Cowork Canvas
Workflows Mapping Book a Walkthrough
Book a Walkthrough

Workflow Gallery

Free, open-source GRC workflow templates spanning internal audit, SOX, IT controls and regulatory compliance. Preview the steps, then import them directly into your CoworkCanvas instance.

All Internal Audit SOX Regulatory Controls
  • AI Governance & Risk/Impact Assessment — GRC · 26 steps
    Assess AI systems through governance, risk mapping, measurement, impact assessment, treatment, transparency artifacts, deployment monitoring, and re-review.
  • AI Governance Framework, Roles & Obligations Review — GRC · 11 steps
    Run the AI governance office's quarterly framework cycle: review and republish the AI policy, refresh the AI RACI and competency register, keep each AI system's resource and dependency inventory current, and re-confirm value-chain roles so every provider and deployer obligation traces to an owner and evidence.
  • AI Operations Monitoring & Incident Response — Controls · 10 steps
    Operate the monthly review of the deployed AI estate: confirm automatic event logging and retention and work performance, anomaly, and drift alerts to closure; verify human-oversight staffing and intervention records; and screen AI uses against intended use and legal prohibitions. Triage reports from the AI concern channels, execute any required incident communications and regulator reporting within mandated timeframes, and retain all resolution records.
  • AI System Development, Data & Deployment Gate — Regulatory · 11 steps
    Run the release board gate that every new AI system and substantial modification must clear before deployment. The gate approves responsible-AI objectives and per-system requirements before build, governs training, validation, and test data with bias mitigation, executes the pre-deployment impact assessment and EU AI Act risk classification, confirms Annex IV-grade technical documentation, and records verification, validation, and deployment sign-off, with retraining and other changes re-entering the same gate.
  • AI Transparency & Value-Chain Communications — Regulatory · 11 steps
    Run the recurring AI-transparency cycle: keep each AI system's user and deployer documentation, AI-interaction disclosures, and AI-generated-content marking (including deepfakes) current with system changes, and retain distribution evidence. Evaluate AI suppliers against the organization's responsible-AI requirements and review customer needs and communications so customers have what they need to use the systems responsibly.
  • Annual ICFR Scoping & Risk Assessment — SOX · 24 steps
    Perform annual SOX scoping from materiality and significant accounts through RMMs, key controls, fraud risk, concurrence, and RCM publication.
  • Annual Internal Audit Planning & Resource Management — Internal Audit · 12 steps
    Run the chief audit executive's annual internal audit planning cycle: refresh the audit universe and the documented understanding of governance, risk, and control processes, develop the risk-based strategy and plan, secure the budget, staffing, and technology to deliver it, obtain board approval, and reassess the plan and resource sufficiency each quarter as the risk landscape changes.
  • Audit Engagement Planning — Internal Audit · 21 steps
    Establish the scope, risk assessment, control population, and sampling plan for an audit engagement, culminating in an approved planning memo and seeded audit record.
  • Audit Logging Coverage & Integrity Operations — Controls · 11 steps
    Operate the monthly cycle that verifies audit logging is enabled across systems, applications, and network components against the security-relevant event catalog, validates record content completeness and clock synchronization, and confirms log protection, tamper alerting, and retention against the documented schedule. The cycle produces a coverage matrix, clock-drift report, and retention and capacity attestation each month.
  • Audit Report Drafting — Internal Audit · 19 steps
    Compile fieldwork findings into a formal audit report, from issue drafting and executive summary through management responses and final issuance.
  • Authentication Platform & Session Policy Operations — Controls · 10 steps
    Monthly authentication-platform operating cycle: verify MFA enforcement and enrollment across remote, privileged, and sensitive-data access, confirm secure log-on and federation channels, defend against brute-force and anomalous logons, and enforce session lock, termination, and concurrent-session limits together with the system-use and last-logon notifications shown at every sign-in.
  • Authorized Software & Component Integrity Control — Controls · 11 steps
    Operate the monthly software-estate cycle: reconcile installed software against the approved catalog and allowlist, remove or escalate unauthorized installations, and confirm installation rights stay restricted to authorized personnel from trusted sources with usage tracked against license entitlements. For everything entering the estate, verify supplier trust and signature integrity before installation, blocking and investigating anything that fails.
  • Board Risk & Internal Control Oversight Cycle — GRC · 11 steps
    The governance office runs the board's quarterly risk and internal-control oversight calendar - verifying an independent, expert governing body reviews risk-management outcomes and program effectiveness, approves the risk strategy and material policies, and directs adjustments documented in minutes - and annually leads the effectiveness evaluation of the enterprise governance and management framework, implementing approved adjustments as strategy, context, and regulation change.
  • Business Continuity & DR Test Exercise — Controls · 8 steps
    Plan and run a business continuity or disaster recovery exercise against RTO and RPO objectives, capture gaps, and update the plans.
  • Change & Release Management (CAB) — Controls · 12 steps
    Operate the weekly Change Advisory Board and the per-change pipeline for every application, database, infrastructure, configuration, and procedure change: request intake, security and risk impact analysis, environment segregation and configuration-baseline verification, acceptance testing, CAB authorization, and controlled deployment with rollback plans and post-implementation verification. Emergency changes follow the expedited path and are ratified at the next CAB, all under one evidence set.
