Dashboard
Live assurance position for this tenant. Every figure below is computed from the registers — nothing is typed into a slide the night before an audit.
Certification roadmap
Continuous monitoring — drift since last scan
Residual risk heatmap
Posture score trend
Governance
Activity
Board view
A live, presentation-ready summary — pull this up instead of screen-sharing the full console. Nothing here is editable; it always reflects the current data.
Certification roadmap
Top risks
Upcoming milestones
Posture scan
Reads Conditional Access, directory roles, PIM, Identity Protection, Intune, OAuth app grants and Secure Score via Microsoft Graph — read-only, inside the tenant — across Identity, Devices, Apps & Data, Monitoring, Continuity, Supplier and Governance. Failed and review-grade checks become proposed risks and actions for your approval; checks with no automatable signal show Manual — verify rather than a false pass. Nothing enters the client register without a practitioner's sign-off.
Tenant posture
Checks
Risk register
Inherent and residual scoring, linked controls and treatment actions. Residual scores recalculate automatically as linked actions complete.
| ID | Risk | Category | Source | Inherent | Residual | Owner | Status |
|---|
Actions register
Every action traces to a risk and a control. Completing an action prompts evidence capture and updates the linked risk's residual score — the audit trail builds itself. Also the home for non-conformities and observations raised during internal or external audits.
| ID | Action | Type | Risk | Control | Priority | Owner | Due | Status | Evidence |
|---|
Vendor risk
Third-party suppliers with access to systems or data, reviewed on a cadence proportional to their criticality. Linked to the supplier-related controls (A.5.19–A.5.23, CC9.2, DISP.26) and to the risk register — an overdue review here is a live gap in the Statement of Applicability, not a separate spreadsheet.
| ID | Vendor | Criticality | Review status | Next review | Certifications | Owner | Questionnaire |
|---|
AI systems
Every AI system in use, its impact assessment status, and the ISO 42001 controls it evidences — the register ISO 42001 certification is actually built on, not a slide deck assembled the week before audit. EU AI Act risk tiers (Prohibited/High/Limited/Minimal) drive how much scrutiny each system gets.
| ID | System | Risk tier | Impact assessment | Vendor | Owner | Last reviewed |
|---|
Frameworks
Every framework Compliance365 delivers is available in Checkpoint — turn one on the moment a client purchases it. Enabling a framework here makes its control set appear in the Statement of Applicability immediately; nothing is deleted when a framework is switched off.
Posture-scan pass/review/fail thresholds, tunable per client. Each falls back to the default shown if left blank.
Optional dashboard and workflow additions — switch any of these off per client without losing data. Turning one back on picks up exactly where it left off.
Statement of Applicability
One control set per purchased framework, cross-mapped to the others so shared evidence is never duplicated. ISO 27001 and ISO 42001 ship with their full Annex A; the remaining frameworks ship starter subsets — extend any of them in the SharePoint Controls list as engagements progress.
| Control | Title | Applicable | Status | Also satisfies | Owner | Verified | Evidence |
|---|
Documents
Real evidence storage in this tenant's SharePoint — the ISMS manual, policies, risk treatment plan, training records. Upload here, or upload directly in SharePoint and paste the link when linking evidence to a control or action. Files over 4 MB: upload in SharePoint directly, then paste the link.
Upload a document
| Name | Category | Modified | Size |
|---|
Internal audits
ISO 27001 clause 9.2 requires the organisation to run its own internal audit programme, independent of any external certification audit. Schedule audits per framework, record the outcome, and any findings raised become non-conformities or observations in the Actions register.
| ID | Framework | Scope | Auditor | Planned | Status |
|---|
Management review
ISO 27001 clause 9.3 requires top management to review the ISMS at planned intervals. Recording a review here snapshots the live inputs (posture, risks, actions, non-conformities, control readiness) at that moment, alongside attendees and decisions — a minuted record an auditor can inspect.
| ID | Date | Attendees | Next due |
|---|
Compliance calendar
Every recurring ISMS activity in one place — access control reviews, BCP/DR and backup restore tests, supplier reviews, awareness training, the external surveillance audit cycle and certificate expiry. Complete an item and, if it recurs, its next due date rolls forward automatically.
| ID | Activity | Category | Frequency | Owner | Next due | Last completed |
|---|
Audit log
An append-only, read-only record of who changed what and when — control status changes, evidence links, verifications, risk approvals, action/audit/review/calendar activity and framework toggles. Evidence for ISO 27001 A.8.15 (logging) and SOC 2 CC7.2, distinct from the plain-English Activity feed on the Dashboard.
| When | Actor | Action | Target | Before | After |
|---|
Audit reports
Generated from the live registers, in Compliance365 brand. What used to be a fortnight of assembly is a button.
Statement of Applicability
Full SoA with applicability justifications, implementation status and evidence references. The document your certification auditor opens first.
Risk register snapshot
Complete register with heatmap summary, treatment decisions and movement since the last snapshot.
Audit readiness report
Per-framework readiness: control implementation, open critical risks, overdue actions, evidence coverage — and what the auditor will ask about.
Management review pack
Quarterly KPI trends, top risks, action throughput and recommendations — satisfies the management review requirement directly.
Executive summary
One page: score with trend arrow, implementation %, high/critical risk count, next milestone, top 3 risks. Built for a five-minute board update.
Trust Center
A public, read-only page — certifications held, high-level posture, Statement of Applicability summary and (optionally) your sub-processor list. Generated as a single self-contained HTML file into this tenant's own Documents library. Publishing it is a normal SharePoint sharing action you take yourself — Checkpoint generates the file and never makes anything public on its own.
What's shown
Sub-processors listed publicly
Only appears on the page if "Sub-processor list" above is switched on. Choose which vendors from the Vendor risk register are named.
Auditor pack
Assembles the current Statement of Applicability, an evidence index, a recent audit log excerpt and the latest management review record into one file an external auditor can open via a SharePoint sharing link — no Checkpoint licence needed. Time-boxing and access control are enforced by SharePoint's own sharing-link expiry when you create that link, not by Checkpoint.
Portfolio
A view across every client tenant you manage — not tied to whichever tenant you're currently signed into. This list itself is bookkeeping stored only in this browser's local storage — client name, tenant ID, and the last-synced summary numbers (posture score, readiness %, risk count). No risk, action or control records are ever copied here; syncing a client signs you into their tenant separately and reads their live Checkpoint data on the spot, in their own SharePoint, same as the main console. Nothing about any client is stored centrally or on Compliance365 infrastructure.