · Approval workflow · AI-assisted drafting · PDF export

Total Standards

0

Approved

0

Pending Approval

0

Draft

0

TailoredGRC AI · Standards Generator

Describe a standard and AI will draft it based on your active controls and framework requirements. The draft will be saved as v1.0 Draft and sent to the designated standard owner for approval.

Standards Library

⬆ Upload

Standard	Version	Frameworks	Standard Owner	Last Reviewed	Last Approved	Status

Compliance Management

Sections

Framework sections and categories · Control groupings · Coverage by domain

Total Sections

0

Fully Covered

0

Partially Covered

0

Not Covered

0

Framework sections

Compliance Management

Workflows

Automation definitions · Triggers · Steps · Run history · Owner accountability

Total Workflows

0

Active

0

Total Runs

0

Success Rate

—

Workflow library · From Supabase

Compliance Management

Objectives

Control goals · Success criteria · Measurable outcomes · Clause mapping · Owner accountability

Total Objectives

0

On Track

0

At Risk

0

Not Met

0

Compliance Management

Clauses

Regulatory & legal clause library · Source citations · Plain-language summaries · Mandatory vs. optional · Mapped to controls

Total Clauses

0

Mandatory

0

Best Practice

0

Controls Mapped

0

Clause Register

Clause ID	Source Citation	Description	Type	Mapped Controls	Compliance

Compliance Management

Contracts

Contract templates · Version control · Upload your own · Linked to vendors and compliance frameworks

Total Contracts

0

Active

0

Expiring Soon

0

within 90 days

Pending Signature

0

📋

PRE-BUILT LEGAL TEMPLATES

All templates are attorney-reviewed starting points. Always have your legal counsel review before executing. Use the Upload button to add your own custom templates.

⬆ Upload Contract

📃

Master Service Agreement

MSA · Governs the overall relationship between service provider and customer

TEMPLATE

Covers: Scope of services · Payment terms · Intellectual property · Warranties · Indemnification · Limitation of liability · Termination · Governing law

B2B SaaS Friendly US Law

🔒

Data Processing Agreement

DPA · Required under GDPR Art. 28 & CCPA when processing personal data

TEMPLATE

Covers: Data controller/processor roles · Processing instructions · Security measures · Sub-processor list · Data subject rights · Breach notification · International transfers · Standard Contractual Clauses (SCCs)

GDPR Art. 28 CCPA SCCs Included

🤝

Non-Disclosure Agreement

NDA · Mutual or one-way confidentiality protection before sharing sensitive information

TEMPLATE

Covers: Definition of confidential information · Permitted disclosures · Obligations of recipient · Exclusions from confidentiality · Term & termination · Return/destruction of information · Remedies for breach

Mutual One-Way 2-Year Term

🏥

Business Associate Agreement

BAA · Mandatory under HIPAA when a vendor accesses, uses or stores PHI

TEMPLATE

Covers: Permitted uses of PHI · Safeguards required · Reporting of breaches & incidents · Sub-contractor BAAs · Individual rights · Termination & PHI disposal · HIPAA Security Rule obligations · Audit rights

HIPAA §164.308 HITECH Omnibus Rule

Upload Your Own

📎

Drop your contract files here or click to upload

PDF, DOCX accepted · Templates, signed agreements, amendments · Added to your Active Contracts

⬆ Upload Contract

Contract	Type	Counterparty	Effective	Expires	Sent	Received	Status

🗄

Inactive contracts include expired agreements, terminated contracts, and superseded versions. These are retained for audit and legal reference.

⬆ Upload

Contract	Type	Counterparty	Effective	Expired / Terminated	Reason

Contract	Type	Sent To	Recipient Email	Sent Date	Message	Status

📥 Contracts received from external companies. Review, action, and track inbound agreements here.

Contract	Type	From Company	Received Date	Effective	Expires	Status

Compliance Management

Exceptions

Policy exception requests · Ticketing integration · Risk acceptance · Expiry tracking · CISO sign-off

Total Exceptions

—

Active

—

Expiring in 30 days

—

Pending Approval

—

🎫

TICKETING SYSTEM CONNECTED — JIRA

Exception requests automatically create a Jira ticket in the GRC-EXCEPTIONS project · CISO approval tracked in Jira · Status syncs back to TailoredGRC in real time

Exception Register

Exception	Policy / Control	Justification	Compensating Control	Jira Ticket	Risk	Approval Authority	Expiry Date	Status

Governance

Work Instructions

Step-by-step operational instructions derived from procedures · Version controlled · Linked to framework controls

Total Work Instructions

0

Published

0

Linked to Procedures

0

Due for Review

0

TailoredGRC AI · Work Instructions Generator

Describe a work instruction and AI will draft it based on your active procedures and framework requirements. The draft will be saved as v1.0 Draft and sent to the designated owner for approval.

