
Admin Guide Compliance Module

Manage compliance policies, documents, and audits. Track acknowledgments, set alerts, and automate regulatory processes with Humadroid’s Compliance module.
By Bartek Hamerliński
9 articles

Setting up your Compliance module in Humadroid.

The Compliance tab is available only for paid accounts. If you’re managing frameworks like ISO 27001 or SOC 2, or you need to maintain an audit-ready internal control system, this is your go-to setup.

Compliance Settings Overview

Risk Categories

Define what risks your company tracks and how they’re grouped. Humadroid comes with a set of system default risk categories. These are grouped by area (e.g., Compliance, Contractual, External) and include:
- Clear descriptions of the risk type
- Examples of common threats or violations
- Tags to help with classification

Screenshot: Default risk categories. System default risk categories grouped by type: compliance, legal, contractual, and regulatory. Each includes examples to help with classification.

You can use these predefined categories out of the box or create your own, aligned with your structure, teams, or departments.

💡 Example: Create a custom “IT Operational Risk” category if you’re tracking system downtimes or vendor SLA breaches separately.

Screenshot: Creating a new risk category. Define your own risk categories with custom identifiers, color codes, and classification examples tailored to your organization.

Scoring Methods

Decide how you evaluate and prioritize risks. In this section, you manage risk scoring models that help determine the criticality of each risk. Three default methods are available:
- Multi-Impact Assessment: uses a weighted formula based on financial, legal, and reputational impact.
- Simple 5×5 Risk Matrix: a straightforward model using probability × impact.
- Weighted Impact Assessment: a nuanced model allowing additional types of impact (e.g., operational).

Screenshot: Available risk scoring methods. Choose from predefined scoring models like Multi-Impact Assessment or create your own to align with your organization’s risk evaluation framework.

Each model comes with editable treatment thresholds (when a risk becomes significant) and customizable weights. You can also create new methods based on your internal evaluation criteria.

📎 Recommended: In our internal compliance, we're using this method with a higher threshold - it allows us to focus on really important risks and keep track of those of lesser impact.

Screenshot: Custom risk scoring method setup. Build your own risk scoring method using custom thresholds and impact-based formulas. Ideal for tailoring your compliance evaluation to specific frameworks.

Employment Types

In Humadroid, Employment Types help you enforce compliance by ensuring the right documents are linked to the right roles. Whether it’s full-time staff, contractors, or interns, each type can have specific policies automatically assigned, such as:
- Code of Conduct
- NDA
- Security or Data Protection Policies

This ensures that every person acknowledges the right set of documents based on their role, with no manual chasing.

👉 Full guide: Employment Types in Humadroid

Screenshot: Creating a new employment type. Create a custom employment type and link it to required documents like Code of Conduct or Security Policy. Documents will be auto-assigned to users based on their role.

Advanced Asset Management (Assets Settings)

Once Compliance is enabled, you’ll also get access to advanced asset tracking features, so let’s break down how to navigate the Assets settings.

Lifecycle States

Here, you define and manage equipment lifecycle stages from purchasing to disposal. Humadroid provides a set of default states:
- Ordered
- Received
- In Stock
- Deployed
…and more. You can edit these or create your own.

Screenshot: Adding a new lifecycle state by clicking "Add New State". Add custom asset states to match your internal workflows. Use terminal states to define endpoints like “Retired” or “Disposed”.

Screenshot: Lifecycle view with state transitions. Visualize asset state transitions using a flow diagram. Customize each state and its valid paths to reflect your real-world lifecycle management.

✏️ Pro tip: Use custom transitions to enforce rules like “you can’t deploy before receiving.”

Categories

Organize your hardware and equipment into categories like laptops, phones, and monitors. While creating a category, you can:
- Choose a parent category
- Set default lifecycle duration
- Select the depreciation method
- Flag items for regular maintenance

Screenshot: Asset category list. Categorize company assets for easier tracking and reporting. Each category can include depreciation settings and asset counts.

Screenshot: Creating a new asset category. Define asset categories with lifecycle duration, depreciation settings, and maintenance reminders. Add custom fields to track additional metadata.

Departments

Use this to assign assets to teams or cost centers. See how much hardware is tied to Sales, Marketing, or IT.

Screenshot: Department overview with assigned assets. Assign assets to specific departments and track inventory by team.

Locations

Track asset distribution across your offices, warehouses, or regions.

Screenshot: Asset location structure (e.g., Germany with Berlin, and Poland with Poznań, as sub-locations). Organize assets across geographic locations with sub-location support. Ideal for multi-office inventory visibility and compliance traceability.

📄 Document Management

Humadroid also enables centralized document control, a crucial piece for ISO/SOC 2 audits. You can:
- Upload and manage internal policies, procedures, controls
- Assign ownership and version history
- Link documents to risks, assessments, or assets
- Request acknowledgment from employees (e.g., policy sign-off)

This feature does not require any setup in settings. Under Compliance -> Documents, you can start creating your documents as you go.

Screenshot: Compliance documents with acknowledgment tracking. Manage all compliance documents in one place. Track versions, statuses, acknowledgment progress, and link policies to roles or users.

Last updated on Jun 02, 2025

How to Add Assets in Humadroid

Keep your inventory organized, track ownership, and stay audit-ready.

Whether you’re handing out laptops to new hires or managing licenses and office equipment, the Asset Management Dashboard in Humadroid helps you keep everything in order. This guide walks you through the process of adding new assets and assigning them to the right people, departments, or locations.

Step 1: Open the Asset Management Dashboard

From the left-hand menu in Humadroid, navigate to Assets. This is where you’ll see your complete inventory, including laptops, monitors, phones, and more.

Screenshot: Asset management dashboard in the Compliance module, showing asset categories, lifecycle states, and assigned departments. Use this dashboard to view, sort, and filter existing assets by location, department, or status.

Step 2: Add a New Asset

To create a new entry, click the “Add Asset” button in the top right corner. A modal window will appear where you can fill in:
- Asset name (e.g., “MacBook Pro 16”)
- Manufacturer (e.g., Apple, Lenovo, etc.)
- Model (optional but recommended)
- Serial number (used to track the specific unit)

Screenshot: Form for adding a new asset, with fields for name, serial number, location, and department. Fill in basic details, assign location and department, and link to categories for better tracking.

Step 3: Assign Categories, Locations, and Departments

This is optional, but recommended. If you want to keep track of where assets belong, like which department is responsible, where the equipment is located, or what type it is, you’ll need to set those options up first. Categories (like Laptops, Licenses, or Furniture), office locations, and departments are not added automatically. You define them in your account settings, so they reflect your company structure.

💡 Not sure where to do that? Check out our step-by-step guide: How to Set Up Your Compliance Module. It walks you through adding all those fields.

Once you’ve configured your setup, you’ll be able to assign each asset to:
- Category (e.g. Laptops, Projectors, Licenses)
- Location (e.g. Warsaw Office, Remote, NYC HQ)
- Department (e.g. Sales, Engineering, Ops)

This way, every asset will be tied to your real company structure, and it will be much easier to manage during audits or budget planning.

Step 4: Set the Asset’s Status

Each asset in Humadroid has a lifecycle state. These are customizable in Account settings, but the system offers default states that should fit most companies' needs, including:
- Ordered
- Received
- In Stock
- Deployed
- In Maintenance
- Under repair
- Decommissioned

Choose one of the available states, or customize them in the Assets settings. This helps you track where assets are in their lifecycle and keep your audits clean.

Screenshot: Dropdown menu for selecting the initial asset state. Choose the appropriate initial state for your asset from the dropdown menu; options include Ordered, In Stock, Deployed, Disposed, and more.

Step 5: Add Purchase & Warranty Information

Want to get ahead of service dates or budget tracking? You can also add:
- Purchase price
- Purchase date
- Warranty expiration
- Vendor details

This data helps teams track depreciation, service timelines, and procurement costs, which is especially useful during internal or external audits.

If you select "Purchase" in the Acquisition method field, Humadroid will automatically reveal an extra section: Create Purchase Record. Here, you can fill in:
- Vendor name (e.g., Apple Store)
- Invoice number (e.g., INV-12345)
- Payment method
- Department that handled the purchase
- Purchase order reference (if available)

This optional section helps you consolidate purchase data with your asset inventory, so it's all in one place when you need it.

Screenshot: Purchase and warranty fields for a new asset entry. When "Purchase" is selected as the acquisition method, Humadroid unlocks a detailed purchase record section where you can enter vendor info, payment method, and PO number.

✅ Creation completed

Once the asset is saved, you'll land on its Asset Details page.

Screenshot: Asset Details view showing purchase info, current state, lifecycle management, and linked purchase record. The asset detail view summarizes key data like lifecycle state, purchase price, and current value. You can also access quick actions and purchase records here.

From here, you can:
- View or edit asset information
- See current lifecycle state and available transitions
- Access purchase history
- Schedule maintenance
- Attach files or documentation
- Assign the asset using Checkout on the right side of the view

This view becomes your single source of truth for everything related to the asset, from status to documentation.

That’s it! Need help setting up lifecycle states or organizing departments? Head over to the Settings > Assets section or check out our Knowledge Hub for more tutorials.

Last updated on May 27, 2025

First Project in Compliance

Compliance work starts with clarity, and that’s precisely what a Compliance Project in Humadroid gives you. Whether you're preparing for an audit, aligning with ISO 27001 or SOC 2®, or just mapping internal risks and controls, projects let you structure the entire effort: from frameworks and risks to controls, documents, and assessments.

In this guide, we’ll walk you through:
- How to create a compliance project
- How to define its structure
- How to identify and score risks
- How to choose the right treatment strategy
- How to link supporting documentation and controls

✅ Step 1: Create a New Project

Go to Compliance in the left-hand menu and click + Create New > Project. A modal will appear asking for:
- Name and description
- Project owner
- Start and target dates
- Framework: choose the ISO 27001 or SOC 2 compliance framework if you're preparing for an audit, or use a blank project if you want to create your own structure.
- Scoring method: this determines how Humadroid calculates risk scores in your projects.

Humadroid comes with three predefined Scoring Methods:

- Multi-Impact Assessment: the default method for combining multiple impact types.
  Formula: Risk = Probability × [Financial Impact (×1) + Legal Impact (×1) + Reputational Impact (×1)]
  Treatment Threshold: 9. If the calculated score is ≥ 9, the risk must be formally addressed.
  Tip: Use this when impacts are equally critical and you need a balanced overview.
- Simple 5×5 Risk Matrix: classic single-dimensional matrix for quick scoring.
  Formula: Risk = Probability × Overall Impact (×1)
  Treatment Threshold: 15. If the calculated score is ≥ 15, the risk must be formally addressed.
  Tip: Ideal for rapid assessments or when you lack detailed impact breakdowns.
- Weighted Impact Assessment: nuanced scoring with emphasis on key impact types.
  Formula: Risk = Probability × [Financial Impact (×2) + Legal Impact (×1) + Reputational Impact (×1) + Operational Impact (×1)]
  Treatment Threshold: 12. If the calculated score is ≥ 12, the risk must be formally addressed.
  Tip: Apply this to highlight the most business-critical impact (e.g., financial).

Our recommendation is to read our detailed description of Scoring Methods 👉 What are risk scoring methods.

🧩 Step 2: Define Sections & Controls (Optional)

🧠 If you selected a framework for ISO 27001 or SOC 2® during project creation, you now have a full set of controls to work through. To understand how to go through these controls, link evidence, and assess them properly, check this dedicated guide: 👉 How to Work Through Compliance Controls in Humadroid

If you didn’t select a predefined framework (such as ISO 27001 or SOC 2®), you can create your own control structure using the Sections & Controls tab. This is especially useful for internal governance, regulatory requirements, or industry-specific frameworks. Go to the Sections & Controls tab to outline your structure:
- Add custom sections for key domains
- Add controls under each section to track specific requirements (e.g., Two-Factor Authentication enabled)

📌 Step 3: Prepare Policies Before Identifying Risks

Before jumping into risk identification, it’s highly recommended to prepare and upload your company’s core policies and guidelines. These documents will serve as the foundation for your compliance strategy and often act as direct evidence for various controls.

To add policies, go to the Documents tab in your project. Here you can upload new files or create them directly in the system. Once published, these documents can be linked to specific controls or compliance sections and used as recurring evidence during assessments. Remember that you can (and probably will have to) add new policies or edit previously created ones along the way, so the set stays up to date.

You can review the list of most commonly required policies and their ISO/SOC 2® control references in this article: Prepare Policies and Guides. These may include:
- Information Security Policy
- Code of Conduct
- Vendor Risk Management Policy
- Incident Response Plan

Versioned and acknowledged policies help demonstrate that your controls are not just theoretical but actively enforced and reviewed.

⚠️ Step 4: Add your Risks

Before adding risks, you should identify them first. This involves reviewing your workflows, vendors, tools, and infrastructure to detect areas of potential exposure. (See our full guide: How to Identify Risks in Compliance Projects)

To get started:
1. Go to the Risks tab and click + Add First Risk.
2. Fill in the Risk Information: title, description, category, owner, and next review date.
3. In the Risk Assessment tab, set:
   - Likelihood (chance of happening)
   - Impact (e.g., financial, legal, reputational)
   Your selected scoring method will calculate the risk score. If it crosses your treatment threshold, the system will flag it for action.
4. In the Treatment & Links tab, decide how to handle the risk:
   - Accept
   - Mitigate (add controls)
   - Transfer (e.g., via insurance)
   - Avoid
   - Other options: Share, Monitor, Investigate

You can also link the risk to specific:
- Controls
- Documents (like policies, SOPs, audit reports)

To upload supporting materials:
- Go to Documents in the left menu
- Add your files and assign them to this project
- Attach them to relevant risks and controls for traceability

🧠 Best Practice: Start With a Risk Register

During the Planning phase of the project, it's a good idea to map out all known risks early. This gives you:
- Better visibility into required controls
- Clarity on compliance scope
- A living register that can evolve with the project

Each risk is created as Draft and can be moved to Identified, In Treatment, or Closed depending on progress.

📈 Final Result: A Structured, Audit-Ready Project

By this point, you’ve built the foundation of your compliance initiative:
✅ Defined your scope and structure
✅ Identified and scored key risks
✅ Selected treatments
✅ Linked documentation and controls

From here, you can start assigning owners, monitoring progress, and running assessments, all from a centralized compliance dashboard.

Last updated on Jun 04, 2025

Employment Types in Humadroid

In Humadroid, Employment Types are used to classify different forms of work relationships in your company, from full-time employees to contractors and interns. You’ll find them under: Settings → Compliance → Employment Types

🔐 Employment Types + Required Documents: A Smart Compliance Match

Define and manage employment types with role-specific document requirements. Link critical policies directly to executive or contractor positions for better audit control. When you create or edit an employment type, you can assign required documents to it, for example:
- Employment contract or B2B agreement
- Employee Code of Conduct
- NDA (Non-Disclosure Agreement)
- GDPR/Data Protection Policy
- Internal Security Policy

This means every new hire assigned to that employment type will automatically be expected to review and acknowledge the right documents, and no manual steps are needed.

📂 Where Do the Documents Come From?

The documents must have been previously created and published in the Documents section of the Compliance module. Once live, they become available for selection when editing employment types.

💡 Remember: to assign a document to an Employment Type, you need to publish it after creating it; only then will it appear as an option while creating or editing an Employment Type.

✅ What This Enables:
- 📋 Automated onboarding – no need to remember which doc goes to whom. It’s set once per employment type.
- 🔎 Visibility – you can track who has acknowledged which documents and follow up as needed.
- 📉 Fewer errors – admins don’t have to manually assign individual policies to each new hire; policies are assigned automatically through employment types.

🔄 Updating a Document: Versioning & Notifications

When you create a new version of a document (using the “Create New Version” button), you override the old version, and once you publish the new version, it becomes the valid one. Once published:
- ✅ All assigned users are automatically notified that a new version is available
- ✅ The previous acknowledgments are reset; users must confirm they’ve reviewed the updated content
- ✅ You get real-time visibility into who has (or hasn’t) acknowledged the new version

This ensures that no outdated procedures remain in circulation, and that compliance tracking stays up to date, which is especially critical for policies like security, incident response, or business continuity.

💡 Remember: a new version must be explicitly published to take effect. Only then will it replace the previous version in your policy set.

🔧 Use Case Example:

Let’s say a new developer joins on a B2B contract. You assign them the “Contractor” employment type, which already has these documents linked:
- NDA
- Security Policy
- Data Handling SOP

They’ll receive only the policies relevant to their role, with no irrelevant HR materials like benefit guides or paid leave policies.

Last updated on May 26, 2025

How Document Acknowledgment Works in Humadroid

In Humadroid, documents like NDAs, security policies, or internal procedures can be assigned to users, with the expectation that they confirm they've read and accepted them. This process is called Acknowledgment, and it's critical for audit readiness, legal protection, and internal accountability.

How to Create a Document (and What to Include)

To create a new document, go to “Documents” in the left-hand navigation panel. A good compliance library starts with well-defined internal policies, which are formal documents that outline expectations, reduce ambiguity, and support audit readiness. When creating a document in Humadroid, it’s a good idea to start with policies such as:
- Acceptable Use Policy
- Information Security Policy
- Code of Conduct
- Data Protection / GDPR Policy
- Confidentiality or NDA Policy
- Remote Work & Device Policy
- Business Continuity or Risk Management Policy

Step 1: Fill in the Document Details

Let’s walk through creating your first document, in this case, an Information Security Policy. Enter the required information:
- Title
- Description
- Document content (rich text or file)
- Category (e.g., Security, Legal, HR)
- Acknowledgment type:
  - Explicit acknowledgment
  - Simple acknowledgment
  - Read only
  - No Acknowledgment

Once everything is filled in, click “Create Document” at the bottom of the modal. You’ll be redirected to the main view of your newly created document.

Step 2: Publish the Document

At the top of this view, you can see the document type ("Policy"), its status ("Editable", indicating it has not been published yet), and the version number (we'll cover versioning later in the post). If all the details look correct, it’s time to publish the document.

💡 If you already have an active Compliance Project, you can now link this document to a relevant control. If not, check out our guide on how to create your first compliance project.

Step 3: Assign Users

Once published, the document becomes visible to assigned users and available in dashboards and reports, and it's time to assign users. The picked users will get a notification in Humadroid to read and accept the document, depending on the type of Acknowledgment you chose when you created it. You can select users one by one or send the request to everyone.

Step 4: Track Acknowledgments

Once you assign users, the Acknowledgment Status will update to reflect the acknowledgment progress.

💡 Only published documents can be assigned to users or linked to Employment Types. Once published, they become visible in dashboards and reports.

Step 5: Update the Document, Create a New Version

Sometimes you’ll need to update an existing policy, for example, to reflect new regulations, internal changes, or updated responsibilities. To do this, open the document you want to update and click “Create New Version.” After editing the content, click “Update Document.” You’ll now see the new version listed in the Documents module, marked as a draft or editable.

⚠️ Important: this updated version does not take effect until you publish it, the same way you did when creating the first version. Once published:
- It becomes the active version
- All previously assigned users are notified about the new version
- Their acknowledgment status is reset
- You’ll be able to track who has confirmed the new version, just like with the original one

This ensures your policies stay up to date, traceable, and fully acknowledged across your organization.
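The publish, assign, acknowledge and re-version flow described in this guide and in the Employment Types guide, as an added worked example; this is constructed code, not Humadroid's implementation. It assumes one document version is active at a time, that an acknowledgment is recorded against the version it was given for (so publishing a new version leaves it stale), and that a user's required documents come from their employment type.

```python
"""Policy-acknowledgment tracking as the guide describes it: only published
documents can be linked to employment types, users inherit required documents
from their type, and publishing a new version resets acknowledgments and
notifies assigned users.  Constructed example, not Humadroid code."""
from collections import defaultdict


class PolicyRegistry:
    def __init__(self):
        self.published = {}               # title -> active published version
        self.drafts = {}                  # title -> editable version, not yet live
        self.required = defaultdict(set)  # employment type -> required titles
        self.users = {}                   # user -> employment type
        self.acks = {}                    # (user, title) -> version acknowledged
        self.notifications = []           # (user, title, version) requests sent

    def create_document(self, title):
        """A new document starts as an editable draft, version 1."""
        self.drafts[title] = 1

    def publish(self, title):
        """Make the draft the active version and notify everyone assigned."""
        version = self.drafts.pop(title)
        self.published[title] = version
        for user in self.assigned_users(title):
            self.notifications.append((user, title, version))
        # No explicit reset is needed: each acknowledgment is stored against
        # the version it was given for, so it no longer matches the active one.

    def create_new_version(self, title):
        """'Create New Version': a new draft that stays inactive until published."""
        self.drafts[title] = self.published[title] + 1

    def link_required(self, employment_type, title):
        """Only published documents may be linked to an employment type."""
        if title not in self.published:
            raise ValueError(f"{title!r} must be published before it can be linked")
        self.required[employment_type].add(title)

    def add_user(self, user, employment_type):
        """Assigning a type triggers the type's document requests."""
        self.users[user] = employment_type
        for title in sorted(self.required[employment_type]):
            self.notifications.append((user, title, self.published[title]))

    def assigned_users(self, title):
        return [u for u, t in self.users.items() if title in self.required[t]]

    def acknowledge(self, user, title):
        """Record acceptance of whatever version is currently active."""
        if title not in self.published:
            raise ValueError(f"{title!r} has no published version")
        self.acks[(user, title)] = self.published[title]

    def outstanding(self):
        """Users whose acknowledgment is missing or for a superseded version."""
        pending = {}
        for user, etype in self.users.items():
            missing = [t for t in sorted(self.required[etype])
                       if self.acks.get((user, t)) != self.published[t]]
            if missing:
                pending[user] = missing
        return pending


if __name__ == "__main__":
    reg = PolicyRegistry()
    reg.create_document("Security Policy")
    reg.publish("Security Policy")
    reg.link_required("Contractor", "Security Policy")
    reg.add_user("alice", "Contractor")  # constructed user
    print("pending after onboarding:", reg.outstanding())
```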

Last updated on May 27, 2025

What Are Risk Scoring Methods and How to Define Them in Humadroid

What Is a Risk Scoring Method?

A Risk Scoring Method is a formula used to calculate how serious a risk is based on two main components:
1. Probability – how likely the risk is to happen
2. Impact – how serious the consequences are if it does happen

In Humadroid, scoring methods can be configured to consider one or multiple types of effects (e.g. financial, legal, reputational) with different weightings.

Risk Scoring Methods play a key role in identifying and evaluating risks in compliance projects. With them, you can understand the level of exposure each risk creates, whether financial, legal, operational, or any other risk you identify in your organization. They allow you to answer an essential question: what would happen if this risk materialized? Using these scoring models ensures that all risks are measured in a consistent, comparable way. Once the score is calculated, you can clearly decide which risks require action (treatment) and which can be monitored.

🧠 Why Use Risk Scoring Methods?
✅ Identify high-impact risks early in projects
✅ Evaluate risks across dimensions: financial, legal, reputational, or any other you identify
✅ Standardize scoring to ensure fair prioritization
✅ Improve visibility on dashboards and reports

With structured scoring, decisions become more data-driven and defensible.

📊 Default Methods in Humadroid

Humadroid includes three built-in scoring methods:

1. Multi-Impact Assessment (Default)
- Formula: probability * SUM(impacts)
- Impacts: Financial (x1), Legal (x1), Reputational (x1)
- Threshold: Score ≥ 9 requires treatment
This method evaluates risk by multiplying its probability by the sum of its individual impact types.

2. Simple 5x5 Risk Matrix
- Formula: probability * impact
- Impact: Single dimension, e.g., "Overall Impact"
- Threshold: Score ≥ 15 requires treatment
Suitable for straightforward use cases without multiple dimensions.

3. Weighted Impact Assessment
- Formula: probability * SUM(impacts)
- Weights: Financial (x2), Legal (x1), Reputational (x1), Operational (x1)
- Threshold: Score ≥ 12 requires treatment
This method places extra emphasis on the financial impact.

⚙️ How to Create or Edit a Scoring Method

💡 Remember: if you're not a Compliance Officer or have not worked with Risk Scoring Methods before, we recommend using the default methods.

To create or customize a scoring method, go to: Settings > Compliance > Scoring Methods > New Scoring Method

Step 1: Define Basic Info
- Name: give your method a descriptive name
- Description: (optional) clarify its intended use
- Treatment Threshold: minimum score that requires mitigation

Step 2: Set Formula
Formulas can use the following elements:
- probability
- SUM(impacts)
- MAX(impacts)
- AVG(impacts)
- Specific impacts by identifier, depending on what you added (e.g., financial)

Examples:
- probability * MAX(impacts)
- probability * (financial * 2 + reputational)
- (probability + MAX(impacts)) / 2

Step 3: Add Impact Types
You define which kinds of impact matter for your organization. Each can be customized with its own:
- Name (e.g., "Financial Impact")
- Identifier used in formulas (e.g., financial)
- Weight (e.g., 1 or 2)
- Impact Levels (you can create your own as you go, but we recommend using the default):
  - Label: Minimal, Minor, Moderate, Major, Severe
  - Value: numeric scale (1–5)
  - Description: define the scope of impact

Example: Financial Impact
- Minimal (1): <$10,000
- Minor (2): $10K–$100K
- Moderate (3): $100K–$1M
- Major (4): $1M–$10M
- Severe (5): >$10M

Step 4: Set Probability Levels
These describe the likelihood of a risk occurring. Each level has a numeric value.

🔄 Tips and Best Practices
- Use weights to emphasize certain risk types (e.g., financial impact in regulated industries)
- Keep probability and impact levels consistent across methods for easier comparison
- Test your formula with a few risks before going live
- Set one scoring method as the default to apply it automatically to new risks
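The three default methods and the custom-formula elements described above (the same formulas the First Project guide lists), as an added worked example that follows the tip to test a formula against a few risks before going live; this is constructed code, not Humadroid's implementation. It assumes a small formula grammar (numbers, + - * /, parentheses, `probability`, impact identifiers, and SUM/MAX/AVG(impacts)), that weights apply inside SUM/MAX/AVG while a bare identifier yields the raw 1–5 level, and that the 5×5 matrix's single dimension is named `impact`.

```python
"""Risk scoring as the guide describes it: probability x impact with per-impact
weights, a formula built from probability / SUM / MAX / AVG / impact identifiers,
and a treatment threshold.  Constructed example, not Humadroid code."""
import ast
import operator
from dataclasses import dataclass
from typing import Tuple

SCALE = range(1, 6)  # numeric levels from the guide: Minimal (1) .. Severe (5)


@dataclass(frozen=True)
class ImpactType:
    identifier: str      # name used in formulas, e.g. "financial"
    weight: float = 1.0  # multiplier applied inside SUM/MAX/AVG(impacts)


@dataclass(frozen=True)
class ScoringMethod:
    name: str
    formula: str
    threshold: float  # score >= threshold requires treatment
    impacts: Tuple[ImpactType, ...]


# The three default methods, rebuilt from the guide's descriptions.
MULTI_IMPACT = ScoringMethod(
    "Multi-Impact Assessment", "probability * SUM(impacts)", 9,
    (ImpactType("financial"), ImpactType("legal"), ImpactType("reputational")))
# Assumption: the single "Overall Impact" dimension uses the identifier "impact".
SIMPLE_5X5 = ScoringMethod(
    "Simple 5x5 Risk Matrix", "probability * impact", 15, (ImpactType("impact"),))
WEIGHTED_IMPACT = ScoringMethod(
    "Weighted Impact Assessment", "probability * SUM(impacts)", 12,
    (ImpactType("financial", 2), ImpactType("legal"), ImpactType("reputational"),
     ImpactType("operational")))

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}
_AGGREGATES = {"SUM": sum, "MAX": max, "AVG": lambda xs: sum(xs) / len(xs)}


def evaluate_formula(formula, probability, levels, impacts):
    """Evaluate a formula over a small whitelisted grammar.

    Assumption: SUM/MAX/AVG(impacts) see weighted values, while a bare
    identifier such as `financial` is the raw 1-5 level (the guide's own
    custom example spells the weight out: probability * (financial * 2 + ...)).
    The text is parsed with ast and walked node by node, never passed to
    eval(), so a formula stored as editable text cannot run arbitrary Python.
    """
    weighted = [levels[i.identifier] * i.weight for i in impacts]
    variables = {"probability": probability}
    variables.update({i.identifier: levels[i.identifier] for i in impacts})

    def walk(node):
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in variables:
                return variables[node.id]
            raise ValueError(f"unknown identifier in formula: {node.id}")
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in _AGGREGATES and not node.keywords
                and len(node.args) == 1 and isinstance(node.args[0], ast.Name)
                and node.args[0].id == "impacts"):
            return _AGGREGATES[node.func.id](weighted)
        raise ValueError(f"unsupported formula element: {type(node).__name__}")

    return walk(ast.parse(formula, mode="eval").body)


def score_risk(method, probability, levels):
    """Return (score, needs_treatment) for one risk under `method`.

    `levels` maps each impact identifier of the method to its 1-5 level;
    missing or out-of-range inputs are rejected instead of silently scored.
    """
    if probability not in SCALE:
        raise ValueError(f"probability must be one of {list(SCALE)}")
    for impact in method.impacts:
        if levels.get(impact.identifier) not in SCALE:
            raise ValueError(f"{impact.identifier} level missing or outside 1-5")
    score = evaluate_formula(method.formula, probability, levels, method.impacts)
    return score, score >= method.threshold


if __name__ == "__main__":
    # Constructed risk: "laptop holding customer data lost in transit"
    risk = {"financial": 2, "legal": 3, "reputational": 3, "operational": 1}
    for method in (MULTI_IMPACT, WEIGHTED_IMPACT):
        score, treat = score_risk(method, 3, risk)
        print(f"{method.name}: score={score} (threshold {method.threshold}) "
              f"-> {'treatment required' if treat else 'monitor'}")
```

The same risk can cross the threshold under one method and not another, which is why the guide recommends keeping levels consistent across methods before comparing scores.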

Last updated on Jun 04, 2025

How to Work Through Compliance Controls in Humadroid (ISO 27001 & SOC 2)

When running a compliance project in Humadroid, you'll eventually reach the most critical part: working through individual controls. These controls are the foundation of any compliance framework. Whether you're using ISO 27001 or SOC 2, or just undertaking an internal company compliance project, the approach is similar, but the expectations and documentation may vary.

Before diving in and working on the controls one by one, we recommend taking time to review the full control set. This will provide you with a high-level understanding of what is expected, how different controls interconnect, and where your organization's potential gaps may lie. With that overview, addressing each control becomes more contextual and meaningful.

🔄 As you go through each control, you’ll also be able to better understand which of your identified risks align with specific controls. When adding risks to your project, you can easily link them to corresponding controls, creating a more connected and actionable compliance strategy.

What Are Controls?

Controls, sometimes called “control points,” are specific safeguards, procedures, or activities that an organization implements to mitigate risks to its information assets. In the realm of information security, a control can be technical (e.g., firewall rules), procedural (e.g., incident response procedures), or organizational (e.g., security policies).

Purpose of Controls
- Risk Mitigation: controls aim to reduce the likelihood or impact of threats (e.g., unauthorized access, data leakage, service disruption).
- Compliance: many regulations and standards, like ISO 27001 and SOC 2, mandate that organizations demonstrate specific controls are in place (see below).
- Governance and Assurance: controls establish clear practices and documentation so that internal teams, external auditors, and stakeholders can verify that information security is managed systematically.

Relationship Between Policies, Standards, and Controls
- Policies/Standards: define high-level objectives and rules (e.g., “We must encrypt data at rest”).
- Controls: translate those objectives into specific actions or mechanisms (e.g., “Use AES-256 encryption for all database backups”).
- Procedures/Guidelines: provide step-by-step instructions for implementing controls (e.g., “Run pg_dump with the --encrypt flag”).

🔐 ISO 27001: Understanding and Completing Controls

ISO 27001 is centered around the concept of Annex A Controls, which support the organization's broader Information Security Management System (ISMS). These controls are grouped into four key sections introduced in ISO/IEC 27001:2022:
- A.5 Organizational Controls – governance, policies, roles, and responsibilities
- A.6 People Controls – background checks, awareness training, disciplinary processes
- A.7 Physical Controls – physical access, equipment security, secure disposal
- A.8 Technological Controls – access management, encryption, backups, monitoring

We recommend starting with a full overview of these sections. Understanding the structure will help you recognize how individual controls interrelate.

📄 Example – A.6.4: Disciplinary Process

What it requires: a formal disciplinary process must exist to take corrective action in case of information security breaches.

Your evidence might include:
- A disciplinary policy document outlining procedures
- HR guidelines describing escalation steps
- Historical log or summary of enforcement actions taken

✅ What’s Expected of You
- Review the control’s objective and understand its intent
- Assign ownership of the control (recommended for distributed accountability)
- Implement the control by adding evidence of how it works in your organization
- Upload supporting documentation (e.g., access logs, policies, asset registers)

🔄 Required vs Optional

ISO 27001 controls aren’t optional. While organizations may justify exclusions in the Statement of Applicability (SoA), any exclusion must be reasoned and documented.

🔐 SOC 2: Understanding and Completing Controls

SOC 2 is structured around the Trust Services Criteria (TSC), which include Security, Availability, Confidentiality, Processing Integrity, and Privacy. The TSC is the official source of information for SOC 2 and should be thoroughly read by anyone preparing for a SOC 2 audit. Check the full Trust Services Criteria document. Familiarizing yourself with these categories in advance will help you understand the scope of your audit and ensure comprehensive coverage.
- Security (Common Criteria) – required for all audits
- Availability – if you promise high uptime or SLAs
- Confidentiality – if you manage confidential client data
- Processing Integrity – for transaction accuracy and completeness
- Privacy – if you process personally identifiable information (PII)

Again, reviewing all categories before starting helps you understand what’s in scope.

📄 Example of understanding a control point – CC6.3: Authentication
- What it requires: systems require authentication using strong credentials
- Your evidence might include:
  - Password policy
  - MFA settings screenshots
  - Admin account provisioning checklist

🔄 Required vs Optional

All controls under the Security category (the Common Criteria) are mandatory. Other TSC categories (Availability, Confidentiality, etc.) are only required if they’re in scope. For instance, if you don’t process sensitive personal data, Privacy controls may not apply.

🧰 What Humadroid Provides for Both Frameworks

Regardless of whether you select ISO 27001 or SOC 2, Humadroid provides a standardized control workspace. Each control in your chosen framework includes:
- Control title and description
- Area to describe the implementation
- Space to attach related evidence
- Linking to supporting documents
- Control ownership and review reminders
- Assessment history

This consistent interface simplifies the process and helps your team stay aligned during compliance preparation.

🧠 Best Practices When Working Through Controls
- Don’t leave descriptions blank, even if you upload a file
- Use versioned documents from your Compliance > Documents section
- Assign owners to controls so you can track accountability
- Set review dates to stay audit-ready throughout the year
- Be honest about partial implementations; these are helpful in tracking progress

By understanding what each control requires and preparing the necessary documentation, you can make audit preparation faster and reduce compliance risk.

Last updated on Jun 04, 2025

How to Identify Risks in Compliance Projects

Identifying risks is one of the first and most crucial steps when building your compliance project in Humadroid. Done right, it lays the foundation for all your future mitigation efforts, reporting, and governance tracking. Below, we'll walk you through how to approach risk identification with clarity, structure, and business context.

🧠 What Is Risk Identification?

Risk identification is the process of uncovering events or conditions that could negatively affect your organization's ability to achieve its objectives. In compliance, risks are often linked to:

- Legal obligations (e.g., data privacy laws)
- Regulatory frameworks (e.g., ISO 27001, SOC 2)
- Internal policies (e.g., code of conduct, security protocols)
- Operational procedures (e.g., vendor onboarding, remote work)

This step is about discovery, not judgment. You don't have to decide yet how significant or likely a risk is, only that it exists.

🔍 Where to Look for Risks

The sources you use to identify risks depend heavily on your organization's specific context: the industry in which you operate, the regulations that apply, and how your internal processes work. Below are several common starting points to help you get going:

1. Framework Requirements: Start with the framework you've selected (e.g., ISO 27001, HIPAA, SOC 2). Look at its core requirements and ask: "What could cause us to fail here?"
   Example (SOC 2 – Security): The principle requires access controls. If your company lacks multi-factor authentication (MFA) for admin users, that's a potential compliance risk.
2. Business Processes: Map workflows in HR, finance, operations, and IT. Identify weak points, manual steps, or gaps in documentation.
   Example: In HR onboarding, if there is no checklist to ensure background checks are done, that's an operational and legal risk.
3. Previous Incidents: Review past issues like data breaches, audit failures, and support escalations.
   Example: If a past audit flagged a lack of formal vendor risk assessments, make this a formalized risk to track.
4. External Factors: Look at legal changes, economic shifts, political risks, or vendor instability.
   Example: New GDPR regulations may expose your organization to penalties if your privacy notices are not up to date.
5. Stakeholder Interviews: Ask team leads in IT, legal, HR, and operations about their concerns.
   Example: A legal manager might express concern about the lack of training logs for employees. That can be logged as a compliance documentation risk.

⏱️ Timeline & Tips

Risk identification for your first project can take anywhere from a few hours to a few days, depending on the size of your organization.

✅ Don't aim for perfection, aim for coverage
✅ Involve cross-functional teams
✅ Revisit your risks quarterly or after any significant incident or audit

🛠️ How to Add Risks in Humadroid

Go to the Compliance section on the left -> pick the project you want to add risks to -> open the "Risks" tab -> click "Add Risk".

1. Enter a Title and Description that reflect your organization's exposures.
2. Select a Risk Category, assign an Owner, and set a Next Review Date so nothing slips through.
3. On the Risk Assessment tab, you'll see the predefined impact categories, based on the Scoring Method you selected earlier. Enter the Likelihood and Potential Impact values for each category, and Humadroid will calculate the risk score.
4. Select a Treatment Strategy (Accept, Mitigate, Transfer, or Avoid) and link any relevant controls or documents for complete traceability.

💡 Note: If the Risk Score Summary is at or above the Treatment Threshold of the selected Scoring Method, you won't be able to Accept the risk. You will need to take action on it, as it is too high a risk to accept and move on.
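The scoring and treatment rule from steps 3 and 4 and the note above, modelled as an added Python example (not Humadroid's own code). Because the page does not give Humadroid's exact formula, it assumes a 5x5 likelihood x impact method with three impact categories, an assumed treatment threshold of 12, and a Risk Score Summary equal to the highest category score.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    ACCEPT = "Accept"
    MITIGATE = "Mitigate"
    TRANSFER = "Transfer"
    AVOID = "Avoid"


@dataclass(frozen=True)
class ScoringMethod:
    name: str
    impact_categories: tuple[str, ...]
    scale_max: int = 5             # assumed 5x5 matrix: both axes run 1..5
    treatment_threshold: int = 12  # assumed value: scores >= this cannot be Accepted


@dataclass
class Risk:
    title: str
    likelihood: int                # 1..scale_max
    impacts: dict[str, int]        # potential impact per category, 1..scale_max


def category_scores(method: ScoringMethod, risk: Risk) -> dict[str, int]:
    """Likelihood x impact for every impact category the method defines."""
    valid = range(1, method.scale_max + 1)
    if risk.likelihood not in valid:
        raise ValueError(f"likelihood must be in {valid}")
    scores = {}
    for cat in method.impact_categories:
        impact = risk.impacts.get(cat)   # None (missing category) fails the check below
        if impact not in valid:
            raise ValueError(f"impact for {cat!r} must be in {valid}")
        scores[cat] = risk.likelihood * impact
    return scores


def risk_score_summary(method: ScoringMethod, risk: Risk) -> int:
    """Assumed summary rule: the highest category score drives treatment."""
    return max(category_scores(method, risk).values())


def choose_treatment(method: ScoringMethod, risk: Risk, wanted: Treatment) -> Treatment:
    """Apply the note above: at or above the threshold, Accept is refused."""
    score = risk_score_summary(method, risk)
    if wanted is Treatment.ACCEPT and score >= method.treatment_threshold:
        raise ValueError(f"{risk.title!r} scores {score}, at or above threshold "
                         f"{method.treatment_threshold}: choose Mitigate, Transfer or Avoid")
    return wanted
```

With the assumed threshold, a constructed "Lack of MFA for admin access" risk (likelihood 4, impacts 3/4/4) scores 16 and cannot be Accepted, while an "Outdated privacy policy" risk (likelihood 2, impacts 2/3/2) scores 6 and can.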
Examples of Common Risks

- Lack of MFA for Admin Access: Admin users are not required to use multi-factor authentication, increasing the likelihood of unauthorized access. This is a common issue flagged under SOC 2's Security principle, which requires strong access controls.
- No documented vendor assessment process: Vendors are onboarded on an ad hoc basis without consistent risk assessments. This creates blind spots and is often highlighted in third-party risk management reviews (ISO 27001 A.15).
- Outdated privacy policy: Your public-facing privacy policy hasn't been updated despite recent regulatory changes like GDPR rulings or CPRA amendments. This leaves you exposed to potential legal penalties.
- Excessive admin rights: More employees than necessary have unrestricted access to internal systems. This violates the principle of least privilege and increases the risk surface in case of an insider threat.
- No defined incident response plan: Your organization has no written and approved process for handling security incidents. This gap would be flagged during audits and leaves you unprepared in a crisis.

Each of these risks connects to a real-world weakness that could compromise your compliance posture, and each one can be turned into a documented, trackable item in your Humadroid project.

🧩 Link Risks to Other Compliance Components

Risks can later be linked to:

- Controls (the preventive measures you take)
- Documents/Policies (e.g., Incident Response Policy)

Linking risks with controls or documents gives you a full picture and understanding of your project.

📘 Learn more: What are Scoring Methods and how to define them

By identifying risks with care and structure, you set up a compliance posture that's proactive, auditable, and ready for change.

Last updated on Jun 04, 2025

How to Prepare Appropriate Policies and Guides for Your Compliance Project

Creating, organizing, and maintaining the right policies and guides is a core part of every successful compliance program. Whether you're working toward ISO 27001, SOC 2, or any other framework, clear documentation is the foundation for both internal alignment and external audit readiness. This guide walks you through preparing appropriate compliance documentation and links your efforts to other parts of your compliance project in Humadroid.

Why Policies and Guides Matter

Your company's policies are the backbone of your compliance culture. They shape behavior, formalize expectations, and serve as reliable sources of truth in day-to-day operations, in employee awareness and behavior, and, most importantly, in audits.

- They prove your intent and establish a formal record that specific requirements and processes are in place.
- Internally, they align teams, making sure employees understand their roles, boundaries, and responsibilities.
- As living documents, they evolve with your organization, responding to changes in regulation, structure, and operations.

A well-maintained policy demonstrates control in action. In fact, an accepted and versioned policy, visible in the employee acknowledgment log, can itself serve as evidence of compliance for many controls.

What Types of Documents to Prepare

The kinds of policies you should create will vary depending on your organization's size, industry, and the compliance framework you're pursuing. Still, there are foundational documents that most companies, especially those targeting ISO 27001 or SOC 2, are expected to maintain.

Start by thinking of your business areas: how you handle data, how people behave in your company, how you work with vendors, how you respond to risks, and how you protect user privacy. Each of these areas should be covered by specific, clear, and up-to-date policies.

🔐 Security & IT

- Information Security Policy – outlines your general approach to securing information systems.
- Access Control Policy – defines how access is granted, revoked, and audited.
- Encryption Policy – shows your methods for encrypting data at rest and in transit.
- Password Policy – enforces password complexity, rotation, and storage guidelines.

👥 HR & People

- Code of Conduct – sets the tone for ethical behavior and company values.
- Disciplinary Policy – explains how violations of rules or misconduct are handled.
- Background Check Policy – documents your process for pre-employment checks.
- Security Awareness Guide – trains employees on phishing, social engineering, and data handling.

🤝 Vendor & Third-Party Management

- Vendor Risk Management Policy – shows how vendors are selected and monitored.
- Data Processing Agreement Guidelines – define expectations around data processing and privacy.
- Third-Party Access Policy – explains how external users or systems gain access to your environment.

🚨 Incident & Risk Management

- Risk Management Policy – defines your process for identifying and managing risks.
- Incident Response Plan – outlines how the company detects, escalates, and responds to security incidents.
- Business Continuity Plan – prepares your business for disasters or major disruptions.

🔏 Data Protection & Privacy

- Privacy Policy – documents how you collect, use, and store personal data.
- Data Classification Policy – categorizes information to apply appropriate controls.
- Data Retention Policy – defines how long data is stored and how it's deleted or archived.

✍️ Best Practices for Creating Compliance Policies

Creating effective policies is about clarity, accountability, and relevance. Instead of overwhelming employees with long, unreadable documents, aim for concise and usable guides. They don't have to be written in corporate language; they need to be understandable for your employees and relevant to your organization.

Start by making sure each policy has a clear purpose and is practical to implement. Lengthy 60-page policies are rarely read, let alone followed. Use plain language and concrete actions. For example, instead of saying "Users must behave securely," define what "secure behavior" actually means in the context of your organization.

Every policy should also have an owner: someone responsible for its creation, maintenance, and review. This could be your CISO for security policies or your HR Manager for employee guidelines.

Regular reviews are crucial. Schedule annual audits of your policy documents, or update them whenever critical business processes change. Humadroid helps by tracking versions, allowing you to publish new iterations and prompt fresh employee acknowledgment.

📝 How to Add Policies in Humadroid

To add a policy as part of your compliance project, navigate to the Documents tab. From here, you can create a new document (policy). You'll be able to:

- Add a clear title and brief description
- Choose the document type (e.g., Policy, Procedure, Guide) for easier management and filtering
- Specify whether the document requires employee acknowledgment

Humadroid supports three types of acknowledgment:

- Explicit Acknowledgment Required – Employees must read and accept the policy with their name
- Simple Accept/Reject –
- Read Only – Employees are informed but not required to confirm acceptance

These settings ensure that employees are informed of expectations and can be held accountable. Acknowledged documents become part of your compliance record, allowing you to present them easily to any auditor.

➡️ Once published, documents can be linked to specific controls or compliance sections and used as recurring evidence during assessments.
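The three acknowledgment types and the version tracking described above, as an added Python example that is not Humadroid's code: it works out which employees still owe an acknowledgment after a new iteration is published. The record layout, the integer version counter and the signed_name field are my own assumptions, not Humadroid's data model.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class AckType(Enum):
    EXPLICIT = "Explicit Acknowledgment Required"  # read and accept with their name
    ACCEPT_REJECT = "Simple Accept/Reject"
    READ_ONLY = "Read Only"                         # informed, no confirmation needed


@dataclass(frozen=True)
class Document:
    title: str
    version: int           # assumed: incremented on every published iteration
    ack_type: AckType


@dataclass(frozen=True)
class Acknowledgment:
    employee: str
    doc_title: str
    version: int           # the version the employee acknowledged
    decision: str          # "accepted" or "rejected"
    signed_name: str = ""  # assumed field: the typed name for EXPLICIT documents


def is_current_ack(doc: Document, ack: Acknowledgment) -> bool:
    """An acknowledgment counts only for the published version, only when
    accepted, and, for the explicit type, only when a name was entered."""
    if ack.doc_title != doc.title or ack.version != doc.version:
        return False       # stale: a new iteration prompts fresh acknowledgment
    if ack.decision != "accepted":
        return False
    if doc.ack_type is AckType.EXPLICIT and not ack.signed_name.strip():
        return False
    return True


def outstanding(doc: Document, employees: list[str],
                acks: list[Acknowledgment]) -> list[str]:
    """Employees who still owe an acknowledgment for the current version."""
    if doc.ack_type is AckType.READ_ONLY:
        return []          # informational only: nothing to confirm
    done = {a.employee for a in acks if is_current_ack(doc, a)}
    return sorted(e for e in employees if e not in done)
```

For a constructed policy at version 2 with explicit acknowledgment, an acceptance of version 1, an acceptance without a typed name and a rejection all leave the employee on the outstanding list.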

Last updated on Jun 04, 2025