Category: Simple GRC

  • Designing Workflow Due Dates That Don’t Lie to Users

    A practical deep dive into records, requirements, gates, and “Pending”

    If you’ve ever built workflow software with approvals, phases, and deadlines, you’ve probably learned this lesson the hard way:

    Dates lie unless you’re very explicit about what they depend on.

    At some point, a user will ask:

    • “Why does this record say it’s due on March 10?”
    • “Why did the date move when I edited a requirement?”
    • “Why can’t I set this requirement later if the record already exists?”

    And if your answer is “well… it depends”, you already know you’re in trouble.

  • Building a Unified Workflow System: A Practical Model for Any GRC Process

    Most companies want structure, but few want rigidity. When I started designing a workflow engine flexible enough to support assessments, issues, action plans, exceptions, vendor reviews, and policy changes, I realized one unavoidable truth: every business wants the freedom to configure a process their way, but they also need enough guardrails to keep approvals consistent and auditable. That tension, flexibility vs. structure, is exactly what a Unified Workflow System must solve.

  • Building the Foundations: Libraries, Objects, and Requirements in Simple GRC

    Over the past few weeks, I’ve been shaping the core structure behind Simple GRC — specifically how all the governance, risk, and compliance content connects together.
    I wanted something clean, logical, and scalable. GRC data tends to get messy fast — one framework references another, controls overlap, requirements duplicate, and every “simple mapping” turns into a web of dependencies.

    To handle that without losing my mind, I built a model centered around Libraries, Objects, and Requirements.
    It sounds simple (and that’s the point), but there’s quite a bit going on under the hood.

  • Building a Powerful Spreadsheet Import System for Complex GRC Records

    Managing large volumes of interconnected GRC records is typically painful. Users often rely on spreadsheets to manage controls, requirements, mappings, or entire libraries before bringing them into a centralized platform. The challenge is building an import process that is flexible enough to support complex hierarchies, easy enough for non-technical users, and reliable enough to ensure correct tenant scoping and data validation.

  • Adding Interactive Sheets to GRC Platform: A Complete Implementation Guide

    Modern GRC platforms are evolving rapidly as teams demand more flexibility in how they capture, review, and manipulate operational data. While structured fields remain essential, users increasingly want a dynamic area where they can model calculations, track notes, compare values, or collaborate on process details—without leaving the system. Spreadsheet-like interfaces are the natural solution. They’re intuitive, powerful, and require almost no training. Integrating an embedded spreadsheet per record or requirement can dramatically improve the usability of a GRC system, especially one that handles complex workflows or documentation management.

  • Sankey for MapGRC


    Project: MapGRC (Laravel 12, Multi-Tenant)
    Feature: Dynamic Sankey Diagram Visualization Page
    Goal: To create an interactive Sankey diagram that visually represents relationships between GRC entities (Libraries, Types, Objects, and Requirements) across user-defined steps or sections, allowing users to explore complex mappings in a structured, intuitive, and analytical way.