  • Code of Conduct & Workforce Accountability Cycle — GRC · 12 steps
    Operationalizes leadership tone at the top and workforce accountability on an annual cadence: the ethics office reissues the code of conduct and rules of behavior, secures leadership review and adoption, communicates integrity and risk-aware-culture expectations to all personnel and business partners, and collects acknowledgments before access is granted. It then periodically evaluates adherence, maintains the link to performance measures, incentives, and the documented disciplinary process, and remediates deviations - with disciplinary consequences for violations - on a timely basis.
  • Combined Assurance Mapping — GRC · 23 steps
    Map assurance coverage across the Three Lines, assess reliance, find gaps and duplication, coordinate coverage, and report to the audit committee.
  • Continuous Controls Monitoring (ISCM) Cycle — Controls · 13 steps
    Run recurring control monitoring by collecting metrics, comparing thresholds, triaging degradation, updating POA&M, reporting health, and tuning cadence.
  • Control Design — Controls · 11 steps
    Design a new control from objective definition through attribute specification, risk mapping, evidence and test approach definition, and final control record creation.
  • Control Responsibility Communications & Ethics Hotline — GRC · 11 steps
    Each quarter, the ethics and compliance officer communicates internal-control and reporting responsibilities - objectives, policies, and changes that affect duties - to the people they affect, using quality, timely information. They then verify the internal and external concern-raising channels, including the anonymous whistleblower/ethics hotline, are operating, test intake-to-routing end to end, and confirm reported matters were routed to those responsible for acting on them.
  • Controlled Hardware & System Maintenance — Controls · 11 steps
    Operate the maintenance desk that schedules, approves, documents, and reviews hardware and system maintenance, repair, and replacement per manufacturer and organizational requirements, sanitizing equipment before off-site work and verifying security controls after every completion. Control the maintenance tools, personnel, and nonlocal sessions that touch in-scope systems, from inspection and approved-personnel checks to authenticated, recorded, and terminated remote connections.
  • Cryptographic Key Management Review — Controls · 8 steps
    Periodic cryptographic hygiene review: inventory keys and certificates, verify custody and rotation, flag weak algorithms, and remediate.
  • CSF 2.0 Profile & Maturity Assessment — Controls · 17 steps
    Build a controls-scoped CSF Current Profile, Target Profile, Tier assessment, gap plan, and CISO-ready roadmap.
  • Cybersecurity Assurance Review — Internal Audit · 23 steps
    Execute a CAE-owned cybersecurity assurance review using IIA Topical Requirement coverage while referencing technical control catalogs.
  • Cybersecurity Incident Response — Controls · 20 steps
    Operate the controls-scoped detect-to-respond loop from validation through containment, eradication, recovery, POA&M updates, and technical lessons learned.
  • Data Encryption & In-Use Protection Operations — Controls · 11 steps
    Operate the quarterly sweep of data stores and transmission paths against the encryption standard: at-rest encryption or tokenization with minimized retention, strong cryptography and trusted certificates on every open and external channel, and controlled transmission and removable-media movement, with CISO-approved compensating controls kept current where encryption is infeasible. The same cycle verifies data-in-use protections - field masking, process isolation, enclave configurations, identity-scoped access, and memory clearing - on high-sensitivity workloads.
  • Data Governance Council Operations — GRC · 10 steps
    Convene the chartered data governance council and, where required, the data integrity board each quarter to oversee data-lifecycle policies and standards and data-quality and integrity metrics, review and approve data-sharing and data-matching agreements, and report on data governance at defined intervals, with an annual charter and policy review folded into the cadence.
  • Data Retention & Secure Disposal — Controls · 8 steps
    Enforce retention schedules each cycle: identify expired data, dispose of it verifiably, and protect and sanitize physical media with certificates of destruction.
  • Deception, Honeytoken & OPSEC Concealment Operations — Controls · 12 steps
    Run the standing detection-engineering deception cycle each quarter: deploy, verify, and reposition honeypot/honeynet decoys and honeyclient sandbox detonation ahead of user delivery, and seed, monitor, and test honeytoken, beacon, and watermark taint mechanisms across systems and datasets. In parallel, operate the OPSEC process that identifies critical operational information, analyzes adversary collection paths, and applies concealment and misdirection countermeasures on designated systems, handing any confirmed activation to incident response rather than duplicating containment.
  • DPIA / Privacy Impact Assessment — Regulatory · 9 steps
    Screen a processing activity and, where required, run the full DPIA: necessity, privacy risks, mitigations, residual-risk decision, and sign-off.
  • DSAR Fulfillment (Access & Deletion Requests) — Regulatory · 9 steps
    Fulfill a data-subject access or deletion request inside the statutory deadline: verify identity, locate data, apply exemptions, review, and deliver.
  • Endpoint, Media & Information Handling Custody — Controls · 12 steps
    Operate the monthly endpoint, media, and information-handling custody desk: verify fleet endpoint safeguards and acceptable-use acknowledgments, review off-premises and external-system use, and keep unneeded ports, I/O devices, and sensors restricted. Run removable media end to end — authorization, classification-based storage, tracked movement, and verified sanitization or destruction with retained certificates — and maintain the information-transfer rulebook and agreements covering electronic, physical-courier, and verbal disclosure.
  • Enterprise GRC Platform Integration Bridge — GRC · 12 steps
    Define mappings, migrate or provision records, run bidirectional sync, monitor health, resolve conflicts, and confirm system-of-record coverage.
  • Enterprise Risk Assessment & Portfolio Oversight Cycle — GRC · 26 steps
    Run the second-line ERM oversight cycle from appetite and criteria calibration through risk identification, inherent and residual scoring, response selection, and portfolio reporting to governance.
