💡 Feature requests

Incorporate Statement of Applicability from security reports into the platform

As a user of the Secfix platform, I want the assignment of Controls to Risks in the Risk Register to be mandatory, so that no risk can be saved or left in the system without at least one linked Control. This ensures that all identified risks have documented mitigation strategies, which is essential for audit readiness and maintaining compliance with standards like ISO 27001. Currently, it’s possible to create or update a risk without assigning a Control, which introduces the risk of incomplete risk treatment and potential findings during audits. Making this a required field would help maintain data integrity and reduce the chance of user oversight. An additional helpful enhancement would be to visually flag any existing risks without Controls assigned, allowing users to quickly identify and resolve these gaps.

Email notifications are helpful in the following cases: Alerting editors/admins when users are assigned as owners. Notifying when a new admin is added to the account. Informing employees about newly uploaded policies ready for review. Sending automated employee reminder notifications, with a central setting to configure reminder frequency and preferences.

The risk treatment checkmark is not intuitive enough (when it got overdue, I didn't know what to do, the fact that I should click on/complete the checkmark wasn't clear to me)

Currently, the "Upload Evidence" button is always available for employees. However, some of our customers prefer to bulk upload evidence on behalf of their employees, making the button unnecessary. To improve user experience and avoid confusion, we would like to request a new setting that allows customers to manually enable or disable the "Upload Evidence" button.

Users need the ability to manually mark device requirements as completed for instance when the platform does not automatically detect them. Manually confirmed items should have a distinct visual indicator to differentiate them from automatically detected completions Proposed visual labeling: a blue checkmark instead of a green one; an "M" symbol for manual completion Use Case: A security team runs a compliance check, but the platform fails to detect a specific security setting due to a misconfiguration in the detection logic. The team verifies that the setting is correctly configured on the device through an alternative method (e.g., checking system settings directly or running a different security scan). Instead of waiting for a fix in detection logic, they manually mark the requirement as completed to ensure an up-to-date compliance status.

We'd like to manually add evidence records to prove that we're actually generating "records of access request issues tracked". Since Secfix doesn't provide Clickup integration yet and we can't turn some ticketing-system-related tasks green, we would then add proof for that on the manual evidence list. I'm referring to the automated tasks called "Records of access requests issues tracked" and "Records of security issues being tracked" in my example.