Overview

The Risk Description Refinement feature in CERRIX helps users craft clear, comprehensive, and best-practice-aligned risk descriptions. By leveraging AI-powered suggestions, users can ensure their risk documentation is accurate, structured, and effective.

How It Works

Welcome to CERRIX! Follow this guide to log in and familiarize yourself with the platform's interface.

Logging In

To access your personal CERRIX account:

1. Visit the login page provided by your functional manager.

You can find the CERRIX API documentation directly in the platform by clicking the ❓icon in the top right of the platform, and clicking on "Manuals"

Next, go to API Manual. Here, you will see an overview of all supported API endpoints.

Our security statement is a document that briefly describes the security measures that we have implemented to safeguard information.

Print Functionality in Process Management

The print feature allows users to generate customized PDF exports of a process. When clicking the print icon, you can choose from the following three options, each offering different levels of detail and context:

Print Graph

This option includes:

• Process Details

• Process Graph

• Process Steps

Use this to generate a clean and focused printout of the process without additional risk or control elements.

Print Graph, Risks, Controls, Events, and MoIs

This version extends the standard graph with related governance data. It includes:

• All items from CERRIX (Risks, Controls, Events, and Moments of Insight) linked to the Business Dimension.

• These items are visualized in the printout, and if a Risk or Control is represented (e.g., as a floating symbol), it is considered linked—regardless of where it appears.

The section “Not linked to a process step” will only show items that:

• Are linked to the Business Dimension

• But do not appear anywhere in the printout, either connected to a step or visualized separately.

Print Graph with Linked Risks and Controls

This option prints strictly what’s linked within the process graph.

Risks and Controls that are: linked to a Risk or Control symbol in the graph and that symbol is not linked to any process step are shown under the “Not linked to a process step” section.

The AI Settings page allows Application Administrators to enable and manage AI-powered features within the CERRIX environment. These features are designed to enhance functionality across various areas of risk, compliance, audit, and governance.

Access and Permissions

Only users with the Application Administrator role have access to the AI Settings page. Other user roles will not be able to view or modify these settings.

Enabling AI Features

To activate CERRIX AI features, Application Administrators must follow these steps:

• Navigate to the AI Settings page under Administration Controls.

• Review and accept the AI Terms and Conditions.

Enabling AI functionality requires administrators to explicitly acknowledge and accept the terms and conditions associated with the use of AI features in the CERRIX platform.

• Activate AI functionality.

Once the terms and conditions are accepted, the CERRIX AI features will be enabled and accessible throughout the application, based on user roles and relevant context.

Examples of CERRIX AI functionality include:

Audit Trail

For transparency and compliance, CERRIX maintains a log of:

• The user who accepted the AI Terms and Conditions.

• The timestamp of when the acceptance occurred.

This information is available for auditing purposes and helps ensure proper governance over the use of AI in your environment.

Notes

• AI cannot be enabled without accepting the terms and conditions.

• The acceptance is recorded once per environment and applies globally.

In some use cases—such as whistleblowing—it’s essential to collect information anonymously. CERRIX allows for the creation of anonymous form submissions by using an API-based approach that is not linked to any specific user account.

This guide walks you through setting up such a form and enabling anonymous submission via the CERRIX API.

Step 1: Create the Form

1. Go to the Forms module

   From your CERRIX dashboard, navigate to Forms in the main navigation menu.

2. Click “Add new form”

   This opens the form builder interface.

3. Define form fields

   Add the fields you want respondents to fill out. This can include text fields, dropdowns, attachments, etc.

Step 2: Generate an API Key

1. Open your user profile

   Click on your name in the top-right corner and select API Keys.

2. In the left-hand menu, click "API Keys"

3. Click “Add API Key”

4. Select the right permission

Step 3: Submit Anonymous Entries via API

Once your form is published and you have a valid API key, you can start submitting entries without linking them to a CERRIX user.

Refer to the Create Form Result description in the CERRIX API Manual for the exact request format.

This API enables anonymous submissions, but it should be embedded within a frontend form or tool—such as a website or internal portal—that whistleblowers or other users can interact with directly.

This page provides an overview of user provisioning and authentication options for CERRIX, leveraging Microsoft Azure Active Directory and Okta. It outlines the necessary steps and configurations to enable seamless user management and secure access to CERRIX applications.

The documentation is divided into three main guides, each addressing a specific aspect of integration:

• Azure AD Authentication: This section describes how to configure Azure Active Directory authentication for CERRIX. It covers the steps for app registration in Azure, including setting up the application name, redirect URI, supported account types, and implicit grant flow. It also outlines how to configure API permissions and provides the necessary information to CERRIX for application setup.

