💡 Feature requests

It would be great to have the ability to add custom fields to vendors. This would allow us to track important details such as: Has the contract been signed? Do they delete data within six months? Where is their data located? Where do they process their data?

As a user managing risks in the Secfix platform, I want the selection of CIA (Confidentiality, Integrity, Availability) classifications to be a mandatory step when creating or editing a risk in the Risk Register. This ensures that each risk is properly evaluated in terms of its potential impact on information security principles, which is a core requirement of most compliance frameworks such as ISO 27001. At present, risks can be saved without CIA categories assigned, which may result in incomplete risk assessments and weak prioritization during audits or internal reviews. Enforcing this field would help standardize risk documentation and support more effective treatment decisions. It would also be helpful to highlight any existing risks that are missing CIA classifications, allowing users to easily review and update them accordingly.

We had a minor non conformity during the audit, because the users who uploaded the policies were at the same time the approvers. It would be great to have this option disabled from platform perspective.

Currently, in the risk register, we can only see the beginning of a risk description, and need to hover over each one to read the full sentence. This makes it difficult to quickly review or compare multiple risks - especially when prepping for an audit or working collaboratively across teams. We’d love the ability to see the full risk sentence/description at a glance, either by: Expanding the column width Wrapping the text onto multiple lines Or displaying the full text in a tooltip or modal upon click (rather than hover) Hovering over each individual item is time-consuming and unintuitive, particularly when managing a longer list of risks or reviewing historical entries. It would streamline our workflow and make the tool much more usable during time-sensitive tasks like audit prep. Thanks for considering this quality-of-life improvement!

Request I would like to have an internal audit reporting tool integrated into the platform that we can fully manage ourselves. The tool should allow us to document findings and observations from internal audits and directly generate actionable items such as tickets or to-dos from these entries. This would streamline the audit follow-up process and ensure traceability. Benefits Centralized and structured internal audit documentation. Immediate creation of follow-up tasks to close gaps efficiently. Improved traceability and accountability during audit cycles. Reduced reliance on external tools or manual workflows.

Request I would like to see a centralized repository within the platform for two types of documents that currently lack a dedicated space: Documents not directly linked to Policies (POLs) – such as cloud exit strategies, backup strategies, or overarching compliance frameworks. These documents are important for audits and internal controls but do not fit neatly under specific policies. Documents exclusively related to the ISMS (Information Security Management System) – such as ISMS-specific procedures, frameworks, or strategic documents that are essential for managing the system but aren’t tied to individual POLs. Benefits Clear and structured access to critical compliance documents. Better support for audit readiness and ISMS maintenance. Reduced risk of document scattering and information loss.

Request I would like to see a visually designed risk management matrix integrated into the platform. Currently, risk evaluation lacks an intuitive graphical overview, which makes it harder to quickly grasp the overall risk landscape. A matrix-style visualization would allow users to see likelihood and impact at a glance. Benefits Faster and more intuitive risk assessment. Improved clarity for stakeholders reviewing risk levels. More professional and audit-ready presentation of risk data.

The Secfix agent monitors employees OS. Because of it, we can check which OS versions our employees are using. Based on auditor requests, it'd be nice if I could "manage" OS versions using Secfix and notify employees that they need to update it - just as I can with employee tasks.

When a user selects the "mitigate" option for a risk, the system should enforce that the post-mitigation risk rating is lower than the initial rating. Right now, it's possible to apply a mitigation and keep the same risk score, which doesn't make logical sense and can lead to confusion during audits or internal reviews. Ideally, there should be a validation or warning to guide the user to adjust the rating appropriately—or at least justify why it remains unchanged (e.g., if it's already at the lowest possible level). This would help ensure that the mitigation steps are meaningfully reflected in the risk scoring and support better risk management practices. This improvement would prevent user errors, make the risk register more reliable, and align with auditor expectations.

It would be helpful to have an FAQs section in the Trust Center to address common customer questions.