Work Instruction Type

Authoritative Procedure

Frameworks

Owner

Company Logo · appears on exported work instruction documents

Upload Logo PNG · JPG · SVG · drag & drop

Work Instructions Library

⬆ Upload

Work Instruction	Linked Procedure	Linked Policy	Version	Frameworks	Owner	Status	Updated

Audits

Audit Requests

PBC list management · Evidence upload · GRC review · Auditor submission

Total Requests

0

Overdue

0

Pending GRC Review

0

Submitted to Auditor

0

Request ID	Description	Control	Framework	Priority	Status	Evidence Owner	GRC Reviewer	Internal Due	Auditor Due	Evidence

Audits

Corrective Action Plans

Audit findings · Root cause analysis · Milestones · Verification & sign-off

TailoredGRC AI · CAP Engine

No insights yet. Add CAPs, import from CSV, or connect integrations to surface AI-assisted recommendations here.

Total CAPs

0

Overdue / At Risk

0

Pending Sign-off

0

Closed / Validated

0

CAP ID	Finding Ref	Summary	Root Cause	Status	Originating Audit	CAP Owner	Rem. Lead	Internal Due	Final Target	Residual Risk	Sign-off

Risk Management

Assessments

Structured assessment types · AI-assisted scoring · Linked to controls, risks and frameworks

Total SRAs

0

In Progress

0

Completed

0

High Risk Found

0

Security Risk Assessment Register

Assessment	Type	Scope	Frameworks	Risk Score	Status	Date

Risk Management

Gap Analysis

Framework gap tracking · Remediation planning

Frameworks Analyzed

0

Total Gaps

0

Critical Gaps

0

Remediated

0

Gap Analysis Register

Gap Name	Framework	Scope	Total Gaps	Critical	Completion	Gap Identified	Gap Remediation Date	Status

Assets Tiered

0

Tier 1 Critical

0

Tier 2 High

0

Tier 3 Standard

0

Asset Criticality Register

Asset	Type	Tier	Business Impact	Data Classification	RTO

Controls Assessed

0

Fully Effective

0

Partially Effective

0

Not Effective

0

Control Self-Assessment Register

Control	Framework	Owner	Effectiveness	Last Assessed	Next Due

Total PIAs

0

High Privacy Risk

0

Approved

0

Pending Review

0

Privacy Impact Assessment Register

Assessment	System / Process	Data Types	Privacy Risk	Status	Reviewed

Visual breakdown of your compliance and risk posture · Click any row, bar, or tile to drill in

Control Effectiveness by Framework

Risk Posture by Category

Assessment Coverage MapClick any tile to see assessment details

SRA

0

assessments run

Gap Analysis

0

frameworks analyzed

CSA

0

controls self-assessed

PIA

0

privacy assessments

Risk Management

Request for Proposals (RFP)

Procurement meets security vetting · Standardize bids · Score vendors · Award contracts

Active RFPs

0

Templates

0

Pending Scoring

0

Awarded

0

KB Entries

0

Project Name	Category	Business Owner	Submission Deadline	Vendors	Status	Risk

Pre-built question sets ensuring every RFP includes mandatory security deal-breakers (MFA, encryption, breach notification)

Compare vendor answers side-by-side with weighted security scoring. Higher-weight questions (encryption, MFA) impact the Security Score more.

Select an RFP above to load vendor responses for scoring

"Gold Standard" answers for common security queries — speed up reviews by comparing vendor responses against your approved language

✓ Awarded RFPs automatically flow into the Vendors section — no double entry required.

Project / Vendor	Category	Award Date	Security Score	Docs	Vendor Profile

Governance

Informational Assets

Asset register · Classification · Ownership · Lifecycle · Risk & Impact

Total Assets

0

Restricted / Confidential

0

High CIA Impact

0

Pending Review

0

	Asset	Classification	Tags	Location	Owner	Custodian	Data Retention Period ⓘ	C	I	A	RTO

Governance

Hardware Assets

Device inventory · Ownership & responsibility · Technical compliance · Risk mapping · Procurement & disposal

Total Devices

0

Active

0

Agents Not Confirmed

0

EOL Within 6 Months

0

	Asset	Type	Serial / Tag	Status	User / Custodian	Location	VPN	OS / Firmware	FDE	EDR	MDM	Tier	Retention Period ⓘ	EOL / Warranty

Governance

Facilities

Physical locations · Security controls · Infrastructure · Compliance & ownership

Total Facilities

0

Mission Critical (Tier 1)

0

Inspections Due

0

Access Reviews Current

0

Facility	Type	Tier	Location	Manager	Entry Controls	Power	Fire System	Last Inspection

Governance

Markets

Geographic regions · Regulatory jurisdictions · Market sectors · Local GRC leadership

Active Markets

0

Regulatory Jurisdictions

0

GRC Owners Assigned

0

Pending Review

0

Market coverage & regions

No market data available yet

Market segments

Sectors & verticals in scope

No market data available yet

Segments

—

Revenue (reported)

—

Competitive landscape

Benchmark positioning

No market data available yet

Tracked competitors0

Share / rank—

Market trends & mix

Display-only · integration-driven

Mix

No market data available yet

Revenue trend

No market data available yet

Charts and KPIs populate when market intelligence integrations are connected.

Governance

Products

Core API · Web App in scope. Staging environment out of scope.

🚧

Under Construction

This page is being built out. Check back soon or reach out to your GRC administrator.