  • Enterprise Risk Register Lifecycle — GRC · 20 steps
    Manage risks from intake and deduplication through owner assignment, control mapping, KRIs, quarterly review, escalation, and retirement.
  • Enterprise Risk Treatment Operations Cycle — GRC · 10 steps
    The first-line risk-owner operating cycle for the documented enterprise risk methodology: identify and analyze risks and strategic opportunities across entity and process levels - including cybersecurity, privacy, and financial-reporting risk - then evaluate and prioritize them against risk criteria. For risks exceeding tolerance, select, implement, and track treatment to completion, re-evaluate residual risk, and maintain the risk register and portfolio report to management and the board, with dynamic reassessment triggered by significant change.
  • Environmental & Utility Systems Maintenance — Controls · 11 steps
    Run the monthly preventive-maintenance calendar that independently tests and maintains fire and water detection systems, environmental monitoring, emergency power and lighting, protected cabling, and electromagnetic shielding, producing the single maintenance-and-inspection log of test records, service tickets, and alarm-notification checks.
  • Equipment Maintenance, Movement & Marking Control — Controls · 11 steps
    Operate the recurring equipment control cycle: run maintenance to manufacturer specification with only authorized personnel and full activity/fault logging, and authorize, monitor, and track every asset delivery, removal, and movement through isolated loading areas. Apply the siting checklist and marking verification at installation or relocation, and tie maintenance, movement, and marking evidence together in the quarterly reconciliation.
  • ESG-Related Risk Materiality & Integration — GRC · 20 steps
    Assess ESG-related risks, stakeholder inputs, materiality, controls, KRIs, disclosure inputs, and board reporting.
  • EU AI Act Obligation Impact Analysis — Regulatory · 26 steps
    Parse EU AI Act obligations, map affected AI use cases, crosswalk controls, flag conformity gaps, and hand high-risk items to AIMS.
  • Facility Access Administration & Monitoring — Controls · 12 steps
    Operate continuous facility-access administration: authorize, issue, and periodically review physical credentials, enforce entry controls and visitor escort/logging, and secure, rotate, and revoke keys, combinations, and badges on compromise, termination, or role change. Run the monthly review of surveillance, intrusion-detection output, physical access logs, and visitor records, investigate anomalies, and confirm data-center/protected-asset access and environmental safeguards with facilities.
  • Financial Controls Policy & Segregation-of-Duties Governance — SOX · 11 steps
    The SOX PMO reapproves and communicates the financial-control policy suite, including entity-wide ITGC and period-end reporting oversight policies, on its annual cycle. Every quarter it also refreshes the segregation-of-duties conflict matrix, screens role design and system access for incompatible duties, and documents mitigating controls where segregation isn't practicable.
  • Financial Systems Transaction Integrity Monitoring — SOX · 11 steps
    Operate the recurring financial-systems transaction-integrity cycle each period — clearing rejected-input and suspense queues, dispositioning automated-processing exceptions, and reconciling interface transfers. Validate system-generated reports and spreadsheets before reliance, with configuration retested on every change and evidence captured as you go.
  • Finding Remediation & Action-Plan Monitoring — Internal Audit · 16 steps
    Track audit findings and agreed actions from registration through evidence validation, escalation, risk acceptance, and committee reporting.
  • Framework Adoption & Cross-Mapping — GRC · 17 steps
    Adopt or refresh a framework by building current and target profiles, crosswalking controls, prioritizing gaps, and maintaining a live mapping table.
  • Fraud & Forensic Investigation Engagement — Internal Audit · 19 steps
    Run a predication-gated fraud and forensic investigation from allegation intake through evidence preservation, forensic procedures, interviews, loss quantification, audit-committee reporting, and referral and remediation handoffs.
  • Fraud Risk Assessment & Anti-Override Control Review — SOX · 12 steps
    Lead the annual (or event-triggered) fraud risk assessment across fraudulent reporting, asset misappropriation, and corruption, evaluating incentives, opportunities, and rationalizations while explicitly rating the risk of management override of controls. Recalibrate the anti-override control set - journal-entry review criteria and significant-estimates scrutiny - and report refreshed results and mitigations to the audit committee.
  • GPAI Model Provider Compliance Cycle — Regulatory · 12 steps
    Run the recurring compliance cycle owned by providers of general-purpose AI models: maintain model technical documentation and the downstream-provider information pack, operate the EU copyright reservation-of-rights policy, and publish the training-content summary on every model release and quarterly refresh. For models designated as posing systemic risk, the cycle additionally runs state-of-the-art model evaluations with adversarial testing, assesses and mitigates systemic risks, tracks and reports serious incidents to the AI Office, and verifies cybersecurity protection of the model and its infrastructure.
  • Identity & Authenticator Lifecycle Administration — Controls · 12 steps
    Operate the standing identity desk: issue unique identifiers for every user, service, and device from the authoritative source, hold shared-identifier requests to documented approval with compensating controls, and run the monthly sweep that deactivates dormant identifiers and enforces non-reuse. Proof identities proportional to assurance level before binding credentials, then administer the authenticator lifecycle end to end: verified issuance with defaults changed and strength enforced, protected storage, transmission, and entry, embedded-credential checks, and scheduled rotation or compromise- and separation-triggered revocation.
  • Identity Assurance Review — Controls · 17 steps
    Review IAL, AAL, and FAL requirements against current identity proofing, authentication, and federation controls, then remediate and validate gaps.
