Risk & Compliance Management

Compliance built for real security teams

Two purpose-built platforms — one for ISO/SOC 2/TISAX, one for CMMC/NIST/HIPAA — sharing a common risk engine, asset inventory, BIA module, and evidence management system.

RiskABC
ISO · SOC 2 · TISAX platform
ISO 9001:2015 · ISO 20000 · ISO 22301 · ISO 27001:2022 · ISO 27701 · ISO 42001 · TISAX · SOC 2
RiskABC Gov
CMMC · NIST · HIPAA platform
CMMC 2.0 — 110 practices · NIST SP 800-171 — 110 controls · HIPAA — 42 safeguards
Two platforms, one ecosystem

The right tool for every compliance program

RiskABC handles ISO and commercial standards. RiskABC Gov handles US government and regulated industry compliance. Both share the same risk engine and scoring model.

RiskABC

ISO & commercial compliance — your way

Manage controls across ISO 27001, ISO 9001, ISO 22301, ISO 27701, ISO 42001, ISO 20000-1, TISAX VDA ISA 6.0, and SOC 2 — simultaneously. Switch frameworks in the sidebar; data, risks, and evidence remain consistent.

Statement of Applicability (SOA)
Mark controls Applicable / Not Applicable with exclusion justification. Auto-generates SOA report by domain.
Risk Register with CIA scoring
Asset × Threat pairings. Inherent and residual scores. CIA auto-carries from linked assets. Acceptable risk threshold.
Asset Inventory with CIA ratings
Hardware, Software, Data, People, Service, Facility, Cloud. 4-tier classification with org-level custom labels.
Reports & SOA export
Per-domain charts, implementation %, risk distribution pie. SOA tab shown only for frameworks that require it.
BIA with auto-risk generation
Business Impact Analysis processes auto-create Risk Register entries when impact is Moderate+ or no recovery strategy exists.
Screen mockup: risk.risk-abc.com / risk-register
Sidebar: Dashboard · Controls (SOA) · Risk Register · Assets · Threats · Policies · Evidence · BIA · Reports & SOA · Audit Trail
Stat cards: 14 Total Risks · 8 Open / Active · 3 High / Extreme · 2 Accepted Risks

Risk Name            | Inherent     | Residual  | Treatment | Status
Ransomware on ERP    | 28 — Extreme | 11 — Mod  | Mitigate  | In Treatment
Phishing Attack      | 9 — Mod      | 4 — Low   | Mitigate  | Open
Supplier data breach | 19 — High    | 17 — High | Accept    | Accepted ⚠
Credential theft     | 17 — High    | 7 — Low   | Mitigate  | Closed
RiskABC Gov

CMMC, NIST, and HIPAA compliance

Designed for Defense Industrial Base contractors, federal suppliers, and healthcare organizations. Every required practice and control is ready to work with the moment you log in — no setup needed. POA&M tracking built in.

CMMC 2.0 Level 2 ready
All 110 practices across 14 domains. Per-control status, approval workflow, risk scoring, and evidence collection.
POA&M risk workflow
Accepting a risk above threshold requires documented justification. A POA&M banner is shown on all Accepted risks. The Avoid treatment is not available, because every CMMC practice is mandatory.
NIST SP 800-171 Rev 2
All 110 controls across 14 security requirement families. Shared evidence and risk data with CMMC assessment.
HIPAA safeguards
42 safeguards covering Administrative, Physical, and Technical requirements for Protected Health Information.
Evidence Owner role
Dedicated Evidence Owner role to collect and upload evidence without full compliance officer access. SHA-256 file hashing on all uploads.
Screen mockup: gov.risk-abc.com / controls — CMMC 2.0
Sidebar: Dashboard · Controls · Risk Register · Assets · Threats · Policies · Evidence · BIA · Reports · Audit Trail
Stat cards: 110 Total · 42 Completed · 35 In Progress · 33 Not Started

ID       | Control Name                                 | Status      | Risk      | Evid
AC.1.001 | Limit system access to authorized users      | Completed   | 9 — Mod   | 3
AC.1.002 | Limit system access to types of transactions | In Progress | 17 — High | 1
AC.2.005 | Provide privacy and security notices         | Not Started | 9 — Mod   | 0
IA.1.076 | Identify system users before allowing access | Completed   | 7 — Low   | 5
Framework Coverage

11 frameworks across two platforms

Every framework ships pre-seeded with all controls on first login. No setup. No imports.

RiskABC — ISO & Commercial

ISO 9001:2015
56
Quality Management · Published Sep 2015
Clauses 4–10 covering context, planning, support, operation, evaluation, and improvement.
No SOA required
ISO/IEC 20000-1:2018
46
IT Service Management · Published Sep 2018
IT Service Management System requirements. Service delivery, relationships, resolution, and control processes.
No SOA required
ISO 22301:2019
46
Business Continuity · Published Oct 2019
BCMS requirements for business continuity planning, testing, and operational readiness.
No SOA required
ISO/IEC 27001:2022
93
Information Security · Published Oct 2022
Annex A controls across 4 themes: Organizational, People, Physical, and Technological. SOA required.
SOA · CIA Scoring
ISO/IEC 27701:2025
78
Privacy Management · Second edition 2025
PIMS extension to ISO 27001. Annex A only — 31 PII Controller, 18 PII Processor, and 29 security controls.
SOA · CIA Scoring
ISO/IEC 42001:2023
38
AI Management · Published Dec 2023
AI Management System standard. Governance, risk, transparency, and impact assessment for AI systems.
SOA · CIA Scoring
TISAX VDA ISA 6.0
80
Automotive Info Security · Published Jun 2023
Trusted Information Security Assessment Exchange for the automotive supply chain. Required by major OEMs.
SOA · CIA Scoring
SOC 2 Trust Services
61
Trust Services Criteria · Published Oct 2017
Covers Security, Availability, Processing Integrity, Confidentiality, and Privacy TSCs for service organizations.
SOA · CIA Scoring

RiskABC Gov — Government & Regulated Industries

CMMC 2.0 Level 2
110
Defense Industrial Base · 14 Domains
All 110 practices across AC, AT, AU, CA, CM, IA, IR, MA, MP, PE, PS, RA, SC, SI. POA&M tracking required.
POA&M · CIA Scoring
NIST SP 800-171 Rev 2
110
CUI Protection · 14 Families
Controls for protecting Controlled Unclassified Information in nonfederal systems. Aligned with CMMC 2.0.
CIA Scoring
HIPAA
42
Healthcare Privacy · HHS Regulation
Administrative, Physical, and Technical safeguards for Protected Health Information (PHI) under the HIPAA Security Rule.
CIA Scoring
Risk Engine

One scoring model across all frameworks

Every risk in every framework uses the same CIA-weighted formula. Inherent and residual scores. Org-configurable level labels and acceptable risk threshold.

Inherent Risk Score Formula
RS = I × P + (C + I + A)
Residual: RRS = RI × RP + (C + I + A)  ·  Same CIA values carried from inherent assessment
(The I multiplied by P is the Impact rating; the I inside the parentheses is the Integrity rating.)

P: Probability, 1 – 5
I: Impact, 1 – 5
C·I·A: CIA per dimension, 0 N/A · 1 Low · 2 Med · 3 High
Maximum Score: 34 (I=5, P=5, C+I+A=9)

Risk levels: 0 – 8 Low · 9 – 16 Moderate · 17 – 25 High · 26+ Extreme

Asset CIA auto-population

When a risk is linked to an asset, Confidentiality, Integrity, and Availability values carry over automatically from the asset's ratings — locked and labelled "from asset". Standalone risks prompt the user to set CIA manually.

Auto-copy from asset · Locked when linked · Editable standalone

Acceptable Risk Threshold

Set an org-wide threshold (≤8, ≤16, ≤25, or none). Any risk scoring above it triggers an amber warning badge and banner. Accepting a high-score risk requires a written justification before saving.

⚠ Needs action badge · Justification required
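A worked implementation of the scoring model, the asset-carried CIA values and the acceptable-risk threshold described in this section, added here as an example and not RiskABC's own code. Every function and field name is assumed; the formula, rating ranges, level bands and threshold options come from the page.

```python
"""Added example of the CIA-weighted risk score described above.

Assumed, not from the page: every function and field name. From the page:
RS = Impact x Probability + (C + I + A); Impact and Probability 1..5; each
CIA dimension 0 (N/A) .. 3 (High); bands 0-8 Low, 9-16 Moderate, 17-25 High,
26+ Extreme; org threshold 8, 16, 25 or none; CIA carried to the residual.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LEVEL_BANDS = ((8, "Low"), (16, "Moderate"), (25, "High"))  # 26+ is Extreme


@dataclass(frozen=True)
class Cia:
    """Per-dimension ratings, e.g. carried over from a linked asset."""
    c: int
    i: int
    a: int

    def total(self) -> int:
        for v in (self.c, self.i, self.a):
            if not 0 <= v <= 3:
                raise ValueError("CIA ratings are 0 (N/A) .. 3 (High)")
        return self.c + self.i + self.a


def risk_score(impact: int, probability: int, cia: Cia) -> int:
    """Inherent or residual score: Impact x Probability + (C + I + A)."""
    for v in (impact, probability):
        if not 1 <= v <= 5:
            raise ValueError("Impact and Probability are rated 1..5")
    return impact * probability + cia.total()


def risk_level(score: int) -> str:
    """Map a score to the fixed bands (only the label names are org-editable)."""
    for upper, label in LEVEL_BANDS:
        if score <= upper:
            return label
    return "Extreme"


def assess(inherent: Tuple[int, int], residual: Tuple[int, int], cia: Cia,
           threshold: Optional[int]) -> Tuple[int, int, bool]:
    """Score (impact, probability) pairs with one shared CIA; flag a residual
    above the org threshold (None = no threshold configured)."""
    inh = risk_score(*inherent, cia)
    res = risk_score(*residual, cia)
    return inh, res, threshold is not None and res > threshold


def accept_risk(residual: int, threshold: Optional[int], justification: str) -> str:
    """Accepting a residual above threshold needs a written justification."""
    if threshold is not None and residual > threshold and not justification.strip():
        raise ValueError("justification required to accept a risk above threshold")
    return "Accepted"
```

With CIA (3, 3, 2) carried from an asset, inherent (5, 4) and residual (3, 1) reproduce the 28 — Extreme / 11 — Mod row of the mockup above, and inherent (5, 2) / residual (4, 2) with CIA (3, 3, 3) reproduce the 19 — High / 17 — High row that stays above a threshold of 16.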
RiskABC Modules

Everything in one platform

Twelve integrated modules — from controls to BIA to corrective actions — all framework-aware and org-scoped.

Dashboard
Real-time compliance overview with stat cards, control implementation pie chart, domain-by-domain bar chart, risk distribution, and quick-access tiles. Framework-aware — switches with framework selector.
Pie charts · Bar charts · Risk distribution
Controls & SOA
Full control library with search, domain filter, status, and applicability (SOA) filters. Per-control risk calculator, evidence upload, inline notes. Approval workflow (Not Reviewed → Pending → Approved/Rejected). SOA hidden for non-SOA frameworks.
SOA · Exclusion reasons · Per-control risks
Risk Register
Asset × Threat risk matrix. Inherent and residual scoring with CIA. Standalone risks (no asset) fully supported for ISO 9001, ISO 20000, and other non-IS frameworks. Threshold enforcement.
Mitigate · Accept · Transfer · Avoid
Asset Inventory
7 asset types (Hardware, Software, Data, People, Service, Facility, Cloud). 4-tier sensitivity classification with org-level custom names. Full inventory fields: hostname, serial, manufacturer, location, managed_by. CIA ratings per asset.
7 types · Custom labels · CIA ratings · Risk links
Threat Library
Threats organised by 6 categories: Cyber, Physical, Human, Environmental, Operational, Legal-Compliance. Each threat links to a vulnerability list. Internal, External, and Both sources. Linked to Risk Register entries.
6 categories · Vulnerabilities
Policies
15 policy types (Information Security, Access Control, BCP, Incident Response, Privacy, and more). 5 document kinds. Review date tracking with urgency badges (overdue, ≤30d, ≤90d). Version and approver tracking. Linked controls.
15 types · Review dates · Version control
Evidence Library
6 evidence types with distinct color coding: Policy Doc (blue), Screenshot (purple), Artifact (orange), Text Description (gray), Test Result (green), Certificate (yellow). Linked to controls. Uploaded-by and validation metadata.
6 types · SHA-256 hashing · Validation dates
Reports & SOA
Multi-tab reports: SOA (implementation pie, domain bar chart, applicable vs N/A counts), Risk (distribution by level, treatment type), Summary. SOA tab shown only for SOA-applicable frameworks. CSV export.
Pie charts · CSV export · Framework-aware
BIA — Business Impact Analysis
Document critical business processes with RTO/RPO/MTD, 5-category impact matrix (Financial, Compliance, Operations, Reputation, InfoSec) × 4 time windows. Application dependencies, key personnel, vendors, gaps. Auto-creates Risk Register entries. XLSX import with downloadable template — bulk-load whole programs in one upload.
6-tab form · Impact matrix · Auto-risk gen · XLSX import
Immutable Audit Trail
10 action types: CREATE, UPDATE, DELETE, LOGIN, LOGOUT, EXPORT, UPLOAD, APPROVE, REJECT, VIEW. Immutable log with user name, IP address, timestamp, and failure reason. Click any UPDATE row to see a field-level before / after diff — exactly what changed and what it was.
10 actions · IP logging · Field-level diff
Org Settings
Customise review buffer days (15–90), 4-tier asset classification labels, 4-tier risk level labels, acceptable risk score threshold, and 4-tier BIA criticality tier labels. All labels update live across every module.
Custom labels · Risk threshold · Buffer days
Tasks
Manual and auto-generated work queue. Any risk scoring above your acceptable threshold automatically opens a Task; lower the residual back below threshold and the task closes itself. Status pills, click-to-edit, batched assignment emails so reviewers don't get one notification per task.
Auto from risks · Manual create · Batched email
CA / CI — Corrective & Improvement Actions
Run corrective actions (reactive) and continuous-improvement initiatives (proactive) in one register. Five narrative fields per action: root cause, containment, corrective action, preventive action, effectiveness check. Link any CA/CI to a Task — closing the action auto-completes the task. Verifier signature recorded once effectiveness is confirmed.
Corrective · Improvement · Task tie-in · Verification
Power-user

Bulk operations

Select multiple Assets, Risks, Threats, or BIA processes and delete them in one move. BIA bulk-delete cascades cleanly — auto-generated risks and their open tasks disappear with the parent process. Restricted to Org Admin and Privileged Consultant.

Assets · Risks · Threats · BIA + cascade
Cross-platform

Shared assets across platforms

Run both ISO and Gov programs? Asset inventory built in RiskABC can be imported read-only into RiskABC Gov — no double-entry. Bidirectional opt-in: both sides must agree to the share. Imported assets carry a source badge so it's always clear where they came from.

Read-only on import · Bidirectional opt-in · Source badge
Business Impact Analysis

Full BIA module — both platforms

Document every critical business process, rate its impact across five categories, plan recovery, and auto-generate risks where gaps exist.

Criticality Tiers (RiskABC)

Tier 0
Mission Critical
RTO 0–15 min · Zero tolerance for outage
Tier 1
Essential
RTO ≤ 1 hour · Core operations
Tier 2
Important
RTO ≤ 4 hours · Significant impact
Tier 3
Deferrable
RTO 24h+ · Can tolerate outage

All tier names are fully customizable in Org Settings.

What's captured per process

RTO · RPO · MTD
Recovery Time Objective, Recovery Point Objective, Maximum Tolerable Downtime — in hours.
Recovery Strategies
Current recovery strategy plus alternatives for loss of apps, building/power, phones, and staff.
People, Apps & Vendors
Application dependencies with outage workaround, key personnel cross-training, vendor contacts.
Gap Analysis
Log gaps with action owner, due date, and status. Drives remediation planning.

Impact Matrix — 5 categories × 4 time windows

Category      | 0–4h   | 4–24h  | 1–3 days  | 3+ days
Financial     | Low    | Medium | High      | Very High
Compliance    | None   | Low    | High      | Very High
Operations    | Medium | High   | Very High | Very High
Reputation    | None   | Low    | Medium    | High
Info Security | Low    | Medium | High      | High
⚡ Auto-Risk Generation (RiskABC)

When a BIA process is saved, the system automatically creates a Risk Register entry if:

  • Any impact matrix cell is Medium or higher
  • No recovery strategy / workaround is defined

Risk impact level is derived from the BIA max impact. Name prefixed with [BIA].
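The auto-risk rule above as an added example (not RiskABC's own code): both triggers, the [BIA] name prefix and the maximum-impact derivation come from the page; the mapping of impact labels to the 1–5 Impact rating, the sample matrix (taken from the table above) and every name used here are assumptions.

```python
"""Added example of the BIA auto-risk rule described above (not RiskABC code).

From the page: a saved BIA process creates a Risk Register entry when any
impact cell is Medium or higher, or when no recovery strategy/workaround is
defined; the risk's impact level comes from the process's maximum impact and
its name is prefixed with [BIA]. Assumed: the mapping of impact labels to the
1..5 Impact rating, and every name used here.
"""
from typing import Dict, Optional

IMPACT_LABELS = ("None", "Low", "Medium", "High", "Very High")
# Assumed mapping: position in IMPACT_LABELS + 1 gives the 1..5 Impact rating.
ImpactMatrix = Dict[str, Dict[str, str]]  # category -> time window -> label


def max_impact(matrix: ImpactMatrix) -> str:
    """Highest label across all category x time-window cells."""
    cells = [cell for row in matrix.values() for cell in row.values()]
    unknown = [c for c in cells if c not in IMPACT_LABELS]
    if unknown:
        raise ValueError(f"unknown impact label(s): {unknown}")
    return max(cells, key=IMPACT_LABELS.index, default="None")


def bia_auto_risk(process: str, matrix: ImpactMatrix,
                  recovery_strategy: Optional[str]) -> Optional[dict]:
    """Return the auto-generated risk entry, or None if neither trigger fires."""
    top = max_impact(matrix)
    triggers = []
    if IMPACT_LABELS.index(top) >= IMPACT_LABELS.index("Medium"):
        triggers.append(f"impact {top}")
    if not (recovery_strategy or "").strip():
        triggers.append("no recovery strategy")
    if not triggers:
        return None
    return {
        "name": f"[BIA] {process}",
        "impact": IMPACT_LABELS.index(top) + 1,  # assumed 1..5 mapping
        "max_impact": top,
        "triggers": triggers,
    }


# Constructed sample: the five-category matrix shown on the page.
PAYROLL_MATRIX: ImpactMatrix = {
    "Financial":     {"0-4h": "Low",    "4-24h": "Medium", "1-3 days": "High",      "3+ days": "Very High"},
    "Compliance":    {"0-4h": "None",   "4-24h": "Low",    "1-3 days": "High",      "3+ days": "Very High"},
    "Operations":    {"0-4h": "Medium", "4-24h": "High",   "1-3 days": "Very High", "3+ days": "Very High"},
    "Reputation":    {"0-4h": "None",   "4-24h": "Low",    "1-3 days": "Medium",    "3+ days": "High"},
    "Info Security": {"0-4h": "Low",    "4-24h": "Medium", "1-3 days": "High",      "3+ days": "High"},
}
```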

CMMC 2.0 Level 2

All 14 CMMC domains covered

All 110 practices are ready to work with the moment you log in. Full approval workflow, risk scoring, and POA&M enforcement included.

AC
Access Control
AT
Awareness & Training
AU
Audit & Accountability
CA
Security Assessment
CM
Configuration Management
IA
Identification & Auth
IR
Incident Response
MA
Maintenance
MP
Media Protection
PE
Physical Protection
PS
Personnel Security
RA
Risk Assessment
SC
System & Comms Protection
SI
System & Info Integrity

Role-Based Access Control — both platforms

Org Admin
Full read + write access
Manage users & settings
Delete any record
Compliance Officer
Edit controls & policies
Manage risks & assets
Upload evidence
Risk Manager (RiskABC only)
Full risk register access
Asset management
BIA management
Evidence Owner (Gov only)
Upload evidence
Update control status
Read-only elsewhere
Auditor
Read-only all modules
View audit trail
No write access
Consultant
Same as Compliance Officer
Cannot manage users
Multi-org access
Privileged Consultant
Full write access
Org settings access
Multi-org access
Evidence Management

6 evidence types — linked to controls

Centralized evidence library with type color-coding, file hashing, validation metadata, and per-control evidence counts visible in every controls table.

Policy Document
Uploaded policy, procedure, or standard. PDF/DOCX/XLSX. Shows file name and upload date.
Screenshot
Screen capture demonstrating a control is in place. Images accepted. SHA-256 hash logged.
Artifact
System-generated output — config export, log file, report. Any file type.
Text Description
Free-text description of how a control is implemented. Written attestation.
Test Result
Output from a security test, penetration test, or scan. Linked to the control tested.
Certificate
ISO certificate, third-party audit report, or vendor certification. Expiry tracking.

Audit trail — every action logged

CREATE · Jane Doe · Uploaded Policy Doc for AC.1.001 — Access Control Policy v2.1 · 2 min ago
UPDATE · John Smith · Updated control AC.2.005 status: Not Started → In Progress · 18 min ago
LOGIN · James Doe · Auditor login from 203.0.113.42 — SUCCESS · 1 hr ago
EXPORT · Alice Johnson · Exported SOA Report — ISO/IEC 27001:2022 — 93 controls · 3 hrs ago
DELETE · Bob Williams · Deleted Risk: [BIA] Payroll Processing — Business Continuity Risk · Yesterday
Org Settings

Customize everything to your organization

Classification labels, risk level names, acceptable thresholds, BIA tier names — all configurable per organization with live updates across every module.

📋 Asset Classification Labels
Tier 1 — least sensitive
Public
Tier 2
Internal
Tier 3
Confidential
Tier 4 — most sensitive
Restricted

Stored DB values unchanged — only display names change.

⚠️ Risk Level Labels
Score 0–8 (lowest)
Low
Score 9–16
Moderate
Score 17–25
High
Score 26+ (highest)
Extreme

Score thresholds are fixed — only the label names change.

🎯 Acceptable Risk Threshold
≤ 16
Risks scoring > 16 (the Moderate threshold) are flagged as requiring remediation, or may be accepted with a written justification.
Threshold scale: 0 — Low · 8 — Moderate · 16 — High (← current setting) · 25 — Extreme
📊 BIA Criticality Tier Labels
Tier 0 (0–15 min RTO)
Mission Critical
Tier 1 (≤1h RTO)
Essential
Tier 2 (≤4h RTO)
Important
Tier 3 (24h+ RTO)
Deferrable

Custom names shown in BIA table, badges, and summary cards.

Feature Comparison

RiskABC vs RiskABC Gov

Same risk engine, different compliance programs. Choose the platform that matches your regulatory obligations — or use both.

Feature | RiskABC (ISO / SOC 2) | RiskABC Gov (CMMC / NIST)
Dashboard with domain charts | |
Controls management | 8 frameworks | 3 frameworks
Statement of Applicability (SOA) | ISO 27001, 27701, 42001, TISAX, SOC 2 |
Risk Register (Asset × Threat) | Mitigate / Accept / Transfer / Avoid | Mitigate / Accept / Transfer
CIA scoring in risk formula | All frameworks | All frameworks
Standalone risks (no asset) | |
Risk threshold + justification | | POA&M required
Asset Inventory (7 types, CIA) | |
Threat Library | |
Policy management (15 types) | |
Evidence Library (6 types + SHA-256) | |
Business Impact Analysis (BIA) | Tier 0–3 | Tier 1–4
BIA → Risk auto-generation | |
Immutable Audit Trail | |
Reports & CSV export | SOA + Risk + Summary | Risk + Assessment
Risk Manager role | |
Evidence Owner role | |
Custom classification labels | |
Custom risk level labels | |
Custom BIA tier labels | Tier 0–3 | Tier 1–4
Multi-tenant (org-isolated data) | |
SSO + MFA | |

See RiskABC in action

Schedule a live demo and we'll walk you through both platforms with your specific compliance requirements in mind.

Schedule a Demo
Pick a date and time — we'll show you RiskABC live, tailored to your frameworks.
Book a Demo →
View Pricing
$2,000 per seat per year. All 11 frameworks across both platforms included — no add-on fees.
See Pricing →