• User Provisioning using SCIM in Azure: This section details the process of configuring user provisioning in Azure Active Directory using the System for Cross-domain Identity Management (SCIM) protocol. It covers creating an enterprise application, setting up initial connections, configuring attribute mappings for groups and users, and assigning the relevant groups for synchronization. Information required from CERRIX, such as the SCIM endpoint URL and a secret token, is also specified.

• User Provisioning using SCIM in Okta: This section focuses on setting up user provisioning via SCIM through Okta. It guides users through creating an Okta app integration, configuring SAML settings, enabling SCIM provisioning, and mapping user attributes. Essential information from CERRIX, including the CERRIX URL and secret token, is highlighted.

The MOIs module is designed to address recurring issues or ineffective controls by implementing corrective measures. This module ensures that improvements are executed and reviewed effectively.

Key Features

MOI Planning

• Create detailed plans for corrective actions.

• Set deadlines and assign responsibilities.

MOI Execution

• Monitor the progress of assigned MOIs.

• Upload supporting documentation and comments.

MOI Review

• Verify the completion and effectiveness of MOIs.

• Provide feedback and finalize the review.

Our strategic information security policy is a high-level document that outlines our commitment to protecting information assets and managing risks associated with information security. It defines the guiding principles, roles, and responsibilities for ensuring the confidentiality, integrity, and availability of information across our organization. This policy aligns with business objectives and regulatory requirements, setting a framework for decision-making on security matters.

Key elements include:

1. Scope and Purpose: Describes the policy's relevance to all information assets, systems, and employees.

2. Roles and Responsibilities: Defines who is accountable for security tasks, from executive leadership to end users.

3. Risk Management Approach: Outlines how risks are identified, evaluated, and mitigated.

4. Compliance and Standards: References relevant standards (e.g., ISO 27001, GDPR) and regulatory compliance requirements.

5. Enforcement and Review: States consequences for non-compliance and establishes a schedule for regular review and updates.

This policy provides the foundational direction for all security initiatives and helps ensure a cohesive and proactive security posture organization-wide.

This guide explains the workflow for creating and reporting incidents within the Incidents Module of CERRIX. Follow these steps to efficiently log, track, and manage incidents in your organization.

CERRIX provides a range of modules designed to support governance, risk, and compliance processes. These modules help organizations streamline workflows and ensure compliance with policies and regulations.

Core Modules

Risks

General AI FAQs

Is my data secure?

Yes, your data is handled with the utmost security. All data sent to the Azure OpenAI API is encrypted in transit and at rest. Microsoft Azure as well as CERRIX comply with strict security standards, including GDPR and ISO certifications. We store your input and the AI-generated output securely within our platform to enhance and improve the functionality of this feature.

The Dashboard in CERRIX serves as your centralized hub for accessing key features, modules, and tasks. Fully customizable, it allows users to create a workspace tailored to their needs.

Key Features

CERRIX supports a structured approach to testing the design and implementation of internal controls. This process ensures that controls are both appropriately defined and effectively implemented to mitigate associated risks.

This guide outlines the steps for initiating, executing, and documenting D&I tests in CERRIX.

Purpose of D&I Testing

The Design & Implementation test (also known as Opzet & Bestaanstest in Dutch) helps determine:

In the CERRIX platform, controls are a central component of your governance, risk, and compliance framework. Understanding the different types of control activities and testing phases is essential for effective risk mitigation and assurance.

This article explains the differences between Control Design & Implementation Testing, Control Execution, and Control Effectiveness Testing.

Control Design & Implementation Testing

Definition: This is a test of the suitability and proper setup of the control. It determines whether the control, as designed and implemented, is capable of addressing the associated risk.

Product Strategy

Pillar 1: Enabling Comprehensive Risk & Compliance Management

Why? Managing risk and compliance effectively is the core value proposition of CERRIX. Customers rely on the platform to have full visibility and control over their risk landscape.

The FSQS (Financial Services Qualification System) is a qualification and compliance standard widely used by financial institutions in the UK and Europe to assess the risk, performance, and compliance of suppliers and service providers. Managed by Hellios Information, FSQS is a community-driven approach designed to streamline the process of collecting and sharing supplier information for banks, insurance companies, and other financial organizations, ensuring that suppliers meet regulatory and security standards.

FSQS provides benefits such as:

1. Centralized Supplier Data: Suppliers complete a single questionnaire for all participating financial institutions, reducing duplicated efforts and administrative burdens.

2. Risk Assessment: The platform helps financial institutions assess potential risks in areas such as cybersecurity, operational resilience, data protection, and regulatory compliance.