  • Incident Management Lifecycle — GRC · 20 steps
    Run enterprise incident management with regulatory notification clocks, root-cause analysis, CAPA, control updates, and governance reporting.
  • Incident Reporting Channels & Spillage Response — Controls · 10 steps
    Operate the standing incident-reporting capability: run the monitored mailbox, hotline, and service portal with full acknowledgment and triage routing, execute the information-spillage response procedure end to end, and maintain reviewed contacts with authorities and special-interest groups.
  • Incident Response Readiness Program — Controls · 12 steps
    Operate the annual incident response readiness cycle: maintain the written incident response plan through designated-management approval and protected distribution to named responders, then deliver role-based IR training and run the scheduled capability test. Feed exercise and training gaps back into the plan and training program, with significant incidents or organizational changes triggering off-cycle runs of the same procedure.
  • Information Security Program Governance Review — Controls · 11 steps
    Operate the CISO's recurring security program governance review: each quarter maintain the senior-management-approved information security program plan and keep security roles, authorities, and reporting lines current, and each year deliver the written board report confirming the CISO mandate and run the security workforce competency review, so the program stays approved, resourced, and owned through organizational change.
  • Internal Audit Charter, Independence & Board Governance Cycle — Internal Audit · 11 steps
    Run the internal audit function's board-governance cycle: deliver the CAE's functional reporting and executive sessions to the audit committee, secure committee action on the CAE's appointment, evaluation, remuneration, and the audit plan and budget, and reaffirm the function's organizational independence in writing. Lead the periodic board review and reapproval of the audit mandate and charter with its unrestricted-access provisions, execute the stakeholder communication plan across the board, management, regulators, and external auditors, and retain the governance evidence.
  • Internal Audit Engagement Lifecycle — Internal Audit · 20 steps
    Run an IIA-aligned engagement from evidence requests and fieldwork through findings, conclusions, report issuance, and action registration.
  • Internal Audit Ethics, Objectivity & Competency Program — Internal Audit · 11 steps
    Run the internal audit function's annual professional-practice cycle: every auditor and assisting party attests to the ethics and professional-courage expectations with deviations documented and resolved, signs conflict-of-interest declarations backed by per-engagement conflict screening, assignment rotation, and recusal, and completes confidentiality acknowledgments while access to audit files is reviewed and restricted; the cycle closes with competency assessment against role requirements and approved, tracked continuing-professional-development plans for each auditor.
  • ISMS Internal Audit & Management Review — Controls · 8 steps
    Run the ISMS clause 9.2 internal audit and clause 9.3 management review: findings, corrective actions, review inputs, decisions, and follow-up.
  • ISMS Risk Assessment & Treatment Cycle — Controls · 18 steps
    Perform ISO 27005 risk assessment and treatment planning to produce current risks and SoA inputs for ISO 27001 control applicability.
  • ISO 27001 SoA Review & Controls Assessment — Controls · 23 steps
    Review Statement of Applicability decisions, verify implementation evidence, assess controls, remediate gaps, and publish the approved SoA version.
  • IT Asset Inventory & Classification Upkeep — Controls · 11 steps
    Run the quarterly cycle that reconciles the authoritative hardware, software, systems, and services inventory against discovery scans and change records, correcting discrepancies and confirming owner, location, and security attributes for every in-scope component. In the same cycle, review and refresh the classification, priority, and labeling of information and associated assets, including on physical media, so both registers stay current for downstream audit, compliance, and security scoping.
  • IT Availability & Resilient Failure Operations — Controls · 12 steps
    Operate the monthly IT availability control across the full cycle: monitor scheduled batch jobs and system processing with documented incident and problem resolution, verify backups with periodic restore testing and track processing availability against service expectations, protect network services against denial-of-service events with fail-secure component behavior and alternate communications readiness, and work the mean-time-to-failure replacement queue with verified fail-safe procedures that place failing systems into a known, alerting safe state.
  • IT Governance Objective Review (COBIT) — GRC · 8 steps
    Assess selected COBIT objectives against target capability levels, build the improvement roadmap, and report to the governance board.
  • IT Operations & Capacity Management Cycle — Controls · 9 steps
    Operate the weekly IT operations and capacity management cycle: execute job scheduling, processing, infrastructure monitoring, and facility management per documented procedure, then reconcile outcomes and correct any exceptions. Review processing capacity and utilization against forecast demand, trigger capacity additions before thresholds are breached, and confirm priority-based allocation and quotas keep protecting shared resources, with breach alerts routed to responsible personnel.
  • Joiner-Mover-Leaver Access Lifecycle — Controls · 8 steps
    Handle joiner, mover, and leaver events end-to-end: provision role-based access, adjust with SoD checks on transfer, and evidence timely removal on exit.
  • Legal & Regulatory Compliance Register Evaluation — Regulatory · 11 steps
    Run the compliance office's recurring register-evaluation cycle: maintain the register of applicable legal, regulatory, and contractual requirements — including intellectual-property and software-licensing obligations — with named owners, evaluate compliance with each requirement on its defined cadence through documented reviews, and drive remediation of non-compliance with status reported to management, keeping the register and evaluation results retained as evidence.
  • Malware, Email & Web Content Defense Operations — Controls · 11 steps
    Operate the monthly malicious-content defense cycle: verify centrally managed anti-malware coverage, scanning, signature updates, and tamper protection across every commonly affected component, and review quarantine, alerting, and detection-log handling. Tune email and web filtering for spam and phishing at entry and exit points, and maintain mobile-code technology authorizations and website category and reputation filtering with enforcement-log review.
