Object Definitions
To get the most out of ZenGRC, you need a solid understanding of its basic object definitions. Later we will provide a Style Guide in which you establish how you want your content to appear within ZenGRC; for that to be effective, you must first understand the criteria below.
Program
Programs are typically standardized, industry-wide compliance frameworks issued by authoritative sources. In ZenGRC, a program contains all objects related to one authoritative source: directives (regulations, contracts, clauses, standards, policies, or sections), objectives and controls, assets and risks, and so on. Each of these object types can be mapped to its program within ZenGRC. Examples of typical programs are PCI DSS, FedRAMP, HIPAA, and SOC 2, but because ZenGRC is not tied to a fixed set of frameworks, any program can be set up in minutes. The Audit functionality of ZenGRC is usually run against a Program, to assess the effectiveness of the controls and objectives put in place to maintain compliance with that Program.
Directives
Regulations - A directive issued by an authoritative source, typically a government or regulator (e.g. SOX, FISMA)
Standards - A directive set by a third-party agency, industry group or other non-governmental entity (e.g. ISO 27001, PCI DSS)
Policies - A business principle that guides operations
Contracts - A legal agreement between business parties
Clause - A portion of a Contract object
Section - A portion of a Regulation, Policy, or Standard object
Objectives/Controls
Because both objectives and controls describe how compliance requirements are met, the two objects are often confused in ZenGRC. It is up to you to decide where to draw the line between controls and objectives. Below, we offer our definitions of the two objects.
Objectives are broad statements of what must be achieved to satisfy a compliance requirement. Because they leave room for interpretation, different companies read the same objective differently, and more specific, actionable controls are put in place to ensure that each objective is met. We define an objective as a goal that serves to uphold a compliance requirement (the opposite of a risk).
Controls are prescriptive rules or procedures put in place to ensure a company meets its compliance goals. Often they are step-by-step instructions or requirements that, when satisfied, provide assurance of compliance. We define a control as a company's solution that mitigates risks and supports compliance with the objective it is mapped to.
Risks - Considerations, events, activities, etc. that may reduce the chances an organization will achieve its strategy and goals
Threat Actors - Individuals or organizations that pose a risk from an outsider, insider or partner position
Audits - Official inspections of an individual's or organization's controls and/or accounts, typically by independent bodies
Control Assessments - A conclusion about a control's effectiveness at a point in time, with regard to a specific selection of mapped objects
Issues - A gap or finding that requires remediation or acceptance
Requests - An audit task that requires a response, usually with evidence attached
Other ZenGRC Objects
People - Individual ZenGRC users or company stakeholders
Org Groups - A team or department
Vendors - A company that provides products or services
Access Groups - An object to manage edit levels for a collection of users (beta)
Systems - A company's physical or IT asset
Processes - A series of actions or steps
Data Assets - Information that requires protection, such as a user list
Products - A service or product delivered to customers, closely related to Systems
Projects - A planned set of tasks to be executed over a fixed period
Facilities - A building or business location
Markets - An area where products or services are sold
Feature Definitions
System of Record
ZenGRC's system of record tracks your compliance posture and your compliance universe (the set of objects in scope). Its interface lets you customize attributes without development effort and map many-to-many relationships between all of the objects that matter to your company.
Workflow
The workflow feature enables you to complete typical compliance-related tasks such as document requests. Because workflows are flexible, they can also be used to manage the tasks of any project or process within the scope of your business operations. Workflows can be set up with varying frequencies such as daily, weekly, monthly, quarterly, annually, and so on. A workflow can be broken into task groups, and within each task group specific tasks/requests can be created and assigned to specific ZenGRC users. Objects can be mapped to task groups, and each task can be assigned to a specific person. Please view our other video on workflows for an advanced tutorial.
Audit
Our Audit module supports three use cases:
Reporting
1) Downloadable reports - .csv exports that let you pull any piece of information from your system of record
2) Reporting dashboards - executive level visibility into onboarding progress, as well as transparency into the project management of an audit