What do assessments consist of?

Once you have all of the questions and question lists you need in Isora GRC, you can start to create assessments. Currently, Isora GRC supports three different types of assessments that target different types of entities. They are organizational, app, and vendor.

Organizational Assessments

An organizational assessment can be thought of as a question list paired with the list of organizational entities that the assessment is targeting. For each organizational unit affected by the assessment, a survey is created, and responsible users within that organizational unit fill out the survey. When all surveys of an assessment have been completed and signed off appropriately, the entire assessment is complete.

Organizational assessments are not created from the Assessment page. They are created on the Settings page. Only Isora GRC superusers have the ability to create organizational assessments and publish them to users.

The following flowcharts illustrate many of the aspects of organizational assessments and how they come together to produce surveys for the users.

Figure 1: Org Unit Assessment Object Relationships

In the latest version of Isora GRC, the host categorization part of organizational assessments is optional. In earlier versions, it was required, even if included org units had no hosts.

App Assessments

For app assessments, you can only choose one app to assess for a given assessment. So there is also only one survey produced, which simply consists of the questions in the question list you use when you create the assessment, and an overall classification of the app based on the data it has access to. App assessments can be created from the Settings page by a superuser, or from the Assessments page by an Assessment Manager.


Figure 2: App Assessment Question Object Relationships

Vendor Assessments

Vendor assessments are targeted toward third-party products. Unlike other types of assessments, any Isora GRC user with any role in an organizational unit can create or edit a vendor assessment. By default, vendor assessments are visible to only other members of the same org unit that created the assessment, but you can make them visible to everyone.

A vendor assessment includes a target, which is a specific vendor product and a question list. There is just one survey, and it’s usually filled out by means of an external link provided to the vendor representative. The vendor rep does not need to log into Isora GRC to access the link. Alternatively, a local Isora GRC user could fill out the survey.
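The object relationships and access rules described in the three sections above (one survey per targeted org unit, a single survey for app and vendor assessments, completion only after every survey is completed and signed off, and who may create or view each type), worked through as an added illustrative model. This is not Isora GRC code; the class and function names are hypothetical, and the role label "assessment_manager" is an assumed representation of the Assessment Manager role.

```python
from dataclasses import dataclass, field
from typing import Optional

ASSESSMENT_MANAGER = "assessment_manager"  # assumed role label, not a product identifier

@dataclass
class User:
    name: str
    superuser: bool = False
    org_unit_roles: dict = field(default_factory=dict)  # org unit name -> role in that unit

@dataclass
class Survey:
    target: str          # org unit, app, or vendor product the survey is about
    completed: bool = False
    signed_off: bool = False

@dataclass
class Assessment:
    kind: str            # "organizational", "app", or "vendor"
    question_list: list
    targets: list
    surveys: list = field(default_factory=list)
    owner_org_unit: Optional[str] = None  # org unit that created a vendor assessment
    visible_to_all: bool = False          # vendor assessments default to org-unit-only visibility

def can_create(user: User, kind: str) -> bool:
    """Least-privilege check mirroring the page: org = superuser only; app = superuser or
    Assessment Manager; vendor = any user holding any role in an org unit."""
    if kind == "organizational":
        return user.superuser
    if kind == "app":
        return user.superuser or ASSESSMENT_MANAGER in user.org_unit_roles.values()
    if kind == "vendor":
        return bool(user.org_unit_roles)
    raise ValueError(f"unknown assessment kind: {kind}")

def create_assessment(user: User, kind: str, question_list: list, targets: list,
                      owner_org_unit: Optional[str] = None) -> Assessment:
    if not can_create(user, kind):
        raise PermissionError(f"{user.name} may not create {kind} assessments")
    if kind in ("app", "vendor") and len(targets) != 1:
        raise ValueError(f"{kind} assessments take exactly one target")
    assessment = Assessment(kind, question_list, targets, owner_org_unit=owner_org_unit)
    # One survey per targeted org unit; app and vendor assessments therefore get one survey.
    assessment.surveys = [Survey(target) for target in targets]
    return assessment

def is_complete(assessment: Assessment) -> bool:
    """An assessment is complete only when every survey is both completed and signed off."""
    return all(s.completed and s.signed_off for s in assessment.surveys)

def can_view_vendor_assessment(user: User, assessment: Assessment) -> bool:
    return assessment.visible_to_all or assessment.owner_org_unit in user.org_unit_roles
```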

Assessment Series

Assessment series are used to track the same assessment when you run it repeatedly over time. The cadence of a series is driven by the needs of your organization, and is often tied to governmental regulatory requirements. Each time you are going to start a new run of related assessments, you should begin by creating a new assessment series.

If you want to do a one-off assessment, you still need to create at least one assessment series with the appropriate target type because Isora GRC doesn’t directly support the concept of one-off assessments. Typically, all vendor assessments are considered part of the same series.

Only superusers can create or edit assessment series.

Future updates are expected to add support for additional target types.

Related content:

https://saltycloud.atlassian.net/wiki/spaces/TES/pages/1307967609

https://saltycloud.atlassian.net/wiki/spaces/TES/pages/1275463545

https://saltycloud.atlassian.net/wiki/spaces/TES/pages/1275463617