  • Network & Provider Service Monitoring — Controls · 11 steps
    Operate the monthly cycle that keeps network devices hardened and controlled and network-service documentation (security features, service levels, management responsibilities, including outsourced services) current, monitoring delivered services for conformance and addressing deviations. Review external providers' activity, service status, and security-relevant events against contractual obligations through their logs and reports, confirm cross-organizational audit-exchange methods and identity-context preservation, and feed every deviation into a single owned remediation log.
  • Network Segmentation & Boundary Rule Management — Controls · 10 steps
    Operate the boundary estate end to end: maintain the trust-zone model, gate and implement rule changes to managed interfaces under a deny-by-default baseline, monitor boundary traffic for external threats, and run the quarterly segmentation and rule-set review with a full rule-change record. Enforce label preservation and guard-rule policy at every cross-domain interconnection point so only authorized data types and flow directions pass between security domains.
  • NIST RMF System Authorization (ATO) Cycle — Controls · 27 steps
    Move a system through RMF prepare, categorize, select, implement, assess, authorize, and monitor activities for ATO decisions.
  • Outsourced & Critical-Component Development Oversight — Controls · 11 steps
    Each quarter, review every active outsourced and third-party development engagement for secure-development, IP-ownership, and audit-rights contract terms, verify deliverables against requirements with security-testing evidence on file, and screen developers of critical systems before granting development-environment access. Maintain the register of components critical to security or mission and the rationale and assurance evidence behind every specialized or custom development decision made because commercial items could not meet requirements.
  • Personal Data Quality & De-identification — Regulatory · 10 steps
    Run the recurring PII data-hygiene cycle: check personal data for accuracy, relevance, timeliness, and completeness, correct or delete failing records and notify recipients, execute individual correction requests, and de-identify data where full identifiers are not required.
  • Personnel Screening, Agreements & Sanctions Administration — GRC · 12 steps
    For every hire, role change, and annual high-risk rescreen, the HR Personnel Security Partner applies the position risk designation, completes proportional background verification, and executes and retains the employment security and confidentiality agreements required before access is granted. When a policy violation is reported, the same owner runs the graduated, consistent disciplinary process and documents the sanction, required notifications, and the feedback into awareness and control improvements.
  • Physical Asset Custody & Count Program — SOX · 10 steps
    Operate the standing physical-asset custody and count program each cycle — counting and reconciling cash, negotiable instruments, and accounting records to the books, verifying custody-log authorization, and confirming storage and retention safeguards — with audit-ready evidence captured as you go.
  • Physical Environment Monitoring Review — Controls · 10 steps
    Operate the monthly physical-environment monitoring review across facilities hosting systems and data: sweep badge and entry logs, camera surveillance coverage and flagged footage, and environmental sensor alerts, and feed every confirmed anomaly into security-event analysis.
  • Platform Isolation & Separation Enforcement — Controls · 11 steps
    Operate the semiannual platform isolation cycle: verify user, system-management, and security functions remain separated across sensitivity domains via partitioning or virtualization, confirm shared resources are cleared or sanitized between users and processes while covert-channel bandwidth stays under threshold, and verify hardware- and software-enforced separation mechanisms keep critical code protected from runtime alteration.
  • Policy Exception & Risk Acceptance — GRC · 8 steps
    Manage policy exceptions end-to-end: justify, risk-assess, compensate, approve time-bound, register with expiry, and re-review.
  • Policy Lifecycle Management — GRC · 23 steps
    Manage policies from drafting and linkage through stakeholder review, approval, publication, workforce attestation, monitoring, and refresh.
  • Privacy Breach Assessment & Notification — Regulatory · 12 steps
    Assess a personal-data breach handed off from incident response: scope the exposure, decide notifiability against GDPR, US state, and HIPAA clocks, notify regulators and affected individuals on time, and close with a defensible breach-register entry.
  • Privacy Program Operations (Consent, Complaints & Sharing) — Regulatory · 9 steps
    Run the privacy program's recurring operations: capture and honor consent and preferences, resolve privacy complaints with an accounting of disclosures, and govern data-sharing agreements.
  • Privacy Safeguards & Notice Management — Regulatory · 10 steps
    Run the privacy office's periodic program cycle: maintain the inventory of statutory, regulatory, and contractual privacy requirements, confirm PII-protection accountability, verify that administrative, technical, and physical safeguards remain appropriate to the data held, remediate gaps, and keep external privacy notices and required registrations accurate to actual processing and delivered at the point of collection.
  • Privileged Access & Authorization Model Management — Controls · 10 steps
    Operate the quarterly privileged-access control cycle: recertify every privileged account against its business justification and time bound, enforce separate accounts for administrators, review logged utility-program use, and process application-allowlist changes so unauthorized software stays blocked. In the same cycle, maintain the role and security-attribute authorization model against organizational change and spot-test that enforcement points across applications, databases, and infrastructure apply approved authorizations to sensitive data, source code, and administrative functions.
  • Production Operations & Processing Integrity Cycle — SOX · 12 steps
    Operate the recurring IT operations bridge each shift — authorized batch jobs executed and monitored, failures resolved through a tracked incident process, and backups verified with periodic restore testing against recovery objectives. The same cycle watches performance, capacity, and security telemetry against thresholds and confirms daily processing integrity, from input edit checks and interface reconciliation through outputs released only to authorized recipients.
