
User Guide

Sovereign GRC is a security-first governance, risk, and compliance platform. This guide walks through every section of the application with screenshots showing how to use each feature.

Version: 2.0.5

Frameworks supported: SOC 2 Type II, ISO/IEC 27001:2022, CMMC Level 2, NIST Cybersecurity Framework 2.0, HIPAA Security Rule, PCI DSS v4.0.1, GDPR (7 frameworks; see the Frameworks reference for the full control list)

Quick Start Workflow

For a new organization getting started with Sovereign GRC:

  1. Settings — Verify your organization name and configure Trust Center.
  2. Data Sources — Connect your AWS, Azure, or GCP accounts.
  3. Frameworks — Browse available frameworks and understand the controls.
  4. Assessments — Create your first assessment against SOC 2 or ISO 27001.
  5. Assessments > Execute — Run automated checks against your infrastructure.
  6. Findings — Review the results. Filter by status to show only Fail results and see your gaps.
  7. Tasks — Create remediation tasks for failing controls.
  8. Evidence — Upload evidence as you remediate findings.
  9. Policies — Create required policy documents.
  10. Reports — Generate your compliance report for auditors.
  11. Calendar — Set up recurring control test schedules.
  12. Risk Monitoring — Configure KRIs for ongoing monitoring.
  13. Vendors — Add and assess your third-party vendors.
  14. Trust Center — Configure and publish your public security portal.

The sidebar is organized into six labeled groups. The Audit group is always visible and cannot be collapsed; the other five groups are collapsible. Risk, Operations, and System start collapsed by default.

| Group | Page | What it does |
|---|---|---|
| Audit | Dashboard | Compliance overview |
| Audit | Assessments | Run compliance assessments |
| Audit | Findings | Review assessment results |
| Audit | Evidence | Upload and manage evidence files |
| Audit | Evidence Requests | Request documents from stakeholders |
| Audit | Reports | Generate compliance reports |
| Audit | Audit AI | AI-assisted audit procedures |
| Frameworks & Policy | Frameworks | Browse compliance frameworks |
| Frameworks & Policy | Cross Compliance | Map controls across frameworks |
| Frameworks & Policy | Policies | Manage policy documents |
| Frameworks & Policy | SOX Compliance | Sarbanes-Oxley certifications |
| Frameworks & Policy | ESG | Environmental/Social/Governance metrics |
| Frameworks & Policy | Policy Engine † | OPA policy management |
| Risk | Risk Monitoring | Key Risk Indicators |
| Risk | Risk Quantification † | FAIR analysis |
| Risk | Bow-Tie Analysis † | Visual risk analysis |
| Risk | Incidents | Security incident management |
| Risk | Business Continuity | Dependency mapping, SPOF detection, recovery planning |
| Third-Party Risk | Vendors | Vendor risk management |
| Operations | Analytics | Trend analysis |
| Operations | Calendar | Compliance schedule |
| Operations | Tasks | Task inbox |
| Operations | Data Sources | Cloud provider connections |
| Operations | Infrastructure | Steampipe query explorer |
| System | Audit Log | Tamper-evident activity log |
| System | System Logs | Application logs |
| System | Settings | Organization and Trust Center config |
| System | Users | Invite and manage organization users |
| System | API Keys | API key management |
| System | Admin Settings | System-wide configuration |
| System | System Health | Component status monitoring |

† Hidden by default. Risk Quantification, Bow-Tie Analysis, and Policy Engine are not shown until you enable them from the sidebar's Customize popover.