Control Execution Tasks

Control Advanced Effectiveness Testing

At CERRIX, we follow a regular release planning cycle to ensure our customers receive improvements, new features, and updates.

Release Types

We operate with two types of releases:

At CERRIX, we are committed to providing you with the help and guidance you need to make the most of our platform. Whether you’re encountering an issue, have a question, or need assistance using a feature, our Support Portal is the best place to reach out.

Contacting Support

You can easily get in touch with our support team via our dedicated portal:

👉

Through this portal, you can:

At CERRIX, we recognize that trust and transparency are fundamental to supporting our clients in the domains of governance, risk, and compliance. Ensuring the security and privacy of your data, while operating in accordance with internationally recognized standards, is a cornerstone of how we build and maintain our SaaS platform.

Our compliance framework is designed to meet the expectations of regulated industries and to support your organization’s own compliance objectives. We are committed to continuously improving our internal controls, information security practices, and data protection processes.

On this page, you will find detailed information about our certifications, policies, and adherence to key frameworks and regulations that demonstrate our commitment to compliance and operational excellence:

CERRIX is committed to ethical standards and contributing to global climate goals. This Corporate Social Responsibility (CSR) policy outlines our principles, actions, and ambitions in environmental stewardship, social responsibility, and ethical business conduct.

CERRIX provides a set of standardized import templates to help you efficiently upload data into various modules of the application. These templates are designed to ensure structured input and alignment with the latest system features and validation rules.

We strongly recommend always using the most recent version of each template to guarantee compatibility with the current version of the CERRIX platform.

If you need guidance on using the templates or require support during the import process, please get in touch with us.

CERRIX has achieved compliance with ISO/IEC 27001:2022 since August 20, 2024.

The Incidents module in CERRIX helps organizations track, manage, and resolve risk-related incidents in a structured and auditable manner. This module supports the full lifecycle of incident management, from initial reporting to final resolution, with integrated workflows, data governance, and transparency across all stakeholders.

The Incidents module is designed to help users:

• Capture and report new incidents in a standardized way

• Monitor the status and progress of incidents via a structured workspace

• Apply organization-specific workflows for processing incidents

• Maintain accurate and consistent reference data for categorizing and analyzing incidents

Below are the key documentation articles that explain each component of the Incidents module:

Incidents Standing Data

Review the reference data that underpins incident classification and reporting.

• Categories and subcategories

• Impact and severity ratings

• Cause and root cause options

• Screenshot placeholders:

Creating a New Incident

Learn how to create a new incident from scratch, including required fields, categories, and options for assigning responsibilities.

• Walkthrough of the incident form

• Mandatory vs optional fields

• Assigning responsible users or departments

• Screenshot placeholders:

Incidents Workflow

Understand how incident workflows are configured and how incidents progress through stages in your organization.

• Overview of workflow stages

• Transition logic and actions

• Escalation and reassignment rules

• Screenshot placeholders:

Incidents Workspace

Explore the centralized workspace where you can view, filter, and manage all existing incidents.

• Grid and filter functionalities

• Status indicators and priority levels

• Search and sorting capabilities

• Screenshot placeholders:

Incidents Roles & Rights

Understand how user roles determine access and responsibilities within the Incidents module. This page outlines all available roles, their permissions, and how they support collaboration across teams during the incident lifecycle.

Best Practices and Tips

To make the most of the Incidents module, consider the following best practices and tips:

• Define clear escalation paths and responsibilities in your workflow configuration

• Regularly review and update standing data to align with organizational risk posture

• Use custom fields if your organization requires additional data points

• Consider integrating incidents with related modules (e.g., Risk, Controls, or MoI's) for better traceability

Key Benefits of Incidents Compared to Events

• Greater flexibility – Easily create custom fields for each incident type, allowing full customization to match your organization’s needs.

• Streamlined workflows – A single, standardized workflow for all incident types simplifies handling and tracking.

• Enhanced financial impact tracking – Record financial impact per department and third party for improved reporting.

• New and improved fields

The Controls Module in CERRIX allows organizations to define, manage, and monitor internal controls related to processes, risks, and compliance frameworks. This guide explains how to create and manage a control, including how to link it to relevant elements such as risks and documentation.

Purpose of Controls

Controls help ensure that your organization is effectively mitigating risks and complying with relevant standards and frameworks. CERRIX supports various types of controls and enables detailed configuration, classification, and linkage to business elements.

Adding a New Control

To create a new control in CERRIX:

1. Navigate to the Controls Module.

2. Click Add New Control.

Control Setup

When adding a control, complete the following fields:

• Organization: Select the relevant entity within your organization.