  • Public Content & External Sharing Authorization — Controls · 12 steps
    Operate the standing publication-authorization capability: verify only trained, designated individuals post to public-facing systems, confirm external information shares carry information-owner authorization consistent with classification and sharing agreements, and run the quarterly sweep that re-verifies the documented no-authentication actions and inspects public content for nonpublic exposure.
  • Quality Assurance & Improvement Program Cycle — Internal Audit · 25 steps
    Operate the QAIP cycle across ongoing review, internal assessment, external quality assessment, improvement planning, and board reporting.
  • Quarterly 302/906 Sub-Certification Cascade — SOX · 12 steps
    The SOX PMO runs the quarterly sub-certification ritual that underpins the principal officers' Section 302 and 906 certifications: it maintains the certifier hierarchy, refreshes the questionnaire for period changes, launches the cascade from process owners through controllers to segment CFOs, chases completion to the cutoff, and triages every exception or qualification raised. Material items reach the disclosure committee before the CEO and CFO sign, and the certification population and its evidence are archived with the period's filing support.
  • Quarterly Board & Audit-Committee GRC Reporting — GRC · 20 steps
    Compile the quarterly GRC board pack across risk profile, audit, SOX, regulatory deadlines, control health, incidents, issues, and decisions.
  • Regulatory Compliance Attestation Cycle — Regulatory · 23 steps
    Compile evidence for a regulation or obligation set, resolve gaps, route officer certification, and archive the attestation package.
  • Regulatory Exam & External Audit Management — GRC · Regulatory · 16 steps
    Manage a live regulator exam or external audit from notification intake through request fulfillment, QC'd evidence release, fieldwork support, findings response, and commitment closure.
  • Regulatory Horizon Scanning & Triage — Regulatory · 13 steps
    Ingest regulator publications, classify applicability, assign owners, and route relevant changes into impact analysis.
  • Regulatory Impact Analysis & Obligation Mapping — Regulatory · 23 steps
    Parse regulatory changes into obligations, map them to policies and controls, identify gaps, and hand confirmed gaps to implementation.
  • Regulatory Obligation Implementation — Regulatory · 22 steps
    Implement a new or changed regulatory obligation from gap analysis through policy update, control design, process operationalization, and coverage validation.
  • Resilience & Failover Readiness Verification — Controls · 11 steps
    Each quarter, verify that the alternate storage site, alternate processing capability, and diverse telecommunications the organization's recovery objectives depend on remain current, separated from primary-site hazards, and able to assume operations within RTO, and that safe-mode, alternate-communications, and alternate-security-mechanism designs on critical systems are configured and ready. Findings convert into owned corrective actions, with any recovery-time-impacting gap escalated immediately rather than held for end-of-cycle closure.
  • Resilient Architecture & Non-Persistence Operations — Controls · 11 steps
    Operate the quarterly non-persistence and resilient-architecture program: refresh designated non-persistent components and services from known-good trusted sources, purge stale information, verify diverse sourcing and fragmentation of high-value data, and review thin-node, technology-heterogeneity, and distributed processing and storage posture against current threats.
  • Risk & Control Self-Assessment (RCSA) Program — GRC · 13 steps
    The first-line RCSA ritual: refresh the assessment universe, issue rating questionnaires to named control and process owners, collect attested self-assessments with exception capture, chase completeness, challenge and calibrate with the second line, aggregate the residual-risk view, and route issues to remediation and exceptions to formal acceptance before reporting to the risk committee.
  • Risk & Resilience Framework Governance — GRC · 10 steps
    Establish, approve, and maintain the enterprise risk management framework and its ICT operational-resilience (DORA) and regulated-technology extensions - accountabilities, resources, processes, and risk tolerance - with management-body sponsorship, planned implementation across the organization, and at-least-annual review.
  • Risk Appetite Definition & Board Reporting — GRC · 23 steps
    Define appetite statements, tolerances, KRIs, board approval, monitoring, and ERM reporting for governance oversight.
  • Risk Communication, Reporting & Performance Review — GRC · 11 steps
    Each quarter - and on an event-driven basis whenever a significant matter arises - the ERM office runs structured stakeholder consultation across the risk process, including supplier and third-party risk and human and cultural factors, and delivers the cadenced risk, control, and performance reporting packages internally at every level and to external stakeholders and partners. The same cycle reviews risk-management and internal-control performance against the framework's design and intended outcomes with accountable management, then converts the lessons into owned, tracked improvement actions driven to closure.
  • Risk Register Intake — GRC · 12 steps
    Capture a new risk from initial identification through inherent scoring, control mapping, residual scoring, and owner assignment with a defined review cadence.
  • Secure Baseline & Integrity Drift Management — Controls · 11 steps
    Operate the monthly secure-baseline cycle: maintain and approve hardening baselines and least-functionality settings against accepted industry standards, run configuration-compliance scans and remediate drift as findings, triage file-integrity, hash/signature, and secure-boot alerts while verifying security functions operate correctly, and keep the configuration management plan and procedures current annually or after significant environment change.
  • Secure Connectivity & Network Trust Services Operation — Controls · 11 steps
    Operate the quarterly cycle that re-authorizes remote, wireless, and organization-controlled mobile access, sweeps for rogue connections, and verifies session-trust and out-of-band credential-delivery protections. The same cycle confirms DNSSEC-authenticated, fault-tolerant name resolution and clock synchronization to authoritative time sources.
