💡 Feature requests

Right now, when we export the frameworks report, we only see the control details and status. We can’t see who owns the control or when it’s due. Since people tend to ignore email reminders, we often have to follow up manually — and without that information in the export, it’s hard to get a clean overview of what needs attention and who to chase. It would be great if you could extend the current export to include additional columns for Owner and Due date / Expiry date, so we can easily filter and manage follow-ups in Excel - even comments. Please update the frameworks export (CSV/Excel) to include at least: Control ID, Control Title, Status, Owner, and Due Date/Expiry Date. This would make weekly follow-ups and audit prep much easier for us. Or even better, to have the export customizable to whichever fields you need.

The option to upload attachments via the comment function is already helpful. Our goal is to have a uniform and traceable storage system for manual evidence in the GDPR module. Currently, I only have the PDF option available for export; the manual evidence appears there, but not the comments. Is there an option to include the comments in the export as well? This would be helpful for verification purposes vis-à-vis supervisory authorities or investors.

Under ISO 42001, organizations must assess not only likelihood and severity of AI risks, but also their impact, particularly in areas such as human rights, bias, safety, compliance, etc. This goes beyond the CIA focus we have in ISO 27001. Currently in Secfix: CIA categories are available in the Risk Register There is no structured field for AI-specific Impact Domains We had to document impact domains outside the platform, which is inefficient and time consuming. Suggestion Add an “Impact Domain (ISO 42001)” field to the Risk Register (multi-select, similar to CIA or a text field). This would improve audit readiness and ensure complete AI risk assessment within the platform.

It would be nice, if the pages for Automated Checks and Manual Evidences could remember the personal filter settings at least during a user session. Currently, if you leave these pages and return again, the selections are gone.

The Risk Register currently has predefined fields, limiting flexibility for different risk management needs. Adding custom fields would allow users to tailor risk entries to their specific requirements. Use Case Risk management processes vary across organizations, and predefined fields may not always capture all necessary details. For example: A financial institution might need a "Regulatory Compliance Impact" field. A tech company might want a "Data Sensitivity Level" field. A project-based organization could track risks by "Department" or "Project Phase."

Currently in the Vendors review flow, selecting a login/authentication method is mandatory to mark a vendor as Reviewed. However, not all vendors provide software or platforms that require authentication. Context Some vendors (e.g. law firms or consultants) do not offer any system requiring a login. In these cases, we are forced to select an incorrect authentication method just to complete the review. Proposed solution Add a “No authentication required / Not applicable” option that allows vendors to be marked as Reviewed without selecting a login method.

It should be possible to assign employees to more than one employee group, for example for admins of certain groups.

When uploading or updating a policy in Secfix and selecting the groups that need to acknowledge it, each group must currently be selected manually. For customers with many groups configured, this becomes time-consuming and unnecessarily repetitive, especially when most or all groups need to confirm the document. Proposed Solution Add a “Select all” checkbox/button in the group selection component when assigning document confirmations. Impact / Value Saves time for customers with many groups Reduces frustration and repetitive manual clicks Improves usability without changing core functionality

Problem The current Vendors section is limited in scope and suggests that only software vendors should be listed. In practice, organizations work with different types of third parties, such as: infrastructure providers, partners involved in collaborative development, customers participating in joint projects. These entities are currently not clearly represented in the Vendors section, although they are relevant from a risk and compliance perspective. Proposed solution Rename Vendors to Vendors & Partners, or extend the section to explicitly support different third-party types (e.g. vendor, partner, customer, infrastructure provider). Benefits More accurate representation of third-party relationships Better coverage of non-software and collaborative partners Improved clarity and usability for customers

One of the biggest challenges I face is getting employees engaged in security awareness. People don’t realize the importance of security until something goes wrong. I’d love to see a Security Awareness Hub in Secfix that helps make security training more interactive. This could include: Phishing simulations (with real-time reporting), Security quizzes with gamification elements It would also be useful to have a section for real-world case studies and alerts to keep employees informed about emerging threats. Having these features within Secfix would simplify security engagement and help drive a stronger security culture in the company.