💡 Feature requests

We would like to sort the policies alphabetically or individually in our preferred order. Reason for this - we used Secfix policy templates, but also added a few more on top of that. Some policies for instance explain, how to understand the ISMS Leader role. We would like our employees to read the policy of our choice first, to understand the mandatory ones. Currently the platform does not allow this option.

As a user of the Secfix platform, I want the assignment of Controls to Risks in the Risk Register to be mandatory, so that no risk can be saved or left in the system without at least one linked Control. This ensures that all identified risks have documented mitigation strategies, which is essential for audit readiness and maintaining compliance with standards like ISO 27001. Currently, it’s possible to create or update a risk without assigning a Control, which introduces the risk of incomplete risk treatment and potential findings during audits. Making this a required field would help maintain data integrity and reduce the chance of user oversight. An additional helpful enhancement would be to visually flag any existing risks without Controls assigned, allowing users to quickly identify and resolve these gaps.

Incorporate Statement of Applicability from security reports into the platform

The risk treatment checkmark is not intuitive enough (when it got overdue, I didn't know what to do, the fact that I should click on/complete the checkmark wasn't clear to me)

Problem Several customers require CVSS-driven remediation SLAs. Today our risk surveys generate scenarios, but we don’t natively score/track vulnerabilities against CVSS v3.1 nor enforce time-bound fixes. Proposal Add first-class CVSS support so teams can ingest CVEs from scanners, calculate/display scores, and auto-enforce remediation SLAs. This aligns with ISO/IEC 27001:2022 A.8.8 – Management of technical vulnerabilities and strengthens audit evidence.

Ability to filter treatment tasks by finished / uncompleted

Currently we need to export the vendor list in order to share with our employees, which SW is approved or is not. In a dynamic company it's a frequent mandatory manual effort. It would save hours of manual efforts and help us keep and up to date vendor list in the platform directly. Best option: Employee can access the approved vendors list directly under their compliance tasks. Bonus: Every employee sees only the approved vendors approved for their role/ department.

It would be great to have a button on the secfix.com website to easily log into the platform.

Currently it is possible to add new vendors by SSO login activity. Maybe the reverse would also be useful, in showing which vendors aren't used as much or aren't used at all. Just to check if the access is still needed.

Request We would like to have a clear warning in the Computer tab when a Secfix Agent has not synchronized for a longer period (e.g., more than 2 weeks). Currently, there is no alert or visual highlight, which makes it easy to overlook unsynchronized devices. Benefits Ensures that admins can immediately identify devices that are outdated or not synchronized. Reduces the risk of missing critical updates or compliance gaps. Improves visibility and overall system reliability.