Governance

Projects

Project lifecycle · Data classification · Stakeholders · Risk assessment status · PIA linkage

Total Projects

0

Active

0

Planning

0

Sunset / Closed

0

Project Register

Project	Lifecycle Stage	Data Classification	Stakeholders	Risk / PIA Status	Frameworks

Governance

Systems

CMDB asset inventory · System criticality tiering · Hosting environment · Technical owners · Control linkage

Total Systems

0

Mission Critical

0

Business Important

0

Support / Dev

0

System InventorySupabase · CMDB

System	CMDB ID	Criticality	Hosting	Data Classification	Technical Owner	Controls	Status

Risk Management

Threats

Threat actors · Attack vectors · MITRE ATT&CK mapping · Asset association · Impact analysis

Total Threats

0

High Likelihood

0

Active / Monitoring

0

Linked to Open Risks

0

Threat	Actor Type	Category / Vector	Likelihood	MITRE ID	Targeted Assets	Financial Impact	Reputational	Legal / Reg

Risk Management

Incidents

Security · Privacy · Physical · Supply chain · Policy violations · Audit-ready log entries

Total Incidents

0

Open / In Progress

0

Regulatory Nexus

0

Resolved (90d)

0

ID	Title	Category	Severity	Status	Source	Root Cause	Regulatory Nexus	Detected	Identified Date	Owner

Risk Management

Vulnerabilities

Vulnerability Register · CVE tracking · Date identified · Asset mapping · Risk scoring · Remediation & SLA · Audit trail

Total CVEs

0

Critical / High Open

0

SLA Breach Risk

0

Risk Accepted

0

CVE ID	Date Identified	Description	CVSS	Env Score	Severity	Impacted Asset	Asset Tier	Data at Risk	Status	SLA Deadline	Owner

Capabilities

Tasks

Compliance task queue · Linked to controls, risks & assets · Evidence tracking · Approval gates · Audit trail

Total Tasks

—

Not Started

—

In Progress

—

Pending Review

—

Blocked

—

Completed

—

Overdue

—

	Task ID	Task Name	Control Ref	Asset	Frameworks	Owner	Due Date	Priority	Status	Approval	Evidence

TailoredGRC AI Agent · 45 CFR Title 45 · HIPAA Privacy, Security & Breach

Session: — Role: — —

Context Scope

Agent Mode

Live GRC Context

Quick prompts

User: —

Started: —

All conversations are audit-logged. Data stays within your environment.

Shift+Enter for new line · Claude Sonnet 4

Explainability Log

Why the agent made each decision

No decisions logged yet.
Start a conversation to see agent reasoning.

Self-Correction

No errors encountered.
Agent will retry failed steps automatically.

Compliance Management

Comments

All tagged comments across controls, evidence, risks, and audits — internal team and external auditors

Total Comments

0

across all objects

Unread

0

tagged to you

Auditor Comments

0

from external auditors

Awaiting Response

0

open questions

JD

New Comment — attach to any control, risk, or evidence item

Governance

GRC Roadmap

Strategic phased plan · GRC maturity model · Aligning security with business objectives · Current state → desired future state

Overall Maturity

—

→

Milestones

—

→

Integrations

—

→

Completion

—

→

Status:

Complete

In Progress

Planned

At Risk

Frameworks

SOC 2 Type II

AICPA Trust Services Criteria · 5 categories · 64 controls · FY2026 audit period Jan 1 – Dec 31

Readiness

70%

↑ +8pts last month

Controls

64

48 pass · 16 fail

Auditor

KPMG

FY2026 engagement active

Audit Date

May 3

47 days remaining

Trust Services Criteria

CC1 — Control Environment88%

CC2 — Communication & Information82%

CC3 — Risk Assessment75%

CC6 — Logical Access Controls52%

CC7 — System Operations80%

CC8 — Change Management55%

CC9 — Risk Mitigation60%

Open Gaps16 Failing

Control	Issue	Owner	Status
No open gaps to display. Link controls and issues to see them here.

Evidence Collection Status

Auto-Collected

718

via AWS, Okta, GitHub, BambooHR

Manual Uploads

129

policies, pen-tests, sign-offs

Gaps / Expiring

7

need action before audit

Frameworks

ISO 27001:2022

Information Security Management System · 93 Annex A controls · BSI Group · Stage 2 target: Q3 2026

Readiness

54%

↑ +4pts last month

Controls

93

50 pass · 43 fail

Auditor

BSI Group

Stage 1 complete

Stage 2 Target

Sep 2026

~167 days away

Annex A Domains

A.5 — Organizational Controls72%

A.6 — People Controls65%

A.7 — Physical Controls80%

A.8 — Technology Controls44%

A.9 — Access Control48%

A.12 — Operations Security58%

A.16 — Incident Management62%

A.17 — Business Continuity30%

Stage 2 Readiness

BSI Stage 2 Audit — Sep 15, 2026

43 Annex A control gaps remain open. At current remediation velocity, the program is on track for Stage 2. Key risks: A.8 Technology Controls and A.17 Business Continuity require dedicated sprint efforts before July 31.

