Knowledge Base

(Legacy) ComplianceOS Documentation

❗️

This area of documentation describes our legacy products, ComplianceOS and Gridiron Classic.

If you are looking for our most up-to-date documentation of our current Aptible Comply product, please see Welcome to Aptible Comply.

Security Management Program (or “ISMS”)

Your Security Management Program is the set of information security documents and activities that you manage through Aptible Comply.

Your Security Management Program might also be referred to as your ISMS, which stands for Information Security Management System.

Revisions

Whenever you make a change to your Program in Aptible Comply, a new Revision will be created.

Revisions represent a specific point in time in your ISMS. You can only make changes from the current Revision (thus forming a linear history of changes to your ISMS).

You can review the history of Revisions for your Program under the History tab in the Aptible Comply user interface, and visualizes changes across those Revisions.

Revisions can be exported, and they’ll be visibly labelled as drafts. See PDF Exports for more information.

Approvals

In general, as an administrator, you will frequently create new Revisions, and will mostly interact with your latest Revision.

In particular, during the initial set up phase of your ISMS (i.e. while you’re still making substantial changes to your ISMS and implementing new Procedures throughout your organization), working from your current Revision will be the easiest way to leverage Aptible Comply.

That said, once your ISMS starts to stabilize (and especially if you’re planning to undergo an audit!), you should take the time to tag specific revisions of your ISMS as approved versions.

Approved versions are a pointer to a specific revision, but they’re completely frozen (i.e. you can’t edit them), with the exception of Procedure Statuses, which you can still modify for an approved version as you make operational changes throughout your organization.

We recommend using approved versions to model the current and effective version of your Compliance Program, which members of your Organization are expected to follow.

To make changes to your ISMS more approachable to those members, Gridiron Aptible Comply lets users visualize a list of changes from one approved version to the next.

Approvals can also be exported. Unlike revisions, they will not be labelled as drafts. See PDF Exports for more information.

❗️

This area of documentation describes our legacy products, ComplianceOS and Gridiron Classic.

If you are looking for our most up-to-date documentation of our current Aptible Comply product, please see Welcome to Aptible Comply.

PDF Exports

Aptible Comply provides several types of exports for you to distribute your Security Management Program (or “ISMS”) internally or externally to auditors, customers, or prospects.

You can request an export through through the app by clicking the Export button in the Revision History or Program tab, which will respectively provide you with an export of a Revision or Approval.

Export Types

Entire ISMS Export

Contents

This export is a ZIP archive that includes:

  • One PDF for each document in your ISMS. Those files are smaller and easier to navigate.
  • One PDF that includes all the documents in your ISMS. This file might be easier to share externally.
  • An Error Report.

Audience

We recommend using the Entire ISMS Export internally to distribute your ISMS in cases where you cannot grant users direct access to Aptible Comply.

You might also want to share this report externally if you’re explicitly asked for your ISMS Manual.

Gap Assessment Export

Contents

The Gap Assessment is a ZIP archive that includes:

  • One PDF for each of the Protocols you have subscribed to. This document breaks down your Policies in terms of the Protocol’s Controls. Relevant Procedures (i.e. those that map to a Policy that appears in the export) are also included.
  • An Error Report.

Audience

We recommend sharing a Gap Assessment externally when you’re asked about your ISMS.

Customers and Prospects

When interacting with prospects and customers, you might want to share your Gap Assessment proactively to demonstrate your good security practices.

Auditors

When undergoing an audit, sharing your Gap Assessment is the ideal way to give your auditor a roadmap to your ISMS.

Indeed, your auditor will be familiar with the Controls required by the Protocol they’re auditing you for, but they will not be familiar with your ISMS structure.

Sharing a Gap Assessment solves this problem by providing your auditor with a convenient breakdown of your ISMS in terms of the Protocol Controls they are familiar with.

Error Reports

Exports contain error reports to warn you about errors such as placeholders or unmapped controls that appear in your export.

While those errors do not prevent the generation of an export, we encourage you to review them before distributing an export.

You can open the error report with any text editor, such as TextEdit on Mac, Notepad on Windows, or Gedit on Linux.

❗️

This area of documentation describes our legacy products, ComplianceOS and Gridiron Classic.

If you are looking for our most up-to-date documentation of our current Aptible Comply product, please see Welcome to Aptible Comply.

Protocols

Protocols are formal sets of information-security-related Controls that your Security Management Program (or “ISMS”) seeks to address.

Aptible Comply supports multiple Protocols, including (but not limited to!) ISO 27001 and HIPAA.

Controls

Controls represent the formal requirements of a Protocol. Controls are used as guidelines for the implementation of your Security Management Program (or “ISMS”), and auditors leverage them as evaluation criteria when you undergo an audit.

In Aptible Comply, you can visualize controls and locate Policies that map to them in your ISMS through the Protocol Assessors.

Policies

Policies represent commitments your team makes to a security or privacy action or outcome.

Policies are mapped to one or more Controls, representing how you intend to address those requirements in your Security Management Program (or “ISMS”).

