NorthGRC Release Log
Version 6.1 - September 22, 2025
Operational Technology in NorthGRC
In NorthGRC, you can now work with OT risk in the new OT workbench, where you can, among other things, work with NIS2.
If you need to be NIS2-compliant, you will also notice that some changes have been made to this standard in NorthGRC – or rather to the controls that are mapped to it.
In Article 23, we have written proposals for controls dealing with incident reporting, and we have added a control in Article 20 on training of the management body.
In addition, we have divided some of the chapters in Article 21 into subchapters and mapped the controls to these.
If you are interested in getting access to the new OT workbench or learning more, you can contact Lisbeth Andreasen at la@northgrc.com.
News in risk
In the risk module it will now be possible to define the risk appetite of your company:

This will show whether the risk of an assessment is within your risk appetite or exceeds the appetite you have defined. You can use this to easily identify which risks should be treated and which should be accepted.
With 6.1 you will be able to create your own threat groups. When creating a new threat, you will see the option to create your own group at the point where you choose the threat group:

Previously you could see all available risk scales for all workbenches in the risk settings. Now you will only see the risk scales related to the workbench you are currently working in:

A new risk Dashboard widget has been added to show you the highest assessed threats in the specific workbench. You will find the new widget under Dashboard > Risk:

QOL changes in compliance
Workbench-Specific Control Status: Controls now maintain independent statuses per workbench, enabling multiple users to work on the same control simultaneously without conflicts. Status changes apply only to your current workbench.
Compliance Goal Downgrade: You can now reduce your compliance goal under Settings > Planning > Compliance Goal. The system will preview which tasks and documents will be removed before requiring confirmation. All you have to do is click the slider and choose what level you want to downgrade to:

New Integration Capabilities
NorthGRC now offers open APIs that seamlessly connect with your existing systems and applications. This integration capability allows you to leverage NorthGRC's compliance management features within your current technology ecosystem.
If you want to know more about API access and availability, you can contact la@northgrc.com.
Version 6.0 - May 1, 2025
Risk Landscape
Create and save your own custom filters to only see the assets that are relevant to your work right now.

Bulk update assets
Select multiple assets and change owner, responsible or other information for all of them at the same time:

Library
Editing documents and their settings has become even easier.
By clicking the three dots you will now find the settings for the document in this menu:

Here you will find a number of sub-menus that will help you manage the document:

Workbenches
You are now able to reset individual workbenches or modules in NorthGRC to original settings and content.
You will find this new function in the same place as usual: Settings > System > Reset NorthGRC and start over:

The reset options will change according to the Workbench you are currently working in.
Users
Setting a user's preferred workbench and language is now available for all individual users:

NorthGRC Enterprise
If you have an enterprise solution, you now have a consolidated dashboard showing you all your companies' compliance progress.

- select which columns you want to see
- create custom made filters
- see and add treatment tasks directly from the landscape page
You can read more about the new risk landscape additions here in Danish and here in English.
Threat based risk analysis
If certain threats are not relevant for a certain asset, you can mark them as "not relevant" when you perform a threat based risk analysis.
You will see this option when you enter Threat based analysis:

