UnixTime

Research Note

GRC Knowledge Model

This section turns the ISO learning notes into a future compliance/evidence software model.

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This section turns the ISO learning notes into a future compliance/evidence software model.

Do not build the SaaS yet. Build the knowledge model first.

Core entities

  • Organization
  • Asset
  • Threat
  • Vulnerability
  • Risk
  • Treatment
  • Control
  • Evidence
  • Audit
  • Finding
  • Corrective Action
  • Supplier
  • Incident
  • Policy
  • Procedure
  • Training
  • Review

Core model notes

Query-first example

Design rule

Every serious note should eventually answer:

  1. What object does this create?
  2. What evidence proves it exists or operates?
  3. Who owns it?
  4. How often is it reviewed?
  5. What audit question tests it?