User Guide
Sovereign GRC is a security-first governance, risk, and compliance platform. This guide walks through every section of the application with screenshots showing how to use each feature.
Version: 2.0.0
Frameworks supported: SOC 2 Type II, ISO/IEC 27001:2022, CMMC Level 2
Quick Start Workflow
For a new organization getting started with Sovereign GRC:
- Settings — Verify your organization name and configure Trust Center.
- Data Sources — Connect your AWS, Azure, or GCP accounts.
- Frameworks — Browse available frameworks and understand the controls.
- Assessments — Create your first assessment against SOC 2 or ISO 27001.
- Assessments > Execute — Run automated checks against your infrastructure.
- Findings — Review the results. Filter to `fail` to see gaps.
- Tasks — Create remediation tasks for failing controls.
- Evidence — Upload evidence as you remediate findings.
- Policies — Create required policy documents.
- Reports — Generate your compliance report for auditors.
- Calendar — Set up recurring control test schedules.
- Risk Monitoring — Configure KRIs for ongoing monitoring.
- Vendors — Add and assess your third-party vendors.
- Trust Center — Configure and publish your public security portal.
Navigation Reference
Sidebar — Main Navigation
| Section | Page | What it does |
|---|---|---|
| Core | Dashboard | Compliance overview |
| Core | Assessments | Run compliance assessments |
| Core | Findings | Review assessment results |
| Core | Evidence | Upload and manage evidence files |
| Core | Evidence Requests | Request documents from stakeholders |
| Core | Reports | Generate compliance reports |
| Core | Frameworks | Browse compliance frameworks |
| Standards | Cross Compliance | Map controls across frameworks |
| Standards | Policies | Manage policy documents |
| Standards | SOX Compliance | Sarbanes-Oxley certifications |
| Standards | ESG | Environmental/Social/Governance metrics |
| Third Party | Vendors | Vendor risk management |
| Operations | Incidents | Security incident management |
| Risk | Risk Monitoring | Key Risk Indicators |
| Risk | Risk Quantification | FAIR analysis |
| Risk | Bow-Tie Analysis | Visual risk analysis |
| Analytics | Compliance Analytics | Trend analysis |
| Analytics | AI Audit | AI-assisted audit procedures |
| Infrastructure | Data Sources | Cloud provider connections |
| Infrastructure | Infrastructure | Steampipe query explorer |
| Infrastructure | Policy Engine | OPA policy management |
| Planning | Calendar | Compliance schedule |
| Planning | Tasks | Task inbox |
| Audit | Audit Log | Tamper-evident activity log |
| Audit | System Logs | Application logs |
Sidebar — Settings Section
| Page | What it does |
|---|---|
| Settings | Organization and Trust Center config |
| API Keys | API key management |
| Admin | System-wide configuration |
| System Health | Component status monitoring |