Assure is where your program demonstrates its maturity. Collect evidence, manage audits, track findings, and run corrective action cycles instead of one-off audit sprints.
What Assure does
Evidence moves through four states: Draft, Submitted, Approved, and Expired. You record collection, review, and expiry dates on the record, attach files with automatic versioning, and link one piece of evidence to multiple controls with per-link notes. Approvers get notified and can send a record back for changes; approved records are locked with a timestamp. The Expired state can apply automatically, with clear visual flagging and deletion restricted to an admin workflow.
KPIs can be manual entry, computed (predefined library by category such as Compliance, Operations, Risk, Controls, General, Assure; custom query builder; or control-sourced effectiveness and execution), connector-based, or fed by external API and webhooks. You set per-item compliance thresholds with progress bars and green, amber, or red coding, and visualize values with number, pie, column, line, and spider charts.
The Audit Readiness view highlights where controls still have requirements but lack enough approved evidence, so you fix gaps on a normal cadence. You can export evidence summaries into audit questionnaire responses or packs for management review instead of rebuilding narratives from folders.
Control health scoring and KPI compliance thresholds give a running picture of posture. Chart types including spider and line support trend and multi-axis views; control-sourced series let you track a single control's effectiveness or execution over time alongside program-level indicators.
Who uses it
For security and privacy leaders who need approved evidence, clear expiry and review dates, and a view of gaps while requirements are still under internal control.
For GRC leads who coordinate evidence quality, versioning, and rework cycles alongside findings and corrective actions tied to controls.
For executives who want threshold-based indicators, charts, and control-linked metrics instead of one-off slides assembled before each meeting.
FAQ
Each evidence record follows the Draft, Submitted, Approved, Expired lifecycle. You set collection, review, and expiry dates; attach files with versioning; and link the record to one or many controls. Submitters and approvers work through notifications and change requests, and once approved the record is locked with a timestamp. Expiry can transition automatically, and deletion is gated so records are not removed casually.
There are four KPI data source types: manual entry; computed KPIs using either the predefined metric library (grouped by categories such as Compliance, Operations, Risk, Controls, General, and Assure), a custom query builder, or control-based effectiveness and execution; data from connectors; and values from an external API or webhook.
The Audit Readiness view surfaces gaps where a control still has requirements mapped but does not yet have enough approved evidence attached. That lets you prioritize collection and approval work before external review, instead of discovering holes during fieldwork.
Each KPI item can have its own target threshold. Acuna shows progress against that threshold with a bar and applies green, amber, or red styling so you can see which metrics are inside tolerance and which need attention without re-interpreting raw numbers every time.
You combine KPI visualizations (number, pie, column, line, spider), control health, and exported evidence summaries (such as packs for management review or structured answers for audit questionnaires) so leadership sees posture and proof from the same system rather than from one-off spreadsheets.
When evidence is submitted, configured approvers are notified. They can approve, which locks the record and records the approval time, or request changes, which sends the work back for revision. That gives you a clear audit trail between draft material and what you are willing to stand behind.
Operate is where recurring and one-off work runs: tasks, objectives, risk register, and treatment execution. Assure is where you prove and measure: evidence lifecycle, KPI definitions and charts, audit readiness gaps, and exports. Execution happens in Operate; demonstration and monitoring lean on Assure.
Related answers
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) applies to financial entities in the EU. It establishes requirements for ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing for significant entities), ICT third-party risk management, and information sharing on cyber threats. DORA became applicable on 17 January 2025. Acuna covers DORA requirements across all four panes: framework mapping in Comply, ICT controls and asset inventory in Implement, incident and third-party management in Operate, and TLPT findings and corrective actions in Assure.
DORA Chapter IV requires financial entities to maintain a digital operational resilience testing programme. This includes vulnerability assessments, network security testing, gap analysis, and software security reviews. Significant entities must also conduct threat-led penetration testing (TLPT) at least every three years, simulating real-world attacks against live production systems using threat intelligence. TLPT must be performed by qualified testers and results reported to the National Competent Authority. Acuna tracks TLPT planning, findings, and corrective actions in the Assure pane.
SOC 2 Type I evaluates whether controls are suitably designed at a specific point in time. SOC 2 Type II evaluates whether those controls operated effectively over a period, typically 6 to 12 months. Type II is more rigorous because it requires evidence of sustained operation — not just that controls exist on paper. Most enterprise buyers require a Type II report. Acuna is designed for continuous evidence collection during the Type II observation period, with recurring tasks, control health scoring, and audit-ready evidence packs.
In Acuna, evidence records follow four states: Draft (being compiled), Submitted (sent for approval), Approved (locked and timestamped), and Expired (no longer current). Each record captures collection, review, and expiry dates, supports versioned file attachments, and can be linked to multiple controls with per-link notes. Approvers receive notifications and can request changes before accepting. Approved evidence contributes to control effectiveness and audit readiness metrics. Expired evidence is flagged visually and cannot be deleted without administrator approval, preserving the audit trail.
Acuna supports four KPI data source types. Manual entry is for metrics from outside the platform (pen test scores, survey results). Computed KPIs calculate automatically from live compliance data using either a predefined metric library (grouped by Compliance, Operations, Risk, Controls, General, and Assure categories), a custom query builder with filters and operators, or a control-sourced effectiveness/execution feed. Connectors pull values from integrated external services. External API/webhook receives inbound values from systems that push data to Acuna. Per-item compliance thresholds with colour-coded progress bars are available for computed sources.
Assure is the evidence and audit-readiness layer. It manages evidence records through their full lifecycle (Draft → Submitted → Approved → Expired), links evidence to controls, tracks review and expiry dates, and packages evidence for internal or external audits. Assure also handles findings management: audit observations, non-conformities, and corrective actions with due dates and ownership. The pane provides audit-readiness dashboards showing evidence coverage, expiry forecasts, and open finding counts — so you know exactly where you stand before an auditor arrives.
Audit readiness in Assure is a composite metric driven by three factors: evidence coverage (percentage of controls with at least one approved, non-expired evidence record), control health (rolled up from task completion), and open finding count (unresolved non-conformities and observations). Each factor contributes to an overall readiness score displayed on the Assure dashboard. When evidence expires or a finding goes overdue, the score drops automatically. This gives compliance managers a single number to report to leadership and auditors — backed by drill-down detail to every underlying control and artefact.
A CISO dashboard is a consolidated view of security, risk, and compliance indicators a Chief Information Security Officer needs to run their program. Effective CISO dashboards combine: multi-framework compliance posture (ISO 27001, NIS2, DORA, SOC 2), risk register with scoring and trends, control maturity by domain, and readiness for upcoming audits. In Acuna, each CISO configures their dashboard via RBAC to show only their scope, their KPIs, and the risks they own. Leadership sees the summary. Analysts see their controls. Same platform, different views per role.
Get access and our team will walk you through Assure and the full Acuna platform.