Self-Assessment
The Self-Assessment section is where your team evaluates each compliance requirement against how your organisation works today. For every requirement, you can record a result, a score, observations, supporting evidence, linked remediation actions and the people responsible.
The requirement list
Requirements are shown as rows or cards. Each one displays its reference, name, current result, score (where the framework uses scoring), workflow status, the people assigned and how much evidence is attached. Some frameworks — such as CyFun — group requirements by maturity level, with a switcher to move between groups. For ISO 27001, the management clauses (4–10) sit here and the Annex A controls live on the Statement of Applicability.
Select any requirement to open its full detail view.
Working on a requirement
The requirement detail view is where the real work happens:
- Result — Compliant, Partially Compliant, Not Compliant, Not Applicable or Not Assessed
- Score — a number on the framework’s scale
- Observations — free-text notes and findings
Evidence
Attach proof directly to a requirement:
- Upload a new file
- Link a document already in the workspace library
- Add a written justification
- Unlink evidence (without deleting the underlying document) or remove it entirely
Remediation actions
Link an existing action, create a new one, or adopt a ready-made control from the Suggested Measures library.
Responsibilities
Assign one or more colleagues to a requirement. A matching task automatically appears on the planning board.
Review workflow
There’s no manual “submit” step. As soon as a requirement has both a self-assessment score and supporting evidence, it’s automatically sent for approval and appears in the Approval Center for the audit’s approvers.
Draft → (score + evidence added) → Awaiting approval → Approved
Awaiting approval → Rejected → back for rework

- An analyst records the result and score and attaches the evidence.
- Once both are in place, the requirement is automatically queued for the audit’s approvers — nothing else to click.
- An approver approves it, or rejects it with a comment.
- Rejected items go back for rework; when their score or evidence is updated, they’re queued for approval again automatically.
- Once approved, the assessment is locked from further editing unless it’s reopened.
Quick edits
From the requirement list you can change a result, adjust a score, open evidence in a side panel, assign people or adopt a suggested measure — all without leaving the page.
Scoring by framework
Each framework brings its own scale, and the form adapts automatically:
| Framework | Scale | Results |
|---|---|---|
| ISO 27001 | 0–100 | Standard five-level scale |
| CyFun | Maturity levels | Initial → Optimising |
| NIS2 / DORA / GDPR | 0–100 | Standard scale |
| Custom | As defined | As defined |
Who can do what
| Action | Admin | Domain Manager | Analyst | Approver | Auditee | Reader |
|---|---|---|---|---|---|---|
| View assessments | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Edit result / score / notes | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Add evidence | ✓ | ✓ | ✓ | ✗ | ✓ | ✗ |
| Approve / reject | ✓ | ✓ | ✗ | ✓ | ✗ | ✗ |
| Assign people | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
A requirement moves into the approval queue on its own once it has a score and evidence — there’s no separate “submit” permission.