
brightGRC is a multi-framework GRC workspace: each customer enables one or more standards (for example ISO 27001, SOC 2, NCA ECC, PCI‑DSS, regional programmes in the sidebar). You maintain framework instances, map library controls, track implementation, risks, evidence, and operational tasks—without mixing that work into a single “generic checklist.” What you see in the sidebar depends on your subscription and module access. New? Start with Getting started.

BASICS · WORKSPACE

Company, seats & dashboards

Every user belongs to a company (tenant) and a seat (login identity with roles/permissions). Your home view is a tier dashboard (e.g. starter / advanced) that summarises work in progress. The left navigation is built from module access—if a framework group is missing, your plan or administrator has not enabled it yet.

Suggested first steps
  1. Open Compliance dashboard for the cross-cutting overview and shortcuts.
  2. Confirm who can administer seats and integrations (Seat admin when available to your role).
  3. Select your programme in the sidebar (ISO 27001, SOC 2, etc.) and open the programme’s admin or employee console.

Framework routes
Each standard has its own dashboards, SOA/mapping, and tasks—keep work scoped per programme.
Roles & seats
Assign owners for controls, risks, and remediation; auditors often receive read-focused access.
Tier & visibility
Features unlock by subscription; operators can override visibility for support.

CORE · FRAMEWORKS

Framework instances, control libraries & SOA

brightGRC separates global control definitions (library rows keyed by framework code, e.g. ISO Annex A control IDs) from your adopted framework instance (a compliance_frameworks record), which belongs to your company and carries scope, status, and ownership.

Framework controls link your instance to library controls and store implementation state (e.g. not started, in progress, implemented, tested). The Statement of Applicability (SOA) records which controls apply and how you implement them—per programme.

Typical rollout
  1. Create or select the framework instance for your programme (admin or framework tools).
  2. Open Statement of Applicability (common pattern) and mark applicability and implementation evidence.
  3. Use programme dashboards (e.g. ISO 27001 ISMS console, SOC 2 admin) for coverage and maturity signals.
  4. Platform operators maintain the master framework catalogue in Framework admin where deployed.
Control text and mappings come from your seeded control library; your instance only stores applicability, status, notes, and evidence links.
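As an added illustration (not brightGRC's own code or schema), a small Python model of the split described above: library rows hold the control text, instance-side rows hold only applicability, status, notes and evidence links, and an SOA report is computed per programme with the checks an auditor tends to look for (exclusions without rationale, implemented controls with no evidence, ids that do not belong to the programme's library). All class names, field names and sample control ids are assumptions.

```python
from dataclasses import dataclass, field

# Constructed library rows (illustrative, not brightGRC's schema): (framework code, id) -> text
LIBRARY = {
    ("ISO27001", "A.5.1"): "Policies for information security",
    ("ISO27001", "A.8.8"): "Management of technical vulnerabilities",
    ("ISO27001", "A.8.24"): "Use of cryptography",
    ("SOC2", "CC6.1"): "Logical and physical access controls",
}

@dataclass
class FrameworkControl:            # instance-side row: no control text stored here
    control_id: str
    applicable: bool = True
    status: str = "not started"    # not started / in progress / implemented / tested
    notes: str = ""                # SOA rationale, required when excluded
    evidence_links: list = field(default_factory=list)

@dataclass
class FrameworkInstance:           # one company's adopted programme
    framework_code: str
    controls: list
    def soa_report(self):
        # Per-programme SOA summary plus audit-readiness findings.
        applicable = implemented = 0
        findings = []
        for fc in self.controls:
            if (self.framework_code, fc.control_id) not in LIBRARY:
                findings.append(f"{fc.control_id}: not in {self.framework_code} library")
            elif not fc.applicable:
                if not fc.notes.strip():
                    findings.append(f"{fc.control_id}: excluded without rationale")
            else:
                applicable += 1
                if fc.status in ("implemented", "tested"):
                    implemented += 1
                    if not fc.evidence_links:
                        findings.append(f"{fc.control_id}: implemented but no evidence")
        pct = round(100 * implemented / applicable) if applicable else 0
        return {"applicable": applicable, "implemented": implemented,
                "coverage_pct": pct, "findings": findings}

def demo():
    # Constructed sample: an ISO 27001 instance that also carries a mis-mapped SOC 2 id.
    inst = FrameworkInstance("ISO27001", [
        FrameworkControl("A.5.1", status="tested", evidence_links=["policy-v3.pdf"]),
        FrameworkControl("A.8.8", status="implemented"),
        FrameworkControl("A.8.24", applicable=False),
        FrameworkControl("CC6.1"),
    ])
    return inst.soa_report()
```

Running demo() reports two applicable controls, both implemented, and three findings to clear before an audit bundle is assembled.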

RISK

Risk register & treatment

Risks are tracked in the central register: inherent/residual levels, owners, treatment plans, and status. Many programmes require explicit linkage between risks and controls—use the same owners and task routes you already assign for remediation.

Risk owner
Named seat accountable for treatment and review cadence.
Treatment ↔ tasks
Convert mitigations into assignable work tracked on the Tasks page.
Residual tracking
Update after control changes or incidents.

Open Risks from the sidebar where your module set includes it.

OPERATIONS · TASKS

Compliance tasks

Tasks are the operational spine: control testing, policy acknowledgments, access reviews, corrective actions, and programme-specific follow-ups. Each task has a module label, assignee seat, status, priority, and optional link to a related entity (risk, audit, control).

Working the queue
  1. Use Tasks to list, filter, and update status (permissions permitting).
  2. Assign work to the responsible seat; use due dates and reminders for recurring control work.
  3. Employee-oriented consoles (e.g. ISO employee dashboard) surface items assigned to the current user.

ASSURANCE · EVIDENCE

Evidence & audits

Assurance activities attach artefacts to controls and audit cycles: screenshots, policies, tickets, scan outputs, or meeting notes. Structures vary by deployment; use the evidence and audit areas linked from your programme or the dashboard when enabled.

Prepare auditor packages by exporting or bundling from the module that stores evidence for the target framework and period.

GOVERNANCE

Management review, continuity & improvement

Governance modules capture leadership review cadence (inputs, decisions, actions) and continuity planning where the standard requires it—for example ISO 27001 management review and BC/DR planning aligned to your scope.

  • Management review — agenda, minutes, follow-up tasks.
  • BC / DR planning — when included for your programme.
  • Nonconformities / corrective actions may appear under programme-specific routes when configured.

DOCUMENTS

Policies & generated documents

The policy workspace merges structured data you provide with approved templates to produce organisation-specific documents (policies, procedures, registers—depending on template library). This is not legal advice; ownership stays with your organisation.

  1. Pick template type and version in Policies / document generator.
  2. Complete merge fields (entity names, scope, dates).
  3. Generate, review internally, then publish through your own change control.

TRAINING

Awareness & training assignments

Use the training area to assign security and compliance courses, track completion, and support workforce evidence for standards that expect training records.

Open Training to manage courses and assignments for your tenant.

HELP · SUPPORT

Support tickets

Logged-in users can raise issues from Support. Include steps, environment, and the framework or screen involved so the team can reproduce quickly.

  1. Sign in → Support (or linked entry points in the product).
  2. Describe urgency, product area (e.g. ISO tasks, SOC automation), and expected behaviour.
  3. Delivery goes to the configured support mailbox (e.g. support@brightgrc.com unless your operator routes differently). Tickets are stored with a reference and their delivery state.

Frequently asked questions

Why don’t I see every framework in the sidebar?

Navigation reflects your company’s subscription tier and module visibility. Admins may also restrict programmes. If something should appear, check plan settings or ask your administrator; platform operators can adjust access for approved support cases.

Where is control implementation recorded?

Implementation status lives on framework control rows linked to your framework instance—typically edited via SOA/mapping screens and programme dashboards, not as a single global spreadsheet.

How do I prepare for an external audit?

Keep SOA/rationale current, attach evidence to controls, complete open tasks, and export or assemble bundles from the audit/evidence tools your deployment exposes. Your auditor may still require a specific format that calls for offline packaging.