• Control Name: Provide a descriptive name (e.g., Monitoring of Training Certification).

• Control Description: Describe the control’s purpose (e.g., Training completion is monitored quarterly via LMS reports).

• Control Owner: Assign responsibility for maintaining and executing the control.

Linking a Control

After saving a control, additional linking options become available in the left-hand panel.

You can link the control to:

• Processes: Attach it to one or more business processes.

• Frameworks: Link the control to compliance frameworks or laws (e.g., ISO 27001, GDPR).

• Risks: Associate the control with one or more risks it helps mitigate.

• Documents: Upload supporting documentation relevant to the control.

Additional Features

• Version History: Keep track of control changes over time.

• Audit Trail: Review who created or modified the control and when.

• Filtering & Search: Quickly locate controls using filters or keywords.

Controls Roles, Rights and Permissions

You can find an overview of the different roles, rights and permission for controls in this handy overview:

Control Effectiveness Testing ensures that controls are functioning as intended to mitigate risks. This process involves multiple steps to validate design and operational effectiveness.

Steps for Effectiveness Testing

Step 1: Source Document Uploader

1. Navigate to the test plan in the Controls module.

2. Click Upload Source Document.

3. Drag and drop files or browse to upload relevant documents.

4. Optionally, add a description for the uploaded file.

Step 2: Generating Samples

• Choose a sampling method:

  • By Number: Generate samples based on a predefined count.

  • By Date: Use a date range to generate samples.

  • By Spreadsheet: Upload a spreadsheet and configure sample generation.

Step 3: Uploading Evidence

• Upload evidence for each sample.

• Mark samples without evidence and provide a reason in the comments.

Step 4: Testing

• Assess each sample and document findings.

• Provide scores and comments for each test step.

Step 5: Reviewer Step

• The reviewer assesses the results, provides feedback, and confirms the final outcome.

Best Practice: Ensure all required documents are uploaded before moving to the next step.

Control Description Snapshot

When a test plan is closed, CERRIX automatically creates a snapshot of the control description as it was at that moment.

This snapshot ensures that the historical context of the control is preserved, even if the control description is updated later on. When you open a Control Advanced Effectiveness Test Plan after it has been closed, this snapshot is displayed instead of the current control description.

The date displayed next to the control description indicates when the snapshot was taken.

Control Effectiveness Testing Roles, Rights and Permissions

You can find an overview of the different roles, rights and permission for controls in this handy overview:

A Data Protection Impact Assessment (DPIA) is a process used to identify and minimize data protection risks in projects or initiatives that involve the processing of personal data, especially when new technologies are involved or when processing could significantly impact individuals' privacy. DPIAs are mandated under regulations like the GDPR when data processing poses high risks to the rights and freedoms of individuals.

Key aspects of a DPIA include:

1. Purpose: Identifying the need and objectives of processing personal data.

2. Data Flow Analysis: Mapping out data collection, processing, storage, and sharing practices.

3. Risk Assessment: Evaluating risks to individuals' privacy, such as unauthorized access, loss, or misuse of data.

4. Mitigation Measures: Proposing actions to reduce identified risks, like implementing technical safeguards, limiting data access, or anonymizing data where possible.

5. Documentation and Review: Keeping records of findings and reviewing the DPIA periodically, especially if processing changes.

Our DPIA helps to ensure compliance with privacy laws, demonstrate accountability, and build trust with users by showing a proactive approach to data protection.

This document explains how to generate and configure API keys for connecting external applications to the CERRIX APIs. The CERRIX API manuals describe available endpoints and payload formats. This guide focuses on the steps required to securely create and manage API credentials.

1. Create a New API Key

1. Log in to CERRIX.

2. In the top right corner, click on your name.

3. Select View profile.

4. In the left-hand menu, go to API Keys.

5. Click Add to create a new API key.

6. Enter a descriptive Name for the API key.

7. The expiration date of an API key can be configured, but there is a maximum limit: it cannot be set to longer than one year from the date of creation. You can shorten this period if desired, but not extend it beyond the one-year maximum.

2. Configure Allowed IPs

To improve security, API keys can be restricted to specific IP addresses.

1. Under Allowed IPs, click Add.

2. Enter the IP address of the server or system that will use this API key.

   • This should typically be the IP of the system where your integration or application will run.

   • For testing purposes, you may also use your own IP address. (Confirm with your administrator which IP is appropriate.)

3. Select Accessible APIs

When creating an API key, you can define which APIs the key is authorized to call.