Priority Gap	Domain	Due
ISMS documentation complete	A.5	Jul 31
Asset inventory — all systems catalogd	A.8	Jul 31
BCP test exercise completed	A.17	Aug 1
Supplier security assessments (all)	A.15	Aug 15
Statement of Applicability v1.0	A.5	Jul 31

Frameworks

NIST CSF 2.0

NIST Cybersecurity Framework · 6 core functions · 108 controls · Maturity target: Level 3 by Q4 2026

Readiness

43%

Active program

Controls

108

46 pass · 62 not started

Maturity Level

Tier 2

Risk-informed · target Tier 3

Target Date

Q4 2026

Full coverage milestone

Core Functions

GV — Govern38%

Organizational context, risk management strategy, roles

ID — Identify55%

Asset management, risk assessment, improvement

PR — Protect62%

Identity mgmt, access control, awareness, data security

DE — Detect70%

Continuous monitoring, adverse event analysis

RS — Respond40%

Incident management, analysis, communication

RC — Recover22%

Incident recovery, communication, improvements

Tier Maturity Assessment

CURRENT — Tier 2: Risk Informed

Risk management practices approved by management but not consistently applied organization-wide. Awareness of cybersecurity risk at the organizational level.

TARGET — Tier 3: Repeatable

Organization-wide approach to managing cybersecurity risk. Risk-informed policies and processes formally defined, implemented, and reviewed. Personnel have knowledge and skills to perform their roles.

Priority Gap	Function	Impact
Incident response plan — documented & tested	RS	High
Recovery plan & BCP exercise	RC	High
Risk management strategy — formal doc	GV	Med
Supply chain risk management	ID	Med

Frameworks

HITRUST CSF

Health Information Trust Alliance · e1 Essential 8 Assessment · Healthcare market entry · Target certification: Q1 2027

Readiness

18%

Gap assessment in progress

Assessment Type

e1 Essential

49 control categories

Inherited Controls

31

from SOC 2, HIPAA, ISO

Certification Target

Jan 2027

Via authorized assessor

Control Categories

01 — Information Protection Program40%

07 — Portable Media Security20%

09 — Access Control45%

Inherited from SOC 2 CC6 & HIPAA

10 — Password Management50%

11 — Network Protection15%

12 — Audit Logging & Monitoring55%

Inherited from SOC 2 CC7 & AWS CloudTrail

13 — Education, Training & Awareness30%

17 — Risk Management12%

Assessment Strategy

e1 Essential 8 — Validated Assessment

HITRUST e1 is the entry-level validated assessment targeting 49 control categories. Key advantage: controls inherited from existing SOC 2, HIPAA, and ISO 27001 programs significantly reduce remediation scope. Estimated 31 of 49 controls partially or fully satisfied via inheritance.

Control Inheritance Map

SOC 2→CC1, CC6, CC7, CC8 maps to 14 HITRUST categories

HIPAA→164.312 safeguards map to 9 HITRUST categories

ISO→A.9, A.12, A.16 map to 8 HITRUST categories

Next Action	Owner	Date
No milestones scheduled. Add assessment tasks to track next actions here.

Governance

Procedures

Step-by-step process documentation · Linked to standards · Version controlled · AI-assisted generation

Total Procedures

0

Approved

0

Linked to Standards

0

Due for Review

0

TailoredGRC AI · Procedures Generator

Describe a procedure and AI will draft it based on your active standards and framework requirements. The draft will be saved as v1.0 Draft and sent to the designated procedure owner for approval.

Procedure Type

Authoritative Standard

Frameworks

Owner

Company Logo · appears on exported procedure documents

Upload Logo PNG · JPG · SVG · drag & drop

Procedures Library

⬆ Upload

Procedure	Linked Standard	Linked Policy	Version	Frameworks	Owner	Status	Updated

Compliance Management

Evidence Library

Auto-collected & manual evidence · AI validation · Control mapping · Audit-ready export

Total Evidence

—

Auto-Collected

—

Manual Uploads

—

Validated

—

📎

DROP FILES TO UPLOAD EVIDENCE

PDF, XLSX, PNG, DOCX, CSV — AI will auto-map to controls and frameworks

Evidence Items

⬆ Upload

	Name	Ext	Type	Source	Controls	Audits	Uploaded By	Date	Status

Capabilities

My Tasks

Personal compliance task queue · Linked to controls, risks & assets · Evidence tracking · Approval gates

Total

—

Not Started

—

In Progress

—

Completed

—

	Task ID	Task Name	Control	Due Date	Priority	Status	Approval

Capabilities

Integrations

Connect your tech stack · Auto-collect evidence · Real-time compliance monitoring

Connected

0

Partial Setup

0

Available

—

Evidence Auto-Collected

0

items this month

TailoredGRC

Knowledge Base

Platform guides · Framework documentation · AI governance · Version-controlled · AI-ready RAG structure

Total Articles

—

Framework Docs

—

click to filter

SOPs

—

click to filter

Customer Uploads

—

click to filter

AI-Ready

—

click to filter

KB Register All articles · Version-controlled · AI citation index

ID	Article Title	Category	Frameworks	Version	Effective	AI-Ready

Capabilities

Data Export

Mass export · Selective record export · Encrypted ZIP packages · Export audit log

Select Categories

Governance & Policies— records Risk & Threats— records Compliance Controls— records Audit & Evidence— records Assets & Infrastructure— records Users & Audit Trail— records Settings & Configuration— records

