Compliance Auditing

Compliance Auditing helps you track your organization's adherence to industry security frameworks. Select the compliance frameworks relevant to your workspace, assess each control's implementation status, attach evidence, and monitor progress toward full compliance. Hawkra supports automatic population of certain controls based on your workspace's vulnerability and asset data.

[Image: Compliance auditing dashboard]

Supported Frameworks

Hawkra includes built-in support for the following compliance frameworks:

| Framework | Description |
|---|---|
| PCI-DSS | Payment Card Industry Data Security Standard. Required for organizations that handle credit card data. |
| HIPAA | Health Insurance Portability and Accountability Act. Required for organizations handling protected health information (PHI). |
| NIST | National Institute of Standards and Technology Cybersecurity Framework. A widely adopted voluntary framework for managing cybersecurity risk. |
| CIS | Center for Internet Security Controls. A prioritized set of actions to protect against common cyber attacks. |
| SOC2 | Service Organization Control 2. Focused on security, availability, processing integrity, confidentiality, and privacy of customer data. |
| GDPR | General Data Protection Regulation. The European Union's data protection and privacy regulation. |
| ISO 27001 | International standard for information security management systems (ISMS). |

Each framework is defined with its full hierarchy of categories, subcategories, and individual controls. You can view framework details including version information, descriptions, and total control counts.

Selecting Frameworks

Activating a Framework

To begin tracking compliance against a framework:

  1. Navigate to the Compliance section of your workspace.
  2. Browse the list of available frameworks.
  3. Click Activate on the frameworks relevant to your organization.

When you activate a framework, Hawkra records who activated it and when, creating an audit trail of framework selection. You can activate multiple frameworks simultaneously -- there is no limit on how many frameworks a workspace can track.

Deactivating a Framework

If a framework is no longer relevant, you can deactivate it. Deactivating removes the framework from your active selections. Any responses and evidence you have recorded for that framework's controls are retained in the database and will be restored if you re-activate the framework later.

Permissions

Activating and deactivating frameworks requires the EditWorkspace permission. Viewing frameworks and their details requires ViewWorkspace.

Control Assessment

Each framework is organized into categories and subcategories containing individual controls. For each control, you can set an implementation status and add notes.

Implementation Status Values

| Status | Meaning |
|---|---|
| Fully Implemented | The control is completely in place and operating as intended. |
| Largely Implemented | The control is mostly in place with minor gaps. |
| Partially Implemented | Some aspects of the control are in place, but significant work remains. |
| Not Implemented | The control has not been implemented. |
| Not Applicable | The control does not apply to your organization's environment. |

Updating a Control

  1. Navigate to the framework and find the control.
  2. Select the appropriate implementation status from the dropdown.
  3. Add notes explaining your assessment (up to 10,000 characters). Notes are encrypted at rest using your workspace's data encryption key.
  4. Save the response.

Each response records which user made the assessment and when it was last updated.

[Image: Control assessment form]

Vulnerability-to-Control Mapping (Auto-Populate)

Hawkra can automatically assess certain controls based on your workspace's actual security data. The auto-populate feature evaluates rules such as:

| Rule | What It Checks | Controls Affected |
|---|---|---|
| Asset Inventory Completeness | Percentage of assets with both IP addresses and hostnames populated. | Inventory-related controls across frameworks. |
| Vulnerability Remediation Rate | Percentage of vulnerability-asset links marked as remediated. | Remediation and vulnerability management controls. |
| Vulnerability Scan Coverage | Percentage of networks that have completed scan imports. | Scanning and monitoring controls. |
| Access Control Defined | Number of distinct roles used in workspace membership. | Access control and authorization controls. |

Auto-populated responses are marked so you can distinguish them from manual assessments. They are updated each time you run auto-populate, reflecting the current state of your workspace data.

To run auto-populate for a framework:

  1. Navigate to the framework.
  2. Click Auto-Populate.
  3. Review the results showing which controls were updated and what values were set.

Evidence Management

Attach supporting evidence to individual controls to document your compliance posture.

Adding Evidence

  1. Navigate to the framework and control.
  2. Click Add Evidence.
  3. Select an uploaded file from your workspace.
  4. Provide a name (required, max 255 characters) and optional description (max 5,000 characters).
  5. The evidence is linked to the specific framework and control.

Evidence descriptions are encrypted at rest. Each evidence record tracks who uploaded it and when.

Viewing Evidence

The evidence list for a control shows:

  • Evidence name and description
  • Original filename
  • Who uploaded it and when

Deleting Evidence

Evidence can be deleted by users with the EditWorkspace permission. Deleting evidence removes both the database record and the stored file.

Progress Tracking

Overall Progress

For each activated framework, Hawkra calculates:

  • Total controls in the framework.
  • Total responded -- how many controls have been assessed.
  • Fully implemented / Largely implemented / Partially implemented / Not implemented / Not applicable counts.
  • Completion percentage -- the ratio of fully implemented controls to applicable controls (total minus not applicable).

Progress by Category

Progress is also broken down by framework category, showing:

  • Total controls in each category.
  • Number of controls responded.
  • Number fully implemented.
  • Completion percentage for each category.

This per-category breakdown helps you identify which areas need the most attention.

[Image: Compliance progress dashboard]

Gap Analysis

The gap analysis view identifies controls that are not yet fully compliant:

  • Total gaps -- Number of controls that are not fully implemented and not marked as not applicable.
  • Not assessed -- Number of controls that have not been assessed at all.
  • Gap details -- For each gap, the control ID, title, category, current status, and whether evidence has been attached.

Use gap analysis to prioritize remediation efforts and track progress toward full framework compliance.

Exporting Compliance Data

Export your compliance assessment data to CSV for external reporting, audits, or integration with other tools.

The compliance export includes configurable fields such as:

  • Control ID, title, and category
  • Implementation status
  • Assessment notes
  • Evidence attachment status
  • Assessor and assessment date

The export covers all controls in a selected framework, including those that have not yet been assessed.
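
The progress and gap figures described above can be recomputed from an exported CSV to cross-check a report before an audit. The following is an added example, not Hawkra's own code: the column names (control_id, category, status, has_evidence), the control IDs and the sample rows are constructed assumptions, since the export fields are configurable, and counting unassessed controls as gaps is an assumption based on the gap definition above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names and control IDs are assumptions.
SAMPLE_CSV = """control_id,category,status,has_evidence
AC-1,Access Control,Fully Implemented,yes
AC-2,Access Control,Partially Implemented,no
AC-3,Access Control,,no
VM-1,Vulnerability Management,Largely Implemented,yes
VM-2,Vulnerability Management,Not Applicable,no
VM-3,Vulnerability Management,Fully Implemented,no
"""
FULL, NA = "Fully Implemented", "Not Applicable"

def completion_pct(rows):
    """Fully implemented / (total - not applicable), as a percentage."""
    applicable = [r for r in rows if r["status"] != NA]
    if not applicable:  # every control is N/A: nothing to divide by
        return None
    full = sum(r["status"] == FULL for r in applicable)
    return round(100.0 * full / len(applicable), 1)

def summarize(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_cat = defaultdict(list)
    for r in rows:
        r["status"] = r["status"].strip()
        r["evidence"] = r["has_evidence"].strip().lower() == "yes"
        by_cat[r["category"]].append(r)
    # Gap: neither fully implemented nor N/A. Unassessed controls (empty
    # status) are counted as gaps here, which is an assumption.
    gaps = [r for r in rows if r["status"] not in (FULL, NA)]
    return {
        "total": len(rows),
        "responded": sum(bool(r["status"]) for r in rows),
        "completion_pct": completion_pct(rows),
        "by_category": {c: completion_pct(rs) for c, rs in by_cat.items()},
        "total_gaps": len(gaps),
        "not_assessed": sum(not r["status"] for r in rows),
        "gaps_without_evidence": [r["control_id"] for r in gaps if not r["evidence"]],
        # Claimed complete but undocumented: worth reviewing before an audit.
        "full_without_evidence": [r["control_id"] for r in rows
                                  if r["status"] == FULL and not r["evidence"]],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_CSV))
```
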

Tip: Start by activating the frameworks most relevant to your regulatory requirements. You can always add more later. Focus your initial assessment on the framework with the most immediate audit deadline.

Tip: Run Auto-Populate after completing vulnerability scans and remediation to automatically update controls that can be assessed from your workspace data. Review the auto-populated values to ensure they accurately reflect your compliance posture.

Tip: Use Gap Analysis before an upcoming audit to identify controls that still need attention. Filter for controls with no evidence attached to find areas where you need to gather documentation.

Audit Trail

All framework activation, control assessment, evidence upload, and auto-populate actions are recorded in Hawkra's audit log with the user, timestamp, and action details.