1. In the API key configuration screen, select the APIs you want this key to have access to.

2. Only the selected APIs can be accessed with this key. This allows you to follow the principle of least privilege.

4. Save and Retrieve the Credentials

1. Click Save to create the API key.

2. Once saved, the system will generate:

   • Identifier

   • Password

5. Using the API Key

Use the generated Identifier and Password to authenticate your requests as described in the . Ensure that:

• The calling system’s IP matches one of the allowed IPs.

• The API key has been granted access to the endpoints you intend to call.

The latest status of a ticket can always be viewed on the customer portal. Here, you can also add additional questions or information to a ticket.

After creating a ticket, the customer receives a confirmation email containing a unique ticket number. This ticket number must be mentioned when contacting support so that the relevant employee can quickly locate and update the correct ticket with the latest information.

A ticket can have one of the following statuses:

When the status of a ticket is updated, the customer receives a notification via email.

An ISAE 3402 Type II assurance report is an independent audit report that assesses the effectiveness of a service organization’s internal controls over a specific period, typically related to financial reporting. This report is based on the International Standard on Assurance Engagements (ISAE) 3402 and is commonly used by service organizations to demonstrate to clients that they have reliable controls in place.

Key components of an ISAE 3402 Type II report include:

1. Management Assertion: A statement from the service organization’s management regarding the controls' design and implementation.

2. Scope and Objectives: Defines the systems, processes, and time period covered in the report.

3. Description of Controls: An outline of the controls implemented, typically covering areas like access management, data processing, and risk management.

4. Auditor’s Opinion: An independent auditor’s opinion on whether the controls are suitably designed and operating effectively over the specified period.

5. Test Results: Findings from testing the controls to determine their operational effectiveness, identifying any deficiencies or areas for improvement.

An ISAE 3402 Type II report offers a higher level of assurance than a Type I report by assessing not only the design but also the operating effectiveness of controls over time, giving clients confidence in the service provider’s ability to manage risks associated with financial reporting.

Overview

The Control Description Refinement feature in CERRIX helps users craft clear, comprehensive, and best-practice-aligned control descriptions. By leveraging AI-powered suggestions, users can ensure their control documentation is accurate, structured, and effective.

How It Works

Preparations for Using Risk Budgets

Preparations start from a dashboard that includes the Administration Controls widget, which is available for an unrestricted administrative user.

The Incidents module in CERRIX is designed to streamline the process of handling incidents within your organization, providing a structured and auditable workflow. This guide walks you through the standard flow of an incident's lifecycle and highlights key actions and interface elements you can interact with during the process.

Overview of the Incident Workflow

The Incident Workflow guides users through each required step in processing incidents, clearly showing the current status and future actions needed.

At the top of the incident screen, you'll see a clear visualization of the workflow steps:

• Completed steps are highlighted green.

• Available next steps are clearly indicated, showing what actions can currently be performed.

• Future steps are visible but inactive until prior required steps have been completed.

Note: Only assigned users can perform actions at each workflow step.

Key Steps in the Workflow

Incident Creation

Read more about creating a new incident in this article:

Assessing & Evaluating an Incident

After an incident has been reported:

1. To continue with processing, select either:

   • Accept incident to move forward.

   • Reject incident if it's invalid or incorrect.

   • Leave a comment (required). This comment will be visible in the

Linking Related Items

In the Assessing, Improving or Review stage, you’ll see a Link iconwhich can be used to link relevant items by clicking on the linking button:

• Link existing Risks or Controls

  • Use the dedicated button to select relevant items from the system.

• Create a Measure of Improvement (MOI)

  • Opens a new tab for MOI creation.

If an incident is created and linked to a Risk or Control, that incident can also be found as a linked item in the specific Risk or Control. For Risks and Controls these incidents are shown in page of linked events.

Business and Framework Dimensions

Additional configuration dimensions include:

• Business Dimensions Allow associating incidents with particular business dimensions defined in your system.

• Framework Dimensions Facilitate linking incidents to your organization's compliance and internal control frameworks.

Attach Supporting Documents

• Click on the Attach icon

• Drag and drop or select a file to upload.

• Files will be attached directly to the incident for context and traceability.

Review and Closing an Incident

At the Review stage, the incident has the status Ready for Review:

1. Review all linked data, documents, and details carefully.

2. Next, there are two options:

   1. Approve & close, or click

      • The incident workflow finishes, and the incident moves to a read-only

Chat and Incident History

The incident page includes an interactive Chat and History Pane accessible from the right side:

• View complete audit trails of incident updates, statuses, notes, and decisions made throughout the workflow.