Export Options

Format

Encryption

Summary

7 of 7 categories selected

Calculating…

	File Name	Module	Type	Added By	Date	Size	Linked To

0 selected

	Name	Module	Status	Date	Owner

Timestamp	User	Type	Module	Format	Records	IP Address

Compliance Management

Audit Trail

Immutable event log · All user actions · System events · Auditor activity · CSV export

Total Events

0

Critical

0

High

0

Info

0

Timestamp	Severity	User	Category	Action	Object	IP

Settings

Organization · User management · Security · Notifications · Automations · Integrations · Audit trail · Reporting

Organization Profile

Organization Name

Industry

Primary Domain

Headquarters

CISO / Compliance Lead

Fiscal Year End

Company Logo · appears on exported documents

Upload Logo

Active Frameworks

Syncing…

Subscription & Plan

YOUR PLAN

Plan details are tied to your subscription tier.

—

Active Users—

Evidence Items—

API Calls (month)—

AI Credits Used—

Danger Zone

Reset Demo Data

Restore all data to defaults and reload the application

	Name	Email	Role	Department	Status	Date Added	Last Login	Risk	Reporting

Authentication & MFA

Enforce MFA for all users

Require multi-factor authentication on every login

SSO via Okta

Configure IdP metadata when your tenant enables SSO

Not configured

Session Timeout

Auto-logout after inactivity

IP Allowlist

Restrict logins to approved IP ranges

API Keys

No API keys yet. Generate a key to integrate with external systems.

NIST SP 800-63B

Compliant

HITRUST CSF r2

Compliant

HIPAA §164.308(a)(5)

Compliant

Length & Composition

NIST · HITRUST · HIPAA

NIST SP 800-63B prioritizes length over complexity. Minimum 8 chars required; 15+ strongly recommended. Mandatory complexity rules (uppercase, symbols) are explicitly discouraged by NIST as they lead to weaker, predictable passwords.

Minimum Password Length

NIST min: 8 · HITRUST min: 8 · HIPAA min: 8 · Recommended: 15+

characters

Maximum Password Length

NIST requires accepting passwords up to at least 64 characters

characters

Allow All Printable ASCII & Unicode

NIST requires accepting spaces, emoji, and all Unicode characters — blocking these weakens passphrases

Complexity Requirements

NIST explicitly discourages mandatory complexity rules. If enabled for HITRUST/HIPAA environments, HITRUST requires at least 1 uppercase + 1 number + 1 special character for privileged accounts.

Uppercase letter (A–Z) Lowercase letter (a–z) Number (0–9) Special character (!@#$…)

Breach Detection & Reuse Prevention NIST SP 800-63B §5.1.1

NIST requires checking new passwords against lists of compromised credentials. This is the single highest-impact password control — more effective than mandatory rotation.

Breached Password Check

Block passwords found in known breach databases (HaveIBeenPwned API · NIST required)

Context-Specific Password Block

Block passwords containing the username, organization name, service name, or common dictionary words (NIST required)

Password History (Reuse Prevention)

HITRUST: remember last 24 passwords · HIPAA: prevent reuse of last 6 passwords

passwords

Sequential & Repetitive Character Block

Block passwords like "aaaaaa", "123456", "abcdef" (NIST, HITRUST)

Expiry & Rotation NIST · HIPAA · HITRUST

NIST SP 800-63B explicitly recommends against arbitrary periodic rotation — it leads to predictable patterns like "Password1!" → "Password2!". Rotation should only be triggered by evidence of compromise. HIPAA and HITRUST still permit time-based rotation for privileged accounts.

Mandatory Rotation (Standard Users)

NIST: disable this. HITRUST/HIPAA: 90-day maximum for standard accounts

Mandatory Rotation (Privileged Accounts)

HITRUST Control 01.d: privileged accounts must rotate every 90 days maximum

Force Reset on Suspected Compromise

Immediately invalidate credentials if a breach signal is detected (NIST required)

Temporary Password Expiry

HITRUST: initial / reset passwords must be changed within 24 hours

Account Lockout & Throttling

NIST · HITRUST · HIPAA

NIST recommends rate limiting and throttling over hard lockouts where possible. HITRUST and HIPAA both require lockout after a defined number of failed attempts.

Failed Attempt Threshold

HITRUST: max 6 attempts · HIPAA: 3–10 attempts typical · NIST: rate-limit preferred over hard cutoff

attempts

Lockout Duration

HITRUST: minimum 30 minutes · HIPAA: automatic unlock after a defined period

Progressive Delay (Rate Limiting)

Increase wait time between failed attempts before full lockout triggers (NIST preferred approach)

Notify Admin on Lockout

Send alert to Administrator when any account is locked out

Password Storage & HashingRead-Only — Managed by Platform

NIST SP 800-63B, HITRUST, and HIPAA all prohibit storing passwords in plaintext, reversibly encrypted, or as unsalted hashes. These settings are platform-enforced and cannot be changed.

