Once you have all of the questions and question lists you need in Isora GRC, you can start to create assessments. Currently, Isora GRC supports three types of assessments, each targeting a different type of entity: organizational, app, and vendor.
Organizational Assessments
An organizational assessment can be thought of as a set of questions along with a list of organizational entities that the assessment is targeting. For each organizational unit that is affected by the assessment, a survey is created. Responsible users within the organizational unit then fill out the surveys. When all surveys of an assessment have been completed and signed off appropriately, the entire assessment is complete.
...
Figure 1: Org Unit Assessment Object Relationships
In the latest version of Isora GRC, the host categorization part of organizational assessments is optional. In earlier versions, it was required, even if included org units had no hosts.
App Assessments
For app assessments, you can choose only one app to assess in a given assessment. As a result, only one survey is produced. It consists of the questions in the question list you use when you create the assessment, and an overall classification of the app based on the data it has access to. App assessments can be created from the Settings page by a superuser, or from the Assessments page by an Assessment Manager.
...
Figure 2: App Assessment Question Object Relationships
Vendor Assessments
Vendor assessments are targeted toward third-party products. Unlike other types of assessments, any Isora GRC user with any role in an organizational unit can create or edit a vendor assessment. By default, vendor assessments are visible only to other members of the org unit that created the assessment, but you can make them visible to everyone.
A vendor assessment includes a target, which is a specific vendor product, and a question list. There is just one survey, and it’s usually filled out by means of an external link provided to the vendor representative. The vendor rep does not need to log into Isora GRC to access the link. Alternatively, a local Isora GRC user could fill out the survey.
...
Assessment Series
Assessment series (formerly referred to as “assessment types”) are used to track the same assessment when you run it multiple times in a series. The series are driven by the needs of your organization and are often tied to governmental regulatory requirements. Each time you are going to start a new series of related assessments, you should start by creating a new assessment series.
...