# User Guide
Sovereign GRC is a security-first governance, risk, and compliance platform. This guide walks through every section of the application with screenshots showing how to use each feature.
Version: 2.0.5

Frameworks supported: SOC 2 Type II, ISO/IEC 27001:2022, CMMC Level 2, NIST Cybersecurity Framework 2.0, HIPAA Security Rule, PCI DSS v4.0.1, GDPR (7 frameworks; see the Frameworks reference for the full control list)
## Quick Start Workflow
For a new organization getting started with Sovereign GRC:
- Settings — Verify your organization name and configure Trust Center.
- Data Sources — Connect your AWS, Azure, or GCP accounts.
- Frameworks — Browse available frameworks and understand the controls.
- Assessments — Create your first assessment against SOC 2 or ISO 27001.
- Assessments > Execute — Run automated checks against your infrastructure.
- Findings — Review the results. Filter to `fail` to see gaps.
- Tasks — Create remediation tasks for failing controls.
- Evidence — Upload evidence as you remediate findings.
- Policies — Create required policy documents.
- Reports — Generate your compliance report for auditors.
- Calendar — Set up recurring control test schedules.
- Risk Monitoring — Configure KRIs for ongoing monitoring.
- Vendors — Add and assess your third-party vendors.
- Trust Center — Configure and publish your public security portal.
## Navigation Reference
The sidebar is organized into six labeled groups. The Audit group is always visible and cannot be collapsed; the other five groups are collapsible. Risk, Operations, and System start collapsed by default.
| Group | Page | What it does |
|---|---|---|
| Audit | Dashboard | Compliance overview |
| Audit | Assessments | Run compliance assessments |
| Audit | Findings | Review assessment results |
| Audit | Evidence | Upload and manage evidence files |
| Audit | Evidence Requests | Request documents from stakeholders |
| Audit | Reports | Generate compliance reports |
| Audit | AI Audit | AI-assisted audit procedures |
| Frameworks & Policy | Frameworks | Browse compliance frameworks |
| Frameworks & Policy | Cross Compliance | Map controls across frameworks |
| Frameworks & Policy | Policies | Manage policy documents |
| Frameworks & Policy | SOX Compliance | Sarbanes-Oxley certifications |
| Frameworks & Policy | ESG | Environmental/Social/Governance metrics |
| Frameworks & Policy | Policy Engine † | OPA policy management |
| Risk | Risk Monitoring | Key Risk Indicators |
| Risk | Risk Quantification † | FAIR analysis |
| Risk | Bow-Tie Analysis † | Visual risk analysis |
| Risk | Incidents | Security incident management |
| Risk | Business Continuity | Dependency mapping, SPOF detection, recovery planning |
| Third-Party Risk | Vendors | Vendor risk management |
| Operations | Analytics | Trend analysis |
| Operations | Calendar | Compliance schedule |
| Operations | Tasks | Task inbox |
| Operations | Data Sources | Cloud provider connections |
| Operations | Infrastructure | Steampipe query explorer |
| System | Audit Log | Tamper-evident activity log |
| System | System Logs | Application logs |
| System | Settings | Organization and Trust Center config |
| System | Users | Invite and manage organization users |
| System | API Keys | API key management |
| System | Admin Settings | System-wide configuration |
| System | System Health | Component status monitoring |
† Hidden by default. Risk Quantification, Bow-Tie Analysis, and Policy Engine are hidden when first installed; enable them from the sidebar's Customize popover.