Skip to content

What does the Compliance module cover?

Requires Pro

The Compliance module bundles two building blocks: Policies and Risks (risk assessments). With policies, you document requirements and controls from a framework — Notory supports ISO 27001, BSI C5, and a free-form Custom framework. With risks, you assess individual assets by likelihood and impact and record countermeasures. You’ll find both under Compliance in the left-hand navigation.

The Compliance module is a Pro feature. In the Basic and Community tiers, it is locked; calls are then rejected with HTTP 403 and a note about the required upgrade. An administrator can additionally enable the module under Show/hide categories.

  1. Open the “Compliance” module. Select Compliance in the left-hand navigation. The page has two tabs: Policies and Risks.

    The Compliance module with the Policies and Risks tabs.
  2. Choose a tab. Under Policies, you maintain requirements and controls per framework (ISO 27001, BSI C5, Custom). Under Risks, you assess assets.

You’ll find the actual step-by-step instructions in the linked guides under Related topics.

  • License gate (Pro): Every call to /api/v1/compliance/* checks the compliance feature. If it’s missing from the tenant’s tier, you get 403 instead of data.
  • Tenant isolation: Policies and risks are strictly bound to your tenant (tenant_id). Other tenants never see them.
  • Audit trail: When creating and editing, Notory records the creator and editor (created_by/updated_by) along with timestamps.
  • Two separate objects: Policies and risks are independent. A risk references a specific asset via the asset ID; a policy stands on its own and carries a framework plus an optional reference ID (e.g. the control number).