Category: GRC Platform Development

  • Designing Workflow Due Dates That Don’t Lie to Users

    A practical deep dive into records, requirements, gates, and “Pending”

    If you’ve ever built workflow software with approvals, phases, and deadlines, you’ve probably learned this lesson the hard way:

    Dates lie unless you’re very explicit about what they depend on.

    At some point, a user will ask:

    • “Why does this record say it’s due on March 10?”
    • “Why did the date move when I edited a requirement?”
    • “Why can’t I set this requirement later if the record already exists?”

    And if your answer is “well… it depends”, you already know you’re in trouble.

  • Building a Unified Workflow System: A Practical Model for Any GRC Process

    Most companies want structure, but few want rigidity. When I started designing a workflow engine flexible enough to support assessments, issues, action plans, exceptions, vendor reviews, and policy changes, I realized one unavoidable truth: every business wants the freedom to configure a process their way, but they also need enough guardrails to keep approvals consistent and auditable. That tension, flexibility vs. structure, is exactly what a Unified Workflow System must solve.

  • Building Custom Fields in a GRC Platform — Challenges and Solutions

    One thing I underestimated when I first started building my GRC platform was the amount of flexibility people want when it comes to metadata. Everyone asks for “just a couple of extra fields,” and before you know it, you’re knee-deep in requirements around conditional logic, multi-model support, imports, exports, surveys, reporting, and tenant isolation.

    Custom fields seem simple until you actually start designing them for a multi-tenant GRC environment. That’s when the fun begins.

    Here are the real challenges I hit, and the approach that finally worked.

  • Building the Foundations: Libraries, Objects, and Requirements in Simple GRC

    Over the past few weeks, I’ve been shaping the core structure behind Simple GRC — specifically how all the governance, risk, and compliance content connects together.
    I wanted something clean, logical, and scalable. GRC data tends to get messy fast — one framework references another, controls overlap, requirements duplicate, and every “simple mapping” turns into a web of dependencies.

    To handle that without losing my mind, I built a model centered around Libraries, Objects, and Requirements.
    It sounds simple (and that’s the point), but there’s quite a bit going on under the hood.

  • Building a Powerful Spreadsheet Import System for Complex GRC Records

    Managing large volumes of interconnected GRC records is typically painful. Users often rely on spreadsheets to manage controls, requirements, mappings, or entire libraries before bringing them into a centralized platform. The challenge is building an import process that is flexible enough to support complex hierarchies, easy enough for non-technical users, and reliable enough to ensure correct tenant scoping and data validation.

  • Adding Interactive Sheets to GRC Platform: A Complete Implementation Guide

    Modern GRC platforms are evolving rapidly as teams demand more flexibility in how they capture, review, and manipulate operational data. While structured fields remain essential, users increasingly want a dynamic area where they can model calculations, track notes, compare values, or collaborate on process details—without leaving the system. Spreadsheet-like interfaces are the natural solution. They’re intuitive, powerful, and require almost no training. Integrating an embedded spreadsheet per record or requirement can dramatically improve the usability of a GRC system, especially one that handles complex workflows or documentation management.

  • Sankey for MapGRC

    Project: MapGRC (Laravel 12, Multi-Tenant)
    Feature: Dynamic Sankey Diagram Visualization Page
    Goal: To create an interactive Sankey diagram that visually represents relationships between GRC entities (Libraries, Types, Objects, and Requirements) across user-defined steps or sections, allowing users to explore complex mappings in a structured, intuitive, and analytical way.

  • Comments module design and specifications

    When you’re building out a GRC platform, you eventually hit that moment where “leaving notes” isn’t enough. Records, requirements, risks—everything ends up needing proper conversation around it. And that conversation has to live with the object, not in someone’s inbox or a random Slack thread. After ignoring this part for way too long, I finally decided to build a proper comments module that feels native to the way the rest of the platform works.

  • Mappings (Relations) Functionality for GRC Platform

    GRC platforms are designed to allow relations between various GRC objects. Controls might be linked to assets, risks, organizations, authorities, etc.

    To provide the ability to manage mappings efficiently, the Mappings functionality should be available and also very user-friendly. Mappings should not only be available from within the object, but rather implemented as a mappings layer, where any object can be quickly selected and mapped to another object.

  • RACI – common GRC functionality

    RACI shall be embedded into each GRC object. Any control, risk, asset, etc. should have a RACI associated with it.
