💡 Feature requests

The addition of Automated Vendor Risk Assessments to the Vendor Management module would be great to have. This feature should allow for systematic evaluation of vendor security and compliance risks without manual intervention. Key functionalities: Ability to send automated risk assessment forms to vendors. Standardized risk scoring based on responses. Integration with vendor profiles for tracking and reporting. This enhancement would improve efficiency, reduce manual workload, and ensure a more consistent vendor risk evaluation process.

The Risk Register currently has predefined fields, limiting flexibility for different risk management needs. Adding custom fields would allow users to tailor risk entries to their specific requirements. Use Case Risk management processes vary across organizations, and predefined fields may not always capture all necessary details. For example: A financial institution might need a "Regulatory Compliance Impact" field. A tech company might want a "Data Sensitivity Level" field. A project-based organization could track risks by "Department" or "Project Phase."

The Risk Register currently lacks the ability to link risks to specific assets from the inventory. Adding this functionality would improve risk visibility, impact analysis, and mitigation tracking. Use Case When a security risk is identified, it often impacts specific assets within the organization’s inventory (e.g., servers, databases, applications). For example, if a vulnerability is discovered in a particular server, users should be able to directly associate that server from the inventory with the identified risk. This linkage would allow for: Better visibility into which assets are at risk. More accurate risk assessment based on the criticality of affected assets. Easier mitigation tracking, as teams can quickly identify which assets require action

It would be great to have the ability to add custom fields to vendors. This would allow us to track important details such as: Has the contract been signed? Do they delete data within six months? Where is their data located? Where do they process their data?

Users need the ability to manually mark device requirements as completed for instance when the platform does not automatically detect them. Manually confirmed items should have a distinct visual indicator to differentiate them from automatically detected completions Proposed visual labeling: a blue checkmark instead of a green one; an "M" symbol for manual completion Use Case: A security team runs a compliance check, but the platform fails to detect a specific security setting due to a misconfiguration in the detection logic. The team verifies that the setting is correctly configured on the device through an alternative method (e.g., checking system settings directly or running a different security scan). Instead of waiting for a fix in detection logic, they manually mark the requirement as completed to ensure an up-to-date compliance status.

In case the Secfix Agent does not recognize applying one of the security requirements, users want to demonstrate compliance with the security requirements (e.g. PW Manager) & would like to have the option to upload proof. For example, they could provide a screenshot showing that the necessary configurations are in place. Use case: A company with strict BYOD policies allows employees to use personal devices but does not require installing an agent. To verify compliance, employees can manually confirm security settings (e.g. PW manager) and upload screenshots as evidence. This ensures compliance verification without needing automated detection.

Start supporting Leapsome as Human Resources (HR) System

Currently, users can only view mitigations in the risk register by hovering over them or entering edit mode. This makes it difficult to quickly review mitigation details without unnecessary clicks or extra navigation. Allow mitigations to be displayed in a more accessible way, such as: Expanding mitigation details when clicking on a risk. Adding a dedicated "View" mode that shows mitigations without requiring edits. Displaying mitigations in a structured, readable format within the risk register. Benefits: Improves usability by making it easier to review mitigations at a glance. Reduces friction in risk assessment and tracking especially while showing these to the Auditor during the External Audit. Enhances overall user experience in the risk management module.

The risk treatment checkmark is not intuitive enough (when it got overdue, I didn't know what to do, the fact that I should click on/complete the checkmark wasn't clear to me)

Introduce the ability to set a custom review date for policies uploaded to the platform. This feature would allow administrators to define a specific future date when users must review and re-accept policies. If no date is set, policies will remain active without triggering an automatic reset, despite they need to be re-accepted on a yearly basis. Use Case: A customer uploads new policies today but wants all users to review and re-accept them on January 1, 2026. By setting this custom date, the system will automatically remind the administrator and prompt users for re-acceptance on the specified day. This provides greater flexibility and control over policy management, ensuring that periodic reviews happen on the organization’s preferred schedule. If no review date is set, policies will stay in effect without requiring re-acceptance, preventing unnecessary disruptions.