  • Secure Development & Release Security Gate — Controls · 12 steps
    Operate the secure-development lifecycle at every release: engineer security and privacy-by-design requirements into the build, execute the documented security test plan with retained evidence against defined acceptance criteria, and verify hardened runtime behavior before production. Between releases, track vulnerability remediation and patching within risk-based timeframes and queue unsupported software for replacement at the quarterly portfolio review.
  • Secure SDLC Phase-Gate Program — Controls · 10 steps
    Operate the secure SDLC phase-gate program that every development initiative passes through: chair the intake, requirements, design, and build/release gates against the documented secure development lifecycle, verifying governed scope and security resourcing, approved application-security requirements, secure-architecture review, and secure-coding and trust-boundary input-validation evidence at each stage. Monitor adherence to and performance of the process itself and track every exception to closure.
  • Security & Privacy Architecture Review Board — Controls · 12 steps
    Operate the standing Security & Privacy Architecture Review Board: maintain the enterprise, security, and privacy architecture views that describe how systems, information flows, and protections align with mission and strategy, review solution designs and acquisition decisions for architectural alignment, and push approved updates into system security plans and acquisition requirements.
  • Security Awareness Training Campaign — Controls · 8 steps
    Run a security awareness campaign end-to-end: curriculum, launch, completion tracking, phishing simulation, escalation, and effectiveness reporting.
  • Security Control Assessment & POA&M Remediation — Controls · 20 steps
    Assess security controls using 800-53A methods, record determinations, open POA&M items, validate remediation, and update the authorization package.
  • Security Monitoring & Detection Operations — Controls · 10 steps
    Operate the SOC's weekly monitoring cycle: verify continuous monitoring is deployed and functioning under the documented strategy across hosts, networks, and applications, and report security status to defined roles. Work the central SIEM analysis queue to correlate and enrich events with threat intelligence, triage flagged anomalies to genuine security events, and verify the health, coverage, and tuning of the continuous protection services.
  • Security Policy Suite Review — Controls · 16 steps
    Operate the annual (and change-triggered) review cycle for the full security policy suite across eight policy families: secure acquisition, development, configuration-management, and maintenance; asset, media, and physical protection; access control, identification, and personnel security; communications protection and cryptography; security awareness and cyber-hygiene; audit-logging, monitoring, and system integrity; contingency planning and disruption mitigation; and incident response. Each policy is reviewed against current risk and threat inputs, updated, reapproved, and disseminated with communication and acknowledgment tracking captured as one evidence set.
  • SOC 2 Readiness & Evidence Collection — Controls · 8 steps
    Get audit-ready for SOC 2/SOC 1: map controls to criteria, close gaps, run the evidence request list, QA evidence, and coordinate the auditor.
  • SOX Deficiency Remediation — SOX · 15 steps
    Track a control deficiency from initial identification and severity grading through root-cause analysis, remediation execution, and validated closure.
  • SOX IPE Validation — SOX · 14 steps
    Validate an Information Produced by the Entity (IPE) report for completeness and accuracy, then decide whether it is reliable control evidence or a deficiency.
  • SOX ITGC Testing — SOX · 23 steps
    Scope and test SOX-relevant ITGCs by referencing the controls-owned 800-53 catalog and test scripts rather than rebuilding procedures.
  • SOX Key Control Operation (Close Cycle) — SOX · 8 steps
    Operate the financial-close key controls each period — reconciliations, management review, journal-entry approval — with audit-ready evidence captured as you go.
  • SOX Key Control TOD/TOE Test — SOX · 25 steps
    Test key controls for design and operating effectiveness, including walkthrough, sampling, IPE linkage, exception handling, and reviewer sign-off.
  • SOX Process Walkthrough — SOX · 20 steps
    Capture an end-to-end process walkthrough and identify the key controls inside it, producing a walkthrough memo and draft control records.
  • SOX Scoping Decision — SOX · 13 steps
    Decide whether a process is SOX-relevant, then scope it or document the exclusion.
  • Strategic Context & Objectives Alignment Cycle — GRC · 12 steps
    Annually refresh the organization's documented mission, stakeholder expectations, and critical objectives and dependencies, and communicate that context to those who scope and prioritize risk work. Realign strategy with mission and risk profile, cascade objectives and publish the roadmap, then close by documenting mission-essential business processes and information-protection needs as the approved basis for risk-assessment scoping.
  • Subservice Organization & Third-Party Personnel Oversight — GRC · 12 steps
    On the annual per-vendor cycle with quarterly issue follow-up, the vendor risk manager maintains the register of subservice organizations relevant to user-entity control objectives, verifies their contracts and assurance reports, and maps complementary user-entity controls. The same review confirms supplier contracts hold third-party personnel to equivalent security terms and tracks every identified issue to resolution.
  • Supplier Service Registry & Critical Supplier Assessment — GRC · 11 steps
    The vendor risk manager maintains the register of supplier-delivered services - the systems and data each service touches and its internal relationship owner - keeping it current as services onboard, change, or exit, and runs security and risk assessments of critical suppliers before acquisition or engagement, recording results and triggering reassessment when services, dependencies, or risk profiles change.
  • Supply-Chain Integrity & OPSEC Operations — Controls · 11 steps
    Operate the standing supply-chain integrity program: inspect each period's critical system and component receipts for tamper-evidence and authenticity, keep provenance and chain-of-custody records current, and disposition suspected counterfeits with inspector-training refresh where lapses appear. In the same monthly cycle, review the register of sensitive supply-chain information to confirm disclosure remains limited to parties with a validated need to know and remediate any overexposure found.
