# Table of Contents - [Welcome | Product Docs | CISO Assistant](#welcome-product-docs-ciso-assistant) - [Philosophy | Product Docs | CISO Assistant](#philosophy-product-docs-ciso-assistant) - [Unknown](#unknown) - [Domains | Product Docs | CISO Assistant](#domains-product-docs-ciso-assistant) - [Perimeters | Product Docs | CISO Assistant](#perimeters-product-docs-ciso-assistant) - [Community vs PRO | Product Docs | CISO Assistant](#community-vs-pro-product-docs-ciso-assistant) - [Foundations | Product Docs | CISO Assistant](#foundations-product-docs-ciso-assistant) - [Vocabulary | Product Docs | CISO Assistant](#vocabulary-product-docs-ciso-assistant) - [Assets and resilience | Product Docs | CISO Assistant](#assets-and-resilience-product-docs-ciso-assistant) - [Business impact analyses | Product Docs | CISO Assistant](#business-impact-analyses-product-docs-ciso-assistant) - [IAM and scoping | Product Docs | CISO Assistant](#iam-and-scoping-product-docs-ciso-assistant) - [Operations | Product Docs | CISO Assistant](#operations-product-docs-ciso-assistant) - [Catalog | Product Docs | CISO Assistant](#catalog-product-docs-ciso-assistant) - [Governance | Product Docs | CISO Assistant](#governance-product-docs-ciso-assistant) - [Actors and teams | Product Docs | CISO Assistant](#actors-and-teams-product-docs-ciso-assistant) - [Assets | Product Docs | CISO Assistant](#assets-product-docs-ciso-assistant) - [Tasks | Product Docs | CISO Assistant](#tasks-product-docs-ciso-assistant) - [Threats | Product Docs | CISO Assistant](#threats-product-docs-ciso-assistant) - [Libraries | Product Docs | CISO Assistant](#libraries-product-docs-ciso-assistant) - [Frameworks | Product Docs | CISO Assistant](#frameworks-product-docs-ciso-assistant) - [Mappings | Product Docs | CISO Assistant](#mappings-product-docs-ciso-assistant) - [Policies | Product Docs | CISO Assistant](#policies-product-docs-ciso-assistant) - [Compliance | Product Docs | CISO Assistant](#compliance-product-docs-ciso-assistant) - [Risk matrices | Product Docs | CISO Assistant](#risk-matrices-product-docs-ciso-assistant) - [Validation flows | Product Docs | CISO Assistant](#validation-flows-product-docs-ciso-assistant) - [Journeys | Product Docs | CISO Assistant](#journeys-product-docs-ciso-assistant) - [Applied controls | Product Docs | CISO Assistant](#applied-controls-product-docs-ciso-assistant) - [Findings assessments | Product Docs | CISO Assistant](#findings-assessments-product-docs-ciso-assistant) - [Incidents | Product Docs | CISO Assistant](#incidents-product-docs-ciso-assistant) - [Unknown](#unknown) - [Documents | Product Docs | CISO Assistant](#documents-product-docs-ciso-assistant) - [Threat intelligence | Product Docs | CISO Assistant](#threat-intelligence-product-docs-ciso-assistant) - [EBIOS RM | Product Docs | CISO Assistant](#ebios-rm-product-docs-ciso-assistant) - [Quantitative risk studies | Product Docs | CISO Assistant](#quantitative-risk-studies-product-docs-ciso-assistant) - [Risk | Product Docs | CISO Assistant](#risk-product-docs-ciso-assistant) - [Metrics | Product Docs | CISO Assistant](#metrics-product-docs-ciso-assistant) - [Risk assessments | Product Docs | CISO Assistant](#risk-assessments-product-docs-ciso-assistant) - [Vulnerabilities | Product Docs | CISO Assistant](#vulnerabilities-product-docs-ciso-assistant) - [Manage extended result | Product Docs | CISO Assistant](#manage-extended-result-product-docs-ciso-assistant) - [Prerequisites | Product Docs | CISO Assistant](#prerequisites-product-docs-ciso-assistant) - [Audits | Product Docs | CISO Assistant](#audits-product-docs-ciso-assistant) - [Specialised modules | Product Docs | CISO Assistant](#specialised-modules-product-docs-ciso-assistant) - [Overview | Product Docs | CISO Assistant](#overview-product-docs-ciso-assistant) - [Evidences from clipboard | Product Docs | CISO Assistant](#evidences-from-clipboard-product-docs-ciso-assistant) - [Evidence | Product Docs | CISO Assistant](#evidence-product-docs-ciso-assistant) - [Frequent questions | Product Docs | CISO Assistant](#frequent-questions-product-docs-ciso-assistant) - [Setting up S3 | Product Docs | CISO Assistant](#setting-up-s3-product-docs-ciso-assistant) - [Add and manage users | Product Docs | CISO Assistant](#add-and-manage-users-product-docs-ciso-assistant) - [Migrate between different databases | Product Docs | CISO Assistant](#migrate-between-different-databases-product-docs-ciso-assistant) - [Multi-level support | Product Docs | CISO Assistant](#multi-level-support-product-docs-ciso-assistant) - [Remote/Virtualization | Product Docs | CISO Assistant](#remote-virtualization-product-docs-ciso-assistant) - [Library clean-up | Product Docs | CISO Assistant](#library-clean-up-product-docs-ciso-assistant) - [Library upgrade | Product Docs | CISO Assistant](#library-upgrade-product-docs-ciso-assistant) - [Deployment methods | Product Docs | CISO Assistant](#deployment-methods-product-docs-ciso-assistant) - [Prometheus metrics | Product Docs | CISO Assistant](#prometheus-metrics-product-docs-ciso-assistant) - [Controls autosuggestion | Product Docs | CISO Assistant](#controls-autosuggestion-product-docs-ciso-assistant) - [Domain export/import | Product Docs | CISO Assistant](#domain-export-import-product-docs-ciso-assistant) - [Quick start | Product Docs | CISO Assistant](#quick-start-product-docs-ciso-assistant) - [Maintenance | Product Docs | CISO Assistant](#maintenance-product-docs-ciso-assistant) - [Terminology | Product Docs | CISO Assistant](#terminology-product-docs-ciso-assistant) - [Upgrading a library | Product Docs | CISO Assistant](#upgrading-a-library-product-docs-ciso-assistant) - [User groups | Product Docs | CISO Assistant](#user-groups-product-docs-ciso-assistant) - [SAML | Product Docs | CISO Assistant](#saml-product-docs-ciso-assistant) - [Google Workspace | Product Docs | CISO Assistant](#google-workspace-product-docs-ciso-assistant) - [Analytics | Product Docs | CISO Assistant](#analytics-product-docs-ciso-assistant) - [Mappings | Product Docs | CISO Assistant](#mappings-product-docs-ciso-assistant) - [Catalogue overview | Product Docs | CISO Assistant](#catalogue-overview-product-docs-ciso-assistant) - [Settings | Product Docs | CISO Assistant](#settings-product-docs-ciso-assistant) - [Helm Chart | Product Docs | CISO Assistant](#helm-chart-product-docs-ciso-assistant) - [Scoring Assistant | Product Docs | CISO Assistant](#scoring-assistant-product-docs-ciso-assistant) - [Multi-Factor Authentication (MFA) | Product Docs | CISO Assistant](#multi-factor-authentication-mfa-product-docs-ciso-assistant) - [Documents | Product Docs | CISO Assistant](#documents-product-docs-ciso-assistant) - [Setting up mailer | Product Docs | CISO Assistant](#setting-up-mailer-product-docs-ciso-assistant) - [Vulnerability SLA policy | Product Docs | CISO Assistant](#vulnerability-sla-policy-product-docs-ciso-assistant) - [Getting started | Product Docs | CISO Assistant](#getting-started-product-docs-ciso-assistant) - [Kanban mode | Product Docs | CISO Assistant](#kanban-mode-product-docs-ciso-assistant) - [Branding | Product Docs | CISO Assistant](#branding-product-docs-ciso-assistant) - [Structured logging | Product Docs | CISO Assistant](#structured-logging-product-docs-ciso-assistant) - [Local | Product Docs | CISO Assistant](#local-product-docs-ciso-assistant) - [Security intelligence feeds | Product Docs | CISO Assistant](#security-intelligence-feeds-product-docs-ciso-assistant) - [Managing secrets | Product Docs | CISO Assistant](#managing-secrets-product-docs-ciso-assistant) - [Assignments / respondent mode | Product Docs | CISO Assistant](#assignments-respondent-mode-product-docs-ciso-assistant) - [Custom templates | Product Docs | CISO Assistant](#custom-templates-product-docs-ciso-assistant) - [OpenID Connect (OIDC) | Product Docs | CISO Assistant](#openid-connect-oidc-product-docs-ciso-assistant) - [Creating your first perimeter | Product Docs | CISO Assistant](#creating-your-first-perimeter-product-docs-ciso-assistant) - [Creating your first audit | Product Docs | CISO Assistant](#creating-your-first-audit-product-docs-ciso-assistant) - [Third-party | Product Docs | CISO Assistant](#third-party-product-docs-ciso-assistant) - [General settings | Product Docs | CISO Assistant](#general-settings-product-docs-ciso-assistant) - [CIS Controls / Cloud Controls Matrix (CCM) | Product Docs | CISO Assistant](#cis-controls-cloud-controls-matrix-ccm-product-docs-ciso-assistant) - [Okta | Product Docs | CISO Assistant](#okta-product-docs-ciso-assistant) - [Object classifications | Product Docs | CISO Assistant](#object-classifications-product-docs-ciso-assistant) - [Privacy register | Product Docs | CISO Assistant](#privacy-register-product-docs-ciso-assistant) - [Allowed IP whitelist | Product Docs | CISO Assistant](#allowed-ip-whitelist-product-docs-ciso-assistant) - [Programme management | Product Docs | CISO Assistant](#programme-management-product-docs-ciso-assistant) - [Creating your first risk assessment | Product Docs | CISO Assistant](#creating-your-first-risk-assessment-product-docs-ciso-assistant) - [Authoring | Product Docs | CISO Assistant](#authoring-product-docs-ciso-assistant) - [Getting your custom framework | Product Docs | CISO Assistant](#getting-your-custom-framework-product-docs-ciso-assistant) - [Audit log | Product Docs | CISO Assistant](#audit-log-product-docs-ciso-assistant) - [Keycloak | Product Docs | CISO Assistant](#keycloak-product-docs-ciso-assistant) - [Applied controls analytics | Product Docs | CISO Assistant](#applied-controls-analytics-product-docs-ciso-assistant) - [Libraries | Product Docs | CISO Assistant](#libraries-product-docs-ciso-assistant) - [Assessments | Product Docs | CISO Assistant](#assessments-product-docs-ciso-assistant) - [SCIM provisioning and IdP groups | Product Docs | CISO Assistant](#scim-provisioning-and-idp-groups-product-docs-ciso-assistant) - [Understanding the IAM model | Product Docs | CISO Assistant](#understanding-the-iam-model-product-docs-ciso-assistant) - [Command palette | Product Docs | CISO Assistant](#command-palette-product-docs-ciso-assistant) - [Windows | Product Docs | CISO Assistant](#windows-product-docs-ciso-assistant) - [Overview | Product Docs | CISO Assistant](#overview-product-docs-ciso-assistant) - [Updating your local instance | Product Docs | CISO Assistant](#updating-your-local-instance-product-docs-ciso-assistant) - [Feature flags | Product Docs | CISO Assistant](#feature-flags-product-docs-ciso-assistant) - [Excel-driven authoring | Product Docs | CISO Assistant](#excel-driven-authoring-product-docs-ciso-assistant) - [Focus mode | Product Docs | CISO Assistant](#focus-mode-product-docs-ciso-assistant) - [Insights | Product Docs | CISO Assistant](#insights-product-docs-ciso-assistant) - [API reference | Product Docs | CISO Assistant](#api-reference-product-docs-ciso-assistant) - [Post-install setup | Product Docs | CISO Assistant](#post-install-setup-product-docs-ciso-assistant) - [Project management | Product Docs | CISO Assistant](#project-management-product-docs-ciso-assistant) - [Third-party risk | Product Docs | CISO Assistant](#third-party-risk-product-docs-ciso-assistant) - [Framework-specific features | Product Docs | CISO Assistant](#framework-specific-features-product-docs-ciso-assistant) - [Third-party integrations | Product Docs | CISO Assistant](#third-party-integrations-product-docs-ciso-assistant) - [Dashboards | Product Docs | CISO Assistant](#dashboards-product-docs-ciso-assistant) - [Overview | Product Docs | CISO Assistant](#overview-product-docs-ciso-assistant) - [My assignments | Product Docs | CISO Assistant](#my-assignments-product-docs-ciso-assistant) - [Audit advanced analytics | Product Docs | CISO Assistant](#audit-advanced-analytics-product-docs-ciso-assistant) - [Document templates | Product Docs | CISO Assistant](#document-templates-product-docs-ciso-assistant) - [Custom fields | Product Docs | CISO Assistant](#custom-fields-product-docs-ciso-assistant) - [Changing the language | Product Docs | CISO Assistant](#changing-the-language-product-docs-ciso-assistant) - [Microsoft Entra ID | Product Docs | CISO Assistant](#microsoft-entra-id-product-docs-ciso-assistant) - [Control Plan | Product Docs | CISO Assistant](#control-plan-product-docs-ciso-assistant) - [Universal search | Product Docs | CISO Assistant](#universal-search-product-docs-ciso-assistant) - [Overview | Product Docs | CISO Assistant](#overview-product-docs-ciso-assistant) - [Third-Party Risk Management | Product Docs | CISO Assistant](#third-party-risk-management-product-docs-ciso-assistant) - [Authoring documents | Product Docs | CISO Assistant](#authoring-documents-product-docs-ciso-assistant) - [Managing a collection | Product Docs | CISO Assistant](#managing-a-collection-product-docs-ciso-assistant) - [Sync to actions | Product Docs | CISO Assistant](#sync-to-actions-product-docs-ciso-assistant) - [ISO 27001 | Product Docs | CISO Assistant](#iso-27001-product-docs-ciso-assistant) - [Comments | Product Docs | CISO Assistant](#comments-product-docs-ciso-assistant) - [Identity providers | Product Docs | CISO Assistant](#identity-providers-product-docs-ciso-assistant) - [General tips | Product Docs | CISO Assistant](#general-tips-product-docs-ciso-assistant) --- # Welcome | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/readme.md) . ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fintuitem%2Fciso-assistant-community%2Fraw%2Fmain%2Fgh_banner.png&width=768&dpr=3&quality=100&sign=6f753169&sv=2) CISO Assistant [](https://intuitem.gitbook.io/ciso-assistant/product-docs#ciso-assistant-product-documentation) CISO Assistant — Product Documentation -------------------------------------------------------------------------------------------------------------------------------------------- CISO Assistant is an open-source GRC (Governance, Risk and Compliance) platform — a different take on cybersecurity posture management, built on a few load-bearing ideas: * Explicitly decoupling compliance from security-operations implementation. * Providing simplified tools for decision-making. * Assessing a program, product, or whole organisation against standard frameworks. * Letting you bring your own framework via a simplified DSL. * Acting as a one-stop shop for the Governance, Risk, and Compliance layers. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fintuitem%2Fciso-assistant-community%2Fraw%2Fmain%2Fsingle_hub.png&width=768&dpr=3&quality=100&sign=f39f1afb&sv=2) One hub for governance, risk, and compliance ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs#whats-inside) What's inside * **Introduction** — design philosophy and vocabulary. * **Concepts** — the central objects you work with: domains, perimeters, applied controls, assets, assessments, risks. * **Installation** — getting CISO Assistant running. * **Configuration** — organisation setup, IAM, SSO, and customisation. * **Features** — a catalogue of shipped capabilities. * **Guides** — task-oriented walkthroughs, both onboarding and ongoing operations. * **AI and Integrations** — the REST API, the MCP server, and third-party integrations. * **Contributing** — how to extend CISO Assistant and improve this documentation. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs#more-from-intuitem) More from intuitem * [Replays](https://intuitem.com/replays) — recorded demos and walkthroughs. * [Pricing](https://intuitem.com/pricing) — subscription tiers and what's included. * [Community vs PRO](https://intuitem.com/compare) — feature-by-feature comparison. * [Partnership](https://intuitem.com/partnership) — partner programme for integrators and resellers. * [Blog](https://intuitem.com/blog) — release notes and product news. [NextPhilosophy](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy) Last updated 1 month ago Was this helpful? * [CISO Assistant — Product Documentation](https://intuitem.gitbook.io/ciso-assistant/product-docs#ciso-assistant-product-documentation) * [What's inside](https://intuitem.gitbook.io/ciso-assistant/product-docs#whats-inside) * [More from intuitem](https://intuitem.gitbook.io/ciso-assistant/product-docs#more-from-intuitem) Was this helpful? --- # Philosophy | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy.md) . CISO Assistant is built around a small set of design principles. A lot of object boundaries, naming choices, and workflow shapes only make sense once you have these in mind. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy#applied-controls-at-the-centre) Applied controls at the centre ------------------------------------------------------------------------------------------------------------------------------------------------------ The **applied control** is the unifying object in CISO Assistant. Everything the organisation _does_ to manage risk and prove compliance is captured as an applied control — a technical safeguard, an organisational process, a documented policy, a tested recovery plan. Once that's in place, the rest of the platform connects to it: * An **audit** assesses requirements; each requirement assessment links to the applied controls that satisfy it. * A **risk scenario** lowers its current and residual levels by attaching the applied controls in place and planned. * A **task** records that an applied control was actually exercised on a given date and produces the evidence to prove it. * **Evidence** lives on an applied control — and through it, substantiates every requirement and scenario the control supports. * An **incident** response invokes applied controls; a **vulnerability** is mitigated by them; a **policy** _is_ one. Authoring an applied control once and reusing it across all the places it applies — instead of redoing the same work per audit, per risk study, per framework — is the productivity gain that justifies the whole architecture. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy#decoupling-principle) Decoupling principle ---------------------------------------------------------------------------------------------------------------------------------- The corollary of putting applied controls at the centre is that everything around them must be decoupled, so that one applied control can serve many consumers without being rewritten for each: * **Security controls** are decoupled from **compliance requirements** — a single applied control can satisfy many requirements across many frameworks. * **Risk assessments** are decoupled from **frameworks** — the same risk scenario can inform multiple compliance audits. * **Assets** are decoupled from **threat scenarios** — assets exist independently of any specific risk study and can be reused across them. The payoff is reuse, end-to-end. One applied control answers many requirements. One assessment covers many frameworks. One asset participates in many scenarios. One evidence file substantiates everything the underlying control supports. Decoupling concept — full screen is recommended for a better experience. [PreviousWelcome](https://intuitem.gitbook.io/ciso-assistant/product-docs) [NextVocabulary](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) Last updated 1 month ago Was this helpful? * [Applied controls at the centre](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy#applied-controls-at-the-centre) * [Decoupling principle](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy#decoupling-principle) Was this helpful? --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://intuitem.gitbook.io/ciso-assistant/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://intuitem.gitbook.io/ciso-assistant/product-docs/readme.md). # Welcome !\[CISO Assistant\](https://github.com/intuitem/ciso-assistant-community/raw/main/gh\_banner.png) ## CISO Assistant — Product Documentation CISO Assistant is an open-source GRC (Governance, Risk and Compliance) platform — a different take on cybersecurity posture management, built on a few load-bearing ideas: \* Explicitly decoupling compliance from security-operations implementation. \* Providing simplified tools for decision-making. \* Assessing a program, product, or whole organisation against standard frameworks. \* Letting you bring your own framework via a simplified DSL. \* Acting as a one-stop shop for the Governance, Risk, and Compliance layers. !\[One hub for governance, risk, and compliance\](https://github.com/intuitem/ciso-assistant-community/raw/main/single\_hub.png) ### What's inside \* \*\*Introduction\*\* — design philosophy and vocabulary. \* \*\*Concepts\*\* — the central objects you work with: domains, perimeters, applied controls, assets, assessments, risks. \* \*\*Installation\*\* — getting CISO Assistant running. \* \*\*Configuration\*\* — organisation setup, IAM, SSO, and customisation. \* \*\*Features\*\* — a catalogue of shipped capabilities. \* \*\*Guides\*\* — task-oriented walkthroughs, both onboarding and ongoing operations. \* \*\*AI and Integrations\*\* — the REST API, the MCP server, and third-party integrations. \* \*\*Contributing\*\* — how to extend CISO Assistant and improve this documentation. ### More from intuitem \* \[Replays\](https://intuitem.com/replays) — recorded demos and walkthroughs. \* \[Pricing\](https://intuitem.com/pricing) — subscription tiers and what's included. \* \[Community vs PRO\](https://intuitem.com/compare) — feature-by-feature comparison. \* \[Partnership\](https://intuitem.com/partnership) — partner programme for integrators and resellers. \* \[Blog\](https://intuitem.com/blog) — release notes and product news. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://intuitem.gitbook.io/ciso-assistant/product-docs/readme.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Domains | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains.md) . A **domain** is a top-level container in CISO Assistant. It represents an organisational scope — a business unit, a subsidiary, or any boundary you want to manage access and reporting around. Domains are the platform's primary mechanism for **access control** and **reporting boundaries**: a user's roles are granted _on a domain_, and most reports, dashboards, and audit roll-ups can be filtered by domain. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains#building-a-hierarchy) Building a hierarchy --------------------------------------------------------------------------------------------------------------------------------------- A domain can have a **parent domain** (`parent_folder` internally) — that's how you build a tree of sub-domains beneath a top-level one. The hierarchy lets you mirror the shape of your organisation in the platform: a "Group" domain on top, "Region" or "Subsidiary" domains beneath, "Business unit" or "Programme" domains beneath those, and so on. When a parent-child relationship is in place, two things follow: * **Permissions can flow downward.** A user with a role on a parent domain can be configured to see and act on objects in its sub-domains, without re-assigning them at every level. * **Reporting can roll up.** Dashboards and analytics aggregate across a domain _and_ its descendants, so leadership-level views work the same way the org chart does. **Sub-domains are an Enterprise (PRO) feature.** The community edition ships with a flat structure — every domain you create sits directly at the root. The **Parent domain** field on the domain form is only exposed in the Enterprise edition, where you can nest domains to whatever depth you need to mirror your organisation. The root is reserved for global, cross-organisation objects (built-in catalogues, the global library) — your own domains always live one level under it, even when no other hierarchy is in place. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains#organisational-only-domains-the-create-iam-groups-flag) Organisational-only domains — the "Create IAM groups" flag --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Not every domain needs to be an IAM boundary. Sometimes you want a domain purely as an **organisational container** — a folder in the tree to group related work — without the platform spinning up the per-role user groups that come with a "real" scoping domain. The **Create IAM groups** checkbox on the domain form controls this: * **On** _(default for new domains)_ — the platform auto-provisions one user group per role for the domain. Anyone who needs access to objects in this domain gets placed into one of those groups; the domain is a true IAM scope. * **Off** — no user groups are created. The domain exists in the tree, can be picked from selectors, and can host objects, but it carries **no scoping machinery of its own**. Access flows from whatever parent domain it sits under. Turn the flag off when you want sub-domains that are just structure — for example, breaking a "Subsidiary" domain into a "2025 audits" / "2026 audits" tree purely for organisation, without giving each year its own IAM surface. The setting is shown by the on-form help text: _"IAM groups are used to assign roles to users."_ The flag is **not a one-way choice**. You can flip it on a domain at any time — turning it on later provisions the per-role user groups, turning it off later removes them. So a domain you initially created as a pure folder can later become a real IAM scope (or vice versa) without recreating it or moving its content. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains#restructuring-the-tree) Restructuring the tree ------------------------------------------------------------------------------------------------------------------------------------------- The hierarchy is **not frozen at creation**. Editing a domain lets you change its **Parent domain** (PRO), which moves the whole sub-tree — the domain itself and every domain beneath it — under the new parent. Use this to: * Reorganise as your business changes (a programme becomes a subsidiary, two business units merge). * Promote a sub-domain to top-level by setting its parent back to the root. * Re-parent for IAM reasons (giving a parent role-holder access to a sub-tree that wasn't previously under them). The platform prevents cycles — you can't move a domain under one of its own descendants — but everything else is reachable. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains#objects-move-between-domains) Objects move between domains ------------------------------------------------------------------------------------------------------------------------------------------------------- Almost every operational object in CISO Assistant is bound to a domain: assessments and audits, applied controls, evidences, risk scenarios, assets, tasks, policies, findings, incidents, exceptions, contracts, entities, and so on. The domain a record lives in is what drives who can see it and how it rolls up in reports. Because reorganisations happen, the domain assignment is **not permanent**: * **One at a time** — edit any object and pick a different **Domain** in the form. The platform re-evaluates IAM scoping on save, so the object disappears from one domain's views and appears in the other's. * **In bulk** — for models that opt in to bulk operations, the [batch actions](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/working-with-tables#batch-actions-many-rows) toolbar exposes a **Change folder** action: select multiple rows in the table, choose the destination domain, and the move is applied across the selection in one go. Useful when reorganising a subsidiary into its own sub-tree, or pulling a programme's controls into a dedicated domain. A handful of objects whose domain is forced by a parent (e.g. risk scenarios always inherit their risk assessment's domain) intentionally don't expose the batch **Change folder** action — moving the parent moves the children. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains#related) Related ------------------------------------------------------------------------------------------------------------- * [Perimeters](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/perimeters) * [Actors and teams](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams) — how users, teams, and entities get scoped to a domain [PreviousFoundations](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations) [NextPerimeters](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/perimeters) Last updated 1 month ago Was this helpful? * [Building a hierarchy](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains#building-a-hierarchy) * [Organisational-only domains — the "Create IAM groups" flag](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains#organisational-only-domains-the-create-iam-groups-flag) * [Restructuring the tree](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains#restructuring-the-tree) * [Objects move between domains](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains#objects-move-between-domains) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains#related) Was this helpful? --- # Perimeters | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/perimeters.md) . A **perimeter** is an _optional_ scope refinement an assessment or risk study can be attached to, inside a domain. Where a domain defines _who_ owns the work and _what_ they can see, a perimeter narrows the assessment to _exactly what is being assessed_ — a product, a system, a process, a contract. Perimeters are optional everywhere they appear: an assessment without a perimeter is scoped to its domain only. Use them when you need to track several distinct scopes inside the same domain, or to roll up assessments by scope rather than by domain. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/perimeters#when-to-use-a-domain-vs-a-perimeter) When to use a domain vs a perimeter ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ The two concepts solve different problems — and the choice matters because it shapes both _who can see what_ and _how reports roll up_. * **Use a domain (or a sub-domain)** when the boundary needs to enforce **IAM scoping** or anchor **reporting**. Domains are where roles are granted, where permissions stop, and where dashboards aggregate. Pick a domain when different teams must have different levels of access, or when leadership wants to see one number per business unit / subsidiary / regulated entity. * **Use a perimeter** when the boundary is purely **logical**, inside an already-scoped domain. Perimeters split the work into distinct named scopes — a product, a system, a process, a contract — so you can run separate audits or risk studies against each without spinning up extra IAM machinery. Everyone with access to the domain sees every perimeter inside it; there's no per-perimeter access control. A useful mental check: _"Do these two scopes need different people seeing them?"_ — if yes, they're domains (or sub-domains). _"Do these two scopes need separate assessments but the same audience?"_ — they're perimeters. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/perimeters#related) Related ---------------------------------------------------------------------------------------------------------------- * [Domains](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains) * [Audits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) [PreviousDomains](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains) [NextActors and teams](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams) Last updated 1 month ago Was this helpful? * [When to use a domain vs a perimeter](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/perimeters#when-to-use-a-domain-vs-a-perimeter) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/perimeters#related) Was this helpful? --- # Community vs PRO | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions.md) . CISO Assistant ships in two editions: * **Community** — the open-source edition, free to use, with the platform's core GRC capabilities. Self-hosted only. * **PRO** — the commercial edition, built on top of Community, adding enterprise features (sub-domains, focus mode, advanced insights, custom roles, validation flows, and more) plus official support. A full feature-by-feature comparison lives on the [Community vs PRO page on the intuitem website](https://intuitem.com/compare) — we keep the matrix there so it stays in sync with pricing and release cycles. This page is here to explain the **commercial concepts** that intersect with the platform itself: contributor seats and where PRO runs. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#contributor-seats) Contributor seats -------------------------------------------------------------------------------------------------------------------------- PRO is licensed by **contributor seats** — the number of users in your instance who can actually _make changes_. A user counts as a contributor as soon as they have **any** create / edit / delete permission anywhere in the platform — that is, any role that grants `add_…`, `change_…`, or `delete_…` rights. Concretely, the typical contributor is someone with the **Analyst**, **Domain Manager**, or **Administrator** role (or a custom role that confers similar write rights). Read-only users — anyone whose role only grants `view_…` permissions — do **not** consume a seat. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#exceptions-who-doesnt-count) Exceptions — who doesn't count Two narrow categories of users are explicitly **excluded** from the seat count, even though they may perform meaningful work in the platform: * **Pure approvers** — a user whose _only_ write capability is signing off on a [validation flow](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows) . In practice this is the built-in **Approver** role: its single write permission, `change_validationflow`, is registered as a non-seat permission. If the same user also holds any other write right (e.g. they're an Analyst who happens to be an approver too), the seat is still counted — being an approver doesn't subtract from the count, it just doesn't add one on its own. * **External third-party representatives** — vendor-side users who log into the [third-party auditee surface](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/third-party-risk) to fill in entity assessments. They are flagged as external (`is_third_party`) and are systematically excluded from the count regardless of which write permissions their role grants. **Internal users helping fill in an audit** _**do**_ **consume a seat.** This includes anyone in your own organisation who is assigned to answer requirements via the [Assignment/Respondent mode](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/assignments) feature — most typically users carrying the built-in **Respondent** role, but also any internal teammate whose role grants write access to requirement assessments and evidences. The third-party exception above applies _only_ to vendor representatives reaching the platform through the external auditee surface. The intent behind the two exceptions is narrow: the seat count tracks **internal contributors authoring and maintaining your GRC content**, while sparing two patterns where counting would feel punitive — pure sign-off workflows, and external vendors who don't belong to your organisation in the first place. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#how-the-count-is-enforced) How the count is enforced The instance compares the number of contributors against the seat allowance carried by your license. The current count is visible from **About CISO Assistant**, opened via the three-dot menu next to your name in the sidebar footer — so you can see at any time how many seats are used and how many are available. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#where-pro-runs) Where PRO runs -------------------------------------------------------------------------------------------------------------------- PRO is **available on both deployment models**, and the feature set is identical between them: * **On-premises** — you host the platform on your own infrastructure (Linux VM, Kubernetes via the [Helm chart](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart) , or any of the deployment methods documented under [Installation](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/installation) ). Your data stays in your network. This is the right model when sovereignty, air-gapping, or strict residency requirements rule out a managed service. * **SaaS** — intuitem hosts and operates a managed instance for you. No infrastructure to run, automatic upgrades, backups handled. The right model when you'd rather focus on the GRC programme than on running a Django application. You can move between the two models — there's no architectural difference, and the data formats (domain exports, library YAML, audit exports) are stable across deployments. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#unlimited-plans) Unlimited plans For organisations that don't want to track individual seats — typically large enterprises, MSSPs, public-sector deployments, or any environment where contributor headcount fluctuates often — both the on-premises and SaaS editions are available with an **unlimited plan**. Under an unlimited plan, the platform doesn't enforce a seat count and you don't need to manage role assignments around license limits. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#secnumcloud) SecNumCloud A **SecNumCloud** version is also available, with dedicated hosting under the highest available cloud-security qualification. It is offered in unlimited mode. See the [pricing page](https://intuitem.com/pricing) for details. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#related) Related ------------------------------------------------------------------------------------------------------ * [Pricing](https://intuitem.com/pricing) — current plan tiers and what each includes. * [Community vs PRO](https://intuitem.com/compare) — the full feature comparison. * [Validation flows](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows) — the governance object whose approvers don't consume a seat. * [Third-party risk](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/third-party-risk) — the auditee surface used by external representatives, who also don't consume a seat. [PreviousVocabulary](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [NextFoundations](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations) Last updated 1 month ago Was this helpful? * [Contributor seats](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#contributor-seats) * [Exceptions — who doesn't count](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#exceptions-who-doesnt-count) * [How the count is enforced](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#how-the-count-is-enforced) * [Where PRO runs](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#where-pro-runs) * [Unlimited plans](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#unlimited-plans) * [SecNumCloud](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#secnumcloud) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions#related) Was this helpful? --- # Foundations | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations.md) . [Domains](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains) [Perimeters](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/perimeters) [Actors and teams](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams) [IAM and scoping](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping) [PreviousCommunity vs PRO](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions) [NextDomains](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains) Last updated 1 month ago Was this helpful? Was this helpful? --- # Vocabulary | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary.md) . A glossary of the terms used in CISO Assistant. Where a user-facing term differs from the internal model name, both are given. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#a) A -------------------------------------------------------------------------------------------- * **Accreditation** — Formal authorisation that a system, environment, or product has met security and compliance requirements. Captured as an object in project-management workflows, often required for go-live. * **Actor** — The unifying handle for anyone who can own or be assigned work in CISO Assistant. An actor wraps exactly one of three underlying objects: a [User](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#u) , a [Team](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#t) , or an [Entity](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#e) . Auto-created when its underlying object is created — not managed directly. See [Actors and teams](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams) . * **Applied control** — The main building block of the action plan: a concrete action your team has implemented or will implement. It can be technical, organisational, a process, a policy, a piece of documentation — anything that materially changes risk or compliance posture. Applied controls are always defined by the organisation and can be attached to the global domain or to a specific domain. They may derive from a reference control for consistency, or be created independently. * **Asset** — Anything of value worth protecting. **Primary assets** are core resources directly contributing to the organisation's main objectives (business processes, data, intellectual property). **Supporting assets** indirectly aid primary functions (IT systems, services, locations, people). * **Asset assessment** — A per-asset row inside a business impact analysis, capturing recovery posture (documented, tested, targets met), associated controls, evidence, and the escalation thresholds that describe how impact grows over time. * **Assessment** — Umbrella term covering **audits** (compliance work), **risk assessments**, **business impact analyses**, and **entity assessments**. * **Attack path** — In EBIOS RM, the route an attacker may take from a starting point — through stakeholders or supporting assets — to reach a target objective. * **Audit** — The evaluation of a perimeter against a framework, producing a per-requirement view of status, score, and evidence. Internally a `ComplianceAssessment`. * **Audit log** — Append-only record of significant actions taken in the platform (creations, edits, permission changes, logins). PRO feature. * **Auditee mode** — A read-only UX mode aimed at external assessors who need to inspect an audit without being granted full access to the platform. Gated by the `auditee_mode` feature flag. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#b) B -------------------------------------------------------------------------------------------- * **Business impact analysis** (BIA) — A structured assessment of the operational, financial, and reputational impact of disruption to specific assets or business processes. Outputs feed into resilience planning. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#c) C -------------------------------------------------------------------------------------------- * **Campaign** — An orchestration object for running many audits in parallel — for example, one audit per perimeter against the same framework. PRO feature. * **Catalog object** — A reusable building block of CISO Assistant: framework, threat, risk matrix, reference control, mapping, security advisory, CWE. Catalog objects are packaged into libraries. * **Compliance assessment** — Internal model name for an **audit**. See **Audit**. * **Contract** — A third-party agreement attached to a supplier entity or solution, with terms, dates, and renewal information. * **Control** — Generic term. Disambiguate against **applied control** (concrete instance) and **reference control** (template). * **Current risk** — The risk level given the **applied controls already in place** — the state of risk today. The middle tier of CISO Assistant's three-tier model: inherent (no controls) → current (existing controls) → residual (existing + planned controls). * **Custom field** (also _custom attribute_) — An organisation-defined attribute that can be attached to platform objects (projects, risks, assets, suppliers, contracts, and more) to capture typed, filterable, searchable metadata beyond the built-in fields. * **CWE** — Common Weakness Enumeration. A catalogued category of software weakness, used to tag vulnerabilities and security advisories. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#d) D -------------------------------------------------------------------------------------------- * **Dashboard** — A configurable view of metrics and progress indicators, scoped to a perimeter or a domain. * **Data breach** — In a privacy register, an incident affecting personal data, with notification status and response actions. * **Data contractor** — A third party involved in a processing as data processor, sub-processor, or joint controller. Distinct from a generic supplier entity — captures the privacy-specific role. * **Data recipient** — A party (internal team, external service, public body) that personal data is disclosed to as part of a processing. * **Data subject** — The category of individuals whose personal data is processed (customers, employees, prospects, etc.). Surfaces in the privacy register and right-request workflows. * **Data transfer** — A record of cross-border or cross-entity movement of personal data, with destination, legal basis, and safeguards. * **Document revision** — A single revision of a [Managed document](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#m) . Carries a version number and a lifecycle status (draft → in review → change requested → validated → published → deprecated). * **Domain** — The top-level container in CISO Assistant: a business unit, subsidiary, project, or any boundary used for organising work and isolating permissions via role-based access control. Sub-domains nest underneath. Internally a `Folder`. _Demo_ and _Starter_ are reserved for internal features. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#e) E -------------------------------------------------------------------------------------------- * **EBIOS RM** — The French ANSSI risk-management method, supported natively in the platform as its own object graph (studies, feared events, stakeholders, strategic and operational scenarios, kill chains). * **Elementary action** — In EBIOS RM, an atomic step an attacker can perform. Composed into operating modes. * **Entity** — Scope of an external review — typically a vendor or third party. * **Entity assessment** — The actual review of an entity. Can trigger or be linked to an audit. * **Escalation threshold** — A point-in-time / impact pair attached to an asset assessment inside a BIA: "after 4 hours of outage, impact is _high_". Lets a BIA model how disruption escalates rather than recording a single worst-case impact. * **Evidence** — A document, screenshot, configuration sample, or any other artifact attached to an applied control or requirement assessment to substantiate compliance. * **Evidence revision** — A single versioned iteration of an evidence object. Replacing an attachment creates a new revision rather than overwriting the previous one; revisions carry a version number, an SHA-256 integrity hash, optional observation, and a link to the task occurrence that produced them when applicable. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#f) F -------------------------------------------------------------------------------------------- * **Feared event** — In EBIOS RM, the undesirable outcome to be avoided on a primary asset — for example, a confidentiality breach of customer data. * **Filtering label** — A free-form tag that can be attached to most objects for categorisation, filtering, and reporting. * **Findings assessment** — A formal record tracking issues raised by an audit, a security review, or an external assessor, used to drive remediation through to closure. * **Focus mode** — A workspace mode that filters the entire UI to a single domain, hiding objects belonging to other domains. PRO feature. * **Folder** — Internal model name for a **domain**. See **Domain**. * **Framework** — A set of requirements covering patterns and expectations needed to comply with a regulation, prepare a certification, or establish a foundation. Shipped as a YAML library. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#g) G -------------------------------------------------------------------------------------------- * **Generic collection** — A flexible grouping object in project-management workflows: a "bag" of related items that doesn't fit a more specific schema. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#i) I -------------------------------------------------------------------------------------------- * **Incident** — A security or operational event being investigated or tracked. Distinct from a **risk** (potential) or a **vulnerability** (weakness). * **Inherent risk** — The natural risk level of a scenario _without any applied controls_. The top tier of CISO Assistant's three-tier model — useful for ranking scenarios by their underlying severity, independently of the mitigation already in place. Surfaced in the UI when the `inherent_risk` feature flag is on. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#j) J -------------------------------------------------------------------------------------------- * **Journey** — An instance of a [Preset](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#p) applied to a domain. Carries the scaffolded objects created at apply time and a step list with per-step statuses, notes, and completion timestamps. See [Journeys](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys) . * **Journey step** — One row of work inside a journey: a title, description, optional pointer to a target object or internal route, and a status (not started, in progress, done, skipped). [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#k) K -------------------------------------------------------------------------------------------- * **Kill chain** — In EBIOS RM, an ordered sequence of attacker steps culminating in the target objective. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#l) L -------------------------------------------------------------------------------------------- * **Library** — Container object bundling one or more catalog objects (frameworks, matrices, threats, reference controls, mappings, security advisories). [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#m) M -------------------------------------------------------------------------------------------- * **Managed document** — A document tracked through a controlled lifecycle (draft, in-review, validated, published, deprecated) and pinned to a parent object such as a policy. Each iteration is a [Document revision](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#d) . * **Mapping** — Based on the [OLIR initiative](https://csrc.nist.gov/projects/olir) . Allows moving an assessment from framework A to framework B while reusing existing requirement assessments. * **Metric definition** — A reusable specification for a measurable indicator (formula, target, unit, scope). Defined once, instantiated per perimeter. * **Metric instance** — A concrete sample of a metric definition for a given scope at a given point in time. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#o) O -------------------------------------------------------------------------------------------- * **Operating mode** — In EBIOS RM, a specific way an attacker can carry out an operational scenario, composed of elementary actions. * **Operational scenario** — In EBIOS RM, the detailed "how" of a strategic scenario — the assets touched, the steps taken, and the techniques used. * **Organisational issue** — A documented context element describing an internal or external problem affecting the organisation. * **Organisational objective** — A documented strategic or operational goal of the organisation. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#p) P -------------------------------------------------------------------------------------------- * **Perimeter** — A scoped subset of a domain that an audit or risk assessment applies to. Unlike a domain, a perimeter does **not** enforce role-based access control. Perimeters were previously called "Projects". * **Personal access token** (PAT) — A long-lived authentication token a user can issue from their profile to authenticate API calls. Alternative to session-based login; used by scripts, integrations, the CLI, and the MCP server. * **Personal data** — In a privacy register, any data referring to an identified or identifiable individual. * **Policy** — A specific type of applied control: a document describing what is expected from some part of your stakeholders. Lives in CISO Assistant so its lifecycle can be managed alongside the rest of your controls. * **Preset** — A reusable template describing a guided workflow: a set of starter objects to scaffold (audit, risk assessment, etc.) plus an ordered list of steps to follow. Library-backed or authored locally; applied to a domain to produce a [Journey](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#j) . * **Processing** — In a privacy register, an activity that operates on personal data (collection, storage, transfer, deletion). Captures purpose, lawful basis, recipients, and retention. * **Processing nature** — A catalogued type of processing operation (collection, storage, transfer, disclosure, deletion, …) used to characterise a processing. * **Project** — In the project-management module, a planned initiative with deliverables and milestones. Distinct from the legacy meaning of "project" in older CISO Assistant documentation — see **Perimeter**. * **Purpose** — In a privacy register, the lawful reason for which personal data is processed. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#q) Q -------------------------------------------------------------------------------------------- * **Quantitative risk hypothesis** — A parameter set (loss-event frequency, magnitude distribution) feeding a quantitative risk scenario. * **Quantitative risk scenario** — A scenario inside a quantitative risk study, evaluated via Monte-Carlo simulation over loss distributions. * **Quantitative risk study** — A risk study using quantitative methods rather than a risk matrix. Sibling to qualitative risk assessment and EBIOS RM. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#r) R -------------------------------------------------------------------------------------------- * **Recap** — The roll-up view of a business impact analysis, aggregating asset assessments and their escalation thresholds into a single readout. * **Recovery target** — A documented commitment for restoring an asset after disruption, typically a Recovery Time Objective (RTO) or Recovery Point Objective (RPO). Tracked on an asset assessment as "documented", "tested", and "targets met" flags. * **Reference control** — A template for an applied control. Provided by frameworks via libraries, or defined locally. Optional but recommended for keeping applied controls consistent across the organisation. * **Representative** — The person responsible for answering the questionnaire or requirements of an entity assessment. * **Requirement** — A single normative statement inside a framework. * **Requirement assessment** — The evaluation of one requirement inside an audit (status, score, evidence, applied controls). * **Requirement mapping set** — Internal model name for the catalog object backing a **mapping** library. See **Mapping**. * **Residual risk** — The risk level expected once all _planned_ applied controls have been implemented — the target state of the action plan. The bottom tier of CISO Assistant's three-tier model (inherent → current → residual), and the figure used as input to risk-acceptance decisions. * **Responsibility matrix** — An assignment of actors to activities, used in project workflows and accreditation processes. Supports RACI, RASCI, and RAPID conventions. * **Responsibility role** — The role attached to an actor on an activity inside a responsibility matrix (e.g. R/A/C/I in RACI, or R/A/S/C/I in RASCI). Defined per matrix. * **Right request** — In a privacy register, a data-subject request under GDPR or equivalent (access, rectification, deletion, portability). * **Risk acceptance** — Formal record of an organisation's decision to tolerate a residual risk without further treatment. Carries an approval workflow; approval requires the **Approver** role. * **Risk assessment** (also _risk study_) — A scenario-based evaluation of risk over a perimeter. * **Risk matrix** — A configurable lookup table that derives risk level from probability and impact. Imported from a library. The matrix is fixed per risk assessment once the assessment is created. * **Risk scenario** — A building block of a risk assessment: combines threats, assets, and existing controls into a story whose probability and impact can be evaluated. * **Role** — A bundle of permissions. Four built-in roles ship with the platform; PRO editions also support custom roles. * **Domain Manager** — can set up and access everything on a domain. * **Analyst** — can input and read data, but cannot change a domain's settings. * **Reader** — read-only on the domain's items. * **Approver** — can validate workflows on objects for a domain (e.g. risk acceptance). * **Role assignment** — The attachment of a user (or user group) to a role within a domain. The unit of access control. * **RO/TO couple** — In EBIOS RM, the pairing of a **Risk Origin** (who attacks) with a **Target Objective** (what they want). The seed for strategic and operational scenarios. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#s) S -------------------------------------------------------------------------------------------- * **Security advisory** — A catalogued security warning published by a vendor or CERT (e.g. CVE entries). Linked to vulnerabilities and affected assets. * **Security exception** — A documented, time-bound deviation from a control or policy, approved through a workflow and tracked for review. * **Severity** — The shared ordinal scale used to qualify vulnerabilities, incidents, and findings: undefined / info / low / medium / high / critical. Drives SLA escalation and visual emphasis in dashboards. * **Solution** — A product or service provided by an entity. * **Stakeholder** — In EBIOS RM, an internal or external party with a relationship to the studied system. Evaluated for trust level and dependency. * **Strategic scenario** — In EBIOS RM, the high-level "what" of an attack: a Risk Origin, a Target Objective, a path through stakeholders, and an outcome. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#t) T -------------------------------------------------------------------------------------------- * **Task definition** — A reusable specification of a task: default assignee, owner, recurrence rule, expected evidence. Defining a task creates one or more **task occurrences** over time. Internally a `TaskTemplate`. * **Task node** — Internal model name for a **task occurrence**. See **Task occurrence**. * **Task occurrence** — A scheduled instance of a task definition, with a due date, a status (pending → in progress → completed/cancelled), and the evidence collected when the task ran. Internally a `TaskNode`. * **Task template** — Internal model name for a **task definition**. See **Task definition**. * **Team** — A named grouping of users used for collaborative ownership of objects, with a leader, optional deputies, members, and an optional team email for notification routing. Distinct from a [User group](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#u) (which is role-scoped to a domain — see the disambiguation in [Actors and teams](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams) ). * **Terminology** — An organisation's overrides to the platform's default labels, used to align the UI with internal vocabulary. * **Threat** — A catalogued source of harm — reusable across scenarios. Optional: assessments can be performed without referencing threats explicitly. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#u) U -------------------------------------------------------------------------------------------- * **URN** — Uniform Resource Name. A unique identifier used to link to catalog objects across libraries. * **User** — A person with an account on the platform. * **User group** — A combination of a role and a domain, on which you place users. Auto-created when a domain is created. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#v) V -------------------------------------------------------------------------------------------- * **Validation flow** — A configurable approval workflow that mirrors an organisation's internal review or management-approval process — peer-review, sign-off by a security lead, formal acceptance by a steering committee. Attached to objects whose state changes warrant such review (e.g. risk acceptance, audit close-out), it captures the human approval step inside the platform rather than enforcing it as a hard technical gate. * **Vulnerability** — A weakness in a system or process that could be exploited by a threat. Tracked with severity, status, and linked applied controls. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#w) W -------------------------------------------------------------------------------------------- * **Webhook endpoint** — A registered URL CISO Assistant calls when configured events happen (e.g. an audit closed, an applied control updated). Used to notify external systems and trigger downstream automation. [PreviousPhilosophy](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy) [NextCommunity vs PRO](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/editions) Last updated 1 month ago Was this helpful? * [A](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#a) * [B](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#b) * [C](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#c) * [D](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#d) * [E](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#e) * [F](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#f) * [G](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#g) * [I](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#i) * [J](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#j) * [K](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#k) * [L](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#l) * [M](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#m) * [O](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#o) * [P](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#p) * [Q](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#q) * [R](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#r) * [S](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#s) * [T](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#t) * [U](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#u) * [V](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#v) * [W](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary#w) Was this helpful? --- # Assets and resilience | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience.md) . [Assets](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets) [Business impact analyses](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/business-impact-analyses) [PreviousJourneys](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys) [NextAssets](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets) Last updated 1 month ago Was this helpful? Was this helpful? --- # Business impact analyses | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/business-impact-analyses.md) . A **business impact analysis** (BIA) measures the operational, financial, and reputational consequences of disrupting specific assets or business processes — the input to any serious resilience plan. Where a risk assessment asks "what could go wrong?", a BIA asks "if it does, how bad is it, and how quickly does it become unacceptable?". [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/business-impact-analyses#mental-model) Mental model -------------------------------------------------------------------------------------------------------------------------------------------------- A BIA is an assessment scoped to a perimeter. For each asset in scope, the platform captures: * **Asset assessment** — the impact of disruption along one or more dimensions (financial, operational, regulatory, reputational). * **Escalation thresholds** — the durations after which disruption becomes severe, critical, or unacceptable — often expressed as RTO (Recovery Time Objective) levels. The output is a prioritised view of which assets your continuity plan must protect first. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/business-impact-analyses#how-it-ties-into-the-rest-of-the-platform) How it ties into the rest of the platform ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ * BIAs read from the **asset inventory** — assets are first-class objects, not BIA-private records. * The criticality output can drive **risk scenario prioritisation** for the same assets. * For organisations subject to DORA, BIA results feed into incident-reporting workflows. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/business-impact-analyses#related) Related ---------------------------------------------------------------------------------------------------------------------------------------- * [Assets](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets) * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) * [Vocabulary → Business impact analysis](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousAssets](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets) [NextOperations](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/business-impact-analyses#mental-model) * [How it ties into the rest of the platform](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/business-impact-analyses#how-it-ties-into-the-rest-of-the-platform) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/business-impact-analyses#related) Was this helpful? --- # IAM and scoping | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping.md) . This page is the **mental model** for how access and visibility work in CISO Assistant. The full configuration-side deep-dive (SAML / OIDC / MFA / PATs / accounting) lives in [Understanding the IAM model](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/iam-model) ; this page focuses on the three things every user needs internalised before they can predict what they will and won't see on screen: 1. Almost everything is bound to a **domain**. 2. Permissions are inherited **down the domain tree**. 3. Some objects are **published** — visible across the tree — and assessments are not. The combination of these three is what produces the most common "why am I seeing items from another domain here?" moment, which the last two sections explain and resolve. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#everything-is-bound-to-a-domain) Everything is bound to a domain --------------------------------------------------------------------------------------------------------------------------------------------------------------------- The platform's primary scoping unit is the **domain** (see [Domains](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains) ). Almost every operational object you create carries a domain — that's what drives _who can see it_ and _how it rolls up in reports_. The list is long on purpose — to make the model concrete: * **Compliance**: audits / compliance assessments, requirement assessments, evidences. * **Risk**: risk assessments, risk scenarios, quantitative risk studies, EBIOS RM studies, business impact analyses, security exceptions. * **Operations**: applied controls, policies, tasks, incidents, findings, findings assessments. * **Assets**: assets, contracts, entities, solutions, representatives. * **Privacy**: processings, personal-data inventories, right requests, data breaches. * **Project management**: projects, accreditations, responsibility matrices. A small number of objects don't carry a domain because they're either system-wide (the user catalogue, the role catalogue, instance settings) or imported from a library catalogue. Everything else lives _inside_ a domain. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#inheritance-roles-flow-down-the-tree) Inheritance — roles flow down the tree --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The domain hierarchy is not just for organising the UI — it actively shapes access. **A role granted on a domain applies to every domain beneath it.** Give a user the _Analyst_ role on a parent domain, and they get analyst-level access to every sub-domain underneath, without re-assigning them at each level. This is why the tree shape matters as much as the names: putting "France" and "Germany" under a "EMEA" parent isn't decorative — it's the lever that lets EMEA-level managers see across both without granting them individual roles per country. Permissions only flow **downward**: a role on a sub-domain does _not_ grant any access to the parent. If you need a role-holder to see across siblings, the role goes on the shared ancestor. The same inheritance also drives reporting: most dashboards and analytics roll up across a domain _and_ its descendants, so a leadership-level view on the parent domain is automatically the consolidated view across its sub-tree. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#publication-why-catalogues-appear-across-all-domains) Publication — why catalogues appear across all domains ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Some objects exist to be **shared**. Frameworks, threats, risk matrices, reference controls, and other catalogue-style items wouldn't be useful if they were trapped in a single domain — every team needs to be able to pull from the same shared library. CISO Assistant models this through a built-in flag — `**is_published**` — that any object can carry. An object marked as published is visible inside every sub-domain of its own domain, _as if it had been attached to each one_. Publication is a **visibility** mechanism only; it does not let users in other domains create, update, or delete the object. By default: * **Catalogue-style objects** (frameworks, threats, matrices, reference controls, libraries, terminologies, …) are published — they live "above" individual domains and are intended to be reused. * **Assessments** (audits, risk assessments, BIAs, entity assessments) are **not published** — they belong to a specific domain and stay there. The most common surprise this creates is when a user opens the platform and sees a library of frameworks or threats they "shouldn't" have access to. They aren't seeing them through a permissions hole — they're seeing them because the catalogue is published from a domain that sits above theirs. If you want to keep a specific object _out_ of the published view, the simplest trick is to attach it to a leaf sub-domain (a domain with no children) — nothing inherits from a leaf. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#why-you-sometimes-see-items-from-other-domains) Why you sometimes see items from other domains --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Assessments routinely _compose_ objects across the tree. Risk assessments reference applied controls, threats, and assets; audits reference applied controls and evidences; findings assessments reference applied controls and the requirement assessments they remediate. When you're working inside one assessment, the platform's selectors and pickers don't just show you what's in the assessment's own domain — they show you **everything you have access to**. So a risk scenario authored inside the _France_ domain can pull in: * A shared applied control attached to the _EMEA_ parent domain (you can see it because of inheritance). * A threat from the global library (you can see it because it's published). * An asset attached to a sibling _Germany_ domain (if your role gives you access there). This is by design — composing across the organisation is the whole point of a centralised GRC platform — but it can be disorienting on day one. The rule is consistent: you see what you have access to, regardless of which domain you started on. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#managing-the-noise-focus-mode-pro) Managing the noise — focus mode (PRO) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When you have access to many domains and you only want to think about one at a time, the platform exposes [**Focus mode**](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/focus-mode) (PRO, default off). Focus mode scopes the entire application — every list, dashboard, count, and search — to a single domain and its sub-tree, hiding everything else for the rest of your session. It does not grant or revoke permissions; it just filters the view. Use it when: * You operate across many client domains and want to work on one at a time. * Your organisation is large enough that the "all domains" view is overwhelming for day-to-day work. * You're running a demo or an onboarding and want the rest of the workspace out of the way. When focus is engaged, all the cross-domain composition described above is suppressed — you'll only see assets, controls, and assessments from the focused sub-tree. Clearing the focus restores the full cross-domain view. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#related) Related --------------------------------------------------------------------------------------------------------------------- * [Domains](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains) — domain hierarchy, IAM groups, restructuring, moving objects. * [Actors and teams](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams) — who gets assigned what. * [Understanding the IAM model](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/iam-model) — full configuration-side deep dive (SSO, MFA, PATs, accounting). * [Focus mode](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/focus-mode) — the PRO tool for scoping back the view. * [User groups](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/user-groups) — how role assignments are actually stored and managed. [PreviousActors and teams](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams) [NextCatalog](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog) Last updated 1 month ago Was this helpful? * [Everything is bound to a domain](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#everything-is-bound-to-a-domain) * [Inheritance — roles flow down the tree](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#inheritance-roles-flow-down-the-tree) * [Publication — why catalogues appear across all domains](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#publication-why-catalogues-appear-across-all-domains) * [Why you sometimes see items from other domains](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#why-you-sometimes-see-items-from-other-domains) * [Managing the noise — focus mode (PRO)](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#managing-the-noise-focus-mode-pro) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping#related) Was this helpful? --- # Operations | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations.md) . [Applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) [Tasks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks) [Incidents](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents) [PreviousBusiness impact analyses](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/business-impact-analyses) [NextApplied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) Last updated 1 month ago Was this helpful? Was this helpful? --- # Catalog | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog.md) . [Libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries) [Frameworks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks) [Mappings](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings) [Risk matrices](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices) [Threats](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats) [Threat intelligence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel) [Metrics](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics) [Journeys](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys) [PreviousIAM and scoping](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping) [NextLibraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries) Last updated 1 month ago Was this helpful? Was this helpful? --- # Governance | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance.md) . [Policies](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies) [Documents](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents) [Findings assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments) [Validation flows](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows) [PreviousIncidents](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents) [NextPolicies](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies) Last updated 1 month ago Was this helpful? Was this helpful? --- # Actors and teams | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams.md) . Almost every object in CISO Assistant has an **assignee** — the applied control someone is responsible for, the audit a team is running, the contract a supplier signs. The platform represents all these counterparties through a single abstraction: the **actor**. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#mental-model) Mental model -------------------------------------------------------------------------------------------------------------------------------- The actor is a one-to-one wrapper that always points at exactly one of three concrete records — a user, a team, or an entity (the three dashed edges are exclusive: a database check constraint enforces XOR). Every _Assigned to_ / authorship / approver field on the platform (applied control assignee, audit author, task assignee, contract counterparty…) holds an actor, so a single code path resolves notifications and access regardless of the underlying type. Teams aggregate users via leader, deputies, and members — assigning to a team fans out to every user in it. User-facing Internal Notes Actor `Actor` XOR(User / Team / Entity); auto-created with its target User `iam.User` Platform account Team `Team` Leader + deputies + members Entity `tprm.Entity` Third-party party [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#actors) Actors -------------------------------------------------------------------------------------------------------------------- An actor is the unifying handle for anyone who can be assigned to work in CISO Assistant. Every actor wraps exactly one of three concrete underlying objects: * A **user** — a person with a platform account. * A **team** — a named grouping of users for collaborative responsibility. * An **entity** — an external party from the third-party register (typical for contracts and entity assessments). The actor abstraction means the same _Assigned to_ field on an applied control can hold a user, a team, or a supplier without the consuming code caring which it is. Notifications, emails, assignments, and reporting all go through the actor — they fan out to the right addresses regardless of the underlying type. Actors are created automatically when their underlying object is created. You don't manage actors directly; you manage users, teams, and entities, and the actor records follow. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#teams) Teams ------------------------------------------------------------------------------------------------------------------ A team is a named grouping of users used for **collaborative assignment** — when the responsibility for something belongs to a working group rather than an individual. A team has: * A **leader** — a single user accountable for the team. * **Deputies** — users who can act in the leader's place. * **Members** — the broader group. * An optional **team email** — used as the default notification address; if not set, emails fan out to the leader, deputies, and members individually. Teams are first-class targets for assignments and notification routing. When work is assigned to a team, anyone with the appropriate role in the team's domain can act on it. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#teams-vs-user-groups) Teams vs user groups ------------------------------------------------------------------------------------------------------------------------------------------------ These two are easy to confuse: * A **team** is a collaborative group with members, a leader, and deputies. It's about _who works together_. Teams are voluntary, organisational, and can span any domain. * A **user group** is a `(role, domain)` pair on which users get placed. It's about _what permissions someone has where_. User groups are auto-created when a domain is created — one per role per domain. You join a team for collaboration. You're placed in a user group for access. Both can carry users; they answer different questions. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#how-actors-are-used-across-the-platform) How actors are used across the platform -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * **Applied controls** are assigned to one or more actors. * **Requirement assessments** can be assigned to an actor for completion. * **Tasks** are assigned to actors and notify them when due. * **Risk scenarios** are assigned to one or more actors. * **Entity assessments** have a representative (an actor of type user, tied to an entity). * **Validation flows** route approvals through actors. Because all of these use the same actor handle, an audit log that says "assignee changed from team A to user B" is unambiguous, and the platform can resolve notifications the same way everywhere. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#related) Related ---------------------------------------------------------------------------------------------------------------------- * [Domains](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/domains) — where role-based access control happens * [Vocabulary → Actor, Team, User, User group](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) * [Add and manage users](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/users) * [User groups](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/user-groups) * [Teams](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/teams) [PreviousPerimeters](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/perimeters) [NextIAM and scoping](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/iam-and-scoping) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#mental-model) * [Actors](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#actors) * [Teams](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#teams) * [Teams vs user groups](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#teams-vs-user-groups) * [How actors are used across the platform](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#how-actors-are-used-across-the-platform) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams#related) Was this helpful? --- # Assets | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets.md) . An **asset** is anything of value worth protecting. Assets are first-class objects in CISO Assistant, decoupled from any specific risk study or audit, so the same asset can participate in many analyses without being duplicated. Assets are always defined by the organisation and can be attached to the global domain or to a specific domain. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets#mental-model) Mental model -------------------------------------------------------------------------------------------------------------------------------- The asset is a hub other surfaces point at: risk scenarios impact it, vulnerabilities affect it, incidents affect it, and a Business Impact Analysis assesses it (through an intermediate `AssetAssessment` row, one per asset in the BIA). The `supports` self-loop captures the primary/support hierarchy — a support asset is recorded as a child of its primary parent through `parent_assets`. User-facing Internal Notes Asset `Asset` First-class; primary vs support via `type` Domain `Folder` Required; drives IAM scoping Risk scenario `RiskScenario` Lives inside a `RiskAssessment` Vulnerability `Vulnerability` First-class Incident `Incident` First-class BIA `BusinessImpactAnalysis` Bridges to assets via `AssetAssessment` [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets#primary-vs-supporting-assets) Primary vs supporting assets ---------------------------------------------------------------------------------------------------------------------------------------------------------------- * **Primary assets** are core resources directly contributing to the organisation's main objectives — business processes, data, intellectual property. * **Supporting assets** indirectly aid primary functions — IT systems, services, locations, people. The distinction matters for risk work: scenarios typically express _what can happen to a primary asset_ via _which supporting assets are involved_. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets#related) Related ---------------------------------------------------------------------------------------------------------------------- * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) * [Vocabulary → Asset](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousAssets and resilience](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience) [NextBusiness impact analyses](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/business-impact-analyses) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets#mental-model) * [Primary vs supporting assets](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets#primary-vs-supporting-assets) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets#related) Was this helpful? --- # Tasks | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks.md) . Tasks are how CISO Assistant tracks the operational work that keeps controls effective: the weekly access review, the monthly backup test, the quarterly policy refresh, the one-off offboarding checklist. They are deliberately separate from applied controls — a control says _what is done_; a task says _that someone has actually done it on a given date_. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks#mental-model) Mental model -------------------------------------------------------------------------------------------------------------------- The task template is the definition — assignee, recurrence rule, expected evidence — and the task occurrence is the actual unit of work scheduled from it. The schedule is a JSON field describing the cadence (DAILY / WEEKLY / MONTHLY / YEARLY with the usual iCalendar refinements). Templates can be wired to many other objects — applied controls being the canonical one (the "maintains" semantics: this work keeps that control healthy) — and when an occurrence is completed, the evidence revision it produces is back-linked through `task_node` so the audit trail closes the loop. User-facing Internal Notes Task definition / template `TaskTemplate` One spec, one schedule Task occurrence `TaskNode` One scheduled run Schedule `schedule` JSON field on the template iCal-style recurrence rule [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks#definition-vs-occurrence) Definition vs occurrence -------------------------------------------------------------------------------------------------------------------------------------------- Tasks come in two layers, mirroring the **template → instance** pattern used elsewhere in the platform: * A **task definition** is the reusable spec — the title, description, assignee, expected evidence, and the recurrence rule (`every Monday`, `the 1st of each month`, `every 90 days`). It says _what should happen_ and _how often_. Internally a `TaskTemplate`. * A **task occurrence** is a single scheduled run produced from a definition — the actual row with a due date, a status (pending → in progress → completed / cancelled), and the evidence collected when the work was done. Internally a `TaskNode`. A one-off task is just a definition that produces a single occurrence. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks#lifecycle) Lifecycle -------------------------------------------------------------------------------------------------------------- 1. **Define.** Create a task definition with the assignee, the cadence, and what's expected when the task runs. 2. **Schedule.** Occurrences are materialised from the recurrence rule. The platform creates them as their due dates come into view, so the list of upcoming work is always visible. 3. **Work the occurrence.** When a due date arrives, the assignee opens the occurrence, records what they did, attaches evidence, and marks it completed. 4. **Iterate.** Edit the definition to adjust the cadence, assignee, or expected evidence — existing occurrences keep their state; future occurrences pick up the change. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks#why-tasks-and-not-just-calendar-reminders) Why tasks (and not just calendar reminders) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The point of tracking tasks inside the platform — rather than in a calendar or ticketing system — is so that the **evidence** of execution lives next to the rest of your compliance record. An auditor asking "show me proof of monthly backup testing" can be answered by pointing at the task and walking through the completed occurrences with their attached evidence. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks#related) Related ---------------------------------------------------------------------------------------------------------- * [Applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) * [Evidence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence) * [Vocabulary → Task definition / Task occurrence](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousApplied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) [NextIncidents](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks#mental-model) * [Definition vs occurrence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks#definition-vs-occurrence) * [Lifecycle](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks#lifecycle) * [Why tasks (and not just calendar reminders)](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks#why-tasks-and-not-just-calendar-reminders) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks#related) Was this helpful? --- # Threats | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats.md) . A **threat** is a catalogued source of potential harm — a phenomenon, agent, or event that could compromise an asset, a business process, or a regulatory obligation. Threats are reusable building blocks: a single threat (say, "Phishing") may appear in many risk scenarios, EBIOS RM operational scenarios, and applied control rationales without being duplicated. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats#when-threats-appear) When threats appear --------------------------------------------------------------------------------------------------------------------------------- * **Risk scenarios** — most qualitative risk scenarios name the threat that drives them. * **EBIOS RM operational scenarios** — threats are mapped to attacker techniques in the kill chain. * **Vulnerability tracking** — threats can be linked to vulnerabilities to express _what could exploit this weakness_. * **Applied controls** — controls can declare which threats they address. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats#where-threats-come-from) Where threats come from ----------------------------------------------------------------------------------------------------------------------------------------- CISO Assistant ships with curated threat libraries based on common sources — MITRE ATT&CK, ENISA, the ISO 27005 illustrative threat catalogue, sector-specific catalogues. You can also create your own threats inside a domain, or contribute a custom threat library. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats#optional-but-useful) Optional, but useful ---------------------------------------------------------------------------------------------------------------------------------- A risk assessment _can_ be done without referencing threats — the platform doesn't force it. Naming the threat behind a scenario makes the analysis sharper, more reusable, and easier to map back to threat-intelligence feeds. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats#related) Related --------------------------------------------------------------------------------------------------------- * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) * [Libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries) * [Vocabulary → Threat](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousRisk matrices](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices) [NextThreat intelligence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel) Last updated 1 month ago Was this helpful? * [When threats appear](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats#when-threats-appear) * [Where threats come from](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats#where-threats-come-from) * [Optional, but useful](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats#optional-but-useful) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats#related) Was this helpful? --- # Libraries | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries.md) . A **library** is a bundled set of catalog objects — frameworks, threats, risk matrices, reference controls, mappings, security advisories, CWE entries — distributed as a YAML file. Libraries are how content gets into CISO Assistant. They make the platform extensible: anything from a regulator's framework to a vendor's threat feed to your organisation's internal control catalogue is just another library. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#mental-model) Mental model --------------------------------------------------------------------------------------------------------------------- A library starts life as a **stored** record — its YAML is parsed and registered but contents stay inactive. Loading it materialises whatever catalog objects the YAML declares — any subset of framework, risk matrix, threats, reference controls, or mapping set (all dashed, all optional). A loaded library can also declare dependencies on other loaded libraries — for example, a framework library that ships its companion reference-control catalogue as a separate dependency. User-facing Internal Notes Stored library `StoredLibrary` Inventory entry, contents inactive Loaded library `LoadedLibrary` Activated; contents visible across the platform Mapping set `RequirementMappingSet` Crosswalk between two frameworks [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#stored-vs-loaded) Stored vs loaded ----------------------------------------------------------------------------------------------------------------------------- A library can be in one of two states: * **Stored** — the library is known to the instance but its content hasn't been activated yet. It's visible in the libraries store, ready to be loaded on demand. * **Loaded** — the library is active. Its catalog objects show up across the platform: a loaded framework becomes available when creating an audit; a loaded threat appears in the threats list; loaded reference controls power autosuggestion. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#whats-in-a-library) What's in a library ---------------------------------------------------------------------------------------------------------------------------------- A library typically contains a single primary object (for example, one framework) but may bundle related ones — a framework alongside its companion reference-control catalogue and its mapping to a sibling framework. Library content is referenced by **URN** (Uniform Resource Name), an immutable identifier that survives renames and re-imports. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#built-in-community-and-custom) Built-in, community, and custom --------------------------------------------------------------------------------------------------------------------------------------------------------- * **Built-in libraries** ship with the platform — over 100 frameworks plus the standard threat, matrix, and reference-control catalogues. * **Community libraries** are contributed by the open-source community; see [Contributing a framework or library](https://intuitem.gitbook.io/ciso-assistant/product-docs/contributing/framework) . * **Custom libraries** can be built locally and loaded without sharing them, useful for internal frameworks or control sets. See [Designing your own libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/custom-libraries) for the format. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#lifecycle) Lifecycle --------------------------------------------------------------------------------------------------------------- Libraries are versioned. When a newer version is available, you can upgrade in place — your existing audits keep using the version they were created with until you migrate them explicitly. See [Library upgrade](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/library-upgrade) and [Library clean-up](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/library-cleanup) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#related) Related ----------------------------------------------------------------------------------------------------------- * [Frameworks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks) * [Threats](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats) * [Vocabulary → Library / Catalog object / URN](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousCatalog](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog) [NextFrameworks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#mental-model) * [Stored vs loaded](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#stored-vs-loaded) * [What's in a library](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#whats-in-a-library) * [Built-in, community, and custom](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#built-in-community-and-custom) * [Lifecycle](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#lifecycle) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries#related) Was this helpful? --- # Frameworks | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks.md) . A **framework** is a normative body of requirements that audits are measured against — an industry standard (ISO/IEC 27001, NIST CSF, SOC 2), a regulation (NIS2, DORA, GDPR), a custom internal standard, or any other structured set of requirements. In CISO Assistant, frameworks are shipped as YAML libraries and are the foundation of every audit. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#mental-model) Mental model ---------------------------------------------------------------------------------------------------------------------- A framework lives inside a loaded library and is read-only. It comprises a tree of requirement nodes — some assessable, some structural — linked parent-to-child via the self-loop. Creating an audit instantiates the framework: each assessable node becomes a requirement assessment inside the audit. Requirements can optionally suggest reference controls (templates for the applied controls that satisfy them), and a framework can be mapped to other frameworks for cross-walks. User-facing Internal Notes Framework `Framework` Read-only catalog object Requirement `RequirementNode` Tree node (assessable or section) Library `LoadedLibrary` Active library bundle Audit `ComplianceAssessment` One per (framework × domain × optional perimeter) Reference control `ReferenceControl` Template for an applied control [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#structure) Structure ---------------------------------------------------------------------------------------------------------------- A framework is a tree of **requirement nodes**. Most nodes are _assessable_ — concrete requirements you evaluate one by one — while others act as section or chapter headings that organise the tree. Each assessable node becomes a [requirement assessment](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) inside an audit, carrying its own status, score, and evidence. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#scoring-scales) Scoring scales -------------------------------------------------------------------------------------------------------------------------- Frameworks can define a default scoring scale with a minimum score, a maximum score, and optional level descriptions. For example, a CMMI-style framework may use `0..5`, while another framework may use `1..4` or `0..100`. An individual requirement node can override that default scale with its own `min_score`, `max_score`, and `scores_definition_ref`. These overrides are useful when a standard mixes different scoring shapes in the same tree: for example, a mostly maturity-based framework that also contains binary pass/fail requirements. The override is resolved independently for each field: * If a requirement defines `min_score`, that value is used; otherwise the audit-level minimum is used. * If a requirement defines `max_score`, that value is used; otherwise the audit-level maximum is used. * If a requirement defines `scores_definition_ref`, those labels (resolved from the framework's alternatives registry) are used; otherwise the audit-level labels are used when they fit the requirement's effective range. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#alternative-scales-registry) Alternative scales registry Per-requirement label overrides go through a named **alternatives** registry declared on the framework alongside its default scale. Each requirement references an entry by name, keeping shared scales DRY and avoiding duplication on the node: One-off scales that only apply to a single requirement are added as a new entry in the framework's alternatives registry and referenced by name, just like shared scales. The node always carries a reference, never inlined labels. The audit copies the framework's `scores_definition` (default scale + alternatives) at creation, so per-requirement references resolve against the audit's own copy. This keeps the audit self-contained: customising the audit's scale later doesn't break references on its requirements. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#aggregation-across-mixed-scales) Aggregation across mixed scales Roll-ups keep mixed scales comparable. Average-based aggregation normalises each requirement score against its effective range before computing the parent or global score, then displays the result on the audit scale. Sum-based aggregation remains a raw weighted sum, so each requirement contributes its own effective maximum. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#built-in-vs-custom) Built-in vs custom ---------------------------------------------------------------------------------------------------------------------------------- CISO Assistant ships with 100+ built-in frameworks covering most international standards and regulations. When none of them fits your needs, you can build your own — see [Designing your own libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/custom-libraries) and [Getting your custom framework](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/custom-frameworks) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#mappings-between-frameworks) Mappings between frameworks ---------------------------------------------------------------------------------------------------------------------------------------------------- A **mapping** (or crosswalk) is a directed graph linking the requirements of one framework to those of another, using the [NIST OLIR](https://csrc.nist.gov/projects/olir) convention. Once a mapping is loaded, an existing audit can be projected onto the target framework — reusing requirement assessments where the mapping is strong, surfacing gaps where it isn't. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#related) Related ------------------------------------------------------------------------------------------------------------ * [Audits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) * [Libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries) * [Mappings feature](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/mappings) * [Vocabulary → Framework / Requirement / Mapping](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousLibraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries) [NextMappings](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#mental-model) * [Structure](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#structure) * [Scoring scales](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#scoring-scales) * [Alternative scales registry](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#alternative-scales-registry) * [Aggregation across mixed scales](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#aggregation-across-mixed-scales) * [Built-in vs custom](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#built-in-vs-custom) * [Mappings between frameworks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#mappings-between-frameworks) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks#related) Was this helpful? Copy framework: scores_definition: scale: # default scale, inherited by requirements that don't override - score: 0 name: "N/A" - score: 1 name: "Initial" - score: 5 name: "Optimised" alternatives: binary: # named alternative shared by several requirements - score: 0 name: "No" - score: 1 name: "Yes" requirement_nodes: - urn: ...:r1 min_score: 0 max_score: 1 scores_definition_ref: binary # reference by name, DRY - urn: ...:r2 min_score: 0 max_score: 1 scores_definition_ref: binary # same reference, same scale --- # Mappings | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings.md) . A **mapping** (also called a _crosswalk_) describes how the requirements of one framework relate to those of another. Once a mapping is loaded, an audit performed against the source framework can be **projected** onto the target framework — reusing the existing requirement assessments where the mapping is strong, surfacing gaps where it isn't. Mappings are catalog objects: defined once as a YAML library, loaded into the platform, and applied on demand. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#mental-model) Mental model -------------------------------------------------------------------------------------------------------------------- A mapping set is the unit shipped by a library — it pins exactly one source framework and one target framework. Inside the set, each individual mapping connects one source requirement node to one target requirement node and carries a relationship type (equal / subset / superset / intersect / not\_related). Applying the set to an audit projects the existing requirement assessments onto the target framework: full-coverage relationships (`equal`, `superset`) copy directly; partial-coverage (`intersect`, `subset`) require manual review. User-facing Internal Notes Mapping set `RequirementMappingSet` One per (source, target) library entry Mapping `RequirementMapping` Single SRC → TGT pair, typed Requirement `RequirementNode` Read-only catalog entry from a framework [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#why-they-matter) Why they matter -------------------------------------------------------------------------------------------------------------------------- Most organisations have to demonstrate compliance against multiple frameworks at once — ISO 27001 plus SOC 2 plus a sector-specific regulation, for instance. Without mappings, you re-assess the same control posture against every framework's requirement list, which is busywork. With mappings, you assess once and project. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#structure) Structure -------------------------------------------------------------------------------------------------------------- A mapping is a directed graph linking assessable nodes of a **source** (SRC) framework to assessable nodes of a **target** (TGT) framework, using the convention from [NIST's OLIR](https://csrc.nist.gov/projects/olir) project. Each relationship between a SRC node and a TGT node has a **type**, which is easiest to read as a set relation between what each requirement covers: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-0f9511b81035957028f8d1653fb80e9b919d0685%252Fmapping-set-theory.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=f240fc93&sv=2) Mapping relationship types as set relations between source and target requirements * **No relationship** — the two requirements are disjoint; nothing carries over. * **Equal** — the two requirements are equivalent in scope and intent. * **Subset** — the SRC requirement is contained within (narrower than) the TGT requirement. * **Superset** — the SRC requirement contains (is broader than) the TGT requirement. * **Intersect** — the two overlap in part but neither contains the other. The directionality matters: a mapping from A → B does not automatically imply B → A. Reverse mappings can be generated, but the relationship type usually inverts (a SRC subset becomes a TGT superset). [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#applying-a-mapping) Applying a mapping -------------------------------------------------------------------------------------------------------------------------------- Once a mapping library is loaded, it can be applied to an existing audit: 1. Open the source audit. 2. Click **Apply mapping** and pick the target framework. 3. The platform creates a new audit on the target framework and copies over the requirement assessments where the mapping is strong (typically _equal_), leaving the rest to be assessed. The apply-mapping feature can also clone an audit onto the **same** framework — useful for creating a new revision while keeping the previous one for history. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#transitive-inference-pivot-mappings) Transitive inference (pivot mappings) -------------------------------------------------------------------------------------------------------------------------------------------------------------------- You don't need a direct mapping between every pair of frameworks. If the platform holds a mapping from **A → B** and another from **B → C**, it can **chain them automatically** to project an A audit onto C, using B as a _pivot_ — even though no one ever authored an A → C crosswalk. The mapping engine treats the loaded mapping sets as a directed graph of frameworks and searches for a path between your audit's framework and the target you pick. When you open an audit and choose **Apply mapping**, the list of available targets already includes every framework reachable through the graph — both directly mapped ones and those reachable only through one or more pivots. You select the destination; the chaining happens behind the scenes. How the chain behaves: * **Coverage degrades to the weakest hop.** Full-coverage relationships (`equal`, `superset`) chain cleanly. If _any_ hop in the path is partial (`subset`, `intersect`), the projected result is marked partial and flagged for manual review — a chain is only as strong as its loosest link. * **The best path wins.** When several pivots connect A to C, the engine keeps the path that successfully maps the most requirements, and records which intermediate framework(s) it went through so the projection is auditable. * **Depth is bounded.** Chaining is limited by the **Mapping max depth** setting in [General settings](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/general) (default **3** nodes — i.e. up to one pivot, A → B → C). Raise it (up to 5) to allow longer chains (A → B → C → D…), at the cost of progressively weaker, more indirect inferences and slower computation. This is what makes a modest set of crosswalks go a long way: a hub framework such as ISO 27001 or NIST CSF that is mapped to many others effectively becomes a translation pivot between all of them. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#loading-vs-authoring) Loading vs authoring ------------------------------------------------------------------------------------------------------------------------------------ Many cross-walks ship as built-in or community libraries (ISO 27001 ↔ NIST CSF, SOC 2 ↔ ISO 27002, and so on). When none of them fits, you can author your own — see [Designing your own libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/custom-libraries) and the `prepare_mapping_v2.py` tool that scaffolds a mapping skeleton between two loaded frameworks. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#related) Related ---------------------------------------------------------------------------------------------------------- * [Frameworks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks) * [Audits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) * [Libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries) * [Mappings feature](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/mappings) — the UI flow for applying a mapping * [Mapping explorer](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/mapping-explorer) — visualising a mapping graph * [Vocabulary → Mapping / Requirement mapping set](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousFrameworks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/frameworks) [NextRisk matrices](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#mental-model) * [Why they matter](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#why-they-matter) * [Structure](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#structure) * [Applying a mapping](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#applying-a-mapping) * [Transitive inference (pivot mappings)](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#transitive-inference-pivot-mappings) * [Loading vs authoring](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#loading-vs-authoring) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#related) Was this helpful? --- # Policies | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies.md) . A **policy** is a specific type of applied control: a document describing what is expected from some part of your stakeholders — an acceptable-use policy, a password policy, a data-classification policy, an incident-response procedure, anything that defines _how things should be done_. Because policies are applied controls under the hood, they inherit the full applied-control machinery: they live in a domain, have an assignee and a status, link to the requirements they satisfy, and carry evidence. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#why-give-policies-their-own-page) Why give policies their own page --------------------------------------------------------------------------------------------------------------------------------------------------------------- Policies are central to most compliance frameworks — almost every requirement expects a documented policy as part of the substantiating artifacts. Pulling policies onto a dedicated page lets you: * Maintain the catalogue of published documents independently of the broader action plan. * Track policy review and approval cycles separately from operational controls. * Surface policies by domain when responding to audit requests or external reviews. The Policies page in the platform is a filtered view of applied controls where the type is _policy_; everything you can do to an applied control, you can do to a policy. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#authoring-options) Authoring options --------------------------------------------------------------------------------------------------------------------------------- Policies can come from either side of the divide: * **Author in CISO Assistant.** Each policy can carry one or more **managed documents** — versioned documents tracked in-platform through a draft → in-review → validated → published → deprecated lifecycle. Useful when you want the policy text to live where the rest of the GRC programme lives, with revision history and approval workflow attached. * **Bring an existing document.** If a policy already exists as a file, or lives in Confluence, SharePoint, or a DMS, its managed document can be **uploaded** (the file itself) or **linked** (a pointer to where it lives) — the same lifecycle, versioning, and links apply, without duplicating the source of truth. Both paths are first-class — you can mix them across an organisation, or even across policies in the same domain. The applied-control machinery (assignee, status, linked requirements, evidence) is the same either way. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#versioning-history-and-diff) Versioning, history, and diff ------------------------------------------------------------------------------------------------------------------------------------------------------- For policies authored in CISO Assistant, every change produces a new **revision** of the managed document rather than overwriting the previous text. Each revision carries: * A monotonically increasing **version number** (`v1`, `v2`, …). * A revision **status** (draft / in review / change requested / validated / published / deprecated). * A timestamp, the actor who edited it, and the content at that point in time. The full revision list is reachable from the **version history** sidebar on the document page — you can switch between revisions to read any past version exactly as it was published. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#diff-between-revisions) Diff between revisions Two diff views help reviewers and approvers see what actually changed: * **Diff between two revisions** — pick a "from" revision and a "to" revision in the history sidebar and the platform renders the textual differences between them. Useful for periodic reviews ("what changed between v3 and v6?") and for the approval workflow ("show me the delta the requester is asking me to validate"). * **Edit diff (within a revision)** — while a draft is being worked on, the platform also tracks the diff between the _last loaded state_ and the _current edits_ in the editor. This lets the author see exactly what they're about to commit before they save the increment. The diff is computed on the document content itself — it's not a binary file diff, so it works well for the plain-text or Markdown policies typically authored in-platform. For policies attached as external files (PDF, DOCX, etc.), version history is preserved through evidence revisions, but the inline diff view is not available. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#lifecycle) Lifecycle ----------------------------------------------------------------------------------------------------------------- Policies have their own lifecycle — drafting, review, approval, publication, periodic review, retirement. The platform tracks these states through the standard applied-control status field and the supporting evidence on each policy entry. When authoring in-platform, the managed-document revision states (draft, in review, validated, published, deprecated) provide a finer-grained workflow on top. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#related) Related ------------------------------------------------------------------------------------------------------------- * [Documents](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents) * [Applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) * [Audits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) * [Evidence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence) * [Vocabulary → Policy](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousGovernance](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance) [NextDocuments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents) Last updated 22 minutes ago Was this helpful? * [Why give policies their own page](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#why-give-policies-their-own-page) * [Authoring options](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#authoring-options) * [Versioning, history, and diff](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#versioning-history-and-diff) * [Diff between revisions](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#diff-between-revisions) * [Lifecycle](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#lifecycle) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#related) Was this helpful? --- # Compliance | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance.md) . [Audits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) [Evidence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence) [PreviousVulnerabilities](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities) [NextAudits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) Last updated 1 month ago Was this helpful? Was this helpful? --- # Risk matrices | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices.md) . A **risk matrix** is a configurable lookup table that maps a `(probability, impact)` pair to a resulting risk level. It's what turns "likely × severe" into "critical" — the encoded judgement that lets a risk assessment be more than a free-form narrative. Risk matrices are catalog objects: defined once, packaged into libraries, loaded into the platform, and reused across many risk assessments. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#mental-model) Mental model ------------------------------------------------------------------------------------------------------------------------- A risk matrix is a JSON definition (probability axis, impact axis, risk levels, and the grid linking them) bundled in a library. Once a risk assessment is created against a matrix the binding is permanent — the FK uses `on_delete=PROTECT` — because switching matrices mid-assessment would silently change every risk level, which is what auditors don't want. Each risk scenario in the assessment reads its inherent, current, and residual risk levels from the same matrix's grid using the `(probability, impact)` pair the assessor sets at each tier. User-facing Internal Notes Risk matrix `RiskMatrix` `json_definition` with probability / impact / risk / grid Risk assessment `RiskAssessment` `risk_matrix` FK is fixed at creation (`PROTECT`) [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#anatomy) Anatomy --------------------------------------------------------------------------------------------------------------- A matrix has four pieces: * **Probability levels** — the ordered scale used for likelihood (e.g. negligible, low, medium, high, very high). * **Impact levels** — the ordered scale used for severity (financial, reputational, operational, or whatever scale the organisation uses). * **Risk levels** — the resulting categories (e.g. low / medium / high / critical), usually colour-coded. * **The grid** — the lookup from each `(probability × impact)` cell to a risk level. The grid is the substance of the matrix; the visual rendering (orientation, colours, layout) is handled by the UI based on the loaded matrix definition. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#why-a-matrix-is-fixed-per-risk-assessment) Why a matrix is fixed per risk assessment ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When a risk assessment is created, its risk matrix is captured and **stays fixed** for the lifetime of that assessment. Re-evaluating the same scenarios against a different matrix would silently change the risk levels under your feet, which is exactly what auditors don't want. If you change matrices mid-programme, you create a new risk assessment against the new matrix and migrate the scenarios. The old assessment keeps its history; the new one starts clean against the new scale. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#three-tier-evaluation) Three-tier evaluation ------------------------------------------------------------------------------------------------------------------------------------------- Each scenario in a risk assessment is evaluated three times against the chosen matrix: * **Inherent risk** — what the risk would be with no controls. * **Current risk** — what it is today given existing applied controls. * **Residual risk** — what it will be once planned applied controls are implemented. The matrix is the same for all three tiers; what changes is the `(probability, impact)` pair the assessor sets at each tier. See [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) for how the three tiers are used. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#authoring-a-matrix) Authoring a matrix ------------------------------------------------------------------------------------------------------------------------------------- Matrices ship as YAML libraries — the same format as frameworks, with `_meta` and `_content` sheets defining the probability/impact/risk axes and the grid. They are typically authored in Excel using the templates under `tools/excel/matrix/` and converted to YAML. Designing a matrix correctly — particularly the grid — is non-trivial. Start from one of the existing examples and adapt the levels and grid logic rather than building from scratch. See [Designing your own libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/custom-libraries) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#related) Related --------------------------------------------------------------------------------------------------------------- * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) * [Libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries) * [Vocabulary → Risk matrix](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) * [Designing your own libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/custom-libraries) [PreviousMappings](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings) [NextThreats](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#mental-model) * [Anatomy](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#anatomy) * [Why a matrix is fixed per risk assessment](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#why-a-matrix-is-fixed-per-risk-assessment) * [Three-tier evaluation](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#three-tier-evaluation) * [Authoring a matrix](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#authoring-a-matrix) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/risk-matrices#related) Was this helpful? --- # Validation flows | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows.md) . A **validation flow** (labelled **Validations** in the sidebar) is the platform's structured sign-off workflow. It takes one or more objects — an audit, a risk assessment, a policy, a security exception, a contract, an accreditation — bundles them into a single request, and routes that request to a designated approver for a formal decision. The decision and its context are preserved as an audit trail. It's the answer to _"who approved this, when, and on what evidence?"_ — the question that comes up in every certification audit, every internal review, and every regulator visit. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#mental-model) Mental model ------------------------------------------------------------------------------------------------------------------------------- A **requester** submits a validation flow for one or more objects in their domain. The flow carries optional **request notes**, a **validation deadline**, and is routed to a designated **approver**. The approver moves the flow through a status machine ending in one of: _Accepted_, _Rejected_, _Change requested_, _Revoked_, _Expired_, or _Dropped_. The original objects remain unchanged — what's recorded is the validation flow itself, with the link back to whatever was up for approval. User-facing Internal Notes Validation flow `ValidationFlow` Lives in a domain; carries the request, the bundled objects, the deadline, and the decision Validations (sidebar) `validationFlows` i18n key The list view label Requester `requester` FK to User The platform account that submitted the flow Approver `approver` FK to User Foreign key to a **User** (not an actor) — approval is always personal accountability, even if assignment elsewhere can fan out to a team Request notes `request_notes` Free-text explanation of what's being asked for Validation deadline `validation_deadline` Optional date used for expiry and dashboards [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#what-can-be-validated) What can be validated ------------------------------------------------------------------------------------------------------------------------------------------------- There are two ways to start a flow, and they cover slightly different objects: * **From the Validations list** — click **+**, then expand the **More** section to attach objects. The picker offers **Audits**, **Risk assessments**, **Business impact analyses**, **Findings assessments** (follow-ups), **Security exceptions**, **Processings** (privacy), **Accreditations**, and **Contracts** (third-party). You can mix several types in one flow when they belong to the same approval decision (e.g. "approve this audit and the related exceptions"). * **From an object's own page** — objects that carry a validation section let you submit the open object directly. This is the only way to route a **Policy** through a flow, and it's also available on audits, risk assessments, BIAs, follow-ups, exceptions, processings, accreditations, and contracts. So the full set of objects that can go through a validation flow is: audits, risk assessments, business impact analyses, follow-ups, policies, security exceptions, processings, accreditations, and contracts. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#status-lifecycle) Status lifecycle --------------------------------------------------------------------------------------------------------------------------------------- The flow moves through a small state machine: Status Meaning **Submitted** Sent to the approver; awaiting decision **Change requested** Approver wants edits before deciding; the requester reworks and resubmits **Accepted** Approved — decision and timestamp recorded **Rejected** Declined — decision and rationale recorded **Revoked** Approval was rescinded after the fact (e.g. underlying conditions changed) **Expired** Validation deadline passed without a decision **Dropped** Requester withdrew the flow before a decision was reached The status is the audit-trail field that gets cited in evidence reports — "policy v3 was _Accepted_ by Jane Doe on 2026-03-12" is what makes the decision provable later. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#approver-user-not-actor) Approver — user, not actor -------------------------------------------------------------------------------------------------------------------------------------------------------- Most ownership/assignment fields across the platform hold an **actor** (which can resolve to a user, a team, or an entity). The validation-flow **approver** is the deliberate exception: it's a foreign key to a **User** directly. Approval is a personal accountability act — _"a named individual signed off"_ — and a team can't approve in the same way it can co-own work. When the [My assignments](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/my-assignments) page surfaces validation flows, it wraps the user-only approver field so the team-broadening toggle still works: switching to "include team assignments" adds every team member's user ID into the approver filter, giving you a per-team queue without changing the underlying _"one named user approves"_ semantics. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#reference-id) Reference ID ------------------------------------------------------------------------------------------------------------------------------- Each validation flow carries an optional, unique **reference ID** — useful when you need to cite the approval in external systems (a change-management ticket, a regulator submission, an internal governance record). The platform enforces uniqueness across the instance. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#when-to-use-a-validation-flow) When to use a validation flow ----------------------------------------------------------------------------------------------------------------------------------------------------------------- The pattern fits anywhere a decision needs **formal, traceable sign-off**: * A policy moving from _validated_ to _published_ — the approver records that the document is fit for release. * A security exception being granted — naming the risk-owner who accepted the residual risk. * An audit's results being signed off before publication to stakeholders. * A risk assessment's residual-risk acceptance — the formal capture required by ISO 27005 and most internal risk frameworks. * A third-party contract going through procurement sign-off. It is _not_ the right tool for casual review or peer feedback — for those, use comments, the requirement-assessment review status, or a [findings assessment](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments) . Validation flows are explicitly heavy: they exist so that the approval is preserved as evidence. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#related) Related --------------------------------------------------------------------------------------------------------------------- * [Policies](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies) — typical objects routed through validation flows for publication * [Findings assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments) — lighter-weight review/remediation tracking * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) — formal risk acceptance is one of the most common reasons a validation flow is submitted * [My assignments](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/my-assignments) — where approvers see flows queued for them * [Actors and teams](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/actors-and-teams) — explains why approver is a user, not an actor [PreviousFindings assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments) [NextRisk](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#mental-model) * [What can be validated](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#what-can-be-validated) * [Status lifecycle](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#status-lifecycle) * [Approver — user, not actor](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#approver-user-not-actor) * [Reference ID](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#reference-id) * [When to use a validation flow](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#when-to-use-a-validation-flow) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows#related) Was this helpful? --- # Journeys | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys.md) . A **journey** is a guided, step-by-step workflow that walks a domain through a recognised process — getting an organisation ready for ISO 27001 certification, running a DORA readiness assessment, building out a privacy register, and so on. Journeys remove the "what do I do first?" problem. Instead of staring at an empty domain and assembling the right libraries, assessments, and tasks by hand, you pick a journey, apply it to a domain, and start working through the prescribed steps. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys#preset-vs-journey) Preset vs journey ------------------------------------------------------------------------------------------------------------------------------ Journeys come in two flavours of object that mirror the **Framework → Audit** pattern elsewhere in the platform: * A **preset** is the template. It bundles a set of starter objects (typically an audit, a risk assessment, sometimes additional scaffolds) plus an ordered list of steps with descriptions and links into the platform. Presets are versioned and shipped via libraries; they can also be authored locally. * A **journey** is an instance of a preset, materialised in a specific domain. Applying a preset creates the scaffolded objects in the chosen domain and copies the step list onto the journey so that step statuses can be tracked independently from any other journey. The same preset can be applied to multiple domains and yields a distinct journey each time. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys#lifecycle) Lifecycle -------------------------------------------------------------------------------------------------------------- 1. **Browse the catalogue.** The presets page lists everything available on the instance — library-backed presets shipped with CISO Assistant (ISO 27001 starter, DORA readiness, NIS2, sector-specific bundles, etc.) and any presets authored locally. Filter by region tag to narrow the list. 2. **Apply to a domain.** Pick a target domain (or create one on the fly). Optionally let the journey **create the scaffolded objects** for you and apply any **feature flags** the preset suggests. 3. **Work the steps.** Each step has a title, description, and either a target object (e.g. "open the SOA review for the ISO audit") or a target URL inside the platform. Mark steps as **in progress**, **done**, or **skipped** as you advance, and add notes. 4. **Track progress.** The recently-active journeys panel shows a progress ring per journey; the underlying step counts feed dashboards. 5. **Upgrade when a newer preset ships.** When a library-backed preset is updated, journeys derived from it flag an upgrade. Upgrading re-applies the newer template while preserving user-state (statuses and notes) on steps that survived the new version. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys#whats-inside-a-preset) What's inside a preset --------------------------------------------------------------------------------------------------------------------------------------- * **Scaffolded objects** — the assessments and supporting records that get created when the preset is applied. Typical scaffolds include compliance assessments (with framework + implementation-group selection), risk assessments (with a chosen matrix), and occasionally task templates, perimeters, or entities. * **Steps** — an ordered list of actions to perform. Each step can point at a scaffolded object (via a named reference resolved at apply time) or at a generic internal route such as the SOA results page. Steps carry translations so the workflow speaks the user's language. * **Feature flags** — some presets enable optional features when applied (reports, sec-intel feeds, etc.), letting the journey come with a fully-configured environment. * **Dependencies** — required libraries (frameworks, matrices) that must be loaded for the preset to apply cleanly. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys#permissions) Permissions ------------------------------------------------------------------------------------------------------------------ Applying a preset requires permission to load libraries on the target domain. Viewing journeys and updating their step statuses follows the standard domain-scoped permission model — see [Understanding the IAM model](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/iam-model) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys#related) Related ---------------------------------------------------------------------------------------------------------- * [Vocabulary → Preset](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) * [Libraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/libraries) * [Audits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) [PreviousMetrics](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics) [NextAssets and resilience](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience) Last updated 1 month ago Was this helpful? * [Preset vs journey](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys#preset-vs-journey) * [Lifecycle](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys#lifecycle) * [What's inside a preset](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys#whats-inside-a-preset) * [Permissions](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys#permissions) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys#related) Was this helpful? --- # Applied controls | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls.md) . An **applied control** is the main building block of the action plan: the actual action your team has implemented or will implement to address a security need. It can be technical, organisational, a process, a policy, a piece of documentation — anything that materially changes risk or compliance posture. A single applied control can satisfy any number of requirements across any number of frameworks — it's where _what the framework asks_ meets _what the organisation actually does_. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#mental-model) Mental model ------------------------------------------------------------------------------------------------------------------------------- The applied control sits at the centre — anything that asks for action **points to** it; everything that proves the action took place **hangs off** it. Compliance work (requirement assessments), risk work (scenarios), follow-up work (findings), and operational maintenance (tasks — periodic reviews, evidence refresh, assignee rotation) all reference the same control, while evidences and protected assets accumulate on the other side. This is the [decoupling principle](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy) made concrete: one applied control, many demand-side users. User-facing Internal Notes Applied control `AppliedControl` The action you take Reference control `ReferenceControl` Optional library template; an applied control can also be created from scratch Task `TaskTemplate` (definition) / `TaskNode` (occurrence) A task definition lists which controls it keeps alive; occurrences are the recurring instances Evidence `Evidence` M2M; one evidence can prove several controls [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#applied-control) Applied control ------------------------------------------------------------------------------------------------------------------------------------- Applied controls are fundamental for both compliance and remediation. They can derive from a **reference control** for consistency, or be created independently. They are always defined by the organisation and can be attached to the global domain or to a specific domain. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#status-lifecycle) Status lifecycle --------------------------------------------------------------------------------------------------------------------------------------- The **status** field is what turns an applied control from a static catalogue entry into a live, trackable piece of work. It's the single signal that drives roll-ups across audits, dashboards, action plans, and reporting — so it's worth understanding how it moves. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#why-active-and-why-no-done) Why "Active" — and why no "Done" The target state of an applied control is **Active**, not _Done_. This is deliberate. A control is never finished in the way a project task is finished: a backup policy that's been written and approved still has to keep being followed, a firewall rule that's been deployed still has to keep being enforced, an access review that's been run still has to be run again next cycle. Reaching **Active** doesn't end the work — it starts the maintenance phase. The work shifts to _keeping the control in Active_, through periodic reviews, evidence refresh, and the [tasks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks) that "maintain" it. This is why the lifecycle has **Active**, **Degraded**, and **Deprecated** rather than _Done_. A control that's failing partially moves to _Degraded_ (signal to act); a control that's no longer needed moves to _Deprecated_ (retire with history intact). There's no terminal "done" state on purpose — the whole point of cybersecurity controls is that they're a continuous effort to stay in Active, not a checkbox you tick once. The lifecycle runs through seven states: Status Meaning Counts as "in place"? **Undefined** Default — status not yet set No **To do** Planned but not started No **In progress** Being implemented No **On hold** Started then paused — blocked, deprioritised, or waiting on a dependency No **Active** Implemented and operating as intended **Yes** **Degraded** Was active, now partially failing — gap detected at audit or in operations Partial **Deprecated** Retired or superseded — no longer in scope No Why the lifecycle matters across the platform: * **Risk model** — _Current risk_ uses controls in `active` (and partly `degraded`); _residual risk_ also factors in controls in `to_do` / `in_progress` (the planned ones). Moving a control from `to_do` to `active` is what closes the gap between residual and current. * **Action plan** — the Kanban view and the Control Plan grid both swimlane by status. A control sitting in `on_hold` for too long is the signal to escalate. * **ETA enforcement** — when ETA passes and the status isn't `active`, the control is flagged overdue. Reaching `active` is what stops the clock. * **Framework / audit roll-ups** — compliance percentages and analytics treat `active` as "in place" and `degraded` as a partial signal that wants follow-up. Other statuses don't contribute coverage. * **Deprecation** — preferred over deletion. A deprecated control keeps its history, evidence, and links to the requirements it once satisfied — useful for past-audit traceability — without polluting current views. The transitions aren't enforced as a strict state machine — you can move a control between any two statuses — but staying within the lifecycle above makes audit trails and analytics meaningful. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#financial-tracking) Financial tracking ------------------------------------------------------------------------------------------------------------------------------------------- Applied controls carry a structured **cost** field, so the financial weight of your security programme isn't a separate spreadsheet — it's attached to the controls themselves and rolled up wherever they appear (most notably on every [action plan](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/action-plans) ). The platform models the **build vs run** distinction that controls actually carry in practice: Cost type Meaning How it's counted **Build** One-shot setup cost — buying hardware, integrating a tool, drafting and approving a policy, running a project to roll out the control Amortised over the configured **amortisation period** (in years) **Run** Ongoing operational cost — licence renewals, the time spent every quarter on access reviews, the hours of the team that operates the control Counted as an annual cost — applied every year for as long as the control runs Each side accepts two inputs: * **Fixed cost** — a money amount (hardware purchase, licence fee, contractor invoice). * **People days** — a measure of internal effort. The platform converts this to money using the **daily rate** configured in **General settings**, so internal time is comparable with external spend. From these inputs, the platform computes an **annual cost** for every control: annual cost\=Bfixed+Bdays⋅rT+Rfixed+Rdays⋅r\\text{annual cost} = \\frac{B\_{\\text{fixed}} + B\_{\\text{days}} \\cdot r}{T} + R\_{\\text{fixed}} + R\_{\\text{days}} \\cdot rannual cost\=TBfixed​+Bdays​⋅r​+Rfixed​+Rdays​⋅r Symbol Meaning _B_fixed, _B_days Build fixed cost and people-days _R_fixed, _R_days Run fixed cost and people-days _r_ Configured daily rate (from General settings) _T_ Amortisation period, in years That single number is what feeds every roll-up — the action plan's budget overview, the per-assignee and per-domain breakdowns, the by-status / by-priority / by-CSF-function totals. Controls without a cost set contribute zero, so partial adoption of the financial tracking still works — you fill in numbers where you have them and the totals reflect what's known. The annualised view matters because cybersecurity controls are continuous (see [Why "Active" — and why no "Done"](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#why-active--and-why-no-done) above). A capex-style "we paid €40k once" view doesn't compare well across controls; an "annual cost in steady state" view lets you put a single line per control on the budget and compare them like-for-like. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#reference-control) Reference control ----------------------------------------------------------------------------------------------------------------------------------------- A **reference control** is a template for an applied control. Reference controls facilitate the creation of applied controls and help keep them consistent across the organisation. They can be provided by security frameworks imported from a library, or you can create your own — in the global domain or in a specific domain. Reference controls are optional but recommended. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#policy) Policy ------------------------------------------------------------------------------------------------------------------- A **policy** is a specific type of applied control: a document describing what is expected from some part of your stakeholders. Putting your cybersecurity policies in CISO Assistant makes them readily available for audits, and lets you manage their lifecycle alongside the rest of your controls. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#related) Related --------------------------------------------------------------------------------------------------------------------- * [Policies](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies) * [Audits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) * [Findings assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments) * [Philosophy → Decoupling principle](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy) * [Vocabulary → Applied control / Reference control / Evidence](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousOperations](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations) [NextTasks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#mental-model) * [Applied control](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#applied-control) * [Status lifecycle](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#status-lifecycle) * [Why "Active" — and why no "Done"](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#why-active-and-why-no-done) * [Financial tracking](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#financial-tracking) * [Reference control](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#reference-control) * [Policy](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#policy) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls#related) Was this helpful? --- # Findings assessments | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments.md) . A **findings assessment** — called **Follow-up** in the UI — tracks the issues raised by a review and drives their remediation through to closure. Findings can come from a CISO Assistant audit, an internal security review, a penetration test, an external assessor's report, or any other source. It's the place where the action plan meets reality: each non-compliance, observation, or recommendation gets an assignee, a due date, and a status, and is followed all the way to "fixed". [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments#mental-model) Mental model ----------------------------------------------------------------------------------------------------------------------------------- A findings assessment is an **assessment** scoped to a perimeter, in the same family as audits, risk assessments, and business impact analyses. Inside it sit individual **findings**, each with: * A severity, often aligned with the assessor's severity scale. * An assignee and a due date. * A status from _open_ → _in progress_ → _remediated_ → _closed_. * One or more linked applied controls that address it. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments#where-findings-come-from) Where findings come from ----------------------------------------------------------------------------------------------------------------------------------------------------------- The same findings model serves several sources: * **Audit findings** — non-compliances or partial compliances raised during an audit, especially when extended results are enabled (minor / major nonconformity, observation, opportunity for improvement, good practice). * **External assessments** — penetration-test reports, third-party security reviews, regulator inspections. * **Internal reviews** — self-imposed checks outside the formal audit cycle. Because the model is uniform, dashboards aggregate across sources: you can see _all open findings due this quarter, across all reviews_, without preselecting which kind of review they came from. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments#driving-remediation) Driving remediation ------------------------------------------------------------------------------------------------------------------------------------------------- Findings link to applied controls — closing a finding usually means standing up or updating one or more controls. The link is many-to-many: a single control can close several findings, and a single finding can require several controls. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments#related) Related ------------------------------------------------------------------------------------------------------------------------- * [Audits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) * [Applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) * [Vocabulary → Findings assessment](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousDocuments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents) [NextValidation flows](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments#mental-model) * [Where findings come from](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments#where-findings-come-from) * [Driving remediation](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments#driving-remediation) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments#related) Was this helpful? --- # Incidents | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents.md) . An **incident** is a security or operational event being investigated or responded to. CISO Assistant treats incidents as first-class objects so that detection, response, evidence, and the controls that should prevent recurrence all live in one place. Incidents are deliberately distinct from related concepts: * A **risk scenario** is a _potential_ adverse event — the possibility. * A **vulnerability** is a _weakness_ that could be exploited — the gap. * An **incident** is something that has _actually happened_ and is being handled. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents#mental-model) Mental model ------------------------------------------------------------------------------------------------------------------------ An incident lives in a domain and aggregates everything about the event: the assets it affected, the threats it's attributed to, the actors handling it, the applied controls invoked during response, and any task templates set up for follow-up work (post-mortem, control review). Timeline entries are the append-only log of what happened and when — detection, mitigation, observation, severity / status changes. User-facing Internal Notes Incident `Incident` First-class operational event Threat `Threat` Library catalog object Actor `Actor` XOR(User / Team / Entity) Task template `TaskTemplate` Spawns occurrences Timeline entry `TimelineEntry` Append-only response log [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents#what-an-incident-captures) What an incident captures -------------------------------------------------------------------------------------------------------------------------------------------------- * **Identifiers and classification** — a name, an optional reference ID, the severity (critical / major / moderate / minor / low / unknown), and the status through its lifecycle. * **Timing** — when it occurred, when it was reported, when it was resolved. * **Detection** — internal vs external, optionally with a link to the source signal. * **Scope** — the affected assets, the threats believed to be in play, the entities (third parties) involved. * **Assignees** — the actors handling the response. * **Response and qualifications** — qualifying terminology, BCP-activation flag, resolution notes. * **Linked controls and tasks** — the applied controls invoked during response, plus the task definitions that should run as follow-up (e.g. a post-mortem, a control review). [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents#lifecycle) Lifecycle ------------------------------------------------------------------------------------------------------------------ Incidents follow a five-state lifecycle: `new` → `ongoing` → `resolved` → `closed` (or `dismissed` at any point if the event turns out not to be a real incident) State transitions are recorded in the incident **timeline**, an append-only log of significant moments: detection, mitigation, free-form observation, severity changes, status changes. The timeline is what an auditor or a post-mortem author will read to reconstruct what happened. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents#dora-incident-reports) DORA incident reports ------------------------------------------------------------------------------------------------------------------------------------------ For regulated tenants, CISO Assistant ships a **DORA incident report** — a structured form aligned with the Digital Operational Resilience Act notification requirements (initial, intermediate, and final reports). It draws from the underlying incident but adds the regulatory fields and timing that DORA prescribes. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents#related) Related -------------------------------------------------------------------------------------------------------------- * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) * [Vulnerabilities](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities) * [Applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) * [Tasks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks) * [Vocabulary → Incident / Severity](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousTasks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks) [NextGovernance](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents#mental-model) * [What an incident captures](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents#what-an-incident-captures) * [Lifecycle](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents#lifecycle) * [DORA incident reports](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents#dora-incident-reports) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents#related) Was this helpful? --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://intuitem.gitbook.io/ciso-assistant/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy.md). # Philosophy CISO Assistant is built around a small set of design principles. A lot of object boundaries, naming choices, and workflow shapes only make sense once you have these in mind. ## Applied controls at the centre The \*\*applied control\*\* is the unifying object in CISO Assistant. Everything the organisation \*does\* to manage risk and prove compliance is captured as an applied control — a technical safeguard, an organisational process, a documented policy, a tested recovery plan. Once that's in place, the rest of the platform connects to it: \* An \*\*audit\*\* assesses requirements; each requirement assessment links to the applied controls that satisfy it. \* A \*\*risk scenario\*\* lowers its current and residual levels by attaching the applied controls in place and planned. \* A \*\*task\*\* records that an applied control was actually exercised on a given date and produces the evidence to prove it. \* \*\*Evidence\*\* lives on an applied control — and through it, substantiates every requirement and scenario the control supports. \* An \*\*incident\*\* response invokes applied controls; a \*\*vulnerability\*\* is mitigated by them; a \*\*policy\*\* \*is\* one. Authoring an applied control once and reusing it across all the places it applies — instead of redoing the same work per audit, per risk study, per framework — is the productivity gain that justifies the whole architecture. ## Decoupling principle The corollary of putting applied controls at the centre is that everything around them must be decoupled, so that one applied control can serve many consumers without being rewritten for each: \* \*\*Security controls\*\* are decoupled from \*\*compliance requirements\*\* — a single applied control can satisfy many requirements across many frameworks. \* \*\*Risk assessments\*\* are decoupled from \*\*frameworks\*\* — the same risk scenario can inform multiple compliance audits. \* \*\*Assets\*\* are decoupled from \*\*threat scenarios\*\* — assets exist independently of any specific risk study and can be reused across them. The payoff is reuse, end-to-end. One applied control answers many requirements. One assessment covers many frameworks. One asset participates in many scenarios. One evidence file substantiates everything the underlying control supports. {% embed url="" %} Decoupling concept — full screen is recommended for a better experience. {% endembed %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/philosophy.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Documents | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents.md) . **Document management** lets you author, version, and publish documents — policies, procedures, charters, records, meeting minutes — directly inside CISO Assistant, so the text of your governance programme lives where the rest of your GRC data lives, with revision history and an approval workflow attached. Documents can be **authored in-platform** (a Markdown editor with a draft → published lifecycle), **uploaded** (an existing PDF or file carried through the same lifecycle), or **linked** (a pointer to a document that lives in another system). Whatever the source, a document can be classified, linked to the objects it governs, and referenced by other documents. Document management is controlled by the `document_management` [feature flag](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/feature-flags) (on by default). The **Documents** reading catalogue, the document list, and templates all live behind it. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#mental-model) Mental model ------------------------------------------------------------------------------------------------------------------------ A **document container** is the language-independent identity of a document: it holds the document's type, its domain, its classification, and its links. Under it sit one **managed document** per language, and each managed document is a chain of **document revisions** — one per saved increment. A new document can be **seeded** from a template, **classified** with a level, **reference** other containers, and be **linked to** the objects it governs. Solid edges are always present; dashed edges are optional. In the UI Internally Document `DocumentContainer` Language version `ManagedDocument` Revision `DocumentRevision` Document template `DocumentTemplate` [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#document-types) Document types ---------------------------------------------------------------------------------------------------------------------------- Every document has a **Document type**, used to group the reading catalogue and to scope the template picker. The built-in types are **Policy**, **Procedure**, **Charter**, **Record**, **Meeting minutes**, and **Other**. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#content-sources) Content sources ------------------------------------------------------------------------------------------------------------------------------ A document's content comes from one of three sources, chosen when you create it: * **Authored** — written in the in-platform Markdown editor (formatting toolbar, live preview, insert links to other documents). The published version is rendered to a PDF snapshot. * **Uploaded** — an existing file (e.g. a signed PDF) attached to the document. It runs through the same lifecycle and version history, but is served as-is rather than rendered from Markdown. * **Linked** — a pointer to a document that lives in another system (Confluence, SharePoint, a DMS, …). The document carries the URL through the same lifecycle; readers open it in place rather than reading content inside CISO Assistant. All three share the same versioning, lifecycle, languages, classification, and links — they differ only in where the content lives. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#lifecycle-and-versioning) Lifecycle and versioning ------------------------------------------------------------------------------------------------------------------------------------------------ Each language version moves through its own lifecycle — **Draft → In review → Change requested → Validated → Published → Deprecated** — and every saved change produces a new revision (`v1`, `v2`, …) rather than overwriting the previous text. The **Version history** sidebar lets you read any past revision and diff two of them. The lifecycle, revision history, and diff mechanics are shared with policy documents and are described in detail under [Policies → Versioning, history, and diff](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#versioning-history-and-diff) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#multiple-languages) Multiple languages ------------------------------------------------------------------------------------------------------------------------------------ A single document can carry a version per language. One language is the **default** (used for the catalogue title and status); the others are translations. Each language version has its own lifecycle, so a French translation can still be in draft while the English original is published. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#references) References -------------------------------------------------------------------------------------------------------------------- When you link one document to another from inside the editor (**Link to document**), CISO Assistant records the edge automatically. Each document then shows: * **References** — the documents this one points to. * **Referenced by** — the documents that point at this one. These are computed from the content — there is no separate list to maintain, and they stay accurate as the text changes. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#links-to-governed-objects) Links to governed objects -------------------------------------------------------------------------------------------------------------------------------------------------- A document can be linked to one or more **Policies**, **Applied controls**, **Task definitions**, or **Processings**. The link is associative — it never changes the document's domain or publication state — and it is bi-directional: the linked object shows a **Documents** panel listing the documents attached to it. This is how a policy or a control points at the document that describes it without duplicating the text. See [Policies → Authoring options](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies#authoring-options) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#classification) Classification ---------------------------------------------------------------------------------------------------------------------------- A document can carry a **Classification** — a level from an [object classification](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/object-classification) scheme such as TLP. Once set, the level shows as a coloured badge on the reading catalogue, in the reader, and in the documents table, and it is stamped on every page of the document's exported PDF (for example `TLP:AMBER`). Classification is optional and independent of the document's type, domain, and lifecycle. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#templates) Templates ------------------------------------------------------------------------------------------------------------------ New authored documents can start from a **document template** — a reusable Markdown body, chosen in the editor's template picker. The picker only offers templates matching the document's type and language. See the [Document templates guide](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/documents/document-templates) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#reading-catalogue) Reading catalogue ---------------------------------------------------------------------------------------------------------------------------------- The **Documents** page is a read-oriented catalogue: published documents shown as tiles, grouped by type, with search and type filters. It is the place to browse and read the published corpus, separate from the authoring workflow. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#related) Related -------------------------------------------------------------------------------------------------------------- * [Authoring documents](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/documents/authoring-documents) * [Document templates](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/documents/document-templates) * [Policies](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies) * [Feature flags](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/feature-flags) [PreviousPolicies](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/policies) [NextFindings assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments) Last updated 22 minutes ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#mental-model) * [Document types](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#document-types) * [Content sources](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#content-sources) * [Lifecycle and versioning](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#lifecycle-and-versioning) * [Multiple languages](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#multiple-languages) * [References](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#references) * [Links to governed objects](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#links-to-governed-objects) * [Classification](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#classification) * [Templates](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#templates) * [Reading catalogue](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#reading-catalogue) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/documents#related) Was this helpful? --- # Threat intelligence | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel.md) . The **threat intelligence** layer holds the catalogued knowledge CISO Assistant uses to prioritise vulnerabilities, qualify incidents, and connect operational findings to the wider security ecosystem. Today it covers security advisories, weakness catalogues, and a small set of public enrichment feeds; the surface is expected to grow significantly in upcoming releases. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#security-advisories) Security advisories -------------------------------------------------------------------------------------------------------------------------------------- A **security advisory** is a catalogued security warning published by a vendor, CERT, or standards body. CISO Assistant supports four sources today: * **CVE** — the MITRE/NIST CVE Program identifiers (`CVE-YYYY-NNNN`). * **EUVD** — the EU Vulnerability Database (post-NIS2 European equivalent). * **GHSA** — GitHub Security Advisories. * **Other** — for sources that don't fit the above. Each advisory carries the usual identifying metadata (reference ID, published date, references) plus the bits that drive prioritisation: * **CVSS base score** and **CVSS vector** — severity per the standard scoring system. * **EPSS score** and **EPSS percentile** — probabilistic exploitation likelihood from FIRST. * **Active exploitation flag** and the **KEV date** when the advisory landed on CISA's Known Exploited Vulnerabilities list. * **Aliases** — cross-references to other identifiers when an advisory exists under multiple IDs. Advisories are catalog objects: library-backed, root-folder-published, referenced from vulnerabilities and assets rather than re-created per scope. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#cwes) CWEs -------------------------------------------------------------------------------------------------------- The **Common Weakness Enumeration** is MITRE's catalogue of software-weakness categories — buffer overflows, missing authentication, improper input validation, and so on. Where a security advisory is "this _specific_ vulnerability in this _specific_ product", a CWE is "this _class_ of flaw". CWEs are catalogued separately and tagged onto advisories and vulnerabilities to enable categorical analysis ("how many of our open vulns are credential-handling bugs?"). CWEs ship as their own catalog library; loading the CWE library makes the entries available across the platform. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#how-they-connect-to-vulnerabilities) How they connect to vulnerabilities ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- A **vulnerability** in CISO Assistant is the organisation-specific record — "we have this exposed in our environment, here's the SLA". It links to: * One or more **security advisories** — the upstream finding(s) it corresponds to. * One or more **CWEs** — the weakness categories it belongs to. This linkage is what lets enrichment feeds work end-to-end: advisories get scores from EPSS, exploitation status from KEV, and category mappings from NVD; vulnerabilities inherit that context via their advisory links and surface it in dashboards and SLA prioritisation. See [Vulnerabilities](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#enrichment-feeds) Enrichment feeds -------------------------------------------------------------------------------------------------------------------------------- Three public feeds enrich the catalogue when enabled — they keep the threat-intel layer current without manual data entry. Configuration is under [Security intelligence feeds](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds) : * **KEV feed** — CISA's Known Exploited Vulnerabilities; flags advisories under active exploitation. * **EPSS feed** — FIRST's Exploit Prediction Scoring System; attaches a probabilistic exploitation score. * **NVD enrichment** — pulls extra metadata from the NIST National Vulnerability Database (CWE mappings, affected configurations, references). Each feed is a separate flag and can be toggled independently. The platform stores feed status, network timeout, and last-update timestamps centrally. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#where-this-is-going) Where this is going -------------------------------------------------------------------------------------------------------------------------------------- The threat-intelligence surface is being expanded to cover full STIX-style threat intelligence — threat actors, attack patterns, indicators of compromise, campaigns, sightings — along with STIX 2.1 / TAXII / MISP / OpenCTI interop and DORA cyber-threat notification workflows. The objects on this page remain the entry point; new SDOs will sit alongside them. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#related) Related -------------------------------------------------------------------------------------------------------------- * [Vulnerabilities](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities) * [Incidents](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents) * [Security intelligence feeds](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds) * [Vocabulary → Security advisory / CWE](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousThreats](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threats) [NextMetrics](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics) Last updated 1 month ago Was this helpful? * [Security advisories](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#security-advisories) * [CWEs](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#cwes) * [How they connect to vulnerabilities](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#how-they-connect-to-vulnerabilities) * [Enrichment feeds](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#enrichment-feeds) * [Where this is going](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#where-this-is-going) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel#related) Was this helpful? --- # EBIOS RM | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm.md) . **EBIOS RM** (_Expression des Besoins et Identification des Objectifs de Sécurité — Risk Manager_) is the structured risk-management method published by the French national cybersecurity agency, [ANSSI](https://cyber.gouv.fr/securisation/analyse-des-risques/methode-ebios-rm/) . CISO Assistant supports EBIOS RM natively, with a dedicated object graph rather than forcing the method into a generic risk-assessment shape. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm#the-five-workshops) The five workshops ----------------------------------------------------------------------------------------------------------------------------- EBIOS RM organises a study around five workshops: 1. **Scope and security baseline** — define the studied system, its mission, and the regulations it must comply with. 2. **Risk origins and target objectives** — identify _who_ might attack and _what_ they want (the **RO/TO couples**). 