Threats can be assessed for both C, I and A
In earlier versions, threats got one combined assessment for impact and one for probability. The assessments have been split up, so you can have individual assessments for confidentiality, integrity and availability. Per default, C, I and A all have the same value, but you can change it if you want. Remember that changing a threat does not impact your risk - it impacts the information you are presented with when analyzing risk.
The biggest change you will notice in the threat catalogue is that on each threat you now have three options, instead of one, for both impact and probability:
Risk reports
Add the report element "Asset Information" to see details about the assets in the report.
Dashboards
Do you have more than one SoA? Pick which one should be shown on your dashboard.
Select which period you want to see your progress for.
More accurate calculation of compliance percentage
We have improved the calculation and are now using work hours instead of task duration for a more accurate number of how far you have come with your compliance work.
- on the compliance page when shown as ISO 27002:2022
- in your Statement of Applicability (SoA) in draft version
- in your 27002 rules document in draft version
The controls are suggestions for your compliance work, and they are set as "Needs review" per default. The controls are called:
- Topic specific policies (in chapter 5.1)
- Management responsibilities (in chapter 5.4)
- Assessing security events (in chapter 5.25)
- Responding to security incidents (in chapter 5.26)
- Maintaining Information Security During Disruption (in chapter 5.29)
- Monitoring Changes to Legal Requirements (in chapter 5.31)
- Record Management (in chapter 5.33)
- Handling Data Subject Access Requests (in chapter 5.34)
- Reviewing the ISMS (in chapter 5.35)
- Ensuring Effective Information Security Compliance (in chapter 5.36)
- Establishing Secure Physical Perimeters (in chapter 7.1)
- Securing Network Service Use (in chapter 8.21)
- Mapping your value chain
- Identifying what is material for the organisation (DMA)
- Determining what data the company has and what they are missing (Gap analysis)
- Selecting disclosure requirements
- Collecting data for reporting
- Extracting data for sustainability reporting (Reports)
Version 5.7 - October 21, 2024
An update with less new content, but a lot of backend updates to improve the system.
Vendors
- Updates to vendor assessment approval
Tasks
- Updates to group tasks
- You can now set a task to implementation, which means it will count towards your compliance %
Version 5.6 - September 12, 2024
ISO 27017 - Information security controls for cloud services has been added to the requirements in NorthGRC.
We have added new controls to the standards ISO 27001 and the Norwegian NSM Grunnprinsipper. This means that if you have enabled any of these standards, you will have a number of new controls showing up on your compliance page. All the new controls have the status "Needs review".
New controls for ISO 27001:
- Information security policy
- Information security objectives
- Changes to the ISMS
- Communications relevant to the ISMS
- ISMS documentation
- Creating and updating ISMS documentation
- Control of ISMS documentation
- Management review
- Documentation of management review
- Improving the ISMS
- Handling nonconformities
New controls for NSM Grunnprinsipper
- Software inventory
- Certified IT products
- Risk Analysis in the Supply Chain
- Code Maintenance
- Security Architecture
- Compatible IT Systems
- Access to Services
- Whitelisting Software
- Approved System Configurations
- Security of IoT Devices
- Direct Traffic between Devices
- Traffic between the Organisation and its Vendors
- Simplified Account Management
- Certificates
- Anti-spoofing
- Supported Email Clients and Browsers
- Plug-ins
- Securing logs
- Assessment of Security Monitoring Data
- Information about Penetration Testing
- Incidence Impact
- Escalation of Incidents
- Registration of Incidents
- Review of Security Controls
Version 5.5 - August 2024
Planning
- It is now possible to create tasks that must be carried out by multiple users and track the individual users’ progress. This works much like the “sign for reading” functionality.
- You can also sort the phases in your plan as you want.
Vendors
- You can request approval of a vendor assessment (much like approval of documents). In this way, it is possible to accept a questionnaire even though not all answers are completely at your acceptance level. When an assessment is approved, the vendor will no longer have a “red” status.
- We have added a tab for all vendors, making it easier to see which systems they host and/or develop and their relations to other assets.
- These relations are also exported when exporting your vendors to a csv file.
- You can filter your vendors by organisation (a small thing but frequent request).
- When adding new fields to vendors, the fields are added to existing vendors as well.
Risk
- Risk treatment tasks are now visible on the Risk Landscape page.
- See status for your business goals for as far back as you want (not just 90 days)
- Filter your risk reports on organisational units, asset categories or by tags.
- When exporting your assets to a csv file, organisation and relations are now exported as well.
- When analysing risk, the possible threat sources are now shown as well.
- When adding new fields to an asset category, the fields are added to existing assets as well.
- You can hide the information (exclamation mark) on the risk landscape page that shows where an asset was created.
Version 5.4 - July 2024
We're excited to announce several new features in our document library to streamline your workflow:
Easily add classifications to your documents. Clearly display who is responsible and accountable for each document. Display which standards your documents adhere to. Track the creators and approvers of each document version.
Additionally, we've improved our knowledge base to make finding answers even easier. Now, you can quickly find solutions to your questions about using NorthGRC. Or maybe you want to watch our On-Demand Webinars? Just click the question mark in the upper right corner to visit the revamped knowledge base.
Is your organisation aiming for CSRD compliance or looking to report on sustainability? Our new ESG Workbench is here to help! It includes all ESRS' and Disclosure Requirements, Value Chain Mapping, Compliance Plans and much more!
Version 5.2.5 - June 2024
In this version we have added Article 20 - and a few new controls - to NIS2.
You can now assess privacy risk on a 4, 5 or 6 scale to fit your organisation's needs.
We have split up the access rights to give you the opportunity to control your users’ access rights separately for the Data Protection and Information Security workbench.
It is now easier to manage your vendors. All relations, contact persons, agreements, logs etc. are easily accessed in the bottom of the vendor dialogue.
…and then we have fixed a number of bugs.
Version 5.1 - February 2024
Have you created relations between your assets in the risk module? If yes, it is now possible to see if a high risk on one asset is inherited by others. In this way, it will be clear that otherwise secured IT systems are actually at risk if the server room they reside in is vulnerable to flooding.
Larger organisations now have the opportunity to upgrade to an enterprise solution. The Enterprise solution allows for separate but connected compliance tools.
An overall "master" can see how all "members" are developing and then dive into the details of each member's compliance level.
Policies and other documentation are easily shared throughout the organisation, and document templates are easily controlled centrally.
Version 4.3 - October 2023
Working with GDPR compliance? You can now do privacy risk analyses on vendors, IT systems, processes, etc. Look for the "Risk" menu in your Data Protection workbench.
Deleted something and then changed your mind? You can find and restore it from the recycle bin in Settings.
Create your own custom tags and use them for sorting and filtering throughout the tool.
Furthermore, we have added more information to your risk landscape, more requirements to your requirement library, and much more.
Version 4.2 - September 2023
Take a look at the Planning pages. We have made it easier to work with tasks and made you a reporting tab. Here you can easily see all the tasks you and your colleagues have carried out within a certain timeframe.
Create tasks directly on an asset or a control and remember to keep them updated. Link risk treatment tasks to multiple risk analyses.
What is the risk file for your company’s business goals? Does anything stand in the way of reaching them? Create your business goals and see how they are affected by the risks of your assets, vendors and processes.
We have created Workbenches - This means an easier way of working with Data Protection and Information Security
We have added a number of new standards and improved existing ones:
- ISO 27002:2022 - The new ISO 27002!
- NIS2
- GDPR - improved controls, shorter rules document, new privacy policy
- TISAX
- NSM Grunnprinsipper
We have upgraded the way you work with Roles and access rights - manager, creator or auditor
Email notifications - You decide when, what they should say and how they should look.