GOVERNANCE · RISK · COMPLIANCE
The GRC platform for people who sit the audit

Governance, risk, and compliance your auditors actually trust.

Set policy, manage risk, and prove compliance from one connected model. Map a control once and satisfy every framework — and see the gaps before your auditor does. Built for ISO 27001, NIST CSF 2.0, and SOC 2, not for vendor checkboxes.

ISO 27001 certified · SOC 2 Type II · Used by 340+ compliance teams
GRC posture (live): Governance 96% policies current · Risk 3 critical gaps · Compliance 82% control coverage
Risk × Control coverage heatmap: controls A.5 to A.10 against risks R-001 to R-006 · 1 critical gap, 2 high · review by Friday
Trusted to run the register at Northwind Bank · Meridian Health · Atlas Logistics · QFC Holdings · Halcyon Energy
01 — How it works

Software is a third of the job. We do the other two.

People, process, and technology. Most platforms ship the technology and leave you the other two. We make all three measurable inside one platform — so the methodology is the product, not a slide.

People

Roles, not seats

Six GRC roles out of the box, including risk manager, control owner, auditor and compliance officer. Permissions map to how your team divides the work, not to how many seats you bought.

grc_admin · risk_manager · auditor · +3
Process

The assessment runs itself

Planned and event-driven assessments with capacity-aware annual planning. Evidence requests, reminders, and sign-off without the spreadsheet relay.

plan → engagement → evidence → sign-off
Technology

One model, every framework

Map a control once; satisfy ISO 27001, NIST CSF 2.0, and SOC 2 together. Change a control, watch coverage recompute across all of them.

200+ risks · 30+ controls · live mappings

02 — The platform

One platform, eight disciplines.

Most tools split governance, risk, and compliance across separate modules. Here they sit under one connected model, so a policy sets a control, a control closes a risk, and the same evidence feeds the audit.

Risk

Inherent and residual scoring, heatmaps, treatment plans.

R-001 … R-240

Compliance

Map one control to every framework it satisfies, at once.

ISO · NIST · SOC 2

Audit

Engagements, working papers, findings, and follow-up.

planned + event-driven

Incident

Capture, triage, and link incidents to the risks they prove.

SEV-1 … SEV-4

Insurance

Tie coverage to residual risk so the gap is the policy line.

cover ↔ residual

Asset

The register of what you are actually protecting, scored.

CIA-rated

Contract

Obligations and DPAs surfaced as controls, with renewals.

DPA · SLA · renewal

Process

The workflows that carry it all, owned and measurable.

owned · timed
340+
compliance teams keep their register here
19
frameworks mapped, ISO 27001 to NIA Qatar
2.1M
controls linked to the risks they mitigate
41%
average coverage gap closed in year one
03 — Why teams switch

The reasons people leave their old GRC tool.

ISO 27001 certified: we live by the standard we sell
200+ risks and 30+ controls preloaded: not an empty database
One control, every framework: map once, satisfy all
Unlimited users: auditors and owners do not cost extra
True multi-tenant isolation: every org keeps its own data
SSO and role-based access: six GRC roles out of the box
340+ implementations: the method is proven, not theoretical
Browser-based SaaS: nothing to install, audit-ready day one

04 — The product, not a screenshot

Not a screenshot — the working GRC console.

app.auditgrc.com/risks
Acme Corp / ISO 27001:2022

Risk register

+ New risk
Policies current: 96% (▲ 2 due for review)
Open risks: 68 · 3 crit (▲ 4 this week)
Control coverage: 82% (▲ 6% MoM)
Audit-ready: 94% (▲ on track)
ID    | Risk                                       | Severity | Mapped control | Effectiveness | Owner
R-042 | Unencrypted PII in legacy data lake        | CRITICAL | ISO-A.8.24     | 41%           | S. Okafor
R-017 | No MFA on privileged admin accounts        | HIGH     | ISO-A.5.17     | 63%           | M. Chen
R-091 | Vendor offboarding lacks access revocation | HIGH     | ISO-A.5.19     | 58%           | J. Patel
R-008 | Incident response plan untested in 14 mo   | MEDIUM   | ISO-A.5.24     | 71%           | R. Adeyemi
R-103 | Backup restore not verified quarterly      | MEDIUM   | ISO-A.8.13     | 77%           | L. Novak
R-055 | Physical media disposal logging gaps       | LOW      | ISO-A.7.10     | 88%           | D. Rossi
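The two mechanisms the page leans on, "map a control once and watch coverage recompute across every framework" (section 01) and "inherent and residual scoring" (section 02), are easy to sketch as a small model. The following is an added illustration written for this page, not the platform's own code. The risk IDs, titles, ISO 27001:2022 Annex A control IDs and effectiveness figures are taken from the console rows above; the NIST CSF 2.0 and SOC 2 crosswalk entries, the inherent scores and the 60% coverage threshold are assumptions made for the example, not the product's mappings.

```python
"""Added illustration of a "map a control once, satisfy every framework" model.

Not the vendor's code. Risk IDs, titles, ISO 27001:2022 Annex A control IDs
and effectiveness figures come from the console rows on the page. The NIST
CSF 2.0 / SOC 2 crosswalk, the inherent scores and the 60% coverage
threshold are assumptions made for this example.
"""
from dataclasses import dataclass

COVERAGE_THRESHOLD = 0.60  # assumed: a control below this does not "cover" a requirement


@dataclass
class Control:
    control_id: str
    effectiveness: float   # 0.0-1.0, the console's Effectiveness column
    satisfies: frozenset   # requirement IDs in the form "FRAMEWORK:requirement"


@dataclass
class Risk:
    risk_id: str
    title: str
    inherent: int          # assumed 1-25 (likelihood x impact), not on the page
    control_id: str        # the single mapped control, as in the console


# One mapping per control; each control lists every requirement it satisfies.
# The NIST CSF 2.0 and SOC 2 entries are an assumed, illustrative crosswalk.
CONTROLS = {
    c.control_id: c for c in [
        Control("ISO-A.8.24", 0.41, frozenset({"ISO:A.8.24", "NIST:PR.DS-01", "SOC2:CC6.1"})),
        Control("ISO-A.5.17", 0.63, frozenset({"ISO:A.5.17", "NIST:PR.AA-03", "SOC2:CC6.1"})),
        Control("ISO-A.5.19", 0.58, frozenset({"ISO:A.5.19", "NIST:GV.SC-10", "SOC2:CC9.2"})),
        Control("ISO-A.5.24", 0.71, frozenset({"ISO:A.5.24", "NIST:RS.MA-01", "SOC2:CC7.4"})),
        Control("ISO-A.8.13", 0.77, frozenset({"ISO:A.8.13", "NIST:PR.DS-11", "SOC2:A1.2"})),
        Control("ISO-A.7.10", 0.88, frozenset({"ISO:A.7.10", "NIST:ID.AM-08", "SOC2:CC6.5"})),
    ]
}

RISKS = [
    Risk("R-042", "Unencrypted PII in legacy data lake", 20, "ISO-A.8.24"),
    Risk("R-017", "No MFA on privileged admin accounts", 16, "ISO-A.5.17"),
    Risk("R-091", "Vendor offboarding lacks access revocation", 12, "ISO-A.5.19"),
    Risk("R-008", "Incident response plan untested in 14 mo", 12, "ISO-A.5.24"),
    Risk("R-103", "Backup restore not verified quarterly", 9, "ISO-A.8.13"),
    Risk("R-055", "Physical media disposal logging gaps", 6, "ISO-A.7.10"),
]


def requirements_by_framework(controls):
    """Derive each framework's requirement set from the mappings themselves."""
    frameworks = {}
    for c in controls.values():
        for req in c.satisfies:
            framework, _ = req.split(":", 1)
            frameworks.setdefault(framework, set()).add(req)
    return frameworks


def best_effectiveness(controls, req):
    """A requirement is as well covered as the strongest control mapped to it."""
    return max((c.effectiveness for c in controls.values() if req in c.satisfies), default=0.0)


def coverage(controls, threshold=COVERAGE_THRESHOLD):
    """Per-framework coverage: share of requirements met by a control at or above threshold."""
    result = {}
    for framework, reqs in requirements_by_framework(controls).items():
        covered = sum(1 for r in reqs if best_effectiveness(controls, r) >= threshold)
        result[framework] = round(covered / len(reqs), 3)
    return result


def gaps(controls, threshold=COVERAGE_THRESHOLD):
    """Requirements, per framework, not met by any control at or above threshold."""
    return {
        fw: sorted(r for r in reqs if best_effectiveness(controls, r) < threshold)
        for fw, reqs in requirements_by_framework(controls).items()
    }


def residual(risk, controls):
    """Residual = inherent x (1 - effectiveness of the mapped control)."""
    return round(risk.inherent * (1 - controls[risk.control_id].effectiveness), 1)


def update_effectiveness(controls, control_id, new_value):
    """Change one control; returns a new mapping so before/after can be compared."""
    updated = dict(controls)
    old = updated[control_id]
    updated[control_id] = Control(old.control_id, new_value, old.satisfies)
    return updated


if __name__ == "__main__":
    after_controls = update_effectiveness(CONTROLS, "ISO-A.8.24", 0.75)
    print("coverage before:", coverage(CONTROLS))        # ISO 0.667, NIST 0.667, SOC2 0.8
    print("coverage after: ", coverage(after_controls))  # ISO 0.833, NIST 0.833, SOC2 0.8
    print("gaps after:     ", gaps(after_controls))
    for r in RISKS:
        print(r.risk_id, residual(r, CONTROLS), "->", residual(r, after_controls))
```

Raising the effectiveness of ISO-A.8.24 (the control behind R-042) moves ISO and NIST coverage but leaves SOC 2 where it was, because CC6.1 was already satisfied by ISO-A.5.17; that is the point of holding the crosswalk in one model rather than per framework. The one gap left under all three frameworks is the vendor offboarding control ISO-A.5.19, which is exactly the kind of finding the console's "review by Friday" flag is meant to surface.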
05 — Thinking on GRC

We write about this in public.

Field notes from people who have sat on both sides of the audit table — methodology, opinions, and practical framework crosswalks.

Methodology

Your risk register is a graveyard. Here is why.

If nobody reads it between audits, it is not a control — it is a liability. Three ways to make the register a living document.

7 min read · by S. Visser
Opinion

Stop buying GRC tools by the checkbox.

Feature-grid procurement is how you end up with eleven modules and no coverage. Buy the model, not the menu.

5 min read · by M. Chen
Framework

NIST CSF 2.0 and ISO 27001, mapped once.

The overlap is bigger than vendors admit. A practical crosswalk you can run in an afternoon.

9 min read · by J. Patel

See your GRC posture in 30 minutes.

No deck. We load a framework, map a control to a policy and a risk live, and show you the gaps. Free, no obligation.