Once you have all of the questions and questionnaire templates (formerly question lists) you need in Isora GRC, you can start to create assessments. Currently, Isora GRC supports three assessment methodologies, each targeting a different type of entity: unit (formerly organizational), application (formerly app), and third-party vendor product (formerly vendor).
Unit Assessments
A unit assessment can be thought of as a set of questions together with a list of organizational entities (units) that the assessment targets. For each unit included, a survey is created, and the responsible users within that unit fill out their survey. When all surveys in an assessment have been completed and signed off appropriately, the entire assessment is complete.
The following diagrams illustrate many of the aspects of unit assessments and question objects and how they come together to produce surveys for the users.
[Diagram: Org Unit Assessment Object Relationships, old UI terminology]
[Diagram: Org Unit Assessment Object Relationships, new UI terminology]
Application Assessments
For application assessments, you can choose only one application to assess in a given assessment, so only one survey is produced. That survey consists of the questions in the questionnaire template you select when creating the assessment, plus an overall classification of the application based on the data it has access to. Application assessments can be created from the Settings page by a superuser, or from the Assessments page by an Assessment Manager for the unit that owns the application.
The following diagrams illustrate the relationships between various objects involved with application assessment.
[Diagram: App Assessment Question Object Relationships, old UI terminology]
[Diagram: App Assessment Question Object Relationships, new UI terminology]
Third-Party Vendor Product Assessments
These assessments target third-party vendor products in inventory. Any Isora GRC user with the vendor requester role or higher in a unit can work with third-party vendor product assessments. By default, these assessments are visible to everyone, but you can make them private so that only members of the org unit that created the assessment can see them. It is also possible to share these assessments with other instances of Isora GRC.
To create one, you need a target, which is a specific third-party vendor product, and a questionnaire template that targets vendors. There is just one survey, and it is usually filled out through an external link provided to the vendor representative; the vendor representative does not need to log into Isora GRC to use the link. Alternatively, a local Isora GRC user can fill out the survey.
In the new UI, when you create a new third-party vendor product assessment, you fill out an intake step which creates a product deployment object. In the old UI, product deployments are optional.
[Diagram: Third-Party Vendor Product Assessment Object Relationships, old UI terminology]
[Diagram: Third-Party Vendor Product Assessment Object Relationships, new UI terminology]
Assessment Series
Assessment series group repeated runs of the same type of assessment so they can be tracked together. How a series is defined is driven by the needs of your organization, and is often tied to governmental regulatory requirements. Each time you are going to start a new set of related assessments, you should begin by creating a new assessment series.
If you want to run a one-off assessment, you still need to create at least one assessment series with the appropriate target type, because Isora GRC does not directly support the concept of one-off assessments. Typically, all vendor assessments are considered part of the same series.
Only superusers can create or edit assessment series.
See also: Questions - the Building Blocks of an Assessment