  • System Categorization, Security Planning & Authorization — Controls · 12 steps
    Operate the per-system control that categorizes each system and its information by confidentiality, integrity, and availability impact with criticality analysis and accountable-official approval, develops and maintains the approved system security and privacy plan, and secures formal authorization to operate before production use. Internal system connections are authorized and documented, and reauthorization is tracked on frequency and significant change.
  • Technical Security Testing & Pentest Engagement — Controls · 17 steps
    Plan, execute, report, and retest technical security findings while mapping results to controls and secure-design defects.
  • Technology Investment & Project Risk Governance — GRC · 11 steps
    The quarterly technology investment board applies defined benefit, cost, and risk criteria to evaluate, prioritize, and monitor the technology and innovation portfolio, taking corrective action where value is not being realized. The cycle carries the annual capital-planning leg that allocates security funding and personnel to the risk strategy and enforces security-risk sections in every project gate from initiation through delivery.
  • Technology Lifecycle & Capacity Review — Controls · 12 steps
    Quarterly cycle that reconciles the solution asset record for components, ownership, and licensing, acts on use and cost optimization, and drives components approaching end of support to a replacement or upgrade plan or a documented, risk-accepted compensating control before support lapses. The same cycle monitors solution availability and capacity against current and forecast demand, raises corrective plans for projected shortfalls, and validates that agreed targets were met in the prior period.
  • Third-Party ICT Vendor Regulatory Assurance — Regulatory · 23 steps
    Assess third-party and ICT vendor regulatory obligations, gaps, remediation, and register updates for DORA, FFIEC, and related regimes.
  • Third-Party Risk Program & Vendor Oversight Cycle — GRC · 12 steps
    Each quarter, the Vendor Risk Program Lead refreshes the third-party risk program's governing artifacts - the SCRM plan and policy, the criticality-ranked vendor inventory, the DORA Article 28(3) contract register, concentration-risk view, and critical-provider exit-strategy status - then executes this cycle's tiered reassessments, drives recorded vendor risks to remediation, and confirms external/cloud provider oversight and supplier incident-notification coverage remain current.
  • Third-Party Vendor Assurance Engagement — Internal Audit · 23 steps
    Run an IA-led third-party assurance engagement covering governance, risk tiering, control environment, monitoring, exclusions, and reporting.
  • Third-Party Vendor Risk Lifecycle — GRC · 24 steps
    Operate the enterprise vendor risk lifecycle from inventory and questionnaire through SOC review, C-SCRM controls, contract gates, monitoring, and reassessment.
  • Threat Intelligence & Insider Threat Program — Controls · 9 steps
    Operate the threat program each cycle: ingest and share threat intelligence, run intel-driven hunts, and review insider-threat indicators with a governed response.
  • User Access Review & Recertification — Controls · 8 steps
    Quarterly user access review: extract entitlements, certify with managers, revoke and evidence removals across in-scope systems.
  • User Activity & External Exposure Monitoring — Controls · 10 steps
    Operate the monthly insider-risk monitoring cycle: review captured privileged and remote session activity and personnel technology usage against acceptable-use expectations, restricting access to authorized reviewers and routing findings to HR and legal counsel per the disclosed monitoring terms. In the same cycle, sweep external open-source and dark-web channels for improperly disclosed organizational information, alerting designated personnel and initiating takedown on discovery, with confirmed findings from both halves logged into one restricted case feeding security-event evaluation.
  • Vendor Due Diligence & Contracting Gate — GRC · 11 steps
    For each new vendor engagement or contract renewal, tier the vendor by criticality, run proportionate due diligence across security posture, financial and operational risk, and supply-chain exposure, and document the acceptance decision before binding the contract to required security, privacy, and applicable regulatory clauses. Where personal data is involved, obtain written privacy commitments before access begins and schedule compliance monitoring and breach-notification routing into incident response.
  • Vendor Offboarding & Secure Termination — GRC · 12 steps
    Execute a vendor's contractual exit provisions end to end on each relationship termination: revoke all access and credentials, transition the service to its successor, return or verifiably destroy organizational data, securely dispose of dedicated components and tooling using defined techniques, and retain the required post-relationship evidence.
  • Vendor SOC 1/SOC 2 Report Review & CUEC Mapping — Controls · 16 steps
    Review vendor SOC reports, exceptions, CUECs, bridge letters, and reliance conclusions for controls assurance and service-organization dependencies.
  • Vulnerability & Patch Management Cycle — Controls · 8 steps
    Recurring vulnerability management cycle: scan, triage by severity, patch on SLA, verify by rescan, and risk-accept residuals with expiry.
  • Workplace & Remote Work Security Cycle — Controls · 10 steps
    Operate the quarterly workplace and remote-work security cycle: walk offices for clear-desk, clear-screen, and output-device compliance, and verify and enforce remote-working device, privacy, environment, and connectivity attestations before granting access. Review the approved alternate-work-site list, assess control effectiveness, and confirm workers there have a functioning incident-reporting channel.
  • Year-End Deficiency Aggregation & Severity Evaluation — SOX · 18 steps
    Freeze the year-end deficiency register, prove its completeness against testing results, aggregate related deficiencies, and evaluate severity through compensating-control and prudent-official conclusions that feed 302/404 certifications and audit-committee reporting.
© 2026 CoworkCanvas. All rights reserved. CoworkCanvas Privacy Terms