Hashing Algorithm

bcrypt

Cost factor 12 · NIST SP 800-63B approved

Salt

Per-user random

128-bit · CSPRNG-generated

Plaintext Storage

Never

Passwords are never logged or stored in recoverable form

Upgrade on Login

Enabled

Old hashes rehashed to current cost factor on next login

Define what each role can view and do across all modules. Changes apply to all users with that role.

Administrator Full access to all modules and settings. Cannot be restricted.

Unrestricted

Module / Feature

View

Create

Edit

Delete

Grant Additional Permissions

Extend specific capabilities to the selected role beyond its defaults. These additions are logged in the Audit Trail.

Role-Based Access Control (RBAC)

Maps users to platform roles. Each role defines a boundary of what the user can view, create, edit, or delete.

9

Active Roles

20

Users Assigned

3

Unassigned Users

Attribute-Based Access Control (ABAC)

Restrict data visibility by department or tag, independent of role. An HR Risk Owner will only see HR-tagged risks, not IT risks.

Enable Department Scoping

Risk Owners and Control Owners only see records tagged to their department

Enable Tag-Based Filtering

Users only access records matching their assigned tags (e.g. HIPAA, PCI, HR-Confidential)

Cross-Department Escalation Allowed

When scoping is active, Compliance Leads and above can still view all departments

Tag Assignment Rules

Risk Owner · Engineering dept → tag: IT-Systems

Risk Owner · Finance dept → tag: Finance-Data

Just-In-Time (JIT) Provisioning

Automatically create user accounts from SAML/SSO assertions on first login. No manual provisioning required.

Enable JIT Provisioning

Create accounts automatically via SAML assertions on first SSO login

Default Role for JIT Users

SAML Attribute → Role Mapping

SAML Attribute → Department

Auto-Deactivate on SAML Removal

Encryption at RestAES-256 Active

All database records, evidence files, and audit logs are encrypted at rest. Manage your encryption key strategy below.

Key Management Mode

Platform-managed (default) or Bring Your Own Key (BYOK)

Active Key ARN Valid · Rotated Jan 1, 2026

arn:aws:kms:us-east-1:123456789:key/mrk-••••••••••••••••••••••••••

Automatic Key Rotation

Rotate the master key on a schedule

Data Masking (PII)

Hide or redact PII fields for users below a certain permission level. Admins and Compliance Leads always see full data.

Field

Mask for roles below

Mask style

User email addresses

Vendor contact names

Risk owner personal details

Attachment Security

Control which file types can be uploaded as evidence, and enable automated scanning.

Antivirus Scanning

All uploaded files scanned via ClamAV before storage

Max File Size

Per evidence attachment

Blocked File Extensions

.exe .bat .cmd .sh .ps1 .vbs .jar .msi

Data Retention Policies

Automatically purge old records to comply with GDPR Article 5(1)(e), CCPA, and internal data minimization policies. Purges run nightly at 02:00 UTC.

Record Type

Retain for

After closure / expiry

Enabled

Closed audit evidence

Closed / mitigated risks

Resolved incidents

Deactivated user accounts

Vendor questionnaire responses

Next scheduled purge run: Mar 29, 2026 · 02:00 UTC · Last run: Mar 28, 2026 — 0 records deleted (no eligible records)

Privacy Notices & Consent

Manage the Terms of Service and Privacy Policy click-throughs users must accept before accessing the platform.

Require ToS Acceptance on Login

Users must click-through the Terms of Service before accessing any data

Re-acceptance on Policy Update

Force all users to re-accept whenever the Privacy Policy version changes

Terms of Service URL

Privacy Policy URL

Current Policy Version

Next Review Due

Acceptance rate: 19 / 20 users · 1 user pending ([email protected])

Theme

Color Mode

Switch between dark and light interface

☀

🌙

Sidebar Density

Compact or comfortable spacing

Date & Region

Date Format

Timezone

API keys grant full programmatic access to your TailoredGRC instance. Store them securely and never share them. Rotate keys immediately if compromised.

API Keys

Key Name	Prefix	Created	Last Used
No API keys created yet. Use Generate Key when you are ready to connect automation.

Webhook Endpoints

No webhook endpoints configured.

Current Plan

—

Plan details are determined by your subscription profile.

—

Contact billing for pricing

—

Usage This Month

—

Active Users

—

Evidence Items

—

Integrations

—

API Calls

Payment Method

💳

No payment method on file

Add a card in the billing portal when available

Auto-create issue on critical CVEActive

When · Vuln scan detects CVSS ≥ 9.0 → Create issue · Assign remediation owner · Set priority Critical · Link to CC7.1

Triggered 4 times this month

Offboarding access revocationActive

When · BambooHR termination webhook → Revoke Okta access · Log to audit trail · Create access review task

Triggered 3 times this month

Weekly compliance digest emailActive

Every Monday 08:00 → Send digest to configured recipients with open issues, overdue tasks, and readiness scores

Last sent Mon Mar 14, 2026

Exception expiry reminderActive

When · Exception expiry within 30 days → Notify exception owner · Create renewal task · Tag CISO

Triggered 2 times this month

Auto-evidence collection on PR mergeDisabled

When · GitHub PR merged to main → Capture code review evidence · Link to CC8.1 · Store in Evidence Library

🔌

No integrations connected

Connect tools below to auto-collect evidence in real time

☁

AWS

○ Not Connected

—

🔐

Okta

○ Not Connected

—

🐙

GitHub

○ Not Connected

—

👥

BambooHR

○ Not Connected

—

📋

Immutable audit trail

User and system actions are retained per your policy. Open the full audit trail for searchable history.

