Compliance work starts with clarity, and that’s precisely what a Compliance Project in Humadroid gives you.
Whether you're preparing for an audit, aligning with ISO 27001 or SOC 2®, or just mapping internal risks and controls, projects let you structure the entire effort: from frameworks and risks to controls, documents, and assessments.
In this guide, we’ll walk you through:
- How to create a compliance project
- How to define its structure
- How to identify and score risks
- How to choose the right treatment strategy
- How to link supporting documentation and controls
✅ Step 1: Create a New Project
Go to Compliance in the left-hand menu and click + Create New > Project. A modal will appear asking for:
- Name and description
- Project owner
- Start and target dates
- Compliance framework: choose ISO 27001 or SOC 2 if you're preparing for an audit, or use a blank project if you want to create your own structure.
- Scoring method: this determines how Humadroid calculates risk scores in your project. Humadroid comes with three predefined scoring methods:
  - Multi-Impact Assessment
    The default method for combining multiple impact types.
    Formula: Risk = Probability × [Financial Impact (×1) + Legal Impact (×1) + Reputational Impact (×1)]
    Treatment Threshold: 9
    If the calculated score is ≥ 9, the risk must be formally addressed.
    Tip: Use this when impacts are equally critical and you need a balanced overview.
  - Simple 5×5 Risk Matrix
    Classic single-dimensional matrix for quick scoring.
    Formula: Risk = Probability × Overall Impact (×1)
    Treatment Threshold: 15
    If the calculated score is ≥ 15, the risk must be formally addressed.
    Tip: Ideal for rapid assessments or when you lack detailed impact breakdowns.
  - Weighted Impact Assessment
    Nuanced scoring with emphasis on key impact types.
    Formula: Risk = Probability × [Financial Impact (×2) + Legal Impact (×1) + Reputational Impact (×1) + Operational Impact (×1)]
    Treatment Threshold: 12
    If the calculated score is ≥ 12, the risk must be formally addressed.
    Tip: Apply this to highlight the most business-critical impact (e.g., financial).

We recommend reading our detailed description of scoring methods: 👉 What are risk scoring methods.
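To make the three scoring methods concrete, here is an added example (not Humadroid's own code) that encodes each method as a set of impact weights plus its treatment threshold and scores one constructed risk under all three. It assumes a 1–5 rating scale for probability and every impact type, and refuses to score a risk that is missing an impact type the chosen method needs, so a gap in the assessment is never silently treated as zero impact.

```python
from dataclasses import dataclass

# Scoring methods as described in this guide: each is a set of impact weights
# plus a treatment threshold. Risk = Probability x sum(weight_i x impact_i).
SCORING_METHODS = {
    "multi_impact": {"weights": {"financial": 1, "legal": 1, "reputational": 1},
                     "threshold": 9},
    "simple_5x5": {"weights": {"overall": 1}, "threshold": 15},
    "weighted_impact": {"weights": {"financial": 2, "legal": 1,
                                    "reputational": 1, "operational": 1},
                        "threshold": 12},
}

SCALE = range(1, 6)  # assumption: probability and impacts are rated 1..5


@dataclass
class RiskScore:
    score: int
    threshold: int
    needs_treatment: bool  # True when score >= threshold (must be addressed)


def score_risk(method: str, probability: int, impacts: dict) -> RiskScore:
    """Apply one scoring method to a risk and decide whether it crosses the threshold."""
    cfg = SCORING_METHODS[method]
    if probability not in SCALE:
        raise ValueError(f"probability {probability} outside 1..5")
    missing = set(cfg["weights"]) - set(impacts)
    if missing:
        # Refuse to score instead of treating a missing impact as 0, which
        # would understate the risk and could hide it below the threshold.
        raise ValueError(f"method {method!r} needs impacts: {sorted(missing)}")
    for name in cfg["weights"]:
        if impacts[name] not in SCALE:
            raise ValueError(f"{name} impact {impacts[name]} outside 1..5")
    weighted = sum(w * impacts[name] for name, w in cfg["weights"].items())
    score = probability * weighted
    return RiskScore(score, cfg["threshold"], score >= cfg["threshold"])


if __name__ == "__main__":
    # Constructed sample risk: a critical vendor outage, probability 2.
    vendor_outage = {"financial": 3, "legal": 1, "reputational": 2,
                     "operational": 4, "overall": 3}
    for method in SCORING_METHODS:
        print(method, score_risk(method, 2, vendor_outage))
```

Running it shows the same risk flagged for treatment under Multi-Impact (12 ≥ 9) and Weighted Impact (26 ≥ 12) but not under the 5×5 matrix (6 < 15), which is why the choice of scoring method deserves a deliberate decision at project creation.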
🧩 Step 2: Define Sections & Controls (Optional)
🧠 If you selected a framework for ISO 27001 or SOC 2® during project creation, you now have a full set of controls to work through. To understand how to go through these controls, link evidence, and assess them properly, check this dedicated guide:
👉 How to Work Through Compliance Controls in Humadroid
If you didn’t select a predefined framework (such as ISO 27001 or SOC 2®), you can create your own control structure using the Sections & Controls tab. This is especially useful for internal governance, regulatory requirements, or industry-specific frameworks.
Go to the Sections & Controls tab to outline your structure:
- Add custom sections for key domains
- Add controls under each section to track specific requirements (e.g., Two-Factor Authentication enabled)
This step is especially useful when working without a predefined standard.
📌 Step 3: Prepare Policies Before Identifying Risks
Before jumping into risk identification, it’s highly recommended to prepare and upload your company’s core policies and guidelines. These documents will serve as the foundation for your compliance strategy and often act as direct evidence for various controls.
To add policies, go to the Documents tab in your project. Here you can upload new files or create them directly in the system. Once published, these documents can be linked to specific controls or compliance sections and used as recurring evidence during assessments.
Remember that you can (and probably will have to) add new policies or edit previously created ones along the way so they stay up to date.
You can review the list of most commonly required policies and their ISO/SOC 2® control references in this article: Prepare Policies and Guides.
These may include:
- Information Security Policy
- Code of Conduct
- Vendor Risk Management Policy
- Incident Response Plan
Versioned and acknowledged policies help demonstrate that your controls are not just theoretical but actively enforced and reviewed.
⚠️ Step 4: Add your Risks
Before adding risks, you should identify them first. This involves reviewing your workflows, vendors, tools, and infrastructure to detect areas of potential exposure. (See our full guide: How to Identify Risks in Compliance Projects)
To get started:
- Go to the Risks tab and click + Add First Risk.
- Fill in the Risk Information: title, description, category, owner, and next review date.
- In the Risk Assessment tab, set:
  - Likelihood (chance of happening)
  - Impact (e.g., financial, legal, reputational)
  Your selected scoring method will calculate the risk score. If it crosses your treatment threshold, the system will flag it for action.
- In the Treatment & Links tab, decide how to handle the risk:
  - Accept
  - Mitigate (add controls)
  - Transfer (e.g., via insurance)
  - Avoid
  - Other options: Share, Monitor, Investigate
  You can also link the risk to specific:
  - Controls
  - Documents (like policies, SOPs, audit reports)

To upload supporting materials:
- Go to Documents in the left menu
- Add your files and assign them to this project
- Attach them to relevant risks and controls for traceability
🧠 Best Practice: Start With a Risk Register
During the Planning phase of the project, it's a good idea to map out all known risks early. This gives you:
- Better visibility into required controls
- Clarity on compliance scope
- A living register that can evolve with the project
Each risk is created as Draft and can be moved to Identified, In Treatment, or Closed depending on progress.
📈 Final Result: A Structured, Audit-Ready Project
By this point, you’ve built the foundation of your compliance initiative:
✅ Defined your scope and structure
✅ Identified and scored key risks
✅ Selected treatments
✅ Linked documentation and controls
From here, you can start assigning owners, monitoring progress, and running assessments, all from a centralized compliance dashboard.