bmarsh9 / gapps

Security compliance platform - SOC2, CMMC, ASVS, ISO27001, HIPAA, NIST CSF, NIST 800-53, CSC CIS 18, PCI DSS, SSF tracking. https://gapps.darkbanner.com

Feature Request: Add reminders to Controls for ongoing compliance #94

Open Jamesw151619 opened 1 year ago

Jamesw151619 commented 1 year ago

For our SOC 2, we have some controls that we do that are quarterly and some that are yearly. This is determined via our business policies.

It would be nice for the owner or operator to get a reminder email when they need to upload evidence that the control is still being satisfied.

I would assume that if the evidence is not uploaded, the control would get marked as incomplete so everyone can see it in the dashboard at a glance.

bmarsh9 commented 1 year ago

👍 This is a good use case for the background scheduler that is being added to the code. It can periodically check which controls are incomplete (e.g. missing evidence) and send a reminder.

"I would assume that if the evidence is not uploaded, the control would get marked as incomplete so everyone can see it in the dashboard at a glance." - That is correct. A control is not marked as complete until it is 100% implemented and evidence is attached.

Jamesw151619 commented 1 year ago

Unrelated question for you: in a specific project, when I associate a policy to a control, is it possible to see this association in the controls tab of the project? Specifically, when a control is expanded or viewed directly, it would be nice to see. It makes it easier to show auditors and micromanagers who like to go down the list.

For us it's also because we may have a policy that references multiple controls, and each of those controls may have a different owner. It would be nice for the owners to be able to see the policy that states how we meet that control (so they know what document has the instructions/expectations). It gives people new to the role an easier time getting acquainted with the expectations of them.

bmarsh9 commented 1 year ago

I don't believe you can view the association when looking at a singular control... but that would be very helpful. Would you mind creating another issue for this? @Jamesw151619

NoChargeForAwesomeness commented 6 months ago

We are currently seeking a solution for our vCISO practice (CIS, NIST, ISO, SOC2, CMMC). This is the most sought-after feature lacking in most GRC platforms... at least the ones SMBs can afford!

Jamesw151619 commented 6 months ago

> We are currently seeking a solution for our vCISO practice (CIS, NIST, ISO, SOC2, CMMC). This is the most sought-after feature lacking in most GRC platforms... at least the ones SMBs can afford!

1000% agree. We would implement this and be willing to pay a few thousand bucks a year, starting tomorrow, if it had this and maybe 1 or 2 other features.

bmarsh9 commented 5 months ago

Thanks guys - working on it @Jamesw151619 @NoChargeForAwesomeness

bmarsh9 commented 5 months ago

This actually is a complex feature - here is what the implementation could look like:

Controls would have a new field called "frequency_window" (or something like that). So one control might be monthly/quarterly/yearly.

Within that window, the owner of the control would receive weekly notification emails (configurable) when the defined "frequency_window" requires input (e.g. evidence upload).

We would also have notifications for implementing controls (user would receive emails when the due date is upcoming).

The owner of the project would receive monthly "status" emails.

Interested in your input in the above @Jamesw151619 @NoChargeForAwesomeness

Jamesw151619 commented 5 months ago

Accidentally posted this from my work's IT account, so posting again in case you're wondering. 🫠

In the controls section of a specific project, I would like to see a status indicator showing how long until the next unsatisfied documentation deadline. I suggest swapping this out with the "implementation tracker" since the "status indicator" already shows if a task is complete at a glance. All controls need this ability because most programs require a yearly review of the documents governing the controls. As a stretch goal, linking policies to controls and having the related policy update mark the control as complete would be beneficial, as some controls are met by having a governing document, self-proving.

When accessing a specific control, I need to set a documentation due date and a frequency (dropdown configured elsewhere, see last paragraph). The default due date of the control should be the project's creation date. However, there should be an option to override the "documentation due date." Additionally, there should be a permission level to ensure only admins or control owners can change the date and frequency.

Once new documentation is uploaded or another check is cleared, the current due date should extend to the next interval based on the intended due date, not the completion date. If there's a discrepancy, the admin/owner can adjust the date. Most people prefer their monthly meetings to remain consistent, regardless of whether they occur early or late.

For the visual configurations, place all the alert configs in the settings. We probably want some default options: Weekly, Bi-Weekly, Monthly, Quarterly, Bi-Annually, and Annually. While it would take more time, it wouldn't be too developmentally hard to allow for custom timeframes. Users could select the time in days for the duration, then add how many days before the end they want an email to be sent, and whether it sends alerts to the current owner/operator or a custom email address. You’ll need to place all of it in a table in the DB anyway, so letting users add rows and edit them should be straightforward.

The backend should be pretty straightforward for these changes, which is nice. I think I've made suggestions that you already have all the front-end assets for, so it shouldn't be too bad.
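As an added example (not code from gapps or from anyone in this thread), here is a small Python sketch of the scheduling logic described in the two design comments above: a per-control `frequency_window`, a due date that rolls forward in whole intervals from the intended due date rather than from the upload date (so a late or early upload does not drift the cadence), a reminder lead time, a scheduler pass that yields the reminders, and a count summary for the project owner's status email. Every name here (`Control`, `FREQUENCIES`, `reminders_due`, `project_status`, the example addresses) is an assumption for illustration; gapps' real schema, permissions and mailer are not modelled, and the frequencies are plain day counts as the thread proposes, so "monthly" is 30 days rather than a calendar month.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple, Union

# Hypothetical default frequency table, in days as the thread proposes
# (assumption: not gapps' schema). A DB-backed table could replace it.
FREQUENCIES = {
    "weekly": 7,
    "bi-weekly": 14,
    "monthly": 30,
    "quarterly": 91,
    "bi-annually": 182,
    "annually": 365,
}

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept date objects or ISO-8601 strings (as they would arrive from a DB or API)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class Control:
    name: str
    owner_email: str
    frequency_window: str               # key into FREQUENCIES
    due_date: date                      # date by which fresh evidence must be attached
    remind_days_before: int = 7         # lead time for the reminder email
    notify_email: Optional[str] = None  # optional override recipient (else the owner)
    evidence_dates: List[date] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.due_date = _as_date(self.due_date)
        if self.frequency_window not in FREQUENCIES:
            raise ValueError(f"unknown frequency_window: {self.frequency_window}")

    @property
    def interval(self) -> timedelta:
        return timedelta(days=FREQUENCIES[self.frequency_window])

    def record_evidence(self, uploaded_on: DateLike) -> date:
        """Advance the due date by whole intervals from the intended due date,
        not from the upload date, so early or late uploads do not drift the cadence.
        A very late upload skips any windows that have already elapsed."""
        uploaded = _as_date(uploaded_on)
        self.evidence_dates.append(uploaded)
        self.due_date += self.interval
        while self.due_date <= uploaded:
            self.due_date += self.interval
        return self.due_date

    def days_until_due(self, today: DateLike) -> int:
        """Value for the 'time until next deadline' indicator; negative when overdue."""
        return (self.due_date - _as_date(today)).days

    def status(self, today: DateLike) -> str:
        """'ok', 'due_soon' (inside the reminder lead time) or 'overdue'."""
        remaining = self.days_until_due(today)
        if remaining < 0:
            return "overdue"
        if remaining <= self.remind_days_before:
            return "due_soon"
        return "ok"


def reminders_due(controls: List[Control], today: DateLike) -> List[Tuple[str, str, str]]:
    """One scheduler pass: (recipient, control name, status) for every control that
    needs a reminder. The caller's mailer would send these, rate-limited (the thread
    suggests weekly) so owners are nudged rather than spammed."""
    return [
        (c.notify_email or c.owner_email, c.name, c.status(today))
        for c in controls
        if c.status(today) != "ok"
    ]


def project_status(controls: List[Control], today: DateLike) -> dict:
    """Counts for the monthly project-owner status email."""
    counts = {"ok": 0, "due_soon": 0, "overdue": 0}
    for c in controls:
        counts[c.status(today)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample controls, not from any real project.
    access_review = Control("Quarterly access review", "iam-owner@example.com",
                            "quarterly", "2024-01-01")
    policy_review = Control("Annual policy review", "ciso@example.com",
                            "annually", "2024-06-30", remind_days_before=30)
    print(reminders_due([access_review, policy_review], "2024-01-05"))
    print(access_review.record_evidence("2024-01-05"))
    print(project_status([access_review, policy_review], "2024-01-05"))
```

The one design decision worth calling out is the `while` loop in `record_evidence`: rolling forward from the intended date keeps a monthly control on the same day of the cycle whether evidence lands early or late, and if a control was missed for several windows the next due date is the first one after the upload, which is the behaviour the thread asks for.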