Once you have all of the questions and question lists you need in Isora GRC, you can start to create assessments. An assessment can be thought of as a set of questions along with a list of organizational entities that the assessment targets. For each organizational unit affected by the assessment, at least one survey is created. Responsible users within the organizational unit then fill out the surveys. When all surveys of an assessment have been completed and signed off appropriately, the assessment is complete.
Assessments aren't created from the assessment module. They are created using the admin module. Only Isora GRC superusers have the ability to create assessments and publish them to users.
The following flowcharts illustrate many of the aspects of assessments and how they come together to produce surveys for the users.
Figure 8-2 Org Unit Assessment Object Relationships
For app assessments, you can only choose one app to assess for a given assessment. So there is also only one survey produced, which simply consists of the questions in the question list you use when you create the assessment.
Figure 8-3 App Assessment Object Relationships
Assessment Types
Assessment types are used to track the same assessment when you run it multiple times in a series. The types are driven by the needs of your organization, and often tied to governmental regulatory requirements. Each time you are going to start a new series of related assessments, you should start by creating a new assessment type.
Click “manage assessment types” to see a list of existing types, edit or remove them, or add a new one. You can also upload a simple CSV where each line has the name of an assessment type.
Assessment types have different target types, depending on what they assess. For example, if you're assessing the security of an application, the target would be "app". The "org unit" target refers to an assessment which includes OU-level questions and classification of all hosts on sheets that belong to the OU. You can rename an existing assessment type, but you can't change its target type.
Expect future updates to allow Isora GRC to support additional target types.
See also: Setting up Assessments