• Use this pane for update notes. Future releases will enable direct chat functionalities among incident participants for additional collaboration.

Incidents Workflow Emails Notifications

Email messages automatically alert relevant users when the incident advances through workflow stages:

• Email behaviors in the Incidents module mirror those in the existing Events module used within your CERRIX environment.

• In your production environment, relevant stakeholders will receive emails upon workflow status changes (e.g., confirmation, review readiness, approval).

• In this demonstration environment, emails are inactive, but in production, known standard processes apply.

Note: If your existing CERRIX configuration refers to these as "Events," you might consider standardizing your terminology to "Incidents" for clarity, though this naming choice remains flexible.

Execution-based control testing allows you to assess the effectiveness of controls by directly using the control execution tasks that occurred within a defined test period. This feature integrates control execution data with advanced effectiveness testing, providing a streamlined and auditable testing workflow.

Overview

In many organizations, controls require to be executed according to a predefined schedule (e.g., monthly access right reviews). Execution-based testing collects these tasks and uses them as the test source, removing the need to manually upload population files.

All control executions scheduled within the test period are automatically included as the source for the control test.

Preconditions

Before initiating an execution-based test you must ensure that control execution is enabled in the configuration of the control:

Activating Execution-Based Testing

Execution-based testing is configured within the control test plan.

1. Create or open a control test plan.

2. Ensure the test period matches a period in which execution tasks are scheduled.

3. On the second page: Sample Generation, enable the option: Use control execution

This activates the automatic collection of execution tasks for the test source.

Starting the Control Test

Once the test period has ended, the tester can initiate the control test as usual.

Execution-based testing consists of:

1. Source Upload & Sampling

2. Evidence Upload

3. Testing

4. (Optional) Review

These follow the standard CERRIX test workflow, but with additional execution-based functionality.

Source Upload & Sampling

When execution-based testing is enabled, CERRIX automatically loads all execution tasks planned within the test period.

What you will see:

• A summary of all execution tasks found.

• A count of execution tasks that were not yet completed. (In normal scenarios, all tasks should be completed when effectiveness testing begins.)

Sample generation:

The source uploader only needs to provide the sample size. After sample generation, the evidence uploader can begin their work.

Notes

• The original source, an overview of all control executions for the test plan period, remains accessible through the Source documents section.

• Completed execution tasks included in a test sample cannot be deleted or reopened to safeguard audit integrity.

• If no execution tasks are found in the test period, CERRIX assumes the control did not occur. The tester can only give a final conclusion, based on that assumption. If the control did occur, with the source evidence not being registered in control executions but elsewhere, the testplan should be recreated without the option "Use control execution".

Evidence Upload

The evidence uploader sees all selected samples, each corresponding to a specific control execution. For example:

Automatic evidence linking

If the control execution includes evidence, this evidence is automatically copied into the sample.

Linked evidence is marked with a link icon, indicating that it originated from a control execution rather than a manual upload. For example:

Situations the evidence uploader may encounter

Testing & Reviewing

The tester and reviewer can assess samples as they normally would. Both roles can access:

• The source document

• The linked control execution tasks

• Automatically or manually uploaded evidence

Additional execution-based indicators

• A warning appears when a task is not completed.

• A warning appears when a task was completed after the evidence uploader finished their work.

• Linked evidence from execution tasks displays a link icon; manually uploaded evidence does not.

Additional Notes

• If there are no execution tasks within the period of the control test, it is assumed that the control didn't occur.

• Execution tasks that were deleted or rescheduled outside the test period before sampling took place are not included in the population. After sampling it is not possible to delete and even rescheduling the task will not remove it from the source of the testplan.

• This mechanism ensures a fully auditable snapshot: Execution tasks used in a test cannot be removed from the testplan after sampling, ensuring the integrity of the sample.

The Incident Standing Data functionality in CERRIX enables users to define and manage reusable data components used when creating and handling incidents. This feature provides flexibility, control, and customization tailored to your organization's specific incident management needs.

This documentation explains how to manage Incident Standing Data, including classifications, incident types, custom fields, and email notifications in CERRIX’s Incident Management module.

Accessing Incident Standing Data

Incident Standing Data is located within the Incident Workspace in CERRIX.

1. Navigate to Incidents from your main menu.

2. On the Incident Workspace, locate and click on the Standing Data in t

3. he left hand menu.

Managing Classifications

Classifications define the severity or urgency level of an incident (for example: Low, Medium, High).

To manage classifications:

1. Within the Standing Data menu, select Classification.

2. Modify or add new classifications:

   • Change the name of existing classifications.

   • Apply a color code to quickly visualize severity.

