NorthGRC Release Log

• on the compliance page when shown as ISO 27002:2022
• in your Statement of Applicability (SoA) in draft version
• in your 27002 rules document in draft version

The controls are suggestions for your compliance work, and they are set as "Needs review" per default. The controls are called:

1. Topic specific policies (in chapter 5.1)
2. Management responsibilities (in chapter 5.4)
3. Assessing security events (in chapter 5.25)
4. Responding to security incidents (in chapter 5.26)
5. Maintaining Information Security During Disruption (in chapter 5.29)
6. Monitoring Changes to Legal Requirements (in chapter 5.31)
7. Record Management (in chapter 5.33)
8. Handling Data Subject Access Requests (in chapter 5.34)
9. Reviewing the ISMS (in chapter 5.35)
10. Ensuring Effective Information Security Compliance (in chapter 5.36)
11. Establishing Secure Physical Perimeters (in chapter 7.1)
12. Securing Network Service Use (in chapter 8.21)

Version 5.7 ​- October 21, 2024

An update with less new content, but a lot of backend updates to improve the system.

Vendors

• Updates to vendor assessment approval

Tasks

• Updates to group tasks
• You can now set a task to implementation, which means it will count towards your compliance %

Version 5.6 ​- September 12, 2024

ISO 27017 -  Information security controls for cloud services has been added to the requirements in NorthGRC.

We have added new controls to the standards ISO 27001 and the Norwegian NSM Grunnprinsipper. This means that if you have enabled any of these standards, you will have a number of new controls showing up on your compliance page. All the new controls have the status "Needs review".

New controls for ISO 27001:

• Information security policy
• Information security objectives
• Changes to the ISMS
• Communications relevant to the ISMS
• ISMS documentation
• Creating and updating ISMS documentation
• Control of ISMS documentation
• Management review
• Documentation of management review
• Improving the ISMS
• Handling nonconformities

New controls for NSM Grunnprinsipper:

• Software inventory
• Certified IT products
• Risk Analysis in the Supply Chain
• Code Maintenance
• Security Architecture
• Compatible IT Systems
• Access to Services
• Whitelisting Software
• Approved System Configurations
• Security of IoT Devices
• Direct Traffic between Devices
• Traffic between the Organisation and its Vendors
• Simplified Account Management
• Certificates
• Anti-spoofing
• Supported Email Clients and Browsers
• Plug-ins
• Securing logs
• Assessment of Security Monitoring Data
• Information about Penetration Testing
• Incidence Impact
• Escalation of Incidents
• Registration of Incidents
• Review of Security Controls
  
  

Version 5.5 ​- August 2024

Planning

• It is now possible to create tasks that must be carried out by multiple users and track the individual users’ progress. This works much like the “sign for reading” functionality. 
• You can also sort the phases in your plan as you want.

Vendors

• You can request approval of a vendor assessment (much like approval of documents). In this way, it is possible to accept a questionnaire even though not all answers are completely at your acceptance level. When an assessment is approved, the vendor will no longer have a “red” status.
• We have added a tab for all vendors, making it easier to see which systems they host and/or develop and their relations to other assets.
• These relations are also exported when exporting your vendors to a csv file.
• You can filter your vendors by organisation (a small thing but frequent request).
• When adding new fields to vendors, the fields are added to existing vendors as well.

Risk

• Risk treatment tasks are now visible on the Risk Landscape page.
• See status for your business goals for as far back as you want (not just 90 days)
• Filter your risk reports on organisational units, asset categories or by tags.
• When exporting your assets to a csv file, organisation and and relations are now exported as well.
• When analysing risk, the possible threat sources are now shown as well.
• When adding new fields to an asset category, the fields are added to existing assets as well.
• You can hide the information (exclamation mark) on the risk landscap page that shows where an asset was created.

Version 5.4 ​- July 2024

We're excited to announce several new features in our document library to streamline your workflow

Easily add classifications to your documents. Clearly display who is responsible and accountable for each document. Display which standards your documents adhere to. Track the creators and approvers of each document version.

Additionally, we've improved our knowledge base to make finding answers even easier. Now, you can quickly find solutions to your questions about using NorthGRC. Or maybe you want to watch our On-Demand Webinars? Just click the question mark in the upper right corner to visit the revamped knowledge base.

Is your organisation aiming for CSRD compliance or looking to report on sustainability? Our new ESG Workbench is here to help! It includes all ESRS' and Disclosure Requirements, Value Chain Mapping, Compliance Plans and much more!

Version 5.2.5​ - June 2024

In this version we have added Article 20 - and a few new controls - to NIS2.

You can now assess privacy risk on a 4, 5 or 6 scale to fit your organisations needs.

We have split up the access rights to give you the opportunity to control your users’ access rights separately for the Data Protection and Information Security workbench.

It is now easier to manage your vendors. All relations, contact persons, agreements, logs etc. are easily accessed in the bottom of the vendor dialogue.

…and then we have fixed a number of bugs.

​Version 5.1​ - February 2024

Have you created relations between your assets in the risk module? If yes, it is now possible to see if a high risk on one asset is inherited to others. In this way, it will be clear that otherwise secured IT systems are actually at risk if the server room they reside in is vulnerable to flooding.

Larger organisations now have the opportunity to upgrade to an enterprise solution. The Enterprise solution allows for separate but connected compliance tools.

An overall "master" can see how all "members" are developing and ​then dive into the details of ​each member's compliance level.

Policies and other documentation are easily shared throughout the organisation, and document templates are easily controlled centrally.

Version 4.3 ​- October 2023

Working with GDPR​ compliance? You can now do privacy risk analyses on vendors, IT systems, processes​, etc. Look for the "Risk" menu in your Data Protection workbench.

Deleted something and then changed your mind? You can find and restore it from the recycle bin in Settings.

Create your own custom tags and use them for sorting and filtering throughout the tool.

Furthermore​, we have added more information to your risk landscape, more requirements to your requirement library​, and much more.

Version 4.2 ​- September 2023

Take a look at the Planning pages. We have made it easier to work with tasks and made you a reporting tab. Here you can easily see all the tasks you and your colleagues have carried out within a certain timeframe.

Create tasks directly on an asset or a control and remember to keep them updated. Link risk treatment tasks to multiple risk analyses.

What is the risk file for your company’s business goals? Does anything stand in the way of reaching them? Create your business goals and see how they are affected by the risks of your assets, vendors and processes.