Procedures are the blueprints for the manual work required to stay in compliance - they give rise to Tickets, which can be assigned, have a due date, and so forth. Click "Procedures" in the GRC navigation dropdown to view your procedures.
Procedures must be "Active" to generate tickets
Procedures have a "Status" field that dictate whether they will (1) show up in the "Open a Ticket" modal (if it's a manual procedure) and (2) trigger automatically (if it's a Basic Recurring or Asset-Based procedure). You'll mark your procedures as "Active" as part of onboarding to indicate you're ready to start running that procedure.
All Procedures have Ticket Guidance: this is the details of your procedure that implements a given control, and which will be copied on all instances of a ticket.
Procedures can be triggered in three ways:
- On a recurring trigger
- Based on a change in an asset (like activation or deactivation)
The simplest trigger of them all is a manual trigger. Tickets from these procedures will never automatically be created; you have to manually "trigger" them by clicking "Open Ticket" in the upper-right corner of the Tickets index. Examples of procedures that you would want to trigger manually include:
- Manage an ISMS Exception
- Track and correct a nonconformity
- Respond to a HIPAA complaint
Comply also supports "Recurring" procedures. These procedures will create a ticket based on the schedule on the procedures. You can see which procedures are "Basic Recurring" by filtering to those that aren't affiliated with an asset and which have a "Recurring Trigger" set in the procedures index:
But when do recurring tickets actually trigger?
Procedures that have a recurring trigger will trigger tickets either:
- When the procedure is first set to "Active." (This is how you'll trigger the "first" ticket.)
- On the first day of each "cycle." For example, monthly procedures will trigger a ticket on the first of the month, annual procedures will trigger on the first of the year, etc.
If I trigger a ticket early (for example my annual business continuity testing ticket on June 30, 2020), when will the next ticket open?
- The next ticket will open on January 1, 2021 (if annual) or on the first day of each "cycle."
The final type of procedure is "Asset-based" procedures. These procedures are special in that they will trigger one ticket per asset, for whatever asset is associated with that procedure. These types of procedures can be triggered:
- On a recurring schedule (just like "Basic Recurring" procedures), or
- When there is a lifecycle change to the underlying assets (e.g., upon activation or deactivation)
You can choose whether tickets that are created from these procedures are assigned to the same person every time, or assigned to the asset owners for the respective tickets.
From the Procedures index, you can see asset-based procedures based on those procedures that have a value under "Asset Type":
For recurring and asset-based procedures, you can change the schedule by clicking into the procedure, then clicking on "Schedule."
For asset-based procedures, you can also override the default schedule for a procedure when it comes to specific assets. This could allow you to:
- Review more sensitive assets more frequently
- Exclude certain assets entirely from the procedure
Regardless of the type of procedure, you can set the default assignee for tickets created from that procedure by clicking into the procedure, then changing "Default Assignee" (by clicking the pencil icon):
If the procedure is "asset based", you'll have the option to set the assignee as whoever the asset owner of the underlying asset is:
For example, if you procedure is Asset-Based that triggers whenever a Vendor is deactivated, and you've set the default assignee to "asset owners," then the Vendor's owner would be assigned a ticket when the vendor is deactivated.
Updated about a month ago
Learn about tickets that are created from Procedures