Once you have all of the questions and question lists you need in Isora GRC, you can start to create assessments. Currently, Isora GRC supports three different types of assessments that target different types of entities. They are organizational, app, and vendor.

Organizational Assessments

An organizational assessment can be thought of as a set of questions along with a list of organizational entities that the assessment is targeting. For each organizational unit affected by the assessment, at least one survey will be created. Responsible users within the organizational unit then fill out the surveys. When all surveys of an assessment have been completed and signed off appropriately, the entire assessment is complete.

Organizational assessments are not created from the Assessment page. They are created on the Settings page. Only Isora GRC superusers have the ability to create organizational assessments and publish them to users.

The following flowcharts illustrate many of the aspects of organizational assessments and how they come together to produce surveys for the users.

...

Figure 1: Org Unit Assessment Object Relationships

In the latest version of Isora GRC, the host categorization part of organizational assessments is optional. In earlier versions, it was required, even if included org units had no hosts.

App Assessments

For app assessments, you can only choose one app to assess for a given assessment. So there is also only one survey produced, which simply consists of the questions in the question list you use when you create the assessment, and an overall classification of the app based on the data it has access to.

...

Figure 8-3 App Assessment Object Relationships

App assessments can be created from the Settings page by a superuser, or from the Assessments page by an Assessment Manager.

...

Figure 2: App Assessment Question Object Relationships

Vendor Assessments

Vendor assessments are targeted toward third-party products. Unlike other types of assessments, any Isora GRC user with any role in an organizational unit can create or edit a vendor assessment. By default, vendor assessments are visible only to other members of the org unit that created the assessment, but you can make them visible to everyone.

A vendor assessment includes a target, which is a specific vendor product, and a question list. There is just one survey, and it’s usually filled out by means of an external link provided to the vendor representative. The vendor rep does not need to log into Isora GRC to access the link. Alternatively, a local Isora GRC user could fill out the survey.

...

Assessment Series

Assessment series are used to track the same assessment when you run it multiple times in a series. The series are driven by the needs of your organization, and are often tied to governmental regulatory requirements. Each time you are going to start a new series of related assessments, you should start by creating a new assessment series.

Click “manage assessment types” to see a list of existing types, edit or remove them, or add a new one. You can also upload a simple CSV where each line has the name of an assessment type.

...

Info

Expect future updates to allow Isora GRC to support additional target types.

Creating or Editing Assessments

To work with assessments, click the “manage assessments” link. In the table, you can see a list of existing assessments. A value of published=“yes” means that the assessment has been published to Isora GRC, and surveys are available to users. It does not indicate whether any individual surveys of the assessment have been launched.

All assessments that have ever been created will be listed here. This allows you to see both current and historical data. You can remove assessments by clicking the X next to them. You can also edit an existing assessment, or click the + button to create a new one.

...

The page you see when you edit an existing assessment is just like what you see when you create a new one, except it’s already filled in with existing data.

Historically, assessments would be targeted to one or more organizational units. In current versions of Isora GRC, you can create assessments that target various types of entities. Depending on the target type of an assessment, different options will be presented when you create a new assessment.

To create a new one, click the + button. This starts a 2-step process. In the first step, you assign a name, due date and assessment type. Depending on the type you choose, the following drop-down will be populated with question lists that are appropriate for the target type of the assessment. If this is a draft and you don't want anyone to actually start the assessment yet, leave the "publish on create" box unchecked.

...

Click “next” to proceed to the second step of the process. Depending on what type of assessment you are creating, the next step will offer different options. For example, if the target of the assessment type is "app," you type the name of the app you want to assess into the search box.

...

If the type of assessment you are doing includes unit-level questions, then you'll be presented with a list of organizational units, so you can choose whichever ones you want to include. Each OU chosen will result in a survey being published once the assessment is launched, and whoever has the authority within that OU will be able to answer the questions.

...

Continue clicking the checkboxes next to the OU names and filling out the forms for each OU, until all of the OUs that you want have been included. If you check the checkbox to “skip org units without sheets,” then any OUs that do not have any sheets of hosts will not be included in the assessment, even if you selected them. Until it has been published, you can edit the assessment later to add or remove OUs, or even change the assessment type or question list. Once published, you won’t be able to edit the assessment.

Click the “create” button to save the new assessment.

If you save an assessment without publishing it, you will see a published value of “no” in the assessments table. You can edit the assessment to make whatever changes you still need, then check the “published” checkbox to publish it later.

...

Once an assessment has been published, the assessment managers and other Isora GRC users can view and work with it on the assessment module when they log in.

If you want to do a one-off assessment, you still need to create at least one assessment series with the appropriate target type because Isora GRC doesn’t directly support the concept of one-off assessments. Typically, all vendor assessments are considered part of the same series.

Only superusers can create or edit assessment series.

Related content:

Creating Organizational Assessments

See also: Setting Up Assessments

Questions- the Building Blocks of an Assessment

Working With Questions

Working With Answer Response Groups