Managing Incident Types

Incident Types allow you to define and tailor the data fields specifically needed when users log incidents.

Creating an Incident Type

To create a new incident type:

1. Within Standing Data, click on Incident Types.

2. Select Add.

3. Enter a descriptive name to identify the Incident Type clearly.

Adding Custom Fields

You can add custom fields to any new incident type:

1. Create Sections to logically group custom fields:

   • Name and rearrange sections easily.

   • Remove fields and sections as needed.

2. Add Fields within sections:

Examples of Adding Custom Fields:

• Text area field: Provide open-ended text inputs.

• Drop down single select: Let users select from a predetermined list. Colors can be optionally assigned per choice.

• Financial Impact: Numerical data or specific values tailored to your incident reporting needs.

Configuring Email Notifications

Incident types can trigger notifications to specific recipients upon creation.

To configure notifications per incident type:

1. Select your incident type.

2. Navigate to the Configuration tab.

3. Add email address(es) for recipients who need notification when an incident with this type is created.

Standard (Built-in) Incident Types

CERRIX provides two pre-defined incident types for common use cases:

• Operational Incident

• Data Breach

These built-in incident types:

• Cannot be edited or deleted.

• Guarantee compatibility with pre-established forms and reporting structures.

• Maintain existing data mappings and integration points.

Important: Custom fields cannot yet be added to standard types (e.g., Data Breach). However, this enhancement will be available in future updates.

DORA Incident Types

As part of CERRIX’s support for the Digital Operational Resilience Act (DORA), a standardized set of DORA-specific incident types is now available. These incident types are aligned with the reporting obligations under DORA and are designed to help organizations track and report major ICT-related incidents effectively.

Overview

The DORA incident types are provided as a predefined template in the system. These are separate from your custom incident types and follow the structure required for DORA-compliant reporting.

Available in the Following Report Types

The DORA incident fields and structure are embedded in three predefined report types:

• DORA Initial Report

• DORA Intermediate Report

• DORA Final Report

These templates ensure that incident reporting aligns with regulatory expectations throughout the incident lifecycle.

Key Features

• Standardized Structure: Includes all fields required for DORA reporting (e.g., incident classification, root cause, impact, response timeline).

• Pre-filled Field Labels: Uses terminology aligned with regulatory guidelines to ensure consistency.

• Integration Ready: Templates are structured for easy integration with external DORA reporting systems.

Incident Sent Emails

As an administrator, all sent mails can be viewed via an extra tab in the incident module, underneath the Standing Data.

CERRIX uses a role-based access model to manage who can view, edit, and approve information across the platform. This ensures that every user only has access to the functions and data they need for their responsibilities, supporting both data security and efficient collaboration.

Roles and Permissions in CERRIX

Each user is assigned one or more roles, which define their level of access. Roles are aligned with common responsibilities in governance, risk, compliance, audit, and incident management. Permissions specify what a role can do within a module.

Permission Matrices per Module

CERRIX provides a Permission Matrix for each key module. These matrices are the authoritative reference for configuring and validating user rights. In the matrix sheet:

• Each row lists a specific action (e.g., Can report new incidents, Can delete risks).

• Each column represents a role (e.g., Risk Unrestricted Admin, Incident Assessor).

• The cells indicate whether the role has permission, and what the scope of their permission is (Unrestricted, Restricted, or Assigned).

Incidents Permission Matrix

You can see which permissions these roles have in this permission matrix:

Risks Permission Matrix

You can see which permissions these roles have in this permission matrix:

Controls Permission Matrix

You can see which permissions these roles have in this permission matrix:

Control Effectiveness Testing Permission Matrix

The role descriptions for Control Effectiveness Testing are the same as those for the .

You can see which permissions these roles have in this permission matrix:

Welcome to CERRIX, your comprehensive solution for Governance, Risk, and Compliance (GRC) management. This documentation will provide you with an understanding of how to use CERRIX effectively.

Overview

CERRIX is a cloud-based platform that centralizes and streamlines compliance, risk management, and audit processes. By integrating all four lines of governance, it ensures consistent workflows and enhanced operational efficiency.

Why Use CERRIX?

• Simplifies GRC Management: Tracks human processes across your organization.

• Improves Compliance: Helps meet regulatory and organizational frameworks.

• Enhances Efficiency: Reduces time and resources spent on manual processes.

Tip: Use CERRIX to reduce complexity and bring clarity to your compliance workflows.

Ready to get started? Proceed to the page for instructions on logging in and navigating the dashboard.