Retention Policy

Log retention period

Export format

SIEM forwardingNot configured

Recent Activity Summary

Events today—

Critical events (30d)—

Auditor logins (30d)—

Policy changes (30d)—

Total events (30d)—

1 · Model & Data Governance

2 · Access & Security Guardrails

RBAC Inheritance

Treat the AI as a high-privileged user acting on behalf of the requester — it can only surface data the requester is authorized to see. No privilege escalation via prompt.

Identity Inheritance

AI respects each user's data access scope — no escalation via prompt

Session Isolation

AI forgets all context between sessions — prevents cross-session data leaks

Blocked Roles (hardcoded)

Cannot be overridden — AI access is permanently denied for these roles

External AuditorRead Only

PII / PHI Masking & Data Scrubbing

Pre-processing filters that redact sensitive values from prompts before they reach the external LLM provider — preventing data leakage at the source.

Social Security Numbers (SSN)

Pattern XXX-XX-XXXX scrubbed to [REDACTED-SSN]

Credit Card Numbers (PCI)

Luhn-validated card numbers scrubbed to [REDACTED-CC]

Protected Health Information (PHI)

Medical record identifiers, DOB, diagnosis codes scrubbed

Financial Figures & Salaries

Large monetary values in restricted context scrubbed to [REDACTED-FIN]

Custom Regex Patterns

Define organization-specific sensitive data patterns

Prompt Injection Protection

System-level guardrails preventing users from using prompt engineering to bypass company rules, extract restricted data, or jailbreak the AI.

Jailbreak Detection

"Ignore all previous instructions" and role-play attack patterns blocked

System Prompt Hardening

System instructions cannot be revealed or overridden by user messages

Injection Attempt Logging

All detected attempts flagged in the audit log with severity rating

Injection Attempts Blocked (30d)

0

Temperature Control

Adjusts how "creative" vs "literal" the AI is. Lower = more precise, citation-grounded answers. GRC best practice: 0.1–0.3.

Literal / Precise0.2Creative / Generative

0.0← GRC Zone (0.1–0.3) →1.0

3 · Verification & Trust Settings

Confidence Scoring & Thresholds

Set the minimum confidence level required before the AI presents an answer as authoritative. Below this threshold, responses are flagged "Low Confidence — Human Review Required."

Minimum Confidence Threshold80%

50% (Permissive)99% (Strict)

Low-Confidence Warning Badge

Display warning banner on responses below the confidence threshold

Hallucination Check Mode

AI must say "I don't know" rather than fabricating answers for unverifiable claims

Human-in-the-Loop (HITL) Requirements

Mandatory approval gates before AI-generated content becomes an official record. The AI cannot "Save" or "Finalize" without an authorized reviewer clicking Approve.

Draft-Only Status for AI Output

All AI-generated content marked "DRAFT" until human-approved

Mandatory Peer Review

AI risk assessments require Compliance Lead or Audit Manager sign-off

Auto-Save Prevention

Disable "Save to Audit Trail" for all unreviewed AI content

Approver Roles for AI Content

AdministratorCompliance LeadAudit Manager

Citation Enforcement

Every AI-generated claim must include a direct, clickable link to the source document. If it can't cite it, it can't say it.

Mandatory Source Citation

AI refuses to generate factual claims without a source reference

Clickable Source Links

Citations navigate directly to the source module or document

Unsupported Claim Suppression

Block AI from answering when no source can be verified in the knowledge base

Admin Configuration Table

Category	Setting	Purpose	Status
Privacy	Sensitive Data Redaction	Prevents PII leak to AI providers	ON
Trust	Mandatory Peer Review	AI drafts must be checked by a human	ON
Sovereignty	Geo-Fencing	Keeps data processing in specific regions	US-E1
Logic	Temperature Control	Adjusts creative vs. literal AI responses	0.2
Access	RBAC Inheritance	AI respects each user's permission scope	ON
Trust	Citation Enforcement	Every AI claim must have a clickable source	ON

4 · Audit & Logging

Conversation Retention

In GRC, if it isn't logged, it didn't happen. Set how long AI conversation logs are retained to meet compliance obligations (SOX: 7yr, HIPAA: 6yr, GDPR: minimum necessary).

Retention Period

Full Prompt Logging

Log exact user question + AI response + system prompt used at time of query

Immutable Log Storage

Write-once, tamper-evident WORM-compliant storage

SIEM Integration & Export

Push AI interaction logs to your Security Operations Center for real-time anomaly detection (Splunk, Datadog, Microsoft Sentinel, SentinelOne).

