Reports overview
Turn your compliance data into a shareable PDF: a deep dive on one framework, or a company-wide overview.
The Reports area turns the live state of your compliance program into a fixed, shareable PDF. A report is a point-in-time snapshot: it captures your controls and their status, your maturity ratings, your assessment scores, and your open risks at the moment it is generated, and renders them into a formatted document you can hand to an auditor, leadership, or a regulator.
Reports do not change after they are created. To reflect new work, generate a fresh report — each one is stamped with its own generation timestamp.
The two report types
Every report is produced from a report template, and the template is what fixes the report's type. There are exactly two types:
| Type | Produced from | Scope |
|---|---|---|
| Framework Specific (Framework Overview) | the Framework Specific Report template | One chosen framework, with a section-by-section drill-down of that framework. |
| Company Overview | the Company Overview Report template | All of your company's frameworks, aggregated; no single-framework drill-down. |
The word "Standard" sometimes appears in the interface. It is not a third report type — it is a display fallback label and an unrelated internal "detail level" value. Every report you can generate is either Framework Specific or Company Overview.
Both types share the same building blocks: an overall compliance summary, a control-status breakdown, a maturity-level distribution, key findings, a summary table of every framework in the company, recent assessment history, risk counts, a detailed table of critical and high risks, a six-month risk trend, and action items. The only structural difference is that a Framework Specific report adds a per-section drill-down for the one framework you picked.
A Framework Specific report is not purely about one framework. Its company-wide summary (for example the "active frameworks" count) and its all-frameworks summary table cover every framework in your company. Only the section drill-down is specific to your chosen framework.
What goes into the figures
A few rules decide which data lands in the report:
- Risks are filtered to reportable ones: a risk is excluded if it is resolved (status `closed` or `mitigated`) or `ai_proposed` (an AI suggestion you have not accepted). The detailed risk table lists only critical and high risks; medium and low are counted in summaries but not itemized.
- Compliance score = implemented controls divided by applicable controls. Controls marked `not_applicable` are dropped from the denominator. A score of 85% or higher reads "On Track", 70–84% reads "Needs Attention", and below 70% reads "At Risk".
- Maturity is the 1–5 control scale (1 Initial, 2 Managed, 3 Defined, 4 Measured, 5 Optimizing).
For the full set of statuses, thresholds, and the step-by-step generation flow, see the sub-page below.
Who can see and create reports
Three permissions govern the area, and each can be granted company-wide or scoped to specific frameworks:
| Permission | Lets you |
|---|---|
| `report:read` | See the report list and a report's details. |
| `report:generate` | Open the generate dialog, list templates, and generate a report. |
| `report:download` | Download (export) a finished report. |
The list shows only reports you are allowed to see: a company-wide `report:read` grant shows every report, a framework-scoped grant shows only that framework's reports, and reports with no framework (Company Overview reports) are visible only with a company-wide grant.
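The list-visibility rule above, written as a deny-by-default filter. This is an added example, not the product's own code: the `Report` and `ReadGrant` shapes, the framework ids and the sample reports are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Report:
    id: str
    type: str                    # "Framework Specific" or "Company Overview"
    framework_id: Optional[str]  # None for Company Overview reports


@dataclass(frozen=True)
class ReadGrant:
    """Hypothetical shape of one user's report:read grant."""
    company_wide: bool = False
    framework_ids: FrozenSet[str] = frozenset()


def can_read(grant: Optional[ReadGrant], report: Report) -> bool:
    """Decide whether a report may appear in the user's list."""
    if grant is None:
        return False  # no report:read grant at all: deny
    if grant.company_wide:
        return True   # company-wide grant sees every report
    if report.framework_id is None:
        # Reports with no framework (Company Overview) are never
        # reachable through a framework-scoped grant.
        return False
    return report.framework_id in grant.framework_ids


def visible_reports(grant: Optional[ReadGrant],
                    reports: List[Report]) -> List[Report]:
    """Filter server-side, before the list is returned to the client."""
    return [r for r in reports if can_read(grant, r)]


# Constructed sample data.
REPORTS = [
    Report("r1", "Framework Specific", "fw-a"),
    Report("r2", "Framework Specific", "fw-b"),
    Report("r3", "Company Overview", None),
]

if __name__ == "__main__":
    scoped = ReadGrant(framework_ids=frozenset({"fw-a"}))
    print([r.id for r in visible_reports(scoped, REPORTS)])
```

The case worth testing in any implementation is the framework-less report under a scoped grant: treating a missing framework as "matches anything" would expose company-wide data to framework-scoped users.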
Related
- Frameworks — the controls, sections, and assessments a report summarizes.
- Risks — where the critical/high risk table and risk trend come from.