You can visualize Policies and their mappings through the Policies Assessor.

Procedures

Procedures represent how your organization concretely implements the objectives set forth in your Policies.

Procedure Statuses
Aptible Comply lets you track a Status for your Procedures. Statuses help you get a picture of how far along you are in the process of implementing your Security Management Program (or “ISMS”).

ISMS Roles

Aptible Comply provides several ways to assign the roles in your Security Management Program (or “ISMS”) to people in your organization.

Upon selecting an ISMS role to configure, you may choose:

  • Custom: Gives you the flexibility to list users one-by-one
  • Connected: Lets you link the ISMS role to an existing Aptible role (or team)

Custom User List

Selecting existing Aptible users

When you use the Custom option, you can select individuals from a dropdown of existing Aptible users. (View example of selecting users here.)

Beyond saving you the hassle of typing out names and emails, the benefit of this is the ISMS role will now be linked to those Aptible users. This way, if they change their email addresses or are removed from the organization, the ISMS will automatically track that.

Manually entering names and emails

Alternatively, when using the Custom option, you can enter people’s names and emails manually by clicking “Add a user manually.” (View example of manually entering users here.)

Connected Team

When you use the Connected option, you can just assign an ISMS role to an Aptible role (or team) that exists in your User Management Dashboard on Gridiron Classic.

For example, you might already have a Legal Team defined in your Dashboard. When defining who’s responsible for the legal role in your ISMS, you can just link to that team. (View example of connecting a team here.)

The benefit of this is that you can add or remove team members in your Dashboard without having to approve new versions of your ISMS every time you do so.

❗️

This area of documentation describes our legacy products, ComplianceOS and Gridiron Classic.

If you are looking for our most up-to-date documentation of our current Aptible Comply product, please see Welcome to Aptible Comply.

Assessors

Assessors are the heart of Aptible Comply: they provide you with structured access to your Security Management Program (or “ISMS”), and their objective is to allow you to:

  • Navigate and understand your ISMS (e.g. locate relevant Policies for a specific Control)
  • Edit your ISMS efficiently and contextually (e.g. visualize related Policies in order to edit a Procedure).

Protocol Assessors

Protocol Assessors map Controls to downstream Policies.

You cannot edit Controls, since they’re set defined by the Protocol you are targeting.

That said, you might often use your Protocol Assessors in the context of an audit, in response to an auditor asking you for the Policies you that have that address a given Control.

Policies Assessor

The Policies Assessor maps Policies to upstream Controls and downstream Procedures.

You can use the Policies Assessor to edit Policies.

When editing a Policy, you should consider:

  • What are the requirements set forth in the upstream Controls? You should make sure that the Policy addresses them.
  • If you’ve updated the Policy, do the downstream Procedures require updating as well?

Procedures Assessor

The Procedures Assessor maps Procedures to their upstream Policies.

You can use the Procedures Assessor to edit Procedures, and to configure Procedure Statuses.

When editing a Procedure, you should consider:

  • What are the requirements of the upstream Policies this Procedure maps to?

When configuring a Procedure’s Status, you should consider:

  • What evidence do you have that the Status you are configuring is indeed correct?

Permissions

Aptible Comply supports the following user permissions

  • Compliance Owners: those users can edit your Security Management Program (or “ISMS”), make changes to Procedure Statuses, and create Approvals.
  • Compliance Users: those users have read-only access to your Security Management Program (or “ISMS”). They also receive Training.

Training

Training is included in Aptible Comply subscriptions, but is currently delivered through Gridiron Classic.

Configuring Training

To configure training for your organization, click on the Training Management button in the user dropdown in Aptible Comply.

This will take you to Gridiron Classic, where you can invite new users to your Organization so that they can receive training.

In Gridiron Classic, training is assigned to users based on their role in the Organization and the Protocols you have subscribed to, but you can manually override automatically-assigned training through the Workforce Training engine (also accessible in Gridiron Classic).

Note that inviting users to receive training will grant them read-only permissions to your Security Management Program (or “ISMS”) (see Permissions for more detail). This is desirable, since you’d want your end users to be able to learn about the rules set forth in your ISMS!

Accessing Training

To access training, click on the Training Assignments button in the user dropdown in Aptible Comply.

This will take you to Gridiron Classic, where you can complete training assignments.

External Documents

Operating an ISMS involves a number of activities that are easier to perform using Google Sheets or Excel.

For those, the Aptible Comply package includes a number of pre-built external document templates for you to leverage, as well as guidance on how to use them in the form of Procedures.

When setting up Aptible Comply, you will be prompted to make your own copies of those documents. Later on, while working through the implementation of your Procedures, you will be prompted to perform specific activities using those External Documents.

For some fairly complex activities, such as performing a Risk Assessment, your package might also include a workshop with your Aptible Data Protection Advisor.

❗️

This area of documentation describes our legacy products, ComplianceOS and Gridiron Classic.

If you are looking for our most up-to-date documentation of our current Aptible Comply product, please see Welcome to Aptible Comply.

Updated over 2 years ago