SIEM Forwarding

Stream AI conversation events to your SOC in real time via webhook

Export Format

5 · AI Configuration Audit Checklist

GRC Reporting Centre

Reports & Exports

Governance · Risk · Compliance · Audit readiness · Settings · Scheduled delivery · Export any report as CSV or PDF

Roadmap Status Report

Milestones · Owners · Completion % · Overdue items

Total Milestones

—

On Track

—

Overdue

—

Policy Library Report

Version status · Approval state · Expiry dates · Owner

Approved

0

Draft / Review

0

Expiring <60d

0

Access Review Report

Cycle completion · Approved · Revoked · Pending manager

Total in cycle0

Reviewed0 (0%)

Revoked this cycle0

Pending manager0

Standards & Procedures Report

Standards · Procedures · Work instructions · Attestation

Standards0 · 0 approved

Procedures0 · 0 approved

Work Instructions0 · 0 published

Attestation rate0%

Asset Inventory Reports

Informational assets · Hardware · Facilities · Markets · Systems · Products

Informational

0

Hardware

0

Systems

0

To-Do List & Task Report

Open items · Priority breakdown · Owner accountability · Overdue

Total tasks0

Critical / High0 ↗

In Progress0

Completed (30d)0

Trust Center Report

Customer access · Published docs · NDA-gated views · Control status

Authorized customers14

Published documents8

NDA-gated docs viewed23 this month

Campaigns & Workflow Report

Active campaigns · Completion rates · Overdue · Awareness training

Active campaigns4

Avg completion rate76%

At-risk (below 50%)1 ↗

Evidence Collection Status

Real-time view of all requests by status · SOC 2, ISO, HIPAA

Open

0

↑ click to drill down

Pending Review

0

↑ click to drill down

Completed

0

↑ click to drill down

Completion %

0%

Recent Activity

Aging Request Report

Requests stalled >7 days · Identifies bottleneck departments

Overdue tasks by owner

Rejection Rate Report

Items returned by Internal Manager or External Auditor · Indicates training gaps

Total Submissions

0

Fail / rejected (files)

0

0% fail rate

Pending review (warn)

0

0% need review

Industry benchmark: <5% manager rejections · <2% auditor rejections · Click any tile to see specific items

Risk Heat Map

5×5 Likelihood × Impact · Click any cell to drill in

Likelihood →

Negligible

Minor

Moderate

Major

Critical

Impact →

High (16–25)

Medium (8–15)

Low (1–7)

Risk Treatment Status

Accepted · Mitigated · Transferred · Avoided · Click to drill

Mitigated0 risks

Accepted0 risks

Transferred0 risks

Avoided0 risks

Top 10 Risks — Board Summary

C-Suite & Board of Directors · Ranked by composite risk score

#	Risk	Category	Score	Treatment	Owner

Control Effectiveness (Pass / Fail)

Internal testing results · Click failed count to drill in

Passed

0

0%

Failed

0

0 failed

Not Tested

0

All tested

Gap Analysis Report

Framework criteria with no controls or evidence assigned

Framework Cross-Mapping — "Test Once, Comply Many"

How a single piece of evidence satisfies requirements across SOC 2, ISO 27001 & HIPAA simultaneously

Evidence / Control	SOC 2	ISO	HIPAA	NIST	Clauses Satisfied

Organization Profile Report

Org details · Active frameworks · Plan · Subscription usage

Organization—

Active frameworks—

Plan—

AI credits used—

Subsidiaries—

User Management Report

All users · Roles · MFA status · Last login · Department

Admins

0

Leads

0

No MFA ⚠

0

Dormant

0

Reports by Department

Security Settings Report

MFA enforcement · SSO · Password policy · Session policy · RBAC · ABAC

MFA Enforcement—

SSO Provider—

Session timeout—

Password policy—

RBAC roles active—

Notifications Config Report

Alert rules · Recipients · Channels · Delivery status

Active alert rules0

Email channels0 recipients

Slack channels—

Failed deliveries (7d)0

AI Agent Rules & Health Report

Governance settings · Model · Usage · Guardrails · Kill-switch status

Global AI status✓ Enabled

Active model—

Credits used this month—

PII scrubbing✓ Active

Audit checklist items passed—

Failed checklist items0

Automations Report

Active automations · Trigger counts · Last run · Error rate

Active

0

Errors (7d)

0

Runs (7d)

0

No workflows loaded.

Integrations Health Report

Cloud providers · Identity · HR · DevOps · Connection status · Last sync

Integration	Category	Status	Last Sync	Evidence Pulled

User Access Review

Who has Admin vs. Read-Only access · Often requested by external auditors

Administrators

0

Compliance Leads

0

Read Only / Other

0

User	Role	MFA	Last Login

Invoice	Date	Amount	Status
INV-2026-04	Apr 1, 2026	$2,400	Paid
INV-2026-03	Mar 1, 2026	$2,400	Paid
INV-2026-02	Feb 1, 2026	$2,400	Paid
INV-2026-01	Jan 1, 2026	$2,400	Paid

Date	Type	Initiated By	Status
Jan 1, 2026	Scheduled (180d)	AWS KMS (auto)	Active
Jul 1, 2025	Scheduled (180d)	AWS KMS (auto)	Retired
Apr 2, 2025	Manual (CISO request)	a.smith	Retired
Jan 1, 2025	Scheduled (180d)	AWS KMS (auto)	Retired
Jul 1, 2024	Scheduled (180d)	AWS KMS (auto)	Retired
Jan 1, 2024	Initial key creation	j.doe (CTO)	Retired