Both Platforms
Signing Up & Subscription
Self-service signup happens at onboard.risk-abc.com. Pick the standards you need, set up your seats, accept the legal documents, and you're in. Renewals are managed from the same portal.
1 Create your organization
1
Go to onboard.risk-abc.com
The signup page asks for your name, work email, company name, and a short URL slug for your org.
2
Verify your email
We send a confirmation link. Click it to activate your account. The link expires after 24 hours — request a fresh one from the signup page if needed.
3
Pick at least two frameworks
Choose at least two of the 11 supported standards to start with. The remaining frameworks are available in your account at no extra charge — turn them on whenever you're ready.
4
Accept the legal documents
Review and accept the Terms of Service, Privacy Policy, and Data Processing Addendum.
5
Set up your subscription
Enter your seat count and billing details. We invoice annually. Mid-year seat additions are prorated to your renewal date.
2 Managing seats & renewals
- Add seats mid-year — prorated to your renewal date, no need to wait
- Invite users by email — they receive a one-click activation link
- Renewal notice 30 days before your renewal date with the upcoming amount
- Annual term is locked in once paid — no mid-term cancellations. Downsizes and cancellations take effect at your next renewal date
- Free auditor seats — read-only access for external auditors doesn't consume a seat
ℹ️
Need to talk to a human first? Skip the self-serve flow and
book a demo — we'll set up a sandbox org so you can explore the platform with your real frameworks before you commit.
Both Platforms
Getting Started
Both RiskABC and RiskABC Gov use the same single sign-on (SSO) system. One account gives you access to every platform your organization is subscribed to.
1 Logging In
1
Go to the sign-in portal
Navigate to sso.risk-abc.com, the single sign-on portal for both platforms. After login you'll choose which platform to enter.
2
Enter your email address
Type in your work email and click Continue. Your account is tied to your organization's domain.
3
Enter your password
Type your password. If you've forgotten it, click Forgot password to receive a reset link by email.
4
Complete MFA (if enabled)
If your organization has MFA enabled, open your authenticator app (Google Authenticator, Authy, etc.) and enter the 6-digit code shown.
5
You're in — Dashboard loads automatically
On first login, your controls are automatically loaded in the background. The dashboard shows your current compliance posture immediately.
💡
First time? Your Org Admin will have set up your account. Check your inbox for a welcome email with a one-click magic link to sign in — no password to remember.
Both Platforms
Navigating the App
Both platforms share the same layout: a sidebar on the left for navigation and a main content area on the right.
ℹ️
Switching frameworks — Use the framework selector in the top bar to switch between ISO 27001, SOC 2, TISAX, and other frameworks within the same platform. Your data is kept separate per framework.
Both Platforms
Dashboard
The dashboard gives you an instant snapshot of your compliance posture — control completion, risk exposure, and items needing attention.
What each stat means:
- Total Controls — Total number of controls in the selected framework
- Implemented — Controls marked as fully complete with evidence
- High Risk — Controls whose associated risks score above your high-risk threshold
- Risks Open — Risks that have been identified but not yet assigned a treatment or closed; these require attention
- Completion by Domain — Bar chart showing progress per control domain or theme
Both Platforms
Controls & Statement of Applicability
Controls are the heart of both platforms. Each control maps to a specific requirement in the selected framework. You track status, add evidence, and manage applicability here.
1 Browsing Controls
Example Controls table (illustrative data from the page's screenshot; a search box and Domain / Status filters sit above it):

| ID | Control | Status | Risk | Evidence |
|---|---|---|---|---|
| A.5.1 | Policies for info security | Implemented | 6 — Low | 3 |
| A.5.2 | Information security roles | In Progress | 9 — Mod | 1 |
| A.5.3 | Segregation of duties | Not Started | 17 — High | 0 |
1
Open Controls from the sidebar
Click Controls in the left sidebar. All controls for your active framework load in a paginated table.
2
Filter by Domain or Status
Use the Domain dropdown to narrow to a specific area (e.g. Access Control, Audit). Use Status to show only Not Started or In Progress controls.
3
Search by keyword
Type any word in the search box to filter controls by name in real time.
4
Click a row to open the detail panel
Clicking any control row slides open a detail panel on the right with the full description, scoring, evidence, and edit options.
2 Updating a Control's Status
1
Open the control detail panel
Click any control row in the table to open it.
2
Click Edit
In the detail panel, click the Edit button (pencil icon) to enter edit mode.
3
Set the Status
Choose from: Not Started → In Progress → Implemented. Use Exception for controls that cannot be implemented.
4
Assign an owner (optional)
Select the team member responsible for this control from the Assigned To dropdown.
5
Save
Click Save Changes. The dashboard stats update immediately.
💡
Best practice: Don't mark a control Implemented until at least one piece of evidence is attached, so every Implemented control in your SOA can be backed up when the auditor asks.
3 Adding Evidence to a Control
1
Open the control detail panel
Click the control you want to attach evidence to.
2
Scroll to the Evidence section
The lower portion of the detail panel shows all attached evidence and an Add Evidence button.
3
Choose evidence type and add a title
Select from: Policy Doc · Screenshot · Artifact · Text Description · Test Result · Certificate. Enter a clear, descriptive title.
4
Attach a file (optional)
Click Choose File to upload a document, screenshot, or certificate. Files are hashed on upload for integrity verification.
5
Save the evidence
Click Add. The evidence count on the control row updates immediately.
4 Statement of Applicability (SOA)
The SOA declares which controls are applicable to your organization and why. Required for ISO 27001 certification.
1
Open the control detail panel
Find the control you want to mark as not applicable.
2
Set Applicability
In edit mode, change Applicability to Not Applicable. A reason field appears — choose from the dropdown (Legal/Regulatory, Contractual, Risk Assessment, etc.).
3
Add a justification note
Type a brief explanation in the notes field. This text appears in your exported SOA report.
4
Generate your SOA report
Go to Reports & SOA → click Export SOA to download a CSV or view it on-screen. All applicable/not applicable decisions are included.
⚠️
Gov platform note: In RiskABC Gov (CMMC), all practices are mandatory — you cannot mark controls as Not Applicable. The Applicability field is display-only in CMMC mode.
Both Platforms
Risk Register
The Risk Register captures every identified risk, links it to assets and threats, scores it, and tracks treatment. RiskABC Gov adds POA&M enforcement for high risks.
1 Creating a New Risk
Example Risk Register (illustrative data from the page's screenshot; the + Add Risk button sits top right):

| Risk Name | Score | Status | Treatment |
|---|---|---|---|
| Unauthorised access to CUI | 17 — High | In Treatment | Mitigate |
| Data breach via phishing | 26 — Ext | Open | Mitigate |
1
Click Add Risk
Open the Risk Register from the sidebar and click the + Add Risk button in the top right.
2
Enter a risk name and description
Give the risk a clear, specific name. Example: "Unauthorized access to customer records via weak passwords".
3
Link to an Asset (optional)
Select the asset this risk targets from the dropdown. If the asset doesn't exist yet, add it in the Asset Inventory first.
4
Link to a Threat (optional)
Select the threat that could realize this risk (e.g. External Attacker, Insider Threat). Available on both platforms.
5
Assign an owner and save
Set the risk owner — the person responsible for treatment. Click Create Risk.
2 Scoring a Risk
Risk scores are calculated automatically from the values you enter. The formula is:

Score = (Probability × Impact) + (C + I + A)

Probability and Impact are the values you enter on the risk. C, I and A are the Confidentiality, Integrity and Availability scores (1–3 each) of the asset linked to the risk, so the same Probability × Impact gives a higher score against a more sensitive asset. Note that the I in the second bracket is Integrity, not Impact.
Risk levels:
Low · 0–8
Moderate · 9–16
High · 17–25
Extreme · 26+
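The scoring rule above, carried through in code as an added example (not RiskABC's own code). The formula, the level bands and the 1–3 CIA range are taken from this page; the 1–5 scale for Probability and Impact and the choice to score residual risk with the same asset CIA values are assumptions, as is the Asset shape.

```python
"""Risk scoring from the formula and level bands given on this page.

Added example, not RiskABC's own code. From the page: score =
(Probability x Impact) + (C + I + A); Low 0-8, Moderate 9-16, High 17-25,
Extreme 26+; C, I, A come from the linked asset and are 1-3 each.
Assumptions: Probability and Impact are integers 1-5, and residual risk
is scored with the same asset CIA values (only P and I change).
"""
from dataclasses import dataclass
from typing import Optional

LEVEL_BANDS = ((8, "Low"), (16, "Moderate"), (25, "High"))  # inclusive upper bounds
EXTREME = "Extreme"  # anything above the last band


@dataclass(frozen=True)
class Asset:
    name: str
    c: int  # Confidentiality 1-3
    i: int  # Integrity 1-3
    a: int  # Availability 1-3


def _check(label: str, value: int, lo: int, hi: int) -> None:
    if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
        raise ValueError(f"{label} must be an integer in {lo}..{hi}, got {value!r}")


def cia_sum(asset: Asset) -> int:
    for label, value in (("C", asset.c), ("I", asset.i), ("A", asset.a)):
        _check(label, value, 1, 3)
    return asset.c + asset.i + asset.a


def risk_score(probability: int, impact: int, asset: Asset) -> int:
    _check("Probability", probability, 1, 5)  # 1-5 scale is an assumption
    _check("Impact", impact, 1, 5)
    return probability * impact + cia_sum(asset)


def risk_level(score: int) -> str:
    for upper, label in LEVEL_BANDS:
        if score <= upper:
            return label
    return EXTREME


def score_risk(probability: int, impact: int, asset: Asset,
               residual_probability: Optional[int] = None,
               residual_impact: Optional[int] = None) -> dict:
    """Inherent score/level, plus residual score/level when both residual values are set."""
    inherent = risk_score(probability, impact, asset)
    result = {"score": inherent, "level": risk_level(inherent)}
    if residual_probability is not None and residual_impact is not None:
        residual = risk_score(residual_probability, residual_impact, asset)
        result.update(residual_score=residual, residual_level=risk_level(residual))
    return result


if __name__ == "__main__":
    # Constructed sample: a CUI file share with C=3, I=3, A=2 (CIA sum 8).
    cui_share = Asset("CUI file share", c=3, i=3, a=2)
    # P=3, I=3 -> 9 + 8 = 17 -> High, the same score as the register example above.
    print(score_risk(3, 3, cui_share, residual_probability=1, residual_impact=2))
```

The range checks matter more than they look: a spreadsheet import or an API client that passes a 0 or a 10 would otherwise produce a plausible-looking score in the wrong band, and the band is what drives POA&M and task behaviour later on this page.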
3 Risk Treatment & POA&M
1
Open a risk and click Edit
Click any risk in the register to open its detail panel, then click Edit.
2
Choose a Treatment
Select one:
Mitigate — Implement controls to reduce the risk
Accept — Accept the risk as-is (requires justification if above threshold)
Transfer — Transfer risk to a third party (e.g. insurance)
Avoid — Remove the activity causing the risk (ISO only)
3
Enter treatment notes
Describe the specific actions being taken. This text is included in risk reports and audit exports.
4
Set residual risk scores
After treatment, enter the expected Residual Probability and Residual Impact to show the risk level after controls are applied.
⚠️
Gov Platform — POA&M enforcement: If you select Accept on a risk above your organization's threshold, a POA&M banner is shown and documented justification is required. The Avoid option is not available in Gov (all CMMC practices are mandatory).
Both Platforms
Asset Inventory
The asset inventory catalogs everything your organization relies on — hardware, software, data, people, and services. Assets link directly to risks so you always know what's at stake.
1
Open Assets from the sidebar
Click Assets. The full asset list loads with type icons, classification badges, and CIA scores.
2
Click + Add Asset
Click the button in the top right to open the new asset form.
3
Set the asset type and classification
Type: Hardware · Software · Data/Information · People · Service · Facility · Cloud
Classification: Public · Internal · Confidential · Restricted
4
Score CIA impact (1–3 each)
Set Confidentiality, Integrity, and Availability scores. These feed directly into any risk linked to this asset.
5
Add optional metadata
Optionally fill in owner, department, hostname, serial number, location, and managed-by fields for a full asset record.
ℹ️
Gov platform: An additional CMMC Asset Type field appears with options: CUI Asset · Security Protection Asset · Contractor Risk-Managed Asset · Specialized Asset. This is required for CMMC scoping.
Both Platforms
Threat Library
The Threat Library is a catalog of threat actors and scenarios you face. Linking threats to risks makes your risk register more accurate and your reports more meaningful.
1
Open Threats from the sidebar
Click Threat Library. You'll see a list of all threats with their category, source, and how many risks reference them.
2
Click + Add Threat
Enter a name for the threat (e.g. "Ransomware attack", "Supply chain compromise").
3
Set category and source
Category: Cyber · Physical · Human · Environmental · Operational · Legal/Compliance
Source: Internal · External · Both
4
Link the threat to risks
Go to the Risk Register and select this threat when creating or editing a risk. Linked risks appear in the threat's detail view.
Both Platforms
Policies
Track your organization's security policies with version control, review dates, and direct links to the controls they support.
1
Click + Add Policy
Open Policies in the sidebar and click the add button.
2
Fill in the basics
Enter the policy Name, select its Type (e.g. Information Security, Access Control), and set the Document Kind (Policy, Procedure, Standard, etc.).
3
Set review and approval details
Enter the Review Date, Approver name, and Approval Date. The system emails a reminder when the review date approaches.
4
Link to controls
Use the Linked Controls picker to associate this policy with the specific controls it satisfies. Linked policies appear in the control detail panel.
💡
Policy lifecycle: Policies move through Draft → Under Review → Approved → Expired. Update the status as the document progresses. Expired policies show as a warning on the dashboard.
Both Platforms
Evidence Library
The Evidence Library is a central store of all proof that your controls are implemented. Every piece of evidence is linked to one or more controls, and each uploaded file is recorded with its SHA-256 hash so you can later confirm that the stored file is byte-for-byte what was uploaded. The hash proves the file has not changed since upload; it does not by itself prove who produced the document or when, which is why a Compliance Officer or Org Admin can additionally mark evidence as Validated.
Example Evidence Library (illustrative data from the page's screenshot; the + Upload button sits top right):

| Type | Title | Control | Date |
|---|---|---|---|
| Policy Doc | Information Security Policy v2.1 | A.5.1 | Apr 2026 |
| Screenshot | MFA enabled — all admin accounts | A.8.5 | Apr 2026 |
| Artifact | Pen test report Q1 2026 | A.8.8 | Mar 2026 |
1
Click + Upload Evidence
From the Evidence page or directly from a control detail panel.
2
Enter a title and choose the type
Title is required. Choose from: Policy Doc · Screenshot · Artifact · Text Description · Test Result · Certificate. The type determines the color badge shown.
3
Select the linked control
Use the control picker to link this evidence to one or more controls. This is what makes the evidence count go up on the Controls page.
4
Upload a file (optional)
Attach a PDF, image, or document. The file is SHA-256 hashed on upload — you'll see the hash in the evidence detail for integrity verification.
5
Validate the evidence
A Compliance Officer or Org Admin can mark evidence as Validated with their name and date. Validated evidence carries more weight in audits.
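How to check a downloaded evidence file against the SHA-256 shown in its evidence detail, as an added example that is not RiskABC's code. The page states the algorithm (SHA-256, computed on upload) but not how the digest is displayed, so lowercase hex is assumed; the sample policy bytes are constructed for the demonstration.

```python
"""Verify an evidence file against the SHA-256 recorded at upload.

Added example, not RiskABC's own code. The page says files are SHA-256
hashed on upload and the hash is shown in the evidence detail; it does
not say how the hash is encoded, so lowercase hex is assumed here. The
comparison is constant-time and case-insensitive so a hash copied from
the UI in upper case still verifies.
"""
import hashlib
import hmac

CHUNK_SIZE = 1024 * 1024  # stream large PDFs/artifacts instead of loading them whole


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _normalise(hex_hash: str) -> str:
    value = hex_hash.strip().lower()
    if len(value) != 64 or any(ch not in "0123456789abcdef" for ch in value):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    return value


def verify_evidence(data: bytes, recorded_hash: str) -> bool:
    """True only if `data` hashes to the digest shown in the evidence detail."""
    return hmac.compare_digest(sha256_of_bytes(data), _normalise(recorded_hash))


def verify_evidence_file(path, recorded_hash: str) -> bool:
    """Same check for a file on disk, hashed in chunks."""
    return hmac.compare_digest(sha256_of_file(path), _normalise(recorded_hash))


# Constructed sample evidence (not a real policy document).
SAMPLE_POLICY = b"Information Security Policy v2.1\nApproved: 2026-04-01\n"

if __name__ == "__main__":
    recorded = sha256_of_bytes(SAMPLE_POLICY)  # what the UI would have stored at upload
    print("unchanged file verifies:", verify_evidence(SAMPLE_POLICY, recorded))
    tampered = SAMPLE_POLICY.replace(b"v2.1", b"v2.2")  # one edit changes the whole digest
    print("edited file verifies:", verify_evidence(tampered, recorded))
```

Run the file check against the copy you hand to an auditor, not just against the copy in the platform: the point of the recorded hash is that a third party can reproduce it independently.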
Both Platforms
Business Impact Analysis (BIA)
The BIA module captures recovery requirements for each critical business process. Use it to feed your continuity planning and meet ISO 22301 and CMMC requirements.
1
Open BIA from the sidebar
Click BIA. You'll see any existing business process entries and an + Add Process button.
2
Enter the process name and department
Name it clearly, e.g. "Customer invoicing" or "CUI data processing".
3
Set the Criticality Tier
Choose Tier 1 (Mission Critical), Tier 2 (Important), or Tier 3 (Deferrable). Tier names can be customized in Org Settings.
4
Set RTO, RPO, and MTD
RTO — Recovery Time Objective: how fast you must recover (hours)
RPO — Recovery Point Objective: how much data loss is acceptable (hours)
MTD — Maximum Tolerable Downtime: longest acceptable outage (hours)
5
Add dependencies and key personnel
List the applications, vendors, and key staff this process depends on. This builds the dependency map for your continuity plan.
6
Log gaps
In the Gap Analysis section, record any gaps between current capability and your recovery targets. Assign an owner and due date to each gap.
7 Bulk-loading processes from XLSX
If you've already documented your processes in a spreadsheet — or you're migrating from another tool — skip the manual entry and use the import flow.
1
Click Import on the BIA page
A modal opens explaining how the import works.
2
Download the template (first-timers)
Click ↓ Download Template to get a pre-formatted XLSX with every supported sheet and column. Fill it in offline.
3
Choose your file and upload
Click Choose File… and select your XLSX. The parser reads the Business Processes and RTO sheet to create processes, then walks the other sheets (Standard Applications, Vendors, Key Personnel, Process Inputs/Outputs/Impacts) to attach data to each process by name.
4
Cross-sheet matching is automatic
If your workbook has a wider Critical Processes and RTOs sheet, RPO and MTD values from there are pulled in by matching Business Unit + Application Name — handy when process names diverge between sheets.
5
Review the import summary
After upload you see how many processes were created and any warnings — e.g. a row in the Vendors sheet that didn't match an existing process. Fix the spreadsheet and re-import, or add the missing process manually.
6
Criticality tier is auto-derived
If you don't set a tier, the parser walks the impact matrix and assigns one — Very High → Tier 0, High → Tier 1, Medium → Tier 2, otherwise Tier 3. You can override it later from the process detail screen.
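The import rules in steps 3 to 6, re-implemented as an added example (not RiskABC's parser). Sheets are modelled as lists of row dicts, which is what you get after reading each XLSX sheet with openpyxl or pandas, so the example runs without a spreadsheet library. Sheet names, name-based matching, the Business Unit + Application Name cross-match and the impact-to-tier mapping follow the page; the column names, using the highest impact rating to pick the tier, and the RTO-must-not-exceed-MTD sanity check are assumptions added here.

```python
"""Illustrative re-implementation of the BIA import rules described above.

Added example, not RiskABC's parser. Each sheet is a list of row dicts.
Column names, the choice of the highest impact rating to drive the tier,
and the RTO <= MTD check are assumptions; sheet names, name matching,
Business Unit + Application Name cross-matching and the impact-to-tier
mapping follow the page.
"""
from typing import Dict, List, Tuple

IMPACT_ORDER = ("Low", "Medium", "High", "Very High")
IMPACT_TO_TIER = {"Very High": 0, "High": 1, "Medium": 2}  # anything else -> Tier 3
ATTACH_SHEETS = {  # secondary sheet -> (field on the process, column holding the value)
    "Standard Applications": ("applications", "Application"),
    "Vendors": ("vendors", "Vendor"),
    "Key Personnel": ("personnel", "Person"),
    "Process Impacts": ("impacts", "Impact"),
}


def _name_key(row: dict) -> str:
    return str(row.get("Process Name") or "").strip().casefold()


def derive_tier(impacts: List[str]) -> int:
    """Highest impact rating across the process's rows decides the tier (assumption)."""
    rated = [i for i in impacts if i in IMPACT_ORDER]
    if not rated:
        return 3
    return IMPACT_TO_TIER.get(max(rated, key=IMPACT_ORDER.index), 3)


def import_bia(workbook: Dict[str, List[dict]]) -> Tuple[List[dict], List[str]]:
    """Returns (created processes, warnings) for a workbook of sheet name -> rows."""
    processes: Dict[str, dict] = {}
    warnings: List[str] = []
    for row in workbook.get("Business Processes and RTO", []):
        if not _name_key(row):
            warnings.append("Business Processes and RTO: row without a Process Name skipped")
            continue
        processes[_name_key(row)] = {
            "name": row["Process Name"].strip(),
            "business_unit": row.get("Business Unit"), "application": row.get("Application Name"),
            "rto": row.get("RTO (hours)"), "rpo": row.get("RPO (hours)"),
            "mtd": row.get("MTD (hours)"), "tier": row.get("Criticality Tier"),
            "applications": [], "vendors": [], "personnel": [], "impacts": [],
        }
    for sheet, (field, column) in ATTACH_SHEETS.items():  # attach rows by process name
        for row in workbook.get(sheet, []):
            proc = processes.get(_name_key(row))
            if proc is None:
                warnings.append(f"{sheet}: no process named {row.get('Process Name')!r}")
            else:
                proc[field].append(row.get(column))
    wide = {(r.get("Business Unit"), r.get("Application Name")): r  # cross-sheet match
            for r in workbook.get("Critical Processes and RTOs", [])}
    for proc in processes.values():
        match = wide.get((proc["business_unit"], proc["application"]))
        for field, column in (("rpo", "RPO (hours)"), ("mtd", "MTD (hours)")):
            if proc[field] is None and match is not None:
                proc[field] = match.get(column)
        if proc["tier"] is None:
            proc["tier"] = derive_tier(proc["impacts"])
        if None not in (proc["rto"], proc["mtd"]) and proc["rto"] > proc["mtd"]:
            warnings.append(f"{proc['name']}: RTO {proc['rto']}h exceeds MTD {proc['mtd']}h")
    return list(processes.values()), warnings


SAMPLE_WORKBOOK = {  # constructed sample, not a real customer workbook
    "Business Processes and RTO": [
        {"Business Unit": "Finance", "Process Name": "Customer invoicing", "Application Name": "ERP",
         "RTO (hours)": 8, "RPO (hours)": 4, "MTD (hours)": 24},
        {"Business Unit": "Programs", "Process Name": "CUI data processing", "Application Name": "GCC High",
         "RTO (hours)": 48, "RPO (hours)": None, "MTD (hours)": None},
    ],
    "Critical Processes and RTOs": [
        {"Business Unit": "Programs", "Application Name": "GCC High", "RPO (hours)": 1, "MTD (hours)": 12},
    ],
    "Vendors": [
        {"Process Name": "Customer invoicing", "Vendor": "ERP SaaS Inc"},
        {"Process Name": "Payroll", "Vendor": "PayCo"},  # no such process -> warning
    ],
    "Process Impacts": [
        {"Process Name": "cui data processing", "Impact": "Very High"},  # case differs; still matches
        {"Process Name": "Customer invoicing", "Impact": "Medium"},
    ],
}

if __name__ == "__main__":
    created, issues = import_bia(SAMPLE_WORKBOOK)
    for p in created:
        print(p["name"], "tier", p["tier"], "RTO/RPO/MTD", p["rto"], p["rpo"], p["mtd"])
    print("\n".join(issues))
```

The RTO > MTD warning is the check worth keeping even if nothing else from this example is reused: a recovery objective longer than the maximum tolerable downtime is a spreadsheet error that no cross-sheet matching will catch, and it silently invalidates the continuity plan built on it.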
💡
Made a mistake? Use the Select button on the BIA list, tick everything you want to remove, then click the Delete button (it shows the count of selected items). Bulk delete cascades — auto-generated risks and their open tasks disappear with the parent process. Restricted to Org Admin and Privileged Consultant.
Both Platforms
Tasks
Tasks are the platform's work queue. Some are entered manually; others appear automatically when a risk crosses your acceptable threshold.
1 Where tasks come from
- Auto from risks — any risk with a residual score above your org's acceptable threshold opens a task automatically. Bring the residual back below threshold and the task closes itself.
- Manual — click + New Task on the Tasks page to create one yourself: title, description, assignee, priority, due date.
- From CA / CI — closing a corrective or improvement action linked to a task auto-completes that task (Done if Closed, Dismissed if Cancelled).
2 Working a task
1
Open Tasks from the sidebar
Status filter pills run across the top — Open / In Progress / Done / Dismissed.
2
Click any row to edit
Update assignee, priority, due date, or move the status forward. Status changes log to the audit trail.
3
Use Re-sync from risks if needed
If you've changed your acceptable threshold and want every existing risk re-evaluated, click this once — the system opens new tasks for any risk now above threshold and dismisses tasks for risks now below.
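The open/close rule and the Re-sync behaviour above, written out as an added example (not RiskABC's code). The rules are the page's; the strict "greater than threshold" reading, one auto task per risk, routing the task to the risk owner, and reopening a task that was Done while the risk is still above threshold are assumptions, and the sample register is constructed.

```python
"""Task auto-sync from residual risk scores, as described in this section.

Added example, not RiskABC's code. Rules from the page: a risk whose
residual score is above the org's acceptable threshold opens a task
automatically; bringing the residual back below threshold closes it;
Re-sync applies both rules to every risk at once; several assignments in a
short window go out as one digest email. Assumptions: 'above threshold'
means strictly greater than, each risk has at most one auto task, the task
goes to the risk owner, and a risk with a Done or Dismissed task that is
above threshold again gets a fresh Open task.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

ACTIVE = {"Open", "In Progress"}


def resync_tasks(risks: Dict[str, dict], tasks: Dict[str, str], threshold: int
                 ) -> Tuple[Dict[str, str], List[str], List[str]]:
    """risks: risk id -> {"residual": int, "owner": str}; tasks: risk id -> auto-task status.
    Returns (updated task map, risk ids newly opened, risk ids dismissed)."""
    updated = dict(tasks)
    opened: List[str] = []
    dismissed: List[str] = []
    for risk_id, risk in risks.items():
        active = updated.get(risk_id) in ACTIVE
        if risk["residual"] > threshold and not active:
            updated[risk_id] = "Open"
            opened.append(risk_id)
        elif risk["residual"] <= threshold and active:
            updated[risk_id] = "Dismissed"
            dismissed.append(risk_id)
    return updated, opened, dismissed


def digest_emails(risks: Dict[str, dict], opened: List[str]) -> Dict[str, List[str]]:
    """Group newly opened tasks by owner: one message per person, not one per task."""
    per_owner: Dict[str, List[str]] = defaultdict(list)
    for risk_id in opened:
        per_owner[risks[risk_id]["owner"]].append(risk_id)
    return dict(per_owner)


# Constructed sample register (ids, owners and residual scores are made up).
SAMPLE_RISKS = {
    "R-01": {"residual": 17, "owner": "alice"},   # above 16 and no task yet -> opens
    "R-02": {"residual": 16, "owner": "bob"},     # exactly at threshold -> task dismissed
    "R-03": {"residual": 20, "owner": "alice"},   # Done task but still above -> reopened
    "R-04": {"residual": 9, "owner": "bob"},      # low and no task -> untouched
}
SAMPLE_TASKS = {"R-02": "Open", "R-03": "Done"}

if __name__ == "__main__":
    tasks, opened, dismissed = resync_tasks(SAMPLE_RISKS, SAMPLE_TASKS, threshold=16)
    print("tasks:", tasks)
    print("digest per owner:", digest_emails(SAMPLE_RISKS, opened))
```

Running the sync twice must change nothing the second time; if your own implementation of this rule is not idempotent, a Re-sync click will churn tasks and flood the digest.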
📧
Email batching — if you're assigned multiple tasks in a short window, you receive one consolidated digest email instead of a flood. Quiet by design.
Both Platforms
CA / CI — Corrective & Improvement Actions
Where Tasks track the work, CA / CI tracks the investigation behind the work. Use it to document root cause, the fix, and the proof that the fix held.
1 Corrective vs. Improvement
2 Filling out an action
1
Open CA / CI from the sidebar
Sits directly under Tasks. Click + New CA / CI.
2
Pick the kind
Corrective or Improvement. The form is the same — just labels for filtering.
3
Fill the five narrative fields
Root cause — what really caused it
Containment — what you did immediately to limit damage
Corrective action — what you're doing to fix it
Preventive action — what you're doing so it doesn't happen again
Effectiveness check — how you'll prove the fix held
4
Link a Task (optional)
Pick an existing task to tie this CA / CI to it. Closing the action will auto-complete the linked task; cancelling it dismisses the task.
5
Move through the statuses
Open → In Progress → Pending Verification → Verified → Closed. To Close, both Corrective Action and Effectiveness Check must be filled in.
6
Verifier signs off
Once status is Verified, the page shows a green "Verified by … on …" banner. That's your audit-ready record that the effectiveness check passed.
ℹ️
Who can close? Closing requires Compliance Officer or higher. In RiskABC ISO this is tighter than the edit permission — Risk Manager can edit a CA / CI but not close it.
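The status flow, the close preconditions, the verifier banner and the linked-task side effects from this section, as an added example (not RiskABC's code). The rules are the page's; treating Org Admin as the only role above Compliance Officer, allowing Cancel from any non-final status, and enforcing a role only on Close (the page names no role for the other steps) are assumptions, and the sample action and task are constructed.

```python
"""CA / CI status workflow from this section (added example, not RiskABC code).

Page rules: Open -> In Progress -> Pending Verification -> Verified -> Closed;
closing needs both Corrective Action and Effectiveness Check filled in and
Compliance Officer or higher; Verified records who and when; closing marks
the linked task Done, cancelling marks it Dismissed. Assumptions: Org Admin
is the only role above Compliance Officer, Cancelled is allowed from any
non-final status, and no role is checked for the other transitions.
"""
from dataclasses import dataclass
from typing import Optional

STATUSES = ["Open", "In Progress", "Pending Verification", "Verified", "Closed"]
CAN_CLOSE = {"Compliance Officer", "Org Admin"}


@dataclass
class Task:
    title: str
    status: str = "Open"


@dataclass
class Action:
    kind: str  # "Corrective" or "Improvement": same form, the label is for filtering
    root_cause: str = ""
    containment: str = ""
    corrective_action: str = ""
    preventive_action: str = ""
    effectiveness_check: str = ""
    status: str = "Open"
    linked_task: Optional[Task] = None
    verified_by: Optional[str] = None
    verified_on: Optional[str] = None


def advance(action: Action, new_status: str, role: str, user: str, today: str) -> Action:
    """Move one step forward (or Cancel); raises if the page's rules are not met."""
    if action.status in ("Closed", "Cancelled"):
        raise ValueError(f"{action.status} actions cannot change status")
    if new_status == "Cancelled":
        action.status = "Cancelled"
        if action.linked_task:
            action.linked_task.status = "Dismissed"
        return action
    if new_status not in STATUSES or STATUSES.index(new_status) != STATUSES.index(action.status) + 1:
        raise ValueError(f"cannot go from {action.status} to {new_status}")
    if new_status == "Closed":
        if role not in CAN_CLOSE:
            raise PermissionError(f"{role} may edit but not close a CA / CI")
        if not (action.corrective_action.strip() and action.effectiveness_check.strip()):
            raise ValueError("Corrective Action and Effectiveness Check are required to Close")
    if new_status == "Verified":
        action.verified_by, action.verified_on = user, today  # what the green banner shows
    action.status = new_status
    if new_status == "Closed" and action.linked_task:
        action.linked_task.status = "Done"
    return action


def banner(action: Action) -> str:
    return f"Verified by {action.verified_by} on {action.verified_on}" if action.verified_by else ""


if __name__ == "__main__":
    # Constructed sample: a corrective action tied to a task.
    task = Task("Rotate leaked API key")
    act = Action("Corrective", root_cause="Key committed to a public repo",
                 corrective_action="Key rotated, repo history scrubbed", linked_task=task)
    for step in ("In Progress", "Pending Verification", "Verified"):
        advance(act, step, "Risk Manager", "dana", "2026-04-10")
    act.effectiveness_check = "Secret scanning clean for 30 days"
    advance(act, "Closed", "Compliance Officer", "eve", "2026-04-11")
    print(banner(act), "| task:", task.status)
```

Note the order of the two checks on Close: the role check runs first, so a Risk Manager gets a permission error rather than a hint about which fields are still empty.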
Both Platforms
Reports & Export
Generate audit-ready exports at any time. All reports pull live data — no manual preparation needed.
1
Open Reports & SOA from the sidebar
Click Reports & SOA. You'll see tabs for different report types.
2
Choose your report type
Select SOA for a full Statement of Applicability, Risks for the risk register, or POA&M (Gov only) for accepted high risks requiring documented plans.
3
Preview on-screen
The report renders in the browser first — review it to confirm the data looks correct before exporting.
4
Click Export CSV
Download the report as a CSV file. Open it in Excel or Google Sheets for further formatting, or attach it directly to your audit submission.
💡
Audit tip: Run your SOA export monthly and save a dated copy. Auditors often want to see the evolution of your compliance posture over time, not just the current state.
Both Platforms
Audit Trail
Every meaningful action in the platform is recorded. The audit trail is append-only — nothing can be edited or deleted once written.
1 What gets logged
- 10 action types — CREATE, UPDATE, DELETE, LOGIN, LOGOUT, EXPORT, UPLOAD, APPROVE, REJECT, VIEW
- Who — user name and email
- When — timestamp to the second
- Where from — source IP address
- Result — success or failure with reason
2 The diff modal — what changed and what it was
UPDATE rows go beyond "X edited Y." Click any update row and you see a side-by-side, field-level table of what changed — old value in red on the left, new value in green on the right.
1
Open Audit Trail from the sidebar
You'll see a paginated table of every action. Filter by action type, user, or resource type at the top.
2
Click an UPDATE row
A modal opens showing the field-by-field diff. Only fields that actually changed are listed.
3
Read the diff
Old value highlighted in red on the left, new value in green on the right. Empty values show as (not set).
🔒
Who can see diffs? The diff modal is restricted to Org Admin and Privileged Consultant — the rest of the audit trail is visible to everyone with audit access. Records written before the diff feature shipped show as "No diff captured for legacy entry."
3 Exporting the log
Use the Export CSV button at the top of the table to download the current filtered view. Pair this with your monthly SOA export for a complete audit-ready bundle.
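The behaviour this section describes (changed fields only, "(not set)" for empty values, who/when/where/result on every entry, append-only storage, and the legacy notice for UPDATE rows written before diff capture), as an added example that is not RiskABC's code. The ten action types and the entry fields come from the page; the Python shapes, the sequence number and the sample entries are assumptions.

```python
"""Field-level diff and append-only entries, as described in this section.

Added example, not RiskABC's code. It mirrors the page: only fields that
actually changed are listed, empty values render as "(not set)", entries
record who, when, source IP and result, the trail can only be appended to,
and an UPDATE entry written before diff capture existed renders as
"No diff captured for legacy entry". The Python shapes and the seq counter
are assumptions.
"""
from datetime import datetime, timezone
from typing import Any, Dict, List, NamedTuple, Optional, Tuple

ACTION_TYPES = frozenset({"CREATE", "UPDATE", "DELETE", "LOGIN", "LOGOUT",
                          "EXPORT", "UPLOAD", "APPROVE", "REJECT", "VIEW"})
NOT_SET = "(not set)"
LEGACY = "No diff captured for legacy entry"

Change = Tuple[str, str, str]  # (field, old value, new value)


def _display(value: Any) -> str:
    return NOT_SET if value in (None, "") else str(value)


def field_diff(old: Dict[str, Any], new: Dict[str, Any]) -> List[Change]:
    """Changed fields only: existing fields first, then fields that are new in `new`."""
    keys = list(old) + [k for k in new if k not in old]
    return [(k, _display(old.get(k)), _display(new.get(k)))
            for k in keys if old.get(k) != new.get(k)]


class Entry(NamedTuple):
    seq: int
    when: str          # UTC timestamp to the second
    action: str
    user: str
    email: str
    source_ip: str
    resource: str
    success: bool
    reason: str
    diff: Optional[Tuple[Change, ...]]  # None marks a legacy UPDATE with no diff captured


class AuditTrail:
    """Append-only: entries are immutable and the class exposes no edit or delete."""

    def __init__(self) -> None:
        self._entries: List[Entry] = []

    def record(self, action: str, user: str, email: str, source_ip: str, resource: str,
               success: bool = True, reason: str = "",
               diff: Optional[List[Change]] = None) -> Entry:
        if action not in ACTION_TYPES:
            raise ValueError(f"unknown action type {action!r}")
        if diff and action != "UPDATE":
            raise ValueError("only UPDATE entries carry a field diff")
        when = datetime.now(timezone.utc).replace(microsecond=0).isoformat()
        entry = Entry(len(self._entries) + 1, when, action, user, email, source_ip,
                      resource, success, reason, tuple(diff) if diff is not None else ())
        self._entries.append(entry)
        return entry

    def entries(self, action: Optional[str] = None) -> List[Entry]:
        return [e for e in self._entries if action is None or e.action == action]

    def __len__(self) -> int:
        return len(self._entries)


def render_diff(entry: Entry):
    """What the diff modal shows: the change rows, or the legacy notice."""
    if entry.action != "UPDATE":
        return []
    if entry.diff is None:
        return LEGACY
    return list(entry.diff)


if __name__ == "__main__":
    trail = AuditTrail()  # constructed sample entries, not real platform data
    before = {"status": "Open", "treatment": None, "owner": ""}
    after = {"status": "In Treatment", "treatment": "Mitigate", "owner": "dana"}
    e = trail.record("UPDATE", "Dana", "dana@example.com", "203.0.113.7", "risk:R-01",
                     diff=field_diff(before, after))
    trail.record("LOGIN", "Sam", "sam@example.com", "198.51.100.2", "sso",
                 success=False, reason="bad MFA code")
    print(render_diff(e), len(trail))
```

When you export the log (step 3), keep the failed LOGIN rows in the bundle as well as the UPDATE rows: the success/failure field is what lets a reviewer distinguish a blocked attempt from a real change.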
Both Platforms
Org Settings
Settings lets Org Admins customize the platform to match your organization's terminology and risk appetite.
- Risk level labels — Rename Low / Moderate / High / Extreme to match your policy
- Risk thresholds — Set the score above which a risk requires POA&M documentation
- Classification labels — Rename Public / Internal / Confidential / Restricted
- BIA tier names — Rename Tier 1 / Tier 2 / Tier 3 to your own terminology
- Asset sharing — Share your asset inventory read-only with your Gov workspace
ℹ️
Only Org Admins can access Settings. If you can't see the Settings option in the sidebar, ask your Org Admin to update your role.
Both Platforms
Users & Roles
User management happens centrally in the SSO portal. Each user is assigned a role that controls what they can see and do within each platform.
| Role | View | Edit Controls | Edit Risks | Upload Evidence | Manage Users |
|---|---|---|---|---|---|
| Org Admin | ✓ | ✓ | ✓ | ✓ | ✓ |
| Compliance Officer | ✓ | ✓ | ✓ | ✓ | ✗ |
| Risk Manager (ISO only) | ✓ | ✗ | ✓ | ✗ | ✗ |
| Consultant | ✓ | ✓ | ✓ | ✓ | ✗ |
| Evidence Owner (Gov only) | ✓ | ✗ | ✗ | ✓ | ✗ |
| Privileged Consultant | ✓ | ✓ | ✓ | ✓ | ✗ |
| Auditor | ✓ | ✗ | ✗ | ✗ | ✗ |
ℹ️
Changing roles — Your Org Admin can set account types and role assignments from the Onboard portal.