What does the Compliance module cover?
Quick answer
Section titled “Quick answer”The Compliance module bundles two building blocks: Policies and Risks (risk assessments). With policies, you document requirements and controls from a framework — Notory supports ISO 27001, BSI C5, and a free-form Custom framework. With risks, you assess individual assets by likelihood and impact and record countermeasures. You’ll find both under Compliance in the left-hand navigation.
Prerequisites
Section titled “Prerequisites”The Compliance module is a Pro feature. In the Basic and Community tiers, it is locked; calls are then rejected with HTTP 403 and a note about the required upgrade. An administrator can additionally enable the module under Show/hide categories.
Overview
Section titled “Overview”-
Open the “Compliance” module. Select Compliance in the left-hand navigation. The page has two tabs: Policies and Risks.
Screenshot pendingcompliance-uebersicht-01Compliance module with the 'Policies' and 'Risks' tabsThe Compliance module with the Policies and Risks tabs. -
Choose a tab. Under Policies, you maintain requirements and controls per framework (ISO 27001, BSI C5, Custom). Under Risks, you assess assets.
You’ll find the actual step-by-step instructions in the linked guides under Related topics.
The module lives under the /api/v1/compliance prefix. A quick overview of
your data: list all policies and all risks.
curl -H "Authorization: Bearer inv_dein_token" \ https://demo.notory.io/api/v1/compliance/policiescurl -H "Authorization: Bearer inv_dein_token" \ https://demo.notory.io/api/v1/compliance/risksBoth endpoints return a list sorted by title or creation date, respectively.
If the module isn’t included in the tier, the API responds with 403
(Compliance module is not included in the '…' plan).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- License gate (Pro): Every call to
/api/v1/compliance/*checks thecompliancefeature. If it’s missing from the tenant’s tier, you get 403 instead of data. - Tenant isolation: Policies and risks are strictly bound to your tenant
(
tenant_id). Other tenants never see them. - Audit trail: When creating and editing, Notory records the creator and
editor (
created_by/updated_by) along with timestamps. - Two separate objects: Policies and risks are independent. A risk references a specific asset via the asset ID; a policy stands on its own and carries a framework plus an optional reference ID (e.g. the control number).
Related topics
Section titled “Related topics”- Add and assess a policy
- Assess and treat a risk
- Keep track of compliance status
- Assets — Overview — risks are attached to assets
- API introduction — authentication, base URL, error codes