Control execution tasks are essential for ensuring that your risk and compliance controls are regularly tested and updated. In CERRIX, these tasks are linked directly to your controls, providing transparency and traceability throughout your compliance program.

This guide will cover:

On this page you’ll find comprehensive instructions and best practices for implementing the CERRIX platform within your organization.

The document below is designed to help you navigate every step of the implementation journey, from initial project setup to going live and ongoing support. It covers:

• Project Setup – Defining your implementation plan, roles, and communication strategy.

• Configuration – Structuring and customizing CERRIX to fit your unique processes and frameworks.

The SLA Dashboard provides customers with real-time insights into support performance and platform availability. It is designed to help you monitor ticket trends, track SLA adherence, and review uptime metrics relevant to your organization.

This article explains how to access the SLA Dashboard, what information it contains, and how to interpret the widgets.

Accessing the SLA Dashboard

You can access the SLA Dashboard through the CERRIX Support Portal

• Log in to the .

• Navigate to Dashboards → SLA Dashboard (individual customer).

Filtering Options

The SLA Dashboard includes a date range filter:

• Default setting: Last quarter (3 months).

• Filter behavior: The filter applies to the ticket creation date. Only tickets created within the selected date range are shown in the widgets.

Dashboard Widgets

The SLA Dashboard is organized into several widgets, each focused on a specific area of support and availability:

Ticket Trend

• Purpose: Provides an overview of how many tickets were opened and closed by your team.

• Granularity: Displayed per month within the selected date range.

Tickets per Type

• Purpose: Shows the breakdown of tickets created by type (e.g., incident, bug, change request).

Response and Resolution Times

• Purpose: Shows how your support tickets performed against agreed service levels for response and resolution, separated per ticket type.

• Definitions:

  • Response SLA Met (%): Percentage of tickets that received an initial response within the defined SLA timeframe.

  • Resolution SLA Met (%): Percentage of tickets resolved within the SLA timeframe.

Uptime

• Purpose: Displays the measured uptime percentage of your CERRIX environment.

• Method: Based on automated checks that validate the basic availability of your environment.

• Important to note:

  • Scheduled maintenance is not filtered out.

Further Information

• Purpose: Provides context for availability metrics.

• Contents:

  • Overview of recent releases.

  • Summary of incidents that may have impacted platform availability.

Drill-Down & Export Options

Each SLA Dashboard widget includes an arrow icon in the top-right corner. Clicking this arrow allows you to drill down into the underlying data for that specific widget.

Available actions:

• Print: Generate a printer-friendly version of the drill-down view.

• Export: Download the underlying dataset in Excel or CSV format.

SLA Dashboard Data

• Data Source: The SLA Dashboard pulls directly from the CERRIX support and monitoring systems.

• Refresh Rate: Data is updated in real time.

• Only use data from July 1st 2025 onwards as a source, as only to these tickets the correct SLA's have been applied.

Incident Summary

Product: CERRIX Platform

Date: 2025-07-09

Reference ID: RCA-20250709-P1-ReleaseDowntime

The Risks module in CERRIX is the foundation for identifying and managing potential risks to your organization. It enables organizations to proactively manage risks and ensure alignment with compliance standards.

Key Features

Risk Identification

CERRIX enables secure, controlled sharing of control test information and evidence through the External Connections module. This feature is especially useful for auditors or third parties who require direct access to relevant control data and documentation.

Steps to Set Up External Connection:

Navigate to the Administration Controls menu.

Click on External Connections.

Click on Add.

Fill in the following fields:

Click Next

Provide the following details:

Click Next

Select the controls that can be queried through the API.

Click Next

From the dropdown menu, select Effectiveness under Testplan type.

Specify the Start Date and End Date for the testplans from the controls that may be queried through the API.

Click Next

Click Complete

Your API key and secret are now displayed on the screen. Ensure you store them securely, as they won't be shown again.

Requesting data through the API calls

Use your new API credentials to export control data. You can use any API tool (e.g., Postman) or your terminal. In the example below, we will use Postman.

Request the Export

Steps to Set Up ControlTestInformation:

• Open Postman: Start the Postman application on your computer.

• Create a New Request:

Click on the '+' icon or 'Create a request' to create a new request tab.

• Set the HTTP Method:

From the dropdown menu next to the URL input bar, select the POST method.

• Enter the URL:

Input the Base URL followed by the Routing path.

The Base URL is always composed of the environment URL followed by "/api,"

For routing to Control Test Information, please use the following path:

Fill in the URL as:

https://<your-environment>.cerrix.com/api/thirdpartyassurance/requestexport

• Add the following query Params:

• Set up the Authorization.

  • Select the “Basic