Risk Ledger Terminology

This article will guide you through the terminology we use on the Risk Ledger platform.

Written by Kian
Updated over 6 months ago

We appreciate that our terminology might be new to you, so below we have included a brief definition of the common terms you will come across when using Risk Ledger.

Action

An event that requires an organisation to perform a function in order to close. An action can be sent from one organisation to another and be incoming or outgoing.

Answer

A response made by a supplier to a specific control, including notes and evidence.

Client

An organisation that is running an assurance programme and has connections to many suppliers.

Connection

The relationship between a client and supplier. The client can set tags on the connection.

Control

A question that suppliers answer, and clients set requirements on.

Domain

A grouping of controls.

Exemption

Applied by a client to a supplier's answers, exempting them from the requirement and changing non-compliance into compliance.

Non-Compliance

Applied by a client to a supplier's answer, changing compliance into non-compliance.

Notification

An event that an organisation should be aware of, but may not require a response.

Organisation

Represents the main entities that use the platform, whether as a client or supplier.

Policy

A group of requirements, one per control. Made by clients and applied to suppliers via tags.

Policy Stacking

A stack of Policies is the set of all Policies that apply to a single supplier. They are reconciled, with the highest level of control requirements being applied to the supplier.

Remediation

An action applied by a client to a supplier's answer, requesting the supplier to remediate a non-compliant answer.

Review

A confirmation from a supplier that each of their answers is up-to-date and correct at the time of the review.

Supplier

An organisation that is assessed on its security controls and has connections to clients.

Tag

A label that is applied by a client to a connection with a supplier. Includes a criticality rating, a data confidentiality rating and a PII flag.

User

Describes an individual person's account which is associated with an organisation.


💡 If there is anything we haven't covered, please feel free to contact us at support@riskledger.com or alternatively, select the Chat icon in the bottom right corner.