3. **Strategic scenarios** — model attack paths through stakeholders to reach target objectives. 4. **Operational scenarios** — drop into technical detail: kill chains, attacker techniques, supporting assets touched. 5. **Risk treatment** — score residual risk and plan the action plan. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm#mental-model) Mental model ----------------------------------------------------------------------------------------------------------------- An EBIOS RM **study** lives in a **domain** (no perimeter — the study itself is the scope envelope). It unfolds through five workshops that produce, in order: **feared events** (undesirable outcomes on primary assets) and **stakeholders** in workshop 1; **RO/TO couples** (Risk Origin × Target Objective) in workshop 2; **strategic scenarios** showing high-level attack paths through stakeholders in workshop 3; and **operational scenarios** drilling into kill chains, operating modes, and elementary actions in workshop 4. Workshop 5 reuses the platform's standard objects — **applied controls**, **evidence**, residual risk — to treat both strategic and operational scenarios. User-facing Internal Notes EBIOS RM study `EbiosRMStudy` Container for the five workshops Feared event `FearedEvent` Workshop 1 outcome on a primary asset Stakeholder `Stakeholder` Workshop 1 — internal/external party with trust + dependency scores RO/TO couple `RoTo` Workshop 2 — Risk Origin × Target Objective Strategic scenario `StrategicScenario` Workshop 3 — uses an attack path through stakeholders Operational scenario `OperationalScenario` Workshop 4 — composed of kill chains, operating modes, elementary actions Applied control `AppliedControl` Shared with the rest of the platform; used at workshop 5 [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm#mapping-to-qualitative-risk) Mapping to qualitative risk ----------------------------------------------------------------------------------------------------------------------------------------------- EBIOS RM scenarios sit alongside qualitative risk scenarios in the same risk register: both contribute to the residual-risk picture for a perimeter, and both can be treated with the same applied controls. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm#related) Related ------------------------------------------------------------------------------------------------------- * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) * [Quantitative risk studies](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies) * [Guide → EBIOS RM study](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/assessments/ebios-rm) * [Vocabulary → EBIOS RM and related terms](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousRisk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) [NextQuantitative risk studies](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies) Last updated 1 month ago Was this helpful? * [The five workshops](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm#the-five-workshops) * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm#mental-model) * [Mapping to qualitative risk](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm#mapping-to-qualitative-risk) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm#related) Was this helpful? --- # Quantitative risk studies | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies.md) . A **quantitative risk study** evaluates risk in monetary terms — the expected annualised loss from each scenario — using probabilistic methods rather than a qualitative matrix. It's the sibling of qualitative risk assessment and EBIOS RM: same problem (what could go wrong, how bad would it be), different lens (statistics rather than categories). [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies#mental-model) Mental model ---------------------------------------------------------------------------------------------------------------------------------- A study is the container for one quantitative analysis. It comprises scenarios — each one a discrete risk being modelled — and each scenario comprises one or more hypotheses, typically one per risk stage (inherent / current / residual). The hypothesis carries the probability and impact distributions plus the applied controls it assumes are in place — split into existing / added / removed sets so the delta between stages is explicit. Scenarios reference the assets they impact and the vulnerabilities they exploit, mirroring the qualitative side of the platform. User-facing Internal Notes Study `QuantitativeRiskStudy` Container; carries risk tolerance + loss threshold Scenario `QuantitativeRiskScenario` One row of risk Hypothesis `QuantitativeRiskHypothesis` Parameter set + Monte-Carlo simulation cache [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies#how-it-works) How it works ---------------------------------------------------------------------------------------------------------------------------------- Each **scenario** in the study is parametrised by one or more **hypotheses**: * A **loss-event frequency** distribution — how often the bad thing happens per year, expressed as a distribution rather than a point estimate. * A **loss magnitude** distribution — how much it costs when it happens, also as a distribution. The platform runs Monte-Carlo simulation over those distributions and derives the loss exceedance curve (LEC) plus aggregate metrics: expected loss, value-at-risk, tail loss. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies#when-to-use-it) When to use it -------------------------------------------------------------------------------------------------------------------------------------- * You need to compare risk against budget — "should we spend €X on control Y?" becomes tractable when both sides are in euros. * You need to talk to the board or finance about risk in the language they speak. * You have enough data — or enough informed judgement — to bound the loss distributions. Qualitative methods stay useful for everything else. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies#related) Related ------------------------------------------------------------------------------------------------------------------------ * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) * [EBIOS RM](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm) * [Guide → Cyber risk quantification](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/assessments/quantitative-risk) — click walkthrough for running a study. * [Guide → Cyber risk quantification methodology](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/assessments/quantitative-risk-methodology) — the math behind the LEC, VaR, expected shortfall, ROSI, and tolerance overlay. * [Vocabulary → Quantitative risk study / scenario / hypothesis](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousEBIOS RM](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm) [NextVulnerabilities](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies#mental-model) * [How it works](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies#how-it-works) * [When to use it](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies#when-to-use-it) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies#related) Was this helpful? --- # Risk | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk.md) . [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) [EBIOS RM](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm) [Quantitative risk studies](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies) [Vulnerabilities](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities) [PreviousValidation flows](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/validation-flows) [NextRisk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) Last updated 1 month ago Was this helpful? Was this helpful? --- # Metrics | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics.md) . ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#expected-outcome) Expected outcome * define your metrics or import their definition * instantiate them on your domains * feed data to your metric instances * create dashboards with builtin and custom metrics [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#mental-model) Mental model ------------------------------------------------------------------------------------------------------------------- A metric definition is the catalog template — qualitative (level) or quantitative (number with unit) — and can be shipped via a library. Each instance scopes one definition to a domain and carries the operational fields: assignee, target value, collection frequency (auto-stale logic kicks in when the latest sample exceeds the cadence + grace period). Samples are timestamped data points against an instance. Dashboards are independent of the metrology pipeline: they comprise widgets, and each widget either reads a custom metric instance, pulls from a **builtin sample** (a system-computed daily snapshot attached generically to any tracked object — assets, audits, projects, incidents, etc.), or just displays free text. User-facing Internal Notes Metric definition `MetricDefinition` Catalog template; optional `library` FK Metric instance `MetricInstance` One definition × one domain Sample `CustomMetricSample` Timestamped data point on an instance Builtin sample `BuiltinMetricSample` System-computed; daily; `ContentType` GFK to any object Dashboard `Dashboard` Container Widget `DashboardWidget` KPI / donut / pie / bar / line / area / gauge / sparkline / table / text * * * [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#metric-definitions) Metric definitions ------------------------------------------------------------------------------------------------------------------------------- Consider metric definition as a template of your metric. It serves as the guideline of the actual metric instance that you will track accross your domains. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#importing-definitions) Importing definitions #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#id-1.-introduction) 1\. Introduction You will learn how to import off-the-shelf metrics definitions on CISO Assistant. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FvTb9cHNSPqash2GGUZdeys%252F8Q3gdFyrUPF4skriW4JL7M_doc.png%3Falt%3Dmedia%26token%3D11940028-5485-4889-87b7-01257a9ae71b&width=768&dpr=3&quality=100&sign=bf9d88a8&sv=2) Introduction #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#id-2.-open-metric-definitions) 2\. Open Metric Definitions Click "Metric definitions". ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FvTb9cHNSPqash2GGUZdeys%252FhoqCSfxdDNPGFAJfuQKuYJ_doc.png%3Falt%3Dmedia%26token%3D32b9f469-998f-436e-a68f-2f2f63a2c7ef&width=768&dpr=3&quality=100&sign=43ce6ba&sv=2) Open Metric Definitions #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#id-3.-click-import) 3\. Click import Click here to proceed to the next menu. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FvTb9cHNSPqash2GGUZdeys%252FvcwEUhbs8ZrAacw8QJgFMU_doc.png%3Falt%3Dmedia%26token%3D796e72b7-a370-480e-9155-cf9c73a50e8e&width=768&dpr=3&quality=100&sign=b2bf9193&sv=2) Click import #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#id-4.-import-the-library-matching-your-criteria) 4\. Import the library matching your criteria You can also preview the content before importing it. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FvTb9cHNSPqash2GGUZdeys%252F9TmRRuzyLXwZxEYvXfTakF_doc.png%3Falt%3Dmedia%26token%3D25d4a3b1-11fb-45f8-a836-75eec79c783a&width=768&dpr=3&quality=100&sign=9ef153b9&sv=2) Import the library matching your criteria #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#id-5.-return-to-metric-definitions) 5\. Return to Metric Definitions Click "Metric definitions" to revisit the main metrics page. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FvTb9cHNSPqash2GGUZdeys%252F4wTQWHiwwYZoU6xvvinm9t_doc.png%3Falt%3Dmedia%26token%3Dbc756aa3-f19a-4bb3-a890-6cd0513f877f&width=768&dpr=3&quality=100&sign=ce696242&sv=2) Return to Metric Definitions #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#id-6.-look-for-the-metric-definition-you-want) 6\. Look for the metric definition you want Click "Search..." to begin finding specific metrics. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FvTb9cHNSPqash2GGUZdeys%252F4PceckBSLsN6G5GJsgz1gH_doc.png%3Falt%3Dmedia%26token%3D90b71177-1ed2-4f65-9775-622fa064fcd7&width=768&dpr=3&quality=100&sign=abe6bfdf&sv=2) Look for the metric definition you want #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#id-7.-select-the-specific-metric) 7\. Select The Specific Metric You can now instantiate this metric as you see fit for your domains. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FvTb9cHNSPqash2GGUZdeys%252F11dAiGvXZQ1oazVXaVYEKj_doc.png%3Falt%3Dmedia%26token%3Df8d96903-dfeb-41e4-a7e8-3dcae9d05990&width=768&dpr=3&quality=100&sign=14efe93a&sv=2) Select The Specific Metric You can now instantiate this metric as needed across your domains. Keep in mind that you can also create your own metric definition directly without going through the library. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#creating-a-definition) Creating a definition Metrics can be quantitative (number with unit) or qualitative (choices): ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-0e9475dabd1b21a5a239d10abafbc864dac08ff1%252Fimage%2520%2851%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=b52d124b&sv=2) Quantitative metric You can add your options during declaration or afterward: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-3b0367236fec2bb0667b42c7050e716b8e550024%252Fimage%2520%2852%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=35ba9001&sv=2) Qualitative metric The "higher is better" setting is used to indicate if the trend is a good thing or not. * * * [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#metric-instance) Metric instance ------------------------------------------------------------------------------------------------------------------------- The metric instance is the projection of the definition to a specific domain and it's _what you'll be tracking_. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-00b5d13869456c971a7721fcb3cb2e33af6937e3%252Fimage%2520%2853%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=80ad35e5&sv=2) Parameters: * Metric definition (it will inherit its settings) * Domain: the scope of this metric * Status: lifecycle of the metric. The stale is specially interesting as the application will auto-toggle it according to the data freshness * Collection frequency: expected collection frequency, on which we add a grace period before toggling the metric to stale status * Target value: expected target of this metric for this specific domain. This is handy as you can have different targets of the same metric definition according to the domain. * Assigned to: actor responsible for the metric instance and its updates. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#metric-sample) Metric sample --------------------------------------------------------------------------------------------------------------------- This is the actual data of the metric instance on a given timestamp. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-ab0350778b50a1fafc333c358e56b65f5ac9196e%252Fimage%2520%2854%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=2bc36aff&sv=2) Keep in mind that you can add the data manually or through all the supported integrations (API, n8n, etc.). Note that data cannot be in the future. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-cac0f4dac948f8dfbeb352e76e0f5de936f3fd44%252Fimage%2520%2855%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=5e7b0ceb&sv=2) [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#dashboards) Dashboards --------------------------------------------------------------------------------------------------------------- Dashboards are the visual representation of the metrics and support: * custom metrics instance (multiple charts) * built-in metrics (multiple charts) * markdown text widget ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-3346fd0a96a4e35c1e8076a625f8332211754356%252Fimage%2520%2856%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=8236ebab&sv=2) In edit mode, you can add different widgets, place and resize them as you see fit: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-1123243e201dbab46f9fdddd0de365ba1391ddcd%252Fimage%2520%2857%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=499dcffb&sv=2) Once done, you can go back to view mode to see the result: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-975d65709ff56d2f9a832cef3998bb11a62a526a%252Fimage%2520%2858%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=bc156558&sv=2) In addition to the custom metrics for your internal KPI and KRI, you can also include some of the built-in metrics tracked by the platform: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-44ae4bd5d08df4d144284736732077d2c191de32%252Fimage%2520%2859%29.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=2d652848&sv=2) Those are updated on each change of your data and tracked as daily metrics. [PreviousThreat intelligence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/threat-intel) [NextJourneys](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/journeys) Last updated 1 month ago Was this helpful? * [Expected outcome](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#expected-outcome) * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#mental-model) * [Metric definitions](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#metric-definitions) * [Importing definitions](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#importing-definitions) * [Creating a definition](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#creating-a-definition) * [Metric instance](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#metric-instance) * [Metric sample](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#metric-sample) * [Dashboards](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/metrics#dashboards) Was this helpful? --- # Risk assessments | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments.md) . A **risk assessment** (also called a _risk study_) is a scenario-based evaluation of risk over a perimeter. CISO Assistant supports qualitative approaches (configurable risk matrices), quantitative approaches (Monte Carlo over loss distributions), and the structured EBIOS RM methodology. The platform follows the ISO 27005 risk-management workflow. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-c77f11a5da4cf70ef292c09d70c19a8bc74d1648%252Fiso27005.svg%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=70bbe43f&sv=2) ISO 27005 risk management workflow [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#mental-model) Mental model ------------------------------------------------------------------------------------------------------------------------- A risk assessment always lives inside a **domain** (the mandatory IAM scope) and is bound to one **risk matrix** that supplies the probability × impact scale (the matrix can be swapped later; existing scores are clamped to the new scale). A **perimeter** can optionally narrow the assessment to a specific service or process inside the domain. The assessment is composed of **risk scenarios**; each scenario links to the **assets** it impacts, the **threats** it materialises, and the **applied controls** that mitigate it (split between _existing_ and _planned_ to drive the three-tier risk model below). User-facing Internal Notes Risk assessment `RiskAssessment` Also called "Risk study" in the UI Risk scenario `RiskScenario` A row inside the assessment Risk matrix `RiskMatrix` Can be changed; existing scenario scores are clamped to the new scale's bounds Domain `Folder` Required; drives IAM scoping Threat `Threat` Catalog entry from a library [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#risk-assessment) Risk assessment ------------------------------------------------------------------------------------------------------------------------------- A risk assessment encompasses three steps: * **Risk identification** — defining the risk scenarios. * **Risk analysis** — assessing probability, impact, and strength of knowledge for each scenario. * **Risk evaluation** — done automatically based on the selected risk matrix. In CISO Assistant, **risk treatment is combined with the risk assessment** rather than tracked as a separate phase. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#risk-scenario) Risk scenario --------------------------------------------------------------------------------------------------------------------------- Scenarios can be defined directly from the risk-assessment view or separately via the scenarios view. The same scenario can be reused across multiple studies. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#risk-levels-inherent-current-residual) Risk levels: inherent, current, residual ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ CISO Assistant tracks three risk levels for each scenario, reflecting where the organisation stands along the treatment journey: * **Inherent risk** — the natural level of the scenario _without any controls in place_. The starting point. Surfaced in the UI when the `inherent_risk` feature flag is on. * **Current risk** — the level given the applied controls _already in place_. The state of risk today. * **Residual risk** — the level expected once all _planned_ applied controls have been implemented. The target state, and the figure used in risk-acceptance decisions. Each level has its own probability, impact, and overall level fields. The assessment's consistency check flags a scenario whose **residual** risk exceeds its **current** risk (on level, probability, or impact), and also flags a residual lowered below current when no applied control justifies the reduction. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#risk-acceptance) Risk acceptance ------------------------------------------------------------------------------------------------------------------------------- Risk acceptance is when an organisation or individual decides to tolerate a certain level of risk without taking further action to reduce it. CISO Assistant provides a workflow to capture formal approval of risk acceptances by management — the approver must hold the **Approver** role. For the formal definition, see [ISO 31073:2022, term 3.3.32 — risk acceptance](https://www.iso.org/obp/ui/#iso:std:iso:31073:ed-1:v1:en:term:3.3.32) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#risk-matrix) Risk matrix ----------------------------------------------------------------------------------------------------------------------- Risk levels are calculated as a function of the probability and impact of a scenario, using a configurable **risk matrix**. Matrices are imported from libraries — pick one of the built-in matrices or define your own via a custom library. Most organisations define an official matrix to be used for all risk assessments, but CISO Assistant lets you choose a different matrix per assessment when needed. The matrix **can be changed** after the assessment has been created. When you do, each scenario's existing probability and impact values are clamped to the new scale's bounds — a score that falls outside the new range is clipped to the nearest valid value, and unrated scenarios stay unrated. There is no proportional rescaling, so review the scenarios afterwards and correct any score that no longer reflects your intent. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#related) Related --------------------------------------------------------------------------------------------------------------- * [Assets](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/assets-and-resilience/assets) * [Applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) * [Vocabulary → Threat / Risk assessment](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousRisk](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk) [NextEBIOS RM](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/ebios-rm) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#mental-model) * [Risk assessment](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#risk-assessment) * [Risk scenario](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#risk-scenario) * [Risk levels: inherent, current, residual](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#risk-levels-inherent-current-residual) * [Risk acceptance](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#risk-acceptance) * [Risk matrix](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#risk-matrix) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments#related) Was this helpful? --- # Vulnerabilities | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities.md) . A **vulnerability** is a weakness in a system, process, or product that could be exploited to compromise confidentiality, integrity, or availability. CISO Assistant tracks vulnerabilities as first-class objects, separately from the **incidents** they may cause and the **risk scenarios** they feed into. The vulnerability surface answers two operational questions: _what's exposed_ and _are we treating it fast enough?_ [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#mental-model) Mental model ------------------------------------------------------------------------------------------------------------------------ A vulnerability sits inside a domain and points outward at what it affects (assets) and what's treating it (applied controls). Threat-intel feeds enrich it asynchronously — KEV/NVD/EUVD feeds attach security advisories, NVD enrichment tags it with CWEs. The vulnerability SLA policy is a single platform-wide setting that maps severity to a deadline: when severity changes and no explicit due date has been set, the platform recomputes the due date from the policy. User-facing Internal Notes Vulnerability `Vulnerability` First-class object Security advisory `sec_intel.SecurityAdvisory` Ingested from KEV / NVD / EUVD CWE `sec_intel.CWE` Common Weakness Enumeration SLA policy `GlobalSettings("vulnerability-sla")` Severity → days mapping [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#what-a-vulnerability-captures) What a vulnerability captures ---------------------------------------------------------------------------------------------------------------------------------------------------------- * **Identification** — a name, an optional reference ID (typically a CVE), a description. * **Severity** — the shared scale (undefined / info / low / medium / high / critical). * **Status** — undefined, potential, exploitable, mitigated, fixed, not exploitable, unaffected. * **Affected scope** — the assets exposed, and the entities (third parties) involved when relevant. * **Treatment** — linked applied controls (the remediations), security exceptions (formal deviations), CWE entries, and one or more security advisories. * **Timing** — detection date, publication date, ETA, and the SLA due date computed from the severity-driven policy. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#sla-driven-due-dates) SLA-driven due dates ---------------------------------------------------------------------------------------------------------------------------------------- Vulnerabilities are unusual in that the platform sets a **due date** automatically based on severity, via the [Vulnerability SLA policy](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla) . The flow: 1. A vulnerability is created (or its severity changes). 2. If no explicit due date is set, the SLA policy is applied — high severity gets a tighter deadline than medium, and so on. 3. The bulk "refresh due dates" action re-applies the policy across existing rows when the SLA configuration changes. Explicit due dates the user (or an import) sets are preserved — the policy only fills in the blank. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#threat-intelligence-enrichment) Threat-intelligence enrichment ------------------------------------------------------------------------------------------------------------------------------------------------------------ Vulnerabilities don't live in isolation. CISO Assistant can pull from external feeds to enrich them automatically — see [Security intelligence feeds](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds) : * **KEV feed** flags vulnerabilities confirmed exploited in the wild. * **EPSS feed** attaches a probabilistic exploitation score. * **NVD enrichment** pulls CWE mappings, affected configurations, and references. These enrichments link a vulnerability to its **security advisory** and **CWE** entries, making severity triage less guesswork. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#lifecycle) Lifecycle ------------------------------------------------------------------------------------------------------------------ The status field captures where each vulnerability sits in that flow; the linked applied controls and security exceptions explain _how_ it's being treated. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#related) Related -------------------------------------------------------------------------------------------------------------- * [Applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) * [Incidents](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/incidents) * [Risk assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/risk-assessments) * [Vulnerability SLA policy](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla) * [Security intelligence feeds](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds) * [Vocabulary → Vulnerability / Security advisory / CWE / Severity](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousQuantitative risk studies](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/quantitative-risk-studies) [NextCompliance](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#mental-model) * [What a vulnerability captures](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#what-a-vulnerability-captures) * [SLA-driven due dates](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#sla-driven-due-dates) * [Threat-intelligence enrichment](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#threat-intelligence-enrichment) * [Lifecycle](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#lifecycle) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/risk/vulnerabilities#related) Was this helpful? Copy detected → triaged → treated (mitigated / fixed / exception / accepted) → closed --- # Manage extended result | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results.md) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#manage-minor-nonconformities-and-audit-results-efficiently) [Manage Minor Nonconformities And Audit Results Efficiently](https://app.guidde.com/playbooks/tfJoxjgR2GViiWgprnp1hn) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This tutorial guides you through managing minor nonconformities and major audit results within your audits #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#go-to-your-instance) Go to your instance #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-1.-introduction) 1\. Introduction You will learn how to add extra attribute to your audit through extended result. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252FafRc7XrhcmCnoYZph2xWjV_doc.png%3Falt%3Dmedia%26token%3D30d72ef0-ff8a-4bee-b019-f3d871b40219&width=768&dpr=3&quality=100&sign=f8b35e0a&sv=2) Introduction #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-2.-open-your-audit) 2\. Open your audit Click "ISO 27002 SOA" to access the relevant audit for managing audit results. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252Fj1VL7jnL2eroQcG62W5oeb_doc.png%3Falt%3Dmedia%26token%3D768fc383-898b-42b9-bf4d-658ea1384470&width=768&dpr=3&quality=100&sign=cf356367&sv=2) Open ISO 27002 SOA Assessment #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-3.-enter-edit-mode) 3\. Enter Edit Mode Click "Edit" to enable modifications on the selected audit. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252Forw9CaCJAXvg8kdRM7HCoy_doc.png%3Falt%3Dmedia%26token%3Da181a480-c9e7-46ec-8530-09e68173271e&width=768&dpr=3&quality=100&sign=cda1ee32&sv=2) Enter Edit Mode #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-4.-access-more-options) 4\. Access More Options Click "More" to reveal additional settings and options for the assessment. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252F5a4xNe5eu82T16YFp4YWaP_doc.png%3Falt%3Dmedia%26token%3D40bbd64c-ec76-48af-8204-af6735aa04b3&width=768&dpr=3&quality=100&sign=95dcdc0b&sv=2) Access More Options #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-5.-enable-extended-result) 5\. Enable extended result Click "on" to activate the desired feature or option within the assessment settings. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252FvZsoTYBQguqAo61YCTCQdz_doc.png%3Falt%3Dmedia%26token%3Dce8b91b0-6e23-4bcf-8b87-68077cdd55a1&width=768&dpr=3&quality=100&sign=264d65d9&sv=2) Enable Specific Setting #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-7.-save-audit-changes) 7\. Save audit Changes Click "Save" to apply and store the changes made to the audit. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252FtiKYvUWatYdcAd9KZGcbRH_doc.png%3Falt%3Dmedia%26token%3D23b8061a-9ff8-40ee-ad5f-71096b8289f0&width=768&dpr=3&quality=100&sign=92328bef&sv=2) Save Assessment Changes #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-10.-open-a-requirement) 10\. Open a requirement Click "4.1 - Understanding the organization and its context" to examine specific requirements. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252FvkbffqqNuYVzRYAFxjpsJ4_doc.png%3Falt%3Dmedia%26token%3D32cf95d4-024d-48f8-a0d9-1dd3cd7ca791&width=768&dpr=3&quality=100&sign=e77076b5&sv=2) Open Context Subsection #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-11.-choose-the-value-for-your-extended-result) 11\. Choose the value for your extended result Select the appropriate category such as major nonconformity, minor nonconformity, observation, opportunity for improvement, or good practice. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252FmDK4VZ1rkF2zup9uCNGw2q_doc.png%3Falt%3Dmedia%26token%3D4f817784-90b7-4fb7-86fe-26e60e7d4eb2&width=768&dpr=3&quality=100&sign=d4413ea2&sv=2) Choose Nonconformity Type #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-14.-make-sure-its-consistent-with-the-audit-result) 14\. Make sure it's consistent with the audit result Click the note stating "Major and minor nonconformities are only applicable when result is non-compliant or partially compliant." to understand criteria. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252FnF9EAnNMomWES5R8ASqweo_doc.png%3Falt%3Dmedia%26token%3De1ae0a1b-bb4e-45ed-b13b-3ca9c8a07388&width=768&dpr=3&quality=100&sign=c4f4dbcf&sv=2) Review Nonconformity Applicability #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-17.-select-the-value-and-save) 17\. Select the value and save Click "Save" to store the additional nonconformity or observation details. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252FxeGyNXVcfNnyPqEToY8KVe_doc.png%3Falt%3Dmedia%26token%3D37965077-966d-463b-98e7-b34c4e8306df&width=768&dpr=3&quality=100&sign=61df6b3a&sv=2) Save Additional Entry #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results#id-21.-use-the-observation-field-for-more-information) 21\. Use the Observation field for more Information Click "Save" to finalize and save the observation or nonconformity information entered. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fstatic.guidde.com%2Fv0%2Fqg%252FJ0RVKao966SmT5uQXRHVpcgc2yd2%252FtfJoxjgR2GViiWgprnp1hn%252FbdL8REWuvPb26ZorthrWfH_doc.png%3Falt%3Dmedia%26token%3D540844c2-f9ea-4b23-99ad-7827169aa45e&width=768&dpr=3&quality=100&sign=894ae1dc&sv=2) Save Observation Information You have successfully managed minor nonconformities and major audit results by editing, documenting, and saving relevant audit details. This ensures accurate tracking and supports effective audit management for your organization. [PreviousAudits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) [NextEvidence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence) Last updated 1 month ago Was this helpful? Was this helpful? --- # Prerequisites | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/prerequisites.md) . ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/prerequisites#prerequisites-to-install-ciso-assistant-on-premises) Prerequisites to Install CISO Assistant On-Premises 1. **Hardware Requirements:** 1. CPU: 4 cores 2. RAM: Minimum 16 GB 3. Storage: Minimum 10 GB (consider more for evidences) You can start with lower specs of course for testing. 1. **Software Requirements:** 1. Ubuntu/Debian, CentOS, RHEL: LTS versions recommended when applicable\* 2. Docker 27 or up, with Docker compose, **or** Kubernetes Cluster 1.31 or up 3. Postgres 16 or up if you are choosing this variant 4. Any SMTP compatible Mailer \*most Linux distributions supporting Docker should be compatible but have not been tested. Some distributions are not using the official repositories so make sure to follow the instructions from docker page. [PreviousQuick start](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/quick-start) [NextDeployment methods](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods) Last updated 6 days ago Was this helpful? Was this helpful? --- # Audits | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits.md) . An **audit** is the evaluation of a perimeter against a framework. It produces a per-requirement view of status, score, evidence, and the applied controls that substantiate each requirement. Because applied controls are decoupled from compliance requirements, a single set of controls can be evaluated against many frameworks in parallel without re-doing the work. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#mental-model) Mental model --------------------------------------------------------------------------------------------------------------------- An audit always lives inside a **domain** (the mandatory IAM scope) and is assessed against one **framework**. A **perimeter** can optionally narrow the audit further — e.g. to a specific service or process inside the domain. On creation the platform spawns one **requirement assessment** per requirement in the framework — those rows are where status, score, and the supporting **applied controls** and **evidences** live. User-facing Internal Notes Audit `ComplianceAssessment` One audit = one framework × one domain (× optional perimeter) Requirement assessment `RequirementAssessment` Per-requirement row inside the audit Requirement `RequirementNode` Read-only catalog entry from the framework library Domain `Folder` Required; drives IAM scoping Framework `Framework` Read-only library import [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#framework) Framework --------------------------------------------------------------------------------------------------------------- The fundamental input to an audit is a **framework** — a published standard such as ISO/IEC 27001:2022 or NIST CSF. Frameworks ship as YAML libraries. If you can't find one that fits your needs, you can build your own and import it. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#audit) Audit ------------------------------------------------------------------------------------------------------- An audit assesses compliance against the chosen framework. The evaluation of a single requirement inside an audit is called a **requirement assessment**. A requirement assessment is not a single value — it captures _several dimensions_ at once, separating **the compliance result** from **how the work got done** and from **the depth of the implementation**. The point is that the same row tracks the auditor's view, the analyst's progress, and the maturity of the underlying implementation without conflating them. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#progress-column) Progress column Every audit in the audit tables (and on dashboards and campaigns) shows a **Progress** percentage. It answers a single question: _how much of the audit has been assessed?_ A requirement assessment counts as **assessed** as soon as it carries _any_ compliance result — **Compliant**, **Partially compliant**, **Non compliant**, or **Not applicable**. Requirements still on the default **Not assessed** state are the only ones that don't count. A requirement that only carries a score (no result) is also treated as assessed, so maturity- or scoring-only audits still show meaningful progress. In other words, **progress is an auditing-activity signal, not a compliance signal**. An audit can be 100% _in progress_ and still be largely non-compliant — the column tells you the team has gone through every requirement and reached a verdict, not that the verdicts are good. The actual compliance picture lives in the donut and score read-outs computed from the [compliance result](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#compliance-result) below. Only **assessable** requirements count toward the denominator — section titles and headings from the framework are skipped. When the audit is scoped to specific [implementation groups](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#implementation-groups) , only the requirements inside those groups count, so progress reflects the work you actually committed to rather than the framework's full catalogue. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#implementation-groups) Implementation groups Several frameworks ship with their requirements pre-tagged into **implementation groups (IG)** — labels that act as filters over the requirement catalogue. They serve two recurring purposes, depending on how the framework's authors used them: * **Maturity tiers** — _basic / intermediate / advanced_ (CIS Controls' IG1 / IG2 / IG3, CyFun's _Basic / Important / Essential_, FedRAMP's _Low / Moderate / High_). Picking IG1 narrows the audit to the minimum baseline; IG2 adds the next tier; IG3 expands to the full catalogue. This is the "how mature do we want to be?" axis. * **Scope or applicability** — slices like _physical security_, _SaaS_, _cloud_, or framework-specific selectors like ISO 27001's `SoA` group. Picking these narrows the audit to the requirements that actually apply to your context, regardless of maturity. The two patterns are not exclusive — a single framework can mix them, and several IGs can be combined on the same audit. If no IG is selected the audit covers the full catalogue, and you can change the selection later (adding or removing IGs) without losing the work already done on requirements that stay in scope. Where IGs show up in the platform: * **Audit scope** — selected at creation, editable afterwards. Anything outside the selection isn't dropped, it's simply hidden from the audit's assessable count. * **Progress, score, donut, and analytics** — all roll-ups respect the IG selection. The [Implementation Groups Breakdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/audit-analytics) widget in audit analytics shows progress _per IG_ when you want to compare tiers. * **Framework report** — the report filter lets you re-slice the audit by IG after the fact, so the same audit can produce an IG1-only view and a full-catalogue view without re-running the assessment. See [Multi-level support](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/multi-level-support) for the mechanic of selecting IGs at audit creation, and the framework library's own documentation for which IG taxonomy a given standard ships with. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#compliance-result) Compliance result The headline dimension — the actual answer to _"does this requirement hold?"_. Each requirement carries one of: * **Compliant** * **Partially compliant** * **Non compliant** * **Not applicable** This is the field that feeds the framework's compliance percentages, the report, and the cross-framework roll-ups. For questionnaire-driven frameworks (whether authored in the [framework builder UI](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/authoring/framework/framework-builder#questions-and-choices) or imported from an [Excel source](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/authoring/framework#questions-and-choices) — same vocabulary on both paths), the result is computed from the `compute_result` tag carried by each question choice and aggregated _worst-wins_ across the requirement's questions, with `not_applicable` neutral. The full rule lives in the framework builder reference. If you maintain a tenant whose audits were produced under the older boolean-collapse logic, see [Special cases — Recompute assessment results](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/special-cases#recompute-assessment-results-after-the-semantic-compute_result-upgrade) for the realignment procedure. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#analyst-dimension-assignee--workflow-status) Analyst dimension (assignee + workflow status) Independently of the compliance result, each requirement assessment captures _who is working on it_ and _where they are in their process_: * An **assignee** (an actor — user, team, or entity) — who is responsible for assessing this requirement. * A **workflow status** — **To do** / **In progress** / **In review** / **Done**. This is the _analyst's_ status, not the auditor's verdict. The two layers exist because the same requirement can be _Compliant_ but still _In review_ (the analyst has reached a conclusion, but a peer hasn't validated it yet) — and an _In progress_ requirement obviously doesn't have a final compliance result yet. Splitting analyst progress from compliance result lets dashboards and the campaign view show meaningful "still to do" counts without polluting the compliance percentage. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#extended-results-severity-of-non-conformities) Extended results (severity of non-conformities) When you enable [extended results](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results) on the audit, each non-compliant or partially-compliant requirement can carry an additional qualification on a specific scale: * **Major nonconformity** * **Minor nonconformity** * **Observation** * **Opportunity for improvement** * **Good practice** This is the auditor's grading language, useful when the framework requires distinguishing _major_ from _minor_ non-conformities (ISO certification audits being the canonical case). It's an extra layer attached to the result — not a replacement for it. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#scoring-layers) Scoring layers Beyond the binary compliance result, each requirement assessment can carry a **score** on the framework's scale. Scoring captures _how mature or deep_ an implementation is, not just whether it exists. There are two ways to score, depending on what the audit needs: * **Maturity score** _(single layer)_ — one score per requirement, typically used for CMMI-style or NIST-CSF-style maturity assessments. * **Implementation + Documentation scores** _(two layers)_ — toggle on **documentation score** to split scoring into _is this implemented?_ and _is the implementation documented?_. The platform computes the maturity score as the average of the enabled layers. Each requirement assessment uses an **effective scoring scale**. At audit runtime the fallback is the audit's own scoring scale (`ComplianceAssessment`), which is usually initialised from the framework when the audit is created. A requirement can override that audit-level scale with its own `min_score`, `max_score`, and level labels. The scoring UI, documentation score, exports, and tree views use that effective scale for the requirement. When an audit contains mixed scales, average-based roll-ups normalise each requirement against its effective range before aggregating, then display the result on the audit scale. Sum-based roll-ups stay raw: they add `score x weight`, and their maximum is the sum of each requirement's effective maximum times its weight. If **anchor N/A to target** is enabled, not-applicable requirements contribute the audit target projected onto their own effective range. If no target is configured, they contribute their effective maximum. Together with the compliance result, the analyst dimension, the extended results, and the scoring layers, a single requirement assessment can record: _what's the compliance state_, _who is working on it and where they are_, _how severe any non-conformity is_, and _how mature the implementation is_ — all without conflating them. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#comments) Comments Each requirement assessment can carry a thread of **comments** — short, dated, author-attributed notes used for in-context conversation during the audit. They sit alongside the formal fields and don't change the compliance result or the score; they're where the back-and-forth between the analyst, the reviewer, and the auditee happens (clarifications, follow-up questions, agreed-upon next steps). Each comment has a body, an author, a creation timestamp, and an **active / processed** toggle so resolved threads can be filtered out of the default view without losing the history. Comments can be edited (the platform records the edited state), preserving who said what and when. The panel is collapsed by default and shows the comment count, so it stays out of the way until you open it. Comments are not exclusive to requirement assessments — the same thread is available on **risk scenarios**, **applied controls**, and **findings**. On audits, **Comments** is governed by two controls: the `comments` [feature flag](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/feature-flags) (the platform-wide master switch, default on) and the per-audit [field-visibility editor](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/assessments/customize-audit) , which lets you make the thread visible to respondents, auditor-only, or hidden. So you can keep comments enabled everywhere while still hiding the discussion from third-party respondents on a sensitive audit. Authors are also masked for third-party participants who can't see other users. See [Comments](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/comments) for the full feature reference — processed state, edit history, permissions, and author privacy. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#evidence) Evidence ------------------------------------------------------------------------------------------------------------- Evidence justifies the status of a compliance requirement or proves that an applied control has been implemented. It can be a description, a link, or an uploaded file, and it can be attached to any number of applied controls or requirement assessments. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#related) Related ----------------------------------------------------------------------------------------------------------- * [Applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) * [Findings assessments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/governance/findings-assessments) * [Perimeters](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/foundations/perimeters) * [Vocabulary → Audit / Requirement / Evidence](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousCompliance](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance) [NextManage extended result](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results) Last updated 29 days ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#mental-model) * [Framework](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#framework) * [Audit](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#audit) * [Progress column](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#progress-column) * [Implementation groups](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#implementation-groups) * [Compliance result](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#compliance-result) * [Analyst dimension (assignee + workflow status)](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#analyst-dimension-assignee--workflow-status) * [Extended results (severity of non-conformities)](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#extended-results-severity-of-non-conformities) * [Scoring layers](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#scoring-layers) * [Comments](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#comments) * [Evidence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#evidence) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits#related) Was this helpful? --- # Specialised modules | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules.md) . [Third-party risk](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/third-party-risk) [Privacy register](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/privacy-register) [Project management](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/project-management) [Terminology](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology) [Object classifications](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/object-classification) [PreviousEvidence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence) [NextThird-party risk](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/third-party-risk) Last updated 1 month ago Was this helpful? Was this helpful? --- # Overview | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/installation.md) . CISO Assistant is delivered as a set of containers — frontend, backend, database, and reverse proxy — that can run locally via Docker, on a VPS, or on Kubernetes via the Helm chart. The diagram below sketches how the pieces fit together. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Fintuitem%2Fciso-assistant-community%2Fraw%2Fmain%2Fdocumentation%2Fsystem-architecture.png&width=768&dpr=3&quality=100&sign=90686bd1&sv=2) System architecture > This section is being expanded. Material to come: prerequisites, local Docker setup, virtualisation and remote deployment, deploying on a VPS, the Helm chart, S3 storage, mailer, custom certificates, secrets management, and instance upgrades. [PreviousObject classifications](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/object-classification) [NextQuick start](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/quick-start) Last updated 1 month ago Was this helpful? Was this helpful? --- # Evidences from clipboard | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/evidences-from-clipboard.md) . If you have a screenshot on your clipboard, you can directly paste it into the file field to have it as evidence instead of going through an intermediate file as illustrated below: [PreviousApplied controls analytics](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/applied-controls-analytics) [NextMappings](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/mappings) Last updated 1 month ago Was this helpful? Was this helpful? --- # Evidence | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence.md) . **Evidence** is anything that substantiates a claim in CISO Assistant — that a control has been implemented, that a requirement is met, or that a process is being followed as described. Evidence is the connective tissue between what the audit asks and what the organisation actually does. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#mental-model) Mental model ----------------------------------------------------------------------------------------------------------------------- Evidence is the shared substantiation surface — the same record can back an applied control, a requirement assessment, and a finding at the same time, which is why a single proof can satisfy many frameworks at once. Each evidence comprises a chain of revisions; the latest revision holds the current attachment (with its SHA-256 hash) or external link. When a recurring task produces evidence, the corresponding task occurrence is recorded on the revision so the audit trail goes both ways. User-facing Internal Notes Evidence `Evidence` Logical record (stable identity) Evidence revision `EvidenceRevision` Versioned payload (file or link) Task occurrence `TaskNode` Optional producer back-link [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#what-counts-as-evidence) What counts as evidence --------------------------------------------------------------------------------------------------------------------------------------------- * An uploaded file — PDF, screenshot, configuration export, signed approval, exported policy. * A link to an external system — a Jira ticket, a Confluence page, a Git commit, a monitoring dashboard, a signed agreement. * A free-form description, when the proof is the assertion itself (rare but allowed). [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#what-evidence-attaches-to) What evidence attaches to ------------------------------------------------------------------------------------------------------------------------------------------------- Evidence attaches to two places: * **Applied controls** — proof that the control is in place and working. * **Requirement assessments** — proof that a specific compliance requirement is met. Because the same applied control can satisfy many requirements across many frameworks, a single piece of evidence often substantiates compliance against several requirements at once — without duplication. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#lifecycle) Lifecycle ----------------------------------------------------------------------------------------------------------------- Evidence isn't attached once and forgotten. Each piece carries metadata — description, timestamp, expiry, assignee — and a status. Auditors regularly refresh evidence: a yearly penetration-test report needs to be re-uploaded each year; an exported configuration needs to be re-pulled after each significant change. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#revisions) Revisions ----------------------------------------------------------------------------------------------------------------- Each piece of evidence keeps a versioned history through **evidence revisions**. Replacing an attachment doesn't overwrite the previous file — it creates a new revision under the same evidence object. Every revision carries: * A monotonically increasing **version number**. * The **attachment** (file) or **link** for this revision. * An **SHA-256 hash** of the attachment, computed automatically and used for integrity checks. * An **observation** field for notes about what changed. * An optional link to the **task occurrence** that produced it — when an evidence file is generated by completing a recurring task, the task occurrence is recorded on the revision so the audit trail goes both ways. The current attachment shown on the evidence page is always the latest revision; older revisions remain accessible for audit. This matters when an assessor asks "what proof did you have on date X?" — the historical revision is still there. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#related) Related ------------------------------------------------------------------------------------------------------------- * [Applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) * [Audits](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits) * [Tasks](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/tasks) * [Vocabulary → Evidence](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) [PreviousManage extended result](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/audits/extended-results) [NextSpecialised modules](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules) Last updated 1 month ago Was this helpful? * [Mental model](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#mental-model) * [What counts as evidence](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#what-counts-as-evidence) * [What evidence attaches to](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#what-evidence-attaches-to) * [Lifecycle](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#lifecycle) * [Revisions](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#revisions) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/compliance/evidence#related) Was this helpful? --- # Frequent questions | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq.md) . ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#stop-and-restart) Stop and restart `docker compose down` `docker compose up -d` ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#getting-the-logs) Getting the logs All services logs combined: `docker compose logs` Specific service: `docker compose logs backend` ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#didnt-get-the-prompt-for-the-first-user) Didn't get the prompt for the first user If you didn't get the prompt to create the first user, or lost the password but you still have access to the infra level, you can trigger the `createsuperuser` command to fix that. In your compose file folder, try: `docker compose exec backend uv run python manage.py createsuperuser` Alternatively, in a docker environment: `docker ps -a | grep backend` (this will get you the id of the Backend for CISO Assistant container, keep it for the next step) `docker exec -it uv run python manage.py createsuperuser` and you should get a prompt now 😉 ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#lost-the-first-user-password) Lost the first user password `docker compose exec backend uv run python manage.py changepassword ` You'll get a prompt to change the password ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#random-issues-after-upgrading) Random issues after upgrading In some rare cases, the migration of database schemas can take longer than expected or fail silently. First thing to check is the backend container logs: Make sure you share these information if you're reporting an issue on Discord or the Support portal. If you want to trigger the migration to make sure that all increments have been properly applied: ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#healthcheck-fails-during-the-installation) Healthcheck fails during the installation most likely because the initialization took longer than expected. Make sure you provide the expected specs or tune the docker compose to give the app more time to finish the init phase. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#dont-want-cant-run-the-init-script) Don't want / Can't run the init script The recommended pattern for a first local setup is to go with ./docker-compose.sh ; In case you can't: Run wait for the init to finish and then trigger the first user creation manually: ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#payload-too-large-when-uploading-a-file-to-the-frontend) "Payload too large" when uploading a file to the frontend By default, the `BODY_SIZE_LIMIT` environment variable is set to 20 MB in the frontend Dockerfile: In order to upload larger files, this value must be increased. How to do so depends on you rmode of deployment. Here are relevant docs: * [https://docs.docker.com/compose/how-tos/environment-variables/set-environment-variables/](https://docs.docker.com/compose/how-tos/environment-variables/set-environment-variables/) * [https://helm.sh/docs/helm/helm\_env/](https://helm.sh/docs/helm/helm_env/) * [https://docs.docker.com/reference/cli/docker/container/run/#env](https://docs.docker.com/reference/cli/docker/container/run/#env) If you use helm, this value is overwritten by the `bodySizeLimit` variable. Note the camel case here. [PreviousMigrate between different databases](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database) [NextOverview](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/configuration) Last updated 1 month ago Was this helpful? * [Stop and restart](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#stop-and-restart) * [Getting the logs](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#getting-the-logs) * [Didn't get the prompt for the first user](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#didnt-get-the-prompt-for-the-first-user) * [Lost the first user password](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#lost-the-first-user-password) * [Random issues after upgrading](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#random-issues-after-upgrading) * [Healthcheck fails during the installation](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#healthcheck-fails-during-the-installation) * [Don't want / Can't run the init script](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#dont-want-cant-run-the-init-script) * ["Payload too large" when uploading a file to the frontend](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq#payload-too-large-when-uploading-a-file-to-the-frontend) Was this helpful? Copy docker compose logs backend Copy docker compose exec backend uv run python manage.py migrate Copy docker compose up -d Copy docker compose exec backend uv run python manage.py createsuperuser Copy # frontend/Dockerfile ENV BODY_SIZE_LIMIT=20000000 --- # Setting up S3 | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/s3.md) . By default, CISO Assistant stores attachments on the local filesystem. You can configure it to use an S3-compatible object storage (AWS S3, MinIO, etc.). ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/s3#prerequisitories) Prerequisitories * A running S3-compatible storage * An existing bucket (must be created **before** starting CISO Assistant) * Valid access credentials (Access Key / Secret Key) ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/s3#configure-environment-variables) Configure environment variables Set the following environment variables in the backend environment: Copy export USE_S3=True export AWS_ACCESS_KEY_ID= export AWS_SECRET_ACCESS_KEY= export AWS_STORAGE_BUCKET_NAME= export AWS_S3_ENDPOINT_URL= That's it ! You can now launch your backend and your attachments will be sent to your S3 🔥 ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/s3#example-case-local-minio-block-storage) Example case : local MinIO block storage You can test S3 support using MinIO: Copy docker run -d \ --name minio \ -p 9000:9000 \ -p 9001:9001 \ -e MINIO_ROOT_USER=ciso-assistant-admin \ -e MINIO_ROOT_PASSWORD=not_secure_password \ -v minio_data:/data \ minio/minio server /data --console-address ":9001" Then go on [http://localhost:9001](http://localhost:9001/) , enter your minio root user/password and create a bucket with the name 'my-ciso-bucket'. The backend environment variables will be: You can now see your attachments on the MinIO console after importing them in ciso-assistant. [PreviousManaging secrets](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/managing-secrets) [NextSetting up mailer](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer) Last updated 1 month ago Was this helpful? * [Prerequisitories](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/s3#prerequisitories) * [Configure environment variables](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/s3#configure-environment-variables) * [Example case : local MinIO block storage](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/s3#example-case-local-minio-block-storage) Was this helpful? Copy export USE_S3=True export AWS_ACCESS_KEY_ID=ciso-assistant-admin export AWS_SECRET_ACCESS_KEY=not_secure_password export AWS_STORAGE_BUCKET_NAME=my-ciso-bucket export AWS_S3_ENDPOINT_URL=http://localhost:9000 --- # Add and manage users | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/users.md) . Under Organization, click on Users and then Add user: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-9cb3335477df78795e9d51065811d3b88f429f8d%252Fimage%2520%2814%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=90953150&sv=2) Set up the email of the new user: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-aed11dd7e952132585e663f582ebf38b9a28cd06%252Fimage%2520%2815%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=5e51692a&sv=2) Once created, a new user doesn't have any permissions by default. Click edit and update the user groups: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-bb96eb4138f0b05b5965eae19885a38275c49a78%252Fimage%2520%2817%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=c13266e4&sv=2) If you are working on a single domain, or working on solo, you might just set \`Global - Administrator\` ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-939eb7efb1e55f0bbeec2456d6df1eb4bf1201c0%252Fimage%2520%2816%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=595cd092&sv=2) When the user are added, and if the mailer is set, he/she will receive an email to set up the password. If not, you can set a temporary password as illustrated above. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/users#disable-a-users-mfa) Disable a user's MFA ------------------------------------------------------------------------------------------------------------------------------------------ If a user has lost access to all their MFA factors (phone wiped, hardware key lost) and has no recovery codes left, an administrator can disable their MFA from the user's edit page. The link only appears when the target user has MFA enabled and you are not editing yourself. See [Setting up Multi-Factor Authentication (MFA) → Admin recovery](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#admin-recovery-disabling-another-users-mfa) for the full procedure. [PreviousOrganization](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization) [NextUser groups](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/user-groups) Last updated 12 days ago Was this helpful? Was this helpful? --- # Migrate between different databases | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database.md) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#primordial-step-create-backups) Primordial step: create backups ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Do not forget that this kind of operation can be tricky and may impact your data if something goes wrong. To stay safe, we strongly recommend creating a backup of the volume, disk, or `db/` folder used to host your CISO Assistant instance. We also recommend testing your backup procedure by deploying another CISO Assistant instance and restoring the backup into it. This will help verify that your backups work correctly before you start switching database engines. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#switch-from-sqlite-to-postgresql) Switch from SQLite to PostgreSQL ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Here is a complete guide of all the steps you should perform (after backing up your volume). The new PostgreSQL-backed instance must run the **exact same CISO Assistant version** as the source SQLite instance. The restore will refuse a backup produced by a different version. Migrate first, then upgrade afterwards if needed. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-1.-export-your-data) 1\. Export your data To facilitate the backup and restore workflow, we designed a backup-restore page with a button to back up the database. Go in **Extra > Backup & restore**, then click on **Export database**. You will get a `.bak` file. Evidence files and other uploaded files are **not** included in this export — they live on disk under `db/attachments/` and are handled separately in step 7. If you'd rather get both the database and the attachments in a single bundle, skip this step and use the `clica` CLI instead — see step 7, Option B. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-2.-stop-the-instance-of-ciso-assistant) 2\. Stop the instance of CISO Assistant Copy docker compose down ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-3.-set-up-postgresql) 3\. Set up PostgreSQL You can install whichever PostgreSQL setup you prefer, as you only need the environment variables afterwards to connect it to CISO Assistant. Here are the two main ways: #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#on-your-host-using-a-service) On your host using a service Depending on your OS, install PostgreSQL — here on Ubuntu: Configure your PostgreSQL instance with at minimum: Also check the port on which PostgreSQL is running (normally `5432`). #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#in-a-docker-container) In a Docker container In your `docker-compose.yml`, add a service like this: ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-4.-connect-ciso-assistant-to-postgresql) 4\. Connect CISO Assistant to PostgreSQL Define these environment variables in your `docker-compose.yml` (or via `export` if running without containers): If PostgreSQL is running on your **host** (not in a container), set `DB_HOST=host.docker.internal` and add the following to your backend service: The exact host settings depend on your setup — OS, Docker version, whether you run rootless Docker, or whether you bridge the backend container to the host network. Adjust `DB_HOST` and `extra_hosts` accordingly. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-5.-restart-migrate-and-create-a-superuser) 5\. Restart, migrate and create a superuser Bring the stack back up — if you are using Docker, migrations run automatically at startup: Since the PostgreSQL database is brand new and empty, you also need to create a temporary superuser: This is a temporary user. The backup restore will delete it while giving you back your original users. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-6.-restore-your-data) 6\. Restore your data Connect with your new temporary superuser, go to the **Backup & restore** section, and click the restore button. Select the `.bak` file you downloaded in step 1. Your database will be fully restored. Reconnect with one of your original users. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-7.-make-sure-evidence-files-are-still-reachable) 7\. Make sure evidence files are still reachable The `.bak` only contains database rows. The actual evidence files (PDFs, images, …) live on the filesystem under `db/attachments/`, independent of which database engine you use. Database rows reference them by path, so if the files aren't where the rows expect them, evidence records will appear to exist but their attachments will be broken. You have two ways to keep them: **Option A — Same host, same volume (typical case).** If you're switching the database engine in place on the same machine and you kept the `db/` volume mounted on the new stack, you don't need to do anything: `db/attachments/` is already there and the restored records will resolve to the existing files. **Option B — Cross-host migration, or you want one atomic snapshot.** Use the `clica` CLI shipped under [`cli/`](https://github.com/intuitem/ciso-assistant-community/tree/main/cli/README.md) instead of the UI export. It packages the database **and** every attachment in a single backup, then restores both in one atomic call: Requires a Personal Access Token with the backup permission set in `.clica.env`. The CLI verifies SHA-256 hashes and is resumable. See `cli/README.md` for setup details. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#switch-from-postgresql-to-sqlite) Switch from PostgreSQL to SQLite ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The logic is the same in reverse: 1. Export the database from the **Extra > Backup & restore** page on your PostgreSQL-backed instance (or run `clica backup-full` if you want attachments included). 2. Stop the stack (`docker compose down`). 3. Remove the PostgreSQL environment variables (`POSTGRES_NAME`, `POSTGRES_USER`, `POSTGRES_PASSWORD`, `DB_HOST`, `DB_PORT`) and the `db` service from your `docker-compose.yml`. With `POSTGRES_NAME` unset, CISO Assistant falls back to SQLite at `db/ciso-assistant.sqlite3`. 4. Bring the stack back up, create a temporary superuser, and restore the `.bak` file (or run `clica restore-full`). 5. Keep `db/attachments/` in place — the same caveat from step 7 above applies. The same version-match rule applies: the SQLite-backed instance must run the exact same CISO Assistant version as the PostgreSQL-backed source. [PreviousSpecial cases](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/special-cases) [NextFrequent questions](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/faq) Last updated 1 month ago Was this helpful? * [Primordial step: create backups](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#primordial-step-create-backups) * [Switch from SQLite to PostgreSQL](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#switch-from-sqlite-to-postgresql) * [1\. Export your data](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-1.-export-your-data) * [2\. Stop the instance of CISO Assistant](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-2.-stop-the-instance-of-ciso-assistant) * [3\. Set up PostgreSQL](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-3.-set-up-postgresql) * [4\. Connect CISO Assistant to PostgreSQL](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-4.-connect-ciso-assistant-to-postgresql) * [5\. Restart, migrate and create a superuser](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-5.-restart-migrate-and-create-a-superuser) * [6\. Restore your data](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-6.-restore-your-data) * [7\. Make sure evidence files are still reachable](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#id-7.-make-sure-evidence-files-are-still-reachable) * [Switch from PostgreSQL to SQLite](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database#switch-from-postgresql-to-sqlite) Was this helpful? Copy sudo apt install postgresql Copy POSTGRES_DB=ciso-assistant POSTGRES_USER=ciso-assistantuser POSTGRES_PASSWORD= Copy db: container_name: db image: postgres:16 restart: always environment: - POSTGRES_DB=ciso-assistant - POSTGRES_USER=ciso-assistantuser - POSTGRES_PASSWORD= volumes: - ./pgdata:/var/lib/postgresql/data healthcheck: test: ["CMD-SHELL", "pg_isready -U ciso-assistantuser -d ciso-assistant"] interval: 10s timeout: 5s retries: 10 start_period: 50s Copy POSTGRES_NAME=ciso-assistant POSTGRES_USER=ciso-assistantuser POSTGRES_PASSWORD= DB_HOST=db DB_PORT=5432 Copy extra_hosts: - "host.docker.internal:host-gateway" Copy docker compose up -d Copy docker exec -it backend uv run python manage.py createsuperuser Copy # On the source instance — produces backup.json.gz + attachments/ + manifest uv run clica.py backup-full --dest-dir ./db_backup # On the new (PostgreSQL-backed) instance, after step 5 uv run clica.py restore-full --src-dir ./db_backup --- # Multi-level support | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/multi-level-support.md) . Multiple frameworks have their requirements organized into subgroups, mostly cumulative but not always. We introduced it in v1.3.x better support for such a concept using the concept of `implementation groups` from CIS, but with a generic implementation to cover both cases. illustration of implementation groups When creating a new audit with a framework that supports implementation groups (IG), you'll get a drop-down menu to select the ones you want to use. They can be combined to suit your needs. If no implementation group is selected, the audit will start with all the requirements, and you can still update it to add or remove other IG. CyFun and CIS, and FedRamp have been updated to take advantage of this feature. Other relevant frameworks are currently being updated. [PreviousControls autosuggestion](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/controls-autosuggestion) [NextFlash mode](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/flash-mode) Last updated 1 month ago Was this helpful? Was this helpful? --- # Remote/Virtualization | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/remote-virtualization.md) . New: Use the config builder at the `config` folder of the repo for an interactive and reliable experience. To get started with the config builder, make sure you have python and docker installed. Here is an example on ubuntu: Copy #update ubuntu repository and OS sudo apt update sudo apt upgrade # install docker sudo snap install docker #install python sudo apt install python3-pip python3.14-venv #clone the repo git clone https://github.com/intuitem/ciso-assistant-community.git #go to the config generator cd ciso-assistant-community cd config # setting up the python project and dependencies python3 -m venv .venv source .venv/bin/activate pip install -r requirements.txt # run the interactive config generator python make_config.py **You cannot use IP addresses on the configuration and you need to have a FQDN mapped to it.** 1. If you aim to expose the **VM to internet**, use this dedicated guide: [https://github.com/intuitem/ciso-assistant-community/tree/main/product-docs/installation/deploy-on-a-vps.md](https://github.com/intuitem/ciso-assistant-community/tree/main/product-docs/installation/deploy-on-a-vps.md) 2. If you aim to connect **from the VM** 3. If you aim to connect **to the VM from your network** ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/remote-virtualization#from-the-vm) From the VM This means that you _**will be using a browser from within the VM**_ so localhost settings are applicable. You can simply use the default ./docker-compose.sh at the root of the repository or trigger the config builder with the following settings: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-f8dc736680585847d948342a7bf081a853a87f86%252Fimage%2520%2836%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=b939f1b9&sv=2) run `./docker-compose.sh` and connect from within the VM using `https://localhost:8443` ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/remote-virtualization#from-your-network-host-os) From your network / host OS * setup a FQDN for your VM and make sure it's known by the host you are connecting from. This will vary depending on your OS. For instance, for linux/mac, you can add a line to your `/etc/hosts` file such as: `192.168.1.87 ca.homelab.local` in this example, the first part is your VM's ip and the second one will be the FQDN you'll be providing to the config builder and that you will use to connect later on. Run the config builder and provide the following settings: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-03a4e5b914f69221b09ba65c5a795c82e8ec6997%252Fimage%2520%2837%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=11262be&sv=2) run `./docker-compose.sh` and connect from your host this time using `https://ca.homelab.local:8443` _Notes:_ * If you don't want to have a specific port, use the port 443 during the settings, given it's not used by another application on your system. * In the remote setup, if you also want to connect from within the VM, you can add your custom FQDN to the /etc/hosts of your VM but mapped to 127.0.0.1 \--- ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/remote-virtualization#legacy-kept-for-reference-purposes) Legacy - Kept for reference purposes Let's say that you want to setup or experiment with CISO Assistant on a Network or Virtualized environment (eg. Hypervisor) on a remote host, for instance, to use with multiple users: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-7eab7416e5412d19792f7f482ee4022cf6ccce58%252Fimage%2520%2810%29%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=edf43a85&sv=2) * Install a recent version of Docker on your remote server * Given that we are using TLS with Caddy, we need to have DNS entries and not IPs * The workstations need to be able to reach the remote using an FQDN (DNS entry). If not you can add an entry on your `/etc/hosts`. Keep track of the remote server DNS as you'll put it on the next step, let's say the remote is `cool-vm` for instance * Clone the repo, but don't run anything yet. **Edit** the `docker-compose.yml` file as follows: (red is for deletion and green for addition); your diff should look like: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-807d0816b913d4f9418ad4221db5394b4a63252c%252Fimage%2520%2813%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=477b4226&sv=2) * Five lines need to be edited. Save the file and move to the next step If you're getting `SSL_ERROR_INTERNAL ERROR_ALERT` (Can be different on other browsers) blocking you from continuing, make sure that you've made the 5 changes above. The `tls internal` (equivalent to `-i` in CLI mode) parameter of Caddy can present some security issues and is not recommended for production and internet exposure. You should consider proper certificates for that. You're all set, and you can simply run: Your CISO Assistant can be reached now from `https://cool-vm:8443`, and you can skip the SSL warning for the self-signed certificate. [PreviousDocker rootless configuration](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/docker-rootless) [NextDeploy on a VPS](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/vps) Last updated 1 month ago Was this helpful? * [From the VM](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/remote-virtualization#from-the-vm) * [From your network / host OS](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/remote-virtualization#from-your-network-host-os) * [Legacy - Kept for reference purposes](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/remote-virtualization#legacy-kept-for-reference-purposes) Was this helpful? Copy ./docker-compose.sh --- # Library clean-up | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/library-cleanup.md) . If you want to delete a load library, make sure it's not used anywhere (for framework, that's an audit is not depending on them, for a risk matrix, that a risk assessment is not relying on it, etc.) and head to the loaded libraries section of your libraries (Governance/Libraries). If the item is not used, it will show as "deletable" as below: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-3c96e912dfa251df30ed29d1d690b54e80caaa6e%252Fimage%2520%2838%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=3bdef0aa&sv=2) [PreviousUpgrading a library](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/upgrading-a-library) [NextAuthoring](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/authoring) Last updated 1 month ago Was this helpful? Was this helpful? --- # Library upgrade | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/library-upgrade.md) . ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-cf8a61ae46b1b480bb22b0d6038ea44653ebb429%252Fimage%2520%289%29%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=308ec553&sv=2) When new upgrades are available for a library, you can choose to pull the upgrade on your existing audits. This is pretty useful for applying nondestructive updates such as typo fixes, adding implementation groups, and so on. [PreviousCIS Controls / Cloud Controls Matrix (CCM)](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/cis-controls) [NextUpgrading a library](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/upgrading-a-library) Last updated 1 month ago Was this helpful? Was this helpful? --- # Deployment methods | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods.md) . [Local](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/local) [Docker rootless configuration](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/docker-rootless) [Remote/Virtualization](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/remote-virtualization) [Deploy on a VPS](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/vps) [Helm Chart](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart) [PreviousPrerequisites](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/prerequisites) [NextLocal](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/local) Last updated 1 month ago Was this helpful? Was this helpful? --- # Prometheus metrics | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics.md) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics#overview) Overview ------------------------------------------------------------------------------------------------------------------------------------- When enabled, the backend exposes a `/metrics` endpoint that returns instance-level gauges in the [Prometheus exposition format](https://prometheus.io/docs/instrumenting/exposition_formats/) : * User and editor counts * Number of loaded libraries, domains, perimeters, assets, threats * Number of compliance assessments, risk assessments, risk scenarios, risk acceptances * Number of applied controls and evidences * License expiration date, instance creation date, last login date * Build information (version, commit, schema) ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics#enabling-the-endpoint) Enabling the endpoint Set the following environment variable on the backend container: Copy EXPOSE_METRICS=True The endpoint is disabled by default (`EXPOSE_METRICS=False`). ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics#security-never-expose-metrics-publicly) Security — never expose `/metrics` publicly The `/metrics` endpoint is **unauthenticated**. If you enable it, make sure it is never reachable from the public internet — either by restricting access to trusted IP ranges, or by binding the endpoint to an internal interface only. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics#prometheus-configuration-single-vm) Prometheus configuration (single VM) If your prometheus runs in local you can for example check the /metrics endpoint with this config If you have multiple instances on different machines, add them to `targets`: Start Prometheus with: The Prometheus UI is available at `http://localhost:9090`. Search for `ciso_assistant_nb_users` to confirm that scraping is working. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics#verifying-the-endpoint) Verifying the endpoint From a machine that has access to the backend (not from the public internet): You should see output similar to: If the endpoint returns a 404, check that `EXPOSE_METRICS=True` is set and that the backend has restarted. [PreviousSetting up mailer](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer) [NextStructured logging](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging) Last updated 1 month ago Was this helpful? * [Overview](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics#overview) * [Enabling the endpoint](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics#enabling-the-endpoint) * [Security — never expose /metrics publicly](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics#security-never-expose-metrics-publicly) * [Prometheus configuration (single VM)](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics#prometheus-configuration-single-vm) * [Verifying the endpoint](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics#verifying-the-endpoint) Was this helpful? Copy global: scrape_interval: 30s scrape_configs: - job_name: ciso-assistant static_configs: - targets: - localhost:8000 metrics_path: /metrics/ Copy static_configs: - targets: - 192.168.1.10:8000 - 192.168.1.11:8000 Copy prometheus --config.file=prometheus.yml Copy curl http://localhost:8000/metrics Copy # HELP ciso_assistant_nb_users Number of users in the CISO Assistant instance # TYPE ciso_assistant_nb_users gauge ciso_assistant_nb_users 3.0 ... --- # Controls autosuggestion | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/controls-autosuggestion.md) . The recommendation system allow you to create applied controls and automatically assign them to your audit requirements, based on the reference controls of the catalog: [PreviousAnalytics](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/analytics) [NextMulti-level support](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/multi-level-support) Last updated 1 month ago Was this helpful? Was this helpful? --- # Domain export/import | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/domain-export-import.md) . Pro users (eg. consultants) can export a full domain with its affiliated objects ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-0198359a4a30775ff68dcdbfca86feb536daaef2%252Fimage%2520%281%29%2520%282%29%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=1c31336e&sv=2) You can import it on Pro or Community edition on the domains list: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-9a09cf15df71cf245e1894f2d60d734861de420f%252Fimage%2520%281%29%2520%282%29%2520%281%29%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=2b4f0038&sv=2) [PreviousAudit log](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/audit-log) [NextFocus mode](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/focus-mode) Last updated 1 month ago Was this helpful? Was this helpful? --- # Quick start | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/quick-start.md) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/quick-start#config-builder) Config Builder ----------------------------------------------------------------------------------------------------------------------- Customise the local deployment according to your needs: Make sure to have Docker 27 or above. If you get an error saying the `docker compose` command is not recognised, your Docker version is too old. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/quick-start#docker-compose) Docker Compose ----------------------------------------------------------------------------------------------------------------------- Make sure Docker and Docker Compose are installed on your system. * clone the repo: `git clone https://github.com/intuitem/ciso-assistant-community.git` * run the preparation script and follow the instructions: `./docker-compose.sh` You can also find other variants for different setups as a starting point for your specific needs: * [Remote / Virtualization](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/remote-virtualization) * [Deploy on a VPS](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/vps) [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/quick-start#helm-chart) Helm chart --------------------------------------------------------------------------------------------------------------- Make sure the Helm binary is installed and switch to your cluster context. The chart is published to a GitHub OCI registry — no `helm repo add` needed. 1. Pull the default values: 2. Edit `custom.yaml` for your environment. At minimum, look at: * `global.domain` — the hostname your instance will serve on. * `global.tls` and `ingress.tls.*` — enable TLS. * `backend.config.djangoSecretKey` — rotate from the default. * `backend.config.databaseType` (`sqlite`, `pgsql`, or `externalPgsql`) and the matching `postgresql.*` / `externalPgsql.*` block. 3. Create a namespace: `kubectl create ns ciso-assistant` 4. Install: `helm install ciso-assistant-release oci://ghcr.io/intuitem/helm-charts/ce/ciso-assistant -f custom.yaml -n ciso-assistant` See [Helm Chart](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart) for the full procedure (image tag pinning, values reference, and operational notes). This setup assumes Caddy will handle TLS on your behalf. If you experience SSL-related issues, you may need to patch your `ingress-nginx-controller` to enable the `enable-ssl-passthrough` flag. [PreviousOverview](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/installation) [NextPrerequisites](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/prerequisites) Last updated 1 month ago Was this helpful? * [Config Builder](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/quick-start#config-builder) * [Docker Compose](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/quick-start#docker-compose) * [Helm chart](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/quick-start#helm-chart) Was this helpful? Copy helm show values oci://ghcr.io/intuitem/helm-charts/ce/ciso-assistant > custom.yaml --- # Maintenance | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance.md) . [Updating your local instance](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/updating) [Special cases](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/special-cases) [Migrate between different databases](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/migrate-database) [PreviousStructured logging](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging) [NextUpdating your local instance](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance/updating) Last updated 1 month ago Was this helpful? Was this helpful? --- # Terminology | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology.md) . CISO Assistant ships with a default vocabulary for the values that appear in dropdowns and badges across the UI — risk origin types in EBIOS RM, project status values, qualifications on incidents, accreditation status labels, metric units, and so on. The **terminology** layer lets each organisation override those defaults to match its own internal vocabulary, without changing the platform's data model. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology#why-it-exists) Why it exists ------------------------------------------------------------------------------------------------------------------------------------- Two organisations can use CISO Assistant against the same framework and the same methodology, but speak entirely different internal languages. One team's "Risk Origin: state-actor" is another team's "Adversary: nation-state". The terminology surface lets you reshape the labels without forking the platform. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology#how-it-works) How it works ----------------------------------------------------------------------------------------------------------------------------------- A terminology entry binds a **label** to a **field path** — the specific UI surface where the label appears. The shipped field paths today cover: * `ro_to.risk_origin` — Risk Origin types on RO/TO couples in EBIOS RM. * `qualifications` — qualification tags on incidents, risk scenarios, and BIA escalation thresholds. * `accreditation.status` and `accreditation.category` — labels on accreditation records. * `entity.relationship` — third-party relationship types. * `metric_definition.unit` — units shown alongside metric values. * `project.status` and `project.health` — workflow labels on projects. * `processing.nature` — the nature of a processing activity (collection, storage, disclosure, erasure, …) in the privacy register. * `personal_data.category` — categories of personal data (name, email, health data, …) in the privacy register. For each field path, the platform ships a **built-in** set of entries (state, organised crime, terrorist, activist, … for risk origins, for example). You can: * **Hide** built-in entries you don't want to surface — the `is_visible` flag controls dropdown inclusion. * **Add** organisation-specific entries alongside the built-ins. * **Translate** entries through the standard library translation mechanism. The platform falls back to the built-in default whenever an entry is missing or hidden — terminology is additive on top of a working set, not a replacement. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology#scoping) Scoping ------------------------------------------------------------------------------------------------------------------------- Terminology entries live in the root folder by default, meaning they apply organisation-wide. Built-in entries cannot be deleted; they can only be hidden. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology#where-you-find-it) Where you find it --------------------------------------------------------------------------------------------------------------------------------------------- In the sidebar under **Extra → Terminologies**. The feature is gated by the `terminologies` feature flag, which is on by default. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology#related) Related ------------------------------------------------------------------------------------------------------------------------- * [Vocabulary → Terminology](https://intuitem.gitbook.io/ciso-assistant/product-docs/introduction/vocabulary) * [Custom roles](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/custom-roles) — a different kind of organisation-defined override [PreviousProject management](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/project-management) [NextObject classifications](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/object-classification) Last updated 2 days ago Was this helpful? * [Why it exists](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology#why-it-exists) * [How it works](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology#how-it-works) * [Scoping](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology#scoping) * [Where you find it](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology#where-you-find-it) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/specialised-modules/terminology#related) Was this helpful? --- # Upgrading a library | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/upgrading-a-library.md) . In you've updated your instance and didn't see the changes on a loaded library, you can do the following to refresh the library to the latest version: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-9ddc9c99e2fb6891d3f0aa47d1bf7264675fd191%252Fscsh-2025-01-01-10.09.59.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=472572a9&sv=2) This also applies to custom framework as long as you respect the incremental step of the library's version. [PreviousLibrary upgrade](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/library-upgrade) [NextLibrary clean-up](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries/library-cleanup) Last updated 1 month ago Was this helpful? Was this helpful? --- # User groups | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/user-groups.md) . For now, it is not possible to create custom role assignments so you need to use built-in user groups. They are linking a domain with a role which contains precise permissions, that will be given to users in this group. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/user-groups#roles) Roles Let's give some details on the 5 built-in roles: Role Permissions Administrator full access (except approval), and specifically management of domains, users and users rights Domain manager full access to selected domains (except approval), in particular managing rights for these domains. Read access to global objects Analyst read-write access to selected perimeters/domains. Read access to global and domain objects Reader read access to selected perimeters/domains Approver like reader, but with additional capability to approve risk acceptances Respondent see [Assignments / respondent mode](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/assignments) for more details Django superuser is given administrator rights automatically on startup. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/user-groups#global-user-groups) Global user groups Once your instance is created, five user groups are already present: * Global - Administrator * Global - Analyst * Global - Reader * Global - Approver * Global - Respondent They give corresponding permissions on Global scope so on every object of your instance. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/user-groups#domain-user-groups) Domain user groups They are created for each domain you add. For example, if you create a domain _R&D_, there will be: * R&D - Domain Manager * R&D - Analyst * R&D - Reader * R&D - Approver * R&D - Respondent They give corresponding permissions on the domain scope so on every object inside _R&D_. [PreviousAdd and manage users](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/users) [NextCustom roles](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/custom-roles) Last updated 1 month ago Was this helpful? * [Roles](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/user-groups#roles) * [Global user groups](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/user-groups#global-user-groups) * [Domain user groups](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/organization/user-groups#domain-user-groups) Was this helpful? --- # SAML | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/sso/saml.md) . Please note: if OIDC mode has ben configured before, you must **reset the Client ID field to** `**0**` **in the OIDC tab and save** before proceeding. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-2f62c048bd6f9fa550d2c4b8243933528305d348%252Fimage%2520%2811%29.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=989ab44a&sv=2) Failure to do so will prevent proper SAML configuration. This behavior is known and will be addressed in future releases. General configuration Advanced settings ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/sso/saml#configure-ciso-assistant-with-saml) Configure CISO Assistant with SAML Once you've retrieved the **IdP Entity ID,** the **Metadata URL** and the **Entity ID** from your provider (see the list of providers for specific details), the configuration on CISO Assistant is pretty simple. 1. Log in into CISO Assistant as an **administrator > Extra > Settings** ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-7aaf14a372e2c23052887a6fcb7a219a579f101a%252FScreenshot%25202024-09-02%252012.31.25.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=6f017a9f&sv=2) 2. **Enable SSO** ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-354a9567ee3386367180f24b6eb5993b631f5587%252FScreenshot%25202024-09-02%252012.32.06.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=7c52cf47&sv=2) 3. Enter the **Idp Entity ID** ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-ac0413f3859e068f8d06c3f8de10188033a24ac2%252FScreenshot%25202024-09-02%252012.32.42.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=3def4320&sv=2) 4. Choose the option 1 or 2 depending of your provider and fill **Metadata URL** or **SSO URL**, **SLO URL**, **x509 certificate** retrieved from your provider ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-c4c21f046dec49f3d48dc717782b598de89d4f54%252FScreenshot%25202024-09-02%252012.33.52%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=8447244&sv=2) 5. Check that the **SP Entity ID** is similar to the **Entity/Client ID** specified on your provider ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-23de0b75f8d883f8d5b65fc20f9011fd6c3436c9%252Fciso-sso-step-4.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=d27d9d23&sv=2) 6. And that's it! Don't forget to save changes 7. You should now be able to see the **Login with SSO** button ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-887d7b79f3b5342213f99ac1ea3b82b257f00ea1%252Fciso-sso-step-6.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=5dfae277&sv=2) * **Allow single label domains**: This allows you to authenticate through SAML on a single-label domain (e.g. `https://ciso-assistant:8443`). If this is left unchecked, the only host forms allowed are: * IPv4 * IPv6 * FQDN (e.g. https://www.example.com/) * `localhost` * **Authn request signed**: allows the Service Provider (SP) to digitally sign the SAML authentication request sent to the Identity Provider (IdP). This option should be enabled if your IdP requires signed authentication requests or if you are looking to enforce additional security on SAML authentication flows: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-072088cebd75af5688cf9f2e6007a30d3a3d2705%252Fimage%2520%2883%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=3fef7151&sv=2) Be aware that the user needs to be created on CISO Assistant to be authenticated with SSO. [PreviousSSO](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/sso) [NextOpenID Connect (OIDC)](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/sso/oidc) Last updated 1 month ago Was this helpful? Was this helpful? --- # Google Workspace | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/sso/identity-providers/google-workspace.md) . Google Workspace doesn't allow callbacks to urls containing `http` or `localhost` so it can be tricky to test it locally. You should deploy CISO Assistant with a FQDN to bypass these restrictions. Go into **Google Workspace Admin console** 1. On the sidebar menu, go to **Applications** > **Web and mobile applications** ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-ad97d977a05ab89226844dda9074ceb4c8ce8612%252Fimage%2520%2819%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=5bab895f&sv=2) 2. Click on **Add an application** > **Add a custom SAML Application** ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-a59ab5998ababe1b532a113f411905cb7fb1dbb2%252Fimage%2520%2820%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=5e66fc70&sv=2) 3. Enter **ciso-assistant** or the name of your choice and click on **continue** ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-a7969a361530b83fe9354319706fc5060ac0d309%252Fimage%2520%2823%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=1f24e679&sv=2) 4. You can copy the **SSO URL**, **Entity Id** and **x509 certificate** here but you'll be able to retreive them later ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-11ffa3f2f041bc379ba195220a42a62f53342ea2%252Fimage%2520%2824%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=d4ede5de&sv=2) 5. Fill **ACS URL** with `/api/accounts/saml/0/acs/`, enter the **Entity ID** which has to be the same than **SP entity Id** in CISO Assistant (**ciso-assistant** by default) and choose **Email** in **Name ID Format** ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-9f31bb45d0455be9e9a7fd03715a3308eb20e1e5%252Fimage%2520%2825%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=291591&sv=2) 6. Add two mappings for **First name** and **Last Name**, fill them with those two values: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-1dafc8125d1030c22c660f317046dddc0c58b7a6%252Fimage%2520%2826%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=46986edb&sv=2) 7. On application home page, you can now find the **Entity ID**, **SSO URL** and **x509 certificate** ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-e49fa572cf01c609586b00d9cea724e072cd5a78%252Fimage%2520%2827%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=5e2cbe16&sv=2) Add a user in your application doesn't automatically create the user on CISO Assistant You can now [configure CISO Assistant](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/sso/saml#configure-ciso-assistant-with-saml) with the **3 parameters** you've retrieved. [PreviousOkta](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/sso/identity-providers/okta) [NextKeycloak](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/sso/identity-providers/keycloak) Last updated 1 month ago Was this helpful? Was this helpful? --- # Analytics | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/analytics.md) . The main page to track your perimeters over time. You can focus on risk or compliance via their respective tabs, or take a global view from the governance one. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-b503d04479a4ebd60743704b5086e24b72418c59%252Fscreenshot-2024-03-20-16-13-24.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=406c6ed7&sv=2) Governance tab At the bottom of the governance tab, you'll find an applied-controls ranking score and a watch list to warn you about upcoming deadlines on applied controls or risk acceptances. The applied-controls ranking score table is there to help you prioritise. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-1b3f28e833fdaffb9ac4dcf80c95a5cdf797153b%252Fscreenshot-2024-03-20-16-13-30.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=38fcb0c4&sv=2) Focus on watch list [PreviousCatalogue overview](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/features) [NextControls autosuggestion](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/controls-autosuggestion) Last updated 1 month ago Was this helpful? Was this helpful? --- # Mappings | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/mappings.md) . One common challenge when dealing with audits is reusing your assessment on one framework to move to a different one. This is commonly referred to as **mapping** or **crosswalk** between standards. CISO Assistant supports this capability and lets you create a projection of the content of an audit, given that a mapping is available. Mappings are library objects that can be customised, imported, and submitted to the community. To see the available ones, head to the libraries store and filter to mapping: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-9b342c38da351e0b5289c8b9ca07b63d7f14cef4%252Fimage%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=43dd6cd3&sv=2) Mappings library filter view Mappings are essentially a representation of the links between assessable nodes of a framework, using the convention documented on NIST's OLIR project. A mapping is a directed graph linking a SRC framework to a TGT framework, where the nodes can have one of the following relationships: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-4bd053b54b3d6cad5b779536f7e70965ff4e6e99%252Fimage%2520%282%29%2520%281%29%2520%281%29%2520%281%29%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=6e54bd77&sv=2) Example mapping relationship types between framework nodes To create your own, follow one of the examples under `/tools` in the repository, or bootstrap a starter using the `prepare_mapping` script. To apply a mapping, first load it from the library. Then head to your audit, click `apply mapping`, select the targeted framework, and watch the projection get created. The list of targets isn't limited to frameworks you mapped directly. If a mapping exists from your framework to a pivot (e.g. ISO 27001) and from that pivot to another framework, the engine **chains them automatically** and offers the far framework as a target too — no dedicated crosswalk required. See [transitive inference](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/catalog/mappings#transitive-inference-pivot-mappings) for how chained coverage is computed. > The apply-mapping feature can also be reused to clone an audit and create a new revision, if the same framework and same scope are selected. [PreviousEvidences from clipboard](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/evidences-from-clipboard) [NextMapping explorer](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/mapping-explorer) Last updated 1 month ago Was this helpful? Was this helpful? --- # Catalogue overview | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/features.md) . A running index of CISO Assistant's shipped features. Each page describes what the feature does and how to use it. > The catalogue is being populated. New entries are added as features ship. [PreviousCommon TPRM pitfalls](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/third-party/tprm-challenges) [NextAnalytics](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/analytics) Last updated 1 month ago Was this helpful? Was this helpful? --- # Settings | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings.md) . The **Settings** page in CISO Assistant is where instance-wide configuration lives — the dials and switches that affect everyone using the platform, regardless of which domain or perimeter they're in. Settings are grouped into the following categories: * [**General settings**](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/general) — display preferences, default language, currency and daily rate, AI/LLM provider configuration, retention defaults, and a handful of behavioural toggles (self-validation, MFA enforcement, external-link warnings). * [**Feature flags**](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/feature-flags) — toggles that turn whole product areas on or off. Use these to tailor the UI to what your team actually needs and to keep advanced or experimental capabilities out of sight until you want them. * [**Vulnerability SLA policy**](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla) — the remediation deadlines (in days) that apply to vulnerabilities by severity, and the anchor date used to compute the clock. * [**Security intelligence feeds**](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds) — switches for the optional external feeds (KEV, EPSS, NVD enrichment) and the network timeout the platform uses when reaching them. * [**Branding**](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/branding) _(PRO)_ — replace the default logo, favicon, and client name with your organisation's identity. * [**Custom templates**](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/custom-templates) _(PRO)_ — override the subject and body of system emails, and the `.docx` templates used for document exports. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings#permissions) Permissions --------------------------------------------------------------------------------------------------------------- Editing settings requires the `change_globalsettings` permission. In practice, this means a Domain Manager on the global domain or an equivalent custom role. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings#scope) Scope --------------------------------------------------------------------------------------------------- Settings on this page are **global** — they apply to the whole instance. Domain-level overrides aren't available at this layer; if you need per-domain behaviour, look at the relevant domain or perimeter's own settings. [PreviousOverview](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/configuration) [NextGeneral settings](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/general) Last updated 1 month ago Was this helpful? * [Permissions](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings#permissions) * [Scope](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings#scope) Was this helpful? --- # Helm Chart | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart.md) . The chart lives at `oci://ghcr.io/intuitem/helm-charts/ce/ciso-assistant`. Source: [`charts/ciso-assistant-next/`](https://github.com/intuitem/ciso-assistant-community/tree/main/charts/ciso-assistant-next/README.md) in the repo. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#prerequisites) Prerequisites --------------------------------------------------------------------------------------------------------------------------------------- * A Kubernetes cluster you have admin access to. * `helm` 3.8+ (OCI registries require 3.8 or newer). * `kubectl` configured for the target cluster. * An ingress controller if you want to expose the app externally. * A persistent storage class (defaults work on most managed clusters). [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#install) Install --------------------------------------------------------------------------------------------------------------------------- 1. **Pull the default values** into a working file: Copy helm show values oci://ghcr.io/intuitem/helm-charts/ce/ciso-assistant > custom.yaml 2. **Customise** `custom.yaml`. The most important settings: * `global.domain` — the hostname your instance will serve on. * `global.tls` — set to `true` if you're serving over HTTPS. * `ingress.enabled` and `ingress.tls.*` — enable + configure the ingress. * `backend.config.djangoSecretKey` — **rotate from the default** `**changeme**`. * `backend.config.databaseType` — `sqlite` (default, single-pod), `pgsql` (bundled PostgreSQL via Bitnami subchart), or `externalPgsql`. * `postgresql.*` — when using the bundled PostgreSQL. * `externalPgsql.*` — when pointing at your own PostgreSQL instance. * `backend.config.smtp.*` — outgoing email configuration. The chart README in the repository carries the full values table (`charts/ciso-assistant-next/README.md`) — refer to it for every key with its default and description. 3. **Pin the appVersion** to a published release if you want predictable upgrades. Set `global.image.tag` in `custom.yaml` to the version you tested against (e.g. `v3.18.2`). Leaving it empty pins to the chart's `appVersion`, which moves with the chart. 4. **Create a namespace and install**: Copy kubectl create ns ciso-assistant helm install ciso-assistant-release oci://ghcr.io/intuitem/helm-charts/ce/ciso-assistant \ -f custom.yaml \ -n ciso-assistant [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#verify) Verify ------------------------------------------------------------------------------------------------------------------------- The backend pod runs migrations on startup; allow it ~30s before checking the frontend. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#ai-assistant-chat-rag) AI assistant (chat / RAG) ----------------------------------------------------------------------------------------------------------------------------------------------------------- The in-product AI assistant needs two things wired in the chart: the `ENABLE_CHAT` flag on the backend and a reachable [Qdrant](https://qdrant.tech/) vector database for retrieval-augmented generation. Setting `qdrant.enabled: true` deploys the official [Qdrant chart](https://github.com/qdrant/qdrant-helm) as a dependency (a StatefulSet with persistent storage and health probes) and injects `QDRANT_URL` automatically. Notes: * Any key under `qdrant:` is passed through to the Qdrant subchart (e.g. `qdrant.persistence.size`, `qdrant.resources`). Persistence is on by default; see the [subchart values](https://github.com/qdrant/qdrant-helm/tree/main/charts/qdrant) for all options. * The Qdrant subchart is bundled inside the published chart, so installing needs no access to the Qdrant Helm repo. Air-gapped clusters still pull the **Qdrant image** at runtime: mirror it and override `qdrant.image.repository` (same as for the backend/frontend images). * To point at an **external** Qdrant instead of the bundled one, leave `qdrant.enabled: false` and set `QDRANT_URL` through `backend.env` and `backend.huey.env`. * The **LLM provider** (Ollama or any OpenAI-compatible endpoint, model, base URL) is configured from the in-app **Settings → Chat/AI** section, not from the chart. LLM inference is heavy; point it at a GPU-backed endpoint. * The Qdrant collection and the indexes are **not** created automatically. After the pods are up, run the indexing commands once from the backend pod (`init_qdrant` creates the collection, `index_objects` indexes your existing risk/control/asset records, `index_libraries` indexes the framework libraries): [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#custom-ca-certificates) Custom CA certificates --------------------------------------------------------------------------------------------------------------------------------------------------------- If your pods need to trust an internal CA (for SMTP, SSO, or any outbound TLS service signed by a private authority), provide **just your CA** in a secret. Trust is added on top of the default roots, not replaced, so public CAs keep working: * Backend and Huey (Python): an init container concatenates the system CA bundle with your CA into a shared bundle, and `SSL_CERT_FILE` / `REQUESTS_CA_BUNDLE` point at it. * Frontend (Node): `NODE_EXTRA_CA_CERTS` points at your CA, which Node adds to its built-in roots. The backend init container writes the merged bundle to an `emptyDir`. If you also harden the pod to run as a non-root user (`global.securityContext.runAsNonRoot` / per-component `runAsUser`), set an `fsGroup` so that user can write the volume: [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#network-policy) Network policy ----------------------------------------------------------------------------------------------------------------------------------------- To restrict pod traffic, enable the bundled `NetworkPolicy` and pass your own ingress/egress rules. The policy selects all pods of the release by default, so your rules must also allow the **internal** flows the app relies on: the frontend BFF calls the backend (`PUBLIC_BACKEND_API_URL`) server-side, and the backend reaches Qdrant. Forgetting these blocks the app even though the ingress controller can reach it. Replace `ciso-assistant-release` below with your Helm release name. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#upgrade) Upgrade --------------------------------------------------------------------------------------------------------------------------- Chart upgrades are normally additive: new capabilities ship as new values keys, and existing keys are not removed or renamed within a major chart version, so your current `custom.yaml` keeps working as-is. New features are **opt-in and off by default** — if you don't set their keys, nothing changes in that area. When a breaking change to the values shape is unavoidable, it is released under a new **major chart version** and the required migration steps are documented in the release notes. Read them before upgrading across a major version. The main thing to manage on upgrade is the **application version**. If you did not pin `global.image.tag`, the images move to the chart's `appVersion` on the next `helm upgrade`. Pin the tag to the version you tested and review the [release notes](https://github.com/intuitem/ciso-assistant-community/releases) for the range you're crossing. Database migrations run automatically on backend startup, so no manual schema step is needed. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#uninstall) Uninstall ------------------------------------------------------------------------------------------------------------------------------- PostgreSQL persistent volumes are **not** deleted automatically when using the bundled subchart. Inspect with `kubectl get pvc -n ciso-assistant` and remove manually if you want a clean slate. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#legacy) Legacy ------------------------------------------------------------------------------------------------------------------------- > **Note:** The old Helm repository (`intuitem.github.io/ca-helm-chart`) is no longer maintained. The values shape changed substantially between the legacy `charts/ciso-assistant/` chart and the current `charts/ciso-assistant-next/` chart (`frontendOrigin` → `global.domain`, no `clientName`/`clusterDomain` shorthand, separate ingress block). New installs should use the OCI registry above. [PreviousDeploy on a VPS](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/vps) [NextPost-install setup](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup) Last updated 17 days ago Was this helpful? * [Prerequisites](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#prerequisites) * [Install](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#install) * [Verify](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#verify) * [AI assistant (chat / RAG)](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#ai-assistant-chat-rag) * [Custom CA certificates](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#custom-ca-certificates) * [Network policy](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#network-policy) * [Upgrade](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#upgrade) * [Uninstall](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#uninstall) * [Legacy](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/helm-chart#legacy) Was this helpful? Copy kubectl get pods -n ciso-assistant kubectl get ingress -n ciso-assistant Copy backend: config: chat: enabled: true # sets ENABLE_CHAT on the backend and Huey worker qdrant: enabled: true # deploys the Qdrant subchart and injects QDRANT_URL Copy POD="deploy/ciso-assistant-release-backend" kubectl exec -n ciso-assistant $POD -c backend -- uv run python manage.py init_qdrant kubectl exec -n ciso-assistant $POD -c backend -- uv run python manage.py index_objects kubectl exec -n ciso-assistant $POD -c backend -- uv run python manage.py index_libraries --sync Copy kubectl create secret generic my-ca -n ciso-assistant --from-file=ca.crt=./internal-ca.crt Copy global: extraCerts: enabled: true secretName: my-ca fileName: ca.crt mountPath: /etc/ssl/extra-certs Copy global: securityContext: fsGroup: 1001 Copy networkPolicy: enabled: true policyTypes: - Ingress ingress: # internal traffic between CISO Assistant pods (frontend -> backend, backend -> qdrant) - from: - podSelector: matchLabels: app.kubernetes.io/instance: ciso-assistant-release # the ingress controller reaching the frontend and backend - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: ingress-nginx Copy helm upgrade ciso-assistant-release oci://ghcr.io/intuitem/helm-charts/ce/ciso-assistant \ -f custom.yaml \ -n ciso-assistant Copy helm uninstall ciso-assistant-release -n ciso-assistant --- # Scoring Assistant | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/scoring-assistant.md) . Trouble assessing your risk? Based on the [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) , the scoring assistant helps you determine the risk level for your scenario. Choose between **technical** or **business** impact and answer the questions. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-de5ee06763a2acddc4ad5b4fc754f1d36e9149ac%252Fscreenshot-2024-03-19-14-15-23.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=31a616c1&sv=2) Score assistant [PreviousX-rays](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/x-rays) [NextAssignments / respondent mode](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/assignments) Last updated 1 month ago Was this helpful? Was this helpful? --- # Multi-Factor Authentication (MFA) | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa.md) . CISO Assistant supports two second-factor methods, and both can be enrolled on the same account: * **TOTP** — time-based one-time passwords generated by an authenticator app on your phone (Google Authenticator, Microsoft Authenticator, 1Password, Authy, Bitwarden, …). * **Security keys (WebAuthn)** — hardware tokens (YubiKey, Titan, SoloKey, …), platform authenticators (fingerprint readers, Windows Hello, Touch ID, Face ID), and passkeys. Anything that speaks FIDO2 / WebAuthn works. Recovery codes are always issued alongside the chosen method so you can regain access if you lose both your phone and your security key. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#prerequisites) Prerequisites -------------------------------------------------------------------------------------------------------------- Pick at least one of the following: * A smartphone with an authenticator app installed (for TOTP), **or** * A WebAuthn-capable device — a hardware security key, or a platform authenticator like a fingerprint reader, Windows Hello, Touch ID, or a passkey-capable browser. Plus, of course, access to your account settings on CISO Assistant. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#enable-totp-authenticator-app) Enable TOTP (authenticator app) ------------------------------------------------------------------------------------------------------------------------------------------------ 1. Sign in to your account and navigate to **My profile**. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-d89154c5c4f4657e1d436ce0a8118d3c6cad9d72%252Fimage%2520%2828%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=356f68c2&sv=2) 1. Select **Settings**. 2. Look for the Security section and click **Enable 2FA**. 3. Set up your authenticator app: * Open the app on your smartphone. * Scan the QR code displayed on screen. * Alternatively, enter the provided secret code manually. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-f15b8fdd0b6b2a95736e0674de17f728f3d21198%252Fimage%2520%2831%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=f62bd439&sv=2) 4. Enter the 6-digit verification code shown in your authenticator app. 5. Click **Enable 2FA** to complete the setup. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#enable-a-security-key-webauthn) Enable a security key (WebAuthn) -------------------------------------------------------------------------------------------------------------------------------------------------- 1. Sign in and navigate to **My profile → Settings**. 2. In the Security section, choose to enrol a security key. 3. When the browser prompts you, present the authenticator: * **Hardware key** — insert it and tap when it blinks. * **Platform authenticator** — confirm via fingerprint, face recognition, or device PIN. * **Passkey** — pick the existing passkey from your password manager. 4. Give the credential a recognisable name (e.g. "YubiKey blue", "MacBook Touch ID") so you can identify it later if you enrol several. You can enrol multiple credentials on the same account — common patterns are a hardware key as the primary and a phone/passkey as the backup, or one key kept at the office and another at home. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#important-save-your-recovery-codes) Important: save your recovery codes --------------------------------------------------------------------------------------------------------------------------------------------------------- After enabling MFA, you'll receive a set of recovery codes. These codes are crucial for regaining access to your account if you: * Lose your phone or security key * Uninstall your authenticator app * Cannot reach any of your enrolled second factors **Security Warning**: * Store your recovery codes in a secure location, separate from your password * Each recovery code can only be used once * Never share your recovery codes with anyone * Consider storing a copy both digitally (in a password manager) and physically (printed in a secure location) ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-91cf64cc3b864c29ad0d8131eeedb81d273bae1f%252Fimage%2520%2832%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=5951d81a&sv=2) [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#admin-recovery-disabling-another-users-mfa) Admin recovery: disabling another user's MFA -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If a user has lost access to every enrolled second factor (phone wiped, hardware key lost) **and** has no recovery codes left, an administrator can disable their MFA from the user's edit page: 1. Sign in as an administrator and navigate to **Organization → Users**. 2. Open the affected user and click **Edit**. In the security section of the edit page, click **disable their MFA**. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-2dfa36bfd184802582194bae1a04e94d6bdf8de8%252Fmfa-in-settings.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=ad4c2cc6&sv=2) The "Disable MFA" link on a user's edit page (visible only to admins, when the target user has MFA enabled). 1. On the confirmation page, type the confirmation word shown on screen (the localized word for "yes") and submit. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-2c057105bec44af21b4d4ebaf6cafb83a0f0bb33%252Fmfa-disable-confirmation.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=b70c0e7b&sv=2) The confirmation page requires typing the localized confirmation word shown on screen before MFA can be disabled. All of the user's MFA authenticators (TOTP, WebAuthn credentials, recovery codes) are removed. The user will need to enable MFA again on their next login. **Audit notes:** * Every admin MFA disable is logged on the backend (admin id/email, target id/email, number of authenticators removed). * The link is hidden on your own edit page — to disable your own MFA, use the standard MFA settings page on **My profile → Settings**. * Only users in the built-in Global - administrator group can disable another user's MFA. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#logging-in-with-mfa) Logging in with MFA -------------------------------------------------------------------------------------------------------------------------- When MFA is enabled, the login flow asks for a second factor after the password. If you've enrolled both a security key and TOTP, the platform prefers the security key prompt by default and offers a "use authenticator app instead" link as a fallback. Either method completes the sign-in. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#next-steps) Next steps -------------------------------------------------------------------------------------------------------- * Test your MFA setup by logging out and back in. * If you enrolled a hardware key, **enrol a backup** (a second key, a passkey, or TOTP) — losing the only one is the most common lockout scenario. * Reach out for support if you encounter any issues during setup. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#enforce-mfa-for-all-users) Enforce MFA for all users -------------------------------------------------------------------------------------------------------------------------------------- Starting v3.13.0 you can enforce MFA for all users by enabling this flag. Users will see a persistent redirect to the MFA configuration page until enrolment is done. The feature doesn't interfere with SSO as long as the user doesn't have both a local account and an SSO one. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-abee3d103509ac87f9c640be7b6833e96ff972a1%252Fimage%2520%2881%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=2dbc2ba4&sv=2) [PreviousKeycloak](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/sso/identity-providers/keycloak) [NextLibraries](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/libraries) Last updated 12 days ago Was this helpful? * [Prerequisites](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#prerequisites) * [Enable TOTP (authenticator app)](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#enable-totp-authenticator-app) * [Enable a security key (WebAuthn)](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#enable-a-security-key-webauthn) * [Important: save your recovery codes](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#important-save-your-recovery-codes) * [Admin recovery: disabling another user's MFA](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#admin-recovery-disabling-another-users-mfa) * [Logging in with MFA](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#logging-in-with-mfa) * [Next steps](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#next-steps) * [Enforce MFA for all users](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/mfa#enforce-mfa-for-all-users) Was this helpful? --- # Documents | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/documents.md) . [Authoring documents](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/documents/authoring-documents) [Document templates](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/documents/document-templates) [PreviousManaging a responsibility matrix](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/programme-management/responsibility-matrix) [NextAuthoring documents](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/documents/authoring-documents) Last updated 23 minutes ago Was this helpful? Was this helpful? --- # Setting up mailer | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer.md) . ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#environment-variables) Environment variables Copy EMAIL_HOST=smtp.example.com EMAIL_PORT=465 EMAIL_HOST_USER=noreply@example.com EMAIL_HOST_PASSWORD= DEFAULT_FROM_EMAIL=noreply@example.com # Pick ONE of the two (not both): EMAIL_USE_SSL=True # SMTPS (typically port 465) EMAIL_USE_TLS=False # or EMAIL_USE_SSL=False EMAIL_USE_TLS=True # STARTTLS (typically port 587) For local development you can run [MailHog](https://github.com/mailhog/MailHog) and point `EMAIL_HOST` at it with both flags set to `False`. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#tls-certificate-requirements-3.16) TLS certificate requirements (3.16+) Since 3.16, the backend image runs **rootless** and **read-only**, and ships with a recent Python/OpenSSL stack that enables strict X.509 verification (`VERIFY_X509_STRICT` + `VERIFY_X509_PARTIAL_CHAIN`). This has two consequences: 1. The old recipe of running `update-ca-certificates` from `command:` in `docker-compose.yaml` **no longer works** — it requires root and write access to `/etc/ssl/certs/`, both denied by the new container. See the deprecated section below if you are still on an older image. 2. Every certificate in the chain presented by your SMTP server must satisfy the strict checks. A single non-compliant intermediate will fail the whole verification. Your SMTP server certificate **and every certificate in its chain** must include: * **BasicConstraints** — `CA:FALSE` on the leaf, `CA:TRUE` on intermediates and root * **KeyUsage** — at minimum `digitalSignature, keyEncipherment` on the leaf * **Authority Key Identifier (AKI)** — on every cert in the chain, not only the leaf * a complete `fullchain` (leaf + intermediates), served in order by the SMTP server If you get an error like: regenerate the offending certificate with the missing extension. Inspect a cert with: ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#trusting-a-private-self-signed-ca) Trusting a private / self-signed CA You cannot modify the system trust store at runtime anymore. Instead, mount a PEM file containing the CA(s) to trust and point OpenSSL at it via `SSL_CERT_FILE`: How it works: * Django's mailer goes through `smtplib`, which builds its TLS context with `ssl.create_default_context()`. * That function asks OpenSSL to load its default trust store. * When `SSL_CERT_FILE` is set, OpenSSL uses **that file instead** of the system bundle (`/etc/ssl/certs/ca-certificates.crt`). Requirements for the bundle file: * A **single PEM file**, concatenating your root CA and any intermediates needed to validate the SMTP server's chain. * Each cert in the bundle must itself satisfy the strict X.509 checks listed above (BasicConstraints, KeyUsage, AKI). `REQUESTS_CA_BUNDLE` is only honored by the `requests`/`urllib3` libraries (used by outbound HTTP calls such as OIDC/SAML metadata fetch). It has **no effect on SMTP**, so you don't need to set it for the mailer. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#verifying-the-setup) Verifying the setup From the backend container: A clean `(250, b'2.0.0 OK')` means TLS and trust are correctly configured. Any `SSL: CERTIFICATE_VERIFY_FAILED` will name the missing extension or the failing cert. You can also trigger a password reset from the UI and watch the backend logs — failures are logged at `iam.models` with `email_host`, `email_port`, and the underlying SSL error. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#deprecated-rescue-mailer) Deprecated: rescue mailer The `EMAIL_*_RESCUE` variables (a secondary mailer used as fallback) are deprecated and will be removed in a future release. They are not a workaround for TLS issues — fix the certificate instead. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#deprecated-update-ca-certificates-recipe-pre-3.16) Deprecated: `update-ca-certificates` recipe (pre-3.16) This section is kept for users still on backend images older than 3.16. **Do not use it on 3.16+** — the recipe silently fails on the rootless/read-only container. Use the CA bundle method instead. Older versions ran the container as root with a writable filesystem, which allowed mounting a CA at runtime and refreshing the trust store from `command:`: When upgrading to 3.16+, remove the `command:` override and switch to the CA bundle method above. [PreviousSetting up S3](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/s3) [NextPrometheus metrics](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics) Last updated 1 month ago Was this helpful? * [Environment variables](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#environment-variables) * [TLS certificate requirements (3.16+)](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#tls-certificate-requirements-3.16) * [Trusting a private / self-signed CA](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#trusting-a-private-self-signed-ca) * [Verifying the setup](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#verifying-the-setup) * [Deprecated: rescue mailer](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#deprecated-rescue-mailer) * [Deprecated: update-ca-certificates recipe (pre-3.16)](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/mailer#deprecated-update-ca-certificates-recipe-pre-3.16) Was this helpful? Copy [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1081) Copy openssl x509 -in cert.pem -noout -text | grep -A1 "Authority Key Identifier\|Basic Constraints\|Key Usage" Copy services: backend: image: ghcr.io/intuitem/ciso-assistant-community/backend:3.16.1 environment: - EMAIL_HOST=smtp.example.com - EMAIL_PORT=465 - EMAIL_USE_SSL=True - EMAIL_USE_TLS=False - SSL_CERT_FILE=/certs/ca-bundle.pem volumes: - ./ca-bundle.pem:/certs/ca-bundle.pem:ro Copy python -c "import smtplib, ssl; \ ctx = ssl.create_default_context(); \ s = smtplib.SMTP_SSL('smtp.example.com', 465, context=ctx); \ print(s.noop()); s.quit()" Copy services: backend: image: ghcr.io/intuitem/ciso-assistant-community/backend: environment: - EMAIL_HOST=smtp.example.com - EMAIL_PORT=465 - EMAIL_USE_SSL=True - SSL_CERT_FILE=/etc/ssl/certs/smtp.example.com.pem volumes: - ./smtp-fullchain.crt:/etc/ssl/certs/smtp.example.com.pem:ro command: | sh -c 'update-ca-certificates && ' --- # Vulnerability SLA policy | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla.md) . The Vulnerability SLA policy defines, by severity, how many days a vulnerability is allowed to remain open before it breaches the organisation's service-level agreement. The platform uses this policy to compute remediation deadlines, surface overdue vulnerabilities, and feed SLA dashboards. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla#anchor) Anchor ----------------------------------------------------------------------------------------------------------------------- * **SLA anchor** — the date used as `day 0` when computing the deadline. Two options: * `detected_at` — the date the vulnerability was first recorded in CISO Assistant (default). * `published_date` — the date the vulnerability was publicly disclosed (relevant when working from CVE feeds). The choice matters: `published_date` tightens deadlines for vulnerabilities that were known publicly before you imported them; `detected_at` gives a fresh clock starting from import. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla#deadlines-by-severity) Deadlines by severity ----------------------------------------------------------------------------------------------------------------------------------------------------- For each severity level, set the number of days allowed to remediate. Leave a field empty (null) to mean _no policy at this severity_. * **Critical** — typically the tightest (e.g. 7-14 days). * **High** — typically 30 days. * **Medium** — typically 60-90 days. * **Low** — typically 180+ days, or unset. * **Info** — usually unset; informational entries aren't on a clock. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla#behaviour) Behaviour ----------------------------------------------------------------------------------------------------------------------------- * Vulnerabilities whose `anchor_date + deadline_days` is in the past are flagged as **SLA breached**. * Severity is read from the vulnerability record itself; the policy is a lookup, not a per-vulnerability field. * Changes to the policy apply going forward _and_ retroactively recompute the breach status of existing vulnerabilities. [PreviousFeature flags](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/feature-flags) [NextSecurity intelligence feeds](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds) Last updated 1 month ago Was this helpful? * [Anchor](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla#anchor) * [Deadlines by severity](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla#deadlines-by-severity) * [Behaviour](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla#behaviour) Was this helpful? --- # Getting started | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/getting-started.md) . [Initial setup](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/getting-started/initial-setup) [Creating your first perimeter](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/getting-started/first-perimeter) [Creating your first audit](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/getting-started/first-audit) [Creating your first risk assessment](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/getting-started/first-risk-assessment) [PreviousGeneral tips](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/general-tips) [NextInitial setup](https://intuitem.gitbook.io/ciso-assistant/product-docs/guides/getting-started/initial-setup) Last updated 1 month ago Was this helpful? Was this helpful? --- # Kanban mode | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode.md) . **Kanban mode** lays out the applied controls as a status board — one column per status, one row (swimlane) per domain. It's the view to reach for when you're driving execution: moving controls forward visually and spotting which domain is sitting on the most "in progress" work. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode#where-to-find-it) Where to find it ----------------------------------------------------------------------------------------------------------------------- Open the controls table (`/applied-controls`) and click the **table-columns icon** in the toolbar, next to the flash-mode and analytics buttons. The active table filters are carried over. Kanban mode is currently only available for applied controls. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode#layout) Layout --------------------------------------------------------------------------------------------------- * **Columns** — one per status: `--` (unset), To do, In progress, On hold, Active, Degraded, Deprecated. The column header shows a running count of controls in that status across all swimlanes. * **Swimlanes** — one per domain. Each swimlane can be collapsed or expanded; the swimlane header shows the per-domain count. * **Cards** — one per control. Each card shows name, priority badge (P1–P4 with colour), owner initials, and ETA (highlighted red when overdue, except for `active` or `deprecated` controls which are never flagged overdue). * **Compact mode** — a toggle in the page header reduces card detail to fit more controls on screen. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode#moving-cards) Moving cards --------------------------------------------------------------------------------------------------------------- Drag a card to a different **status column** to update its status — the change is saved immediately. Drag a card to a different **swimlane** to reassign its domain. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode#other-view-modes-for-applied-controls) Other view modes for applied controls ----------------------------------------------------------------------------------------------------------------------------------------------------------------- * [**Applied controls analytics**](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/applied-controls-analytics) — chart-pie dashboard with counts, cost, ETA buckets, and top owners. * [**Flash mode**](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/flash-mode) — flashcards for rapid posture establishment. All three share the same filter passthrough from the table. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode#related) Related ----------------------------------------------------------------------------------------------------- * [Applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/concepts/operations/applied-controls) * [Sync to actions](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/sync-to-actions) — how controls flow into the action plan from assessments [PreviousFlash mode](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/flash-mode) [NextApplied controls analytics](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/applied-controls-analytics) Last updated 1 month ago Was this helpful? * [Where to find it](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode#where-to-find-it) * [Layout](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode#layout) * [Moving cards](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode#moving-cards) * [Other view modes for applied controls](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode#other-view-modes-for-applied-controls) * [Related](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/kanban-mode#related) Was this helpful? --- # Branding | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/branding.md) . Available on the PRO plan. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/branding#branding) Branding ------------------------------------------------------------------------------------------------------------------ Branding settings let you replace the default CISO Assistant visuals with your organisation's identity — useful when the platform is deployed for end-customers, when a parent company hosts multiple subsidiaries, or simply to align the UI with internal design guidelines. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/branding#settings) Settings * **Client name** — the display name used in headings and email signatures. * **Logo** — replaces the default product logo in the header. Accepted formats: `.png`, `.jpeg`, `.jpg`, `.webp`, `.svg`. * **Favicon** — replaces the browser-tab icon. Accepted formats: `.ico`, `.png`, `.jpeg`, `.jpg`, `.webp`, `.svg`. * **Show images to unauthenticated users** — when on (default), the logo and favicon are visible on the login screen and other pre-authentication pages. Turn off to keep branding gated behind authentication. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/branding#operational-notes) Operational notes * Logo and favicon are stored as files inside the instance, not as external URLs. Upload them through the Settings UI rather than editing the database directly. * The platform serves a content-hash header alongside each image so browser caches stay coherent when the file is replaced. [PreviousAllowed IP whitelist](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/infra-config-allowed-ip) [NextCustom templates](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/custom-templates) Last updated 1 month ago Was this helpful? * [Branding](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/branding#branding) * [Settings](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/branding#settings) * [Operational notes](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/branding#operational-notes) Was this helpful? --- # Structured logging | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging.md) . [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#overview) Overview ------------------------------------------------------------------------------------------------------------------------------------- The three runtime processes each write their operational logs to standard output, where your container runtime or log shipper collects them: * **Backend** (Django API) * **Worker** (the Huey background task process) * **Frontend** (the SvelteKit server-side process) By default the output is a human-readable, colourised format meant for reading in a terminal. That format is convenient locally but awkward to parse in a log pipeline. Setting a single environment variable switches every stream to **one JSON object per line** (newline-delimited JSON), which SIEMs parse natively. This page is about the **operational log streams** (requests, errors, background-task activity, authentication events). It is distinct from the in-app [Audit log](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/audit-log) , which records who changed which object and is read inside the application. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#enabling-json-logs) Enabling JSON logs --------------------------------------------------------------------------------------------------------------------------------------------------------- Set the following on the **backend**, **worker**, and **frontend** containers: Copy LOG_FORMAT=json # default: plain The backend and the Huey worker share the same logging configuration, so this one variable covers both. Setting it on the frontend container routes the SvelteKit server process — authentication events, request errors — through the same JSON shape. The log level also applies to all three streams and defaults to `INFO`, which captures request-level events. Adjust it if you need more or less detail: Copy LOG_LEVEL=INFO # default: INFO. Options: DEBUG, INFO, WARNING, ERROR, CRITICAL Set `LOG_FORMAT=json` on **all three** containers. If only some are switched, your pipeline receives a mix of JSON and plain-text lines and parsing breaks for the plain ones. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#what-the-records-look-like) What the records look like ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- A backend request log line (formatted here for readability — on the wire it is a single line): A frontend authentication event: ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#common-fields) Common fields Field Description `timestamp` ISO-8601 UTC timestamp `level` `debug`, `info`, `warning`, `error`, `critical` `logger` Source logger (`frontend` for the SvelteKit process; a Python module path on the backend) `event` The log message `request_id` Correlation id shared by all backend log lines from one request `user_id` Authenticated user id, when the request is authenticated `ip` Client IP address Sensitive OAuth2 query parameters (`code`, `token`, `id_token`, `access_token`) are redacted from logged request URLs. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#optional-also-write-the-backend-log-to-a-file) Optional: also write the backend log to a file ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- In addition to standard output, the backend can mirror its logs to a file. Set `LOG_OUTFILE` to the destination path; the file is always written in JSON, regardless of `LOG_FORMAT`. Leave it empty (the default) to log to stdout only. This is useful when a log shipper tails a file rather than the container's stdout. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#shipping-to-a-siem) Shipping to a SIEM --------------------------------------------------------------------------------------------------------------------------------------------------------- Once `LOG_FORMAT=json` is set, point your collector at each container's stdout (or the file above). Because the lines are newline-delimited JSON, Microsoft Sentinel, Azure Data Explorer, Splunk and Elastic all parse them without a custom grok/regex parser — each JSON key becomes a queryable field. Use `request_id` to correlate all backend lines belonging to a single request, and `logger` to separate the frontend stream from the backend stream. [PreviousPrometheus metrics](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/prometheus-metrics) [NextMaintenance](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/maintenance) Last updated 26 days ago Was this helpful? * [Overview](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#overview) * [Enabling JSON logs](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#enabling-json-logs) * [What the records look like](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#what-the-records-look-like) * [Common fields](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#common-fields) * [Optional: also write the backend log to a file](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#optional-also-write-the-backend-log-to-a-file) * [Shipping to a SIEM](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/structured-logging#shipping-to-a-siem) Was this helpful? Copy { "request": "GET /api/folders/", "code": 200, "request_id": "0d6f1c4e-2a8b-4e1f-9c3a-7b2e5f0a1d44", "user_id": 1, "ip": "10.0.2.15", "ciso_assistant_url": "https://ciso.example.com", "event": "request_finished", "timestamp": "2026-06-12T09:21:33.123456Z", "level": "info", "logger": "django_structlog.middlewares.request" } Copy { "timestamp": "2026-06-12T09:21:34.001Z", "level": "warning", "logger": "frontend", "event": "Login failed", "status": 400 } Copy LOG_OUTFILE=/var/log/ciso-assistant/backend.log --- # Local | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/local.md) . The recommended pattern for local deployment is to use **Docker Compose**. Check the Readme file on the CISO Assistant repo for the latest instructions. The compose file will manage three containers and set the required variables: * Front * Back * Caddy (proxy) * Make sure to have a recent version of Docker installed * On a Linux distro with a server flavor, make sure to remove older versions and install the latest one using the proper Docker repos to avoid twisted setups. Check out the instructions at [https://docs.docker.com/engine/install/ubuntu/](https://docs.docker.com/engine/install/ubuntu/) * On Windows, Docker Desktop+WSL is recommended * On MacOS, Docker Desktop covers the requirements ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/local#using-prebuilt-images) Using prebuilt images Run: Copy ./docker-compose.sh It will clean up previous images and get the latest stable release. Once the images are downloaded and migration triggered, you should see a prompt asking you to set the first superuser. Follow the instructions to set it, and you should be ready. In case you are running on an unsupported architecture, you can open a GitHub issue so that we add its support or use the next steps to build the images locally. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/local#re-building-the-images-locally) Re-building the images locally Alternatively, if the previous configuration didn't succeed, run: ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/local#ssl-warning) SSL Warning Given that Caddy is using a `self-signed certificate`, your browser will mention a warning that you can accept and continue. [PreviousDeployment methods](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods) [NextDocker rootless configuration](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/docker-rootless) Last updated 1 month ago Was this helpful? * [Using prebuilt images](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/local#using-prebuilt-images) * [Re-building the images locally](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/local#re-building-the-images-locally) * [SSL Warning](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/deployment-methods/local#ssl-warning) Was this helpful? Copy ./docker-compose-build.sh --- # Security intelligence feeds | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds.md) . CISO Assistant can optionally enrich its vulnerability and security-advisory catalogues by polling external threat-intelligence feeds. These switches control which feeds are active and how the platform reaches them. All feeds are **off by default** — they make outbound network calls, so opt in deliberately. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds#available-feeds) Available feeds --------------------------------------------------------------------------------------------------------------------------------------- * **KEV feed** (`kev_feed_enabled`) — CISA's [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) list. Tags vulnerabilities that are confirmed to be exploited in the wild so they can be prioritised. * **EPSS feed** (`epss_feed_enabled`) — FIRST's [Exploit Prediction Scoring System](https://www.first.org/epss/) . Attaches a probabilistic exploitation score to each CVE, useful for prioritisation alongside CVSS severity. * **NVD enrichment** (`nvd_enrich_enabled`) — pulls extra metadata from the [NIST National Vulnerability Database](https://nvd.nist.gov/) (CWE mappings, affected configurations, references). [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds#network) Network ----------------------------------------------------------------------------------------------------------------------- * **Network timeout** (`network_timeout`) — seconds to wait before giving up on a feed call. Default `30`, range `5`\-`120`. Tune up if you're behind a slow egress proxy; tune down if you want feed failures to surface quickly rather than block other work. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds#operational-notes) Operational notes ------------------------------------------------------------------------------------------------------------------------------------------- * Enabling a feed doesn't backfill the entire history — feeds are consulted from the moment they're enabled. To enrich historical entries, look for a "refresh" action on the relevant catalog (depends on the feed). * Feed calls happen in background jobs (Huey workers), so toggling a feed doesn't block the request that saves the settings. * Outbound HTTPS access to the feed endpoints is required. The platform doesn't ship with mirrored data. [PreviousVulnerability SLA policy](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/vulnerability-sla) [NextAllowed IP whitelist](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/infra-config-allowed-ip) Last updated 1 month ago Was this helpful? * [Available feeds](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds#available-feeds) * [Network](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds#network) * [Operational notes](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/sec-intel-feeds#operational-notes) Was this helpful? --- # Managing secrets | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/managing-secrets.md) . ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/managing-secrets#id-1.-the-.env-file) 1\. The `.env` File Docker Compose automatically loads variables from a `.env` file located next to `docker-compose.yml`. This is the recommended approach for all secrets. #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/managing-secrets#create-the-.env-file) Create the `.env` file Copy # .env # ── Postgres ─────────────────────────── POSTGRES_NAME=ciso_assistant POSTGRES_USER=ciso_assistant POSTGRES_PASSWORD=change-me-to-something-strong # ── Django / Backend ─────────────────── DJANGO_DEBUG=False CISO_ASSISTANT_URL=https://localhost:8443 ALLOWED_HOSTS=backend,localhost CISO_SUPERUSER_EMAIL=admin@example.com # ── Mailer ───────────────────────────── EMAIL_HOST=smtp.example.com EMAIL_PORT=587 EMAIL_USE_TLS=True EMAIL_HOST_USER=notifications@example.com EMAIL_HOST_PASSWORD=smtp-secret-password DEFAULT_FROM_EMAIL=ciso-assistant@example.com # ── Rescue Mailer (optional) ────────── # EMAIL_HOST_RESCUE=smtp2.example.com # EMAIL_PORT_RESCUE=587 # EMAIL_HOST_USER_RESCUE=rescue@example.com # EMAIL_HOST_PASSWORD_RESCUE=rescue-secret # EMAIL_USE_TLS_RESCUE=True # ── S3 Storage (optional) ───────────── # USE_S3=True # AWS_ACCESS_KEY_ID=AKIA... # AWS_SECRET_ACCESS_KEY=wJal... # AWS_STORAGE_BUCKET_NAME=my-bucket # AWS_S3_ENDPOINT_URL=https://s3.eu-west-1.amazonaws.com #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/managing-secrets#reference-variables-in-docker-compose.yml) Reference variables in `docker-compose.yml` Replace every hardcoded value with a `${VARIABLE}` reference: > **Tip — DRY with YAML anchors:** Since `backend` and `huey` share most variables, you can use extension fields to avoid repetition: #### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/managing-secrets#protect-the-file) Protect the file * * * ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/managing-secrets#id-2.-per-environment-compose-overrides) 2\. Per-Environment Compose Overrides Use override files to separate dev and production configurations without touching the base file: Each environment can point to its own `.env` file: This lets you commit safe dev defaults while keeping production secrets in a separate file. [PreviousCustom certificates](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/custom-certificates) [NextSetting up S3](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/s3) Last updated 1 month ago Was this helpful? * [1\. The .env File](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/managing-secrets#id-1.-the-.env-file) * [2\. Per-Environment Compose Overrides](https://intuitem.gitbook.io/ciso-assistant/product-docs/installation/post-install-setup/managing-secrets#id-2.-per-environment-compose-overrides) Was this helpful? Copy services: backend: container_name: backend build: context: ./backend dockerfile: Dockerfile restart: always depends_on: - postgres environment: - ALLOWED_HOSTS=${ALLOWED_HOSTS} - CISO_ASSISTANT_URL=${CISO_ASSISTANT_URL} - DJANGO_DEBUG=${DJANGO_DEBUG} - POSTGRES_NAME=${POSTGRES_NAME} - POSTGRES_USER=${POSTGRES_USER} - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - DB_HOST=postgres - EMAIL_HOST=${EMAIL_HOST} - EMAIL_PORT=${EMAIL_PORT} - EMAIL_USE_TLS=${EMAIL_USE_TLS} - EMAIL_HOST_USER=${EMAIL_HOST_USER} - EMAIL_HOST_PASSWORD=${EMAIL_HOST_PASSWORD} - DEFAULT_FROM_EMAIL=${DEFAULT_FROM_EMAIL} - CISO_SUPERUSER_EMAIL=${CISO_SUPERUSER_EMAIL} volumes: - ./db:/code/db huey: container_name: huey build: context: ./backend dockerfile: Dockerfile depends_on: - backend restart: always environment: - ALLOWED_HOSTS=${ALLOWED_HOSTS} - CISO_ASSISTANT_URL=${CISO_ASSISTANT_URL} - DJANGO_DEBUG=False - POSTGRES_NAME=${POSTGRES_NAME} - POSTGRES_USER=${POSTGRES_USER} - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - DB_HOST=postgres volumes: - ./db:/code/db entrypoint: - /bin/sh - -c - | uv run python manage.py run_huey -w 2 --scheduler-interval 60 frontend: container_name: frontend environment: - PUBLIC_BACKEND_API_URL=http://backend:8000/api - PROTOCOL_HEADER=x-forwarded-proto - HOST_HEADER=x-forwarded-host build: context: ./frontend dockerfile: Dockerfile depends_on: - backend postgres: container_name: postgres image: postgres:16 restart: always environment: POSTGRES_DB: ${POSTGRES_NAME} POSTGRES_USER: ${POSTGRES_USER} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} volumes: - ./db/pg:/var/lib/postgresql/data caddy: container_name: caddy image: caddy:2.10.0 restart: unless-stopped ports: - 8443:8443 command: - caddy - reverse-proxy - --from - https://localhost:8443 - --to - frontend:3000 volumes: - ./db:/data Copy x-common-env: &common-env ALLOWED_HOSTS: ${ALLOWED_HOSTS} CISO_ASSISTANT_URL: ${CISO_ASSISTANT_URL} POSTGRES_NAME: ${POSTGRES_NAME} POSTGRES_USER: ${POSTGRES_USER} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} DB_HOST: postgres services: backend: environment: <<: *common-env DJANGO_DEBUG: ${DJANGO_DEBUG} EMAIL_HOST: ${EMAIL_HOST} # ... other backend-specific vars huey: environment: <<: *common-env DJANGO_DEBUG: "False" Copy chmod 600 .env Copy docker-compose.yml # base (references ${VARIABLES}, no secrets) docker-compose.override.yml # local dev defaults (loaded automatically) docker-compose.prod.yml # production overrides (git-ignored) Copy # Dev — override is loaded automatically docker compose up # Production docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d Copy docker compose --env-file .env.prod -f docker-compose.yml -f docker-compose.prod.yml up -d --- # Assignments / respondent mode | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/assignments.md) . This feature is intended for organisations who wish to rely on a single audit where multiple users or teams will collaborate by responding to their specific sections (one or multiple requirements). The feature flag can be enabled from Extra/Settings/Feature flags: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-88211e2ad478a5eab36fa305f15f0c5b3e6c6072%252Fimage%2520%2880%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=246abe67&sv=2) Once the feature flag is enabled, the design is as follows: * an analyst (or higher role) starts an audit * through the assignment management, we assign a group of requirements to one or multiple users or teams * the assignments can be made to a user or a team, over one or multiple requirements ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-ce15040056e4212095143a8dd3c6586503e30751%252Fimage%2520%281%29.png%3Falt%3Dmedia&width=300&dpr=3&quality=100&sign=ecdd10a9&sv=2) ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-9a7bfabb19cb0787ffe349895d044c43f9fb56d4%252Fimage%2520%282%29%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=325e84ff&sv=2) * the assignees need just the `respondent` role on the domain to interact with their assigned sections, and they can do that directly from the respondent view ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-fd85ba17b44f7c25dad81ae3e697f8e60be26fc2%252Fimage%2520%281%29%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=cbaf5008&sv=2) * when `respondent` users sign it, they get automatically redirected to the dedicated page. Users can find it later on the side nav bar ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-493b2e0d5688599f536eb2cf6e56fede9531127a%252Fimage%2520%283%29%2520%281%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=242bb22e&sv=2) * Users will see their assigned sections of all the audits organised by domains and they can interact with it by answering the compliance status, attaching applied controls or evidences directly. * Keep in mind that `respondent` can create, pick or update applied controls or evidences of the domains, to encourage reusability. ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-3128ff0abb6d5c4afd1d4bedafb2d9aa656690a3%252Fimage%2520%2879%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=169ea62c&sv=2) ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/assignments#workflow) Workflow The intereaction between the auditor and respondents follows these steps: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-58b419b4128e66d809726db0d9d1e2c6a1edb038%252Fimage%2520%281%29%2520%282%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=b661a24a&sv=2) The default state is `draft` and you can set them and send feedbacks individually: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-2ad625dd36e13481b70e7159cfcde6d6e8f19bc0%252Fimage%2520%282%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=34e283f2&sv=2) For review, if the auditors don't have the permissions to update the requirements compliance result, which will be the general case to keep consistent inputs from the respondent side, they can interact with comments on each one: ![](https://intuitem.gitbook.io/ciso-assistant/~gitbook/image?url=https%3A%2F%2F629777851-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FCqFeU3oPCgDWkkR386NK%252Fuploads%252Fgit-blob-3954f76547bcb5aef00475289133f040d826601d%252Fimage%2520%283%29.png%3Falt%3Dmedia&width=768&dpr=3&quality=100&sign=94f55c14&sv=2) [PreviousScoring Assistant](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/scoring-assistant) [NextComments](https://intuitem.gitbook.io/ciso-assistant/product-docs/features/comments) Last updated 1 month ago Was this helpful? Was this helpful? --- # Custom templates | Product Docs | CISO Assistant For the complete documentation index, see [llms.txt](https://intuitem.gitbook.io/ciso-assistant/llms.txt) . This page is also available as [Markdown](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/custom-templates.md) . Available on the PRO plan. [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/custom-templates#custom-templates) Custom templates ------------------------------------------------------------------------------------------------------------------------------------------ Custom templates let you replace the default content CISO Assistant uses for outbound emails and for document exports. **Administrators only.** Creating, editing and deleting custom templates is restricted to users with the **Administrator** role. Templates control the wording of system emails and the body of exported documents, so a malicious or careless template could mislead recipients (e.g. a forged password-reset email) or embed inappropriate content in official exports. Word templates carry additional risk: * **Template injection** — `.docx` templates are rendered with a Jinja2-based engine. A crafted template can contain expressions that are evaluated on the server, which an attacker could abuse to read data or run unintended logic during export (server-side template injection). * **Malicious macros** — `.docx` files can embed VBA macros that execute on the machine of whoever opens the exported document. A booby-trapped template effectively ships malware to every report recipient. Document layout templates carry the same **template injection** consideration: `.html` templates are rendered server-side with Django's template engine before the PDF is produced, so a crafted template could evaluate unintended expressions. Keep this permission limited to trusted administrators, only upload templates from sources you control, and review any template before activating it. Three template types live under this setting: * **Email templates** — the body and subject of system-generated emails (notifications, invitations, password reset, …). * **Word templates** — `.docx` files used as the visual skin for document exports (audit reports, risk-treatment plans, BIA outputs). * **Document layout templates** — `.html` files that control the PDF layout of managed documents (cover page, header/footer, branding). ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/custom-templates#template-key-and-language) Template key and language Every template is identified by two fields: * **Template key** — a stable identifier for what the template represents (e.g. `audit_completion_notification`, `audit_report_export`). The platform looks up the active template by key when the relevant action fires. * **Language** — the locale the template applies to. The platform falls back to the instance's default language if no template for the user's locale is present. A template is only used when its `is_active` flag is on, which lets you stage a draft alongside the live version and flip the switch when ready. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/custom-templates#email-templates) Email templates Each email template carries a **subject** and a **body**. Body content supports the same templating variables as the default emails — use the in-app preview to inspect the variables available for a given key. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/custom-templates#word-templates) Word templates Each Word template is an uploaded `.docx` file containing styled placeholders. The platform substitutes the dynamic content (assessment data, scores, evidence list) when generating the export. ### [](https://intuitem.gitbook.io/ciso-assistant/product-docs/configuration/settings/custom-templates#document-layout-templates) Document layout templates Document layout templates control how a managed document is rendered to PDF — on **Export PDF** and when a document is published. Each is an uploaded `.html` file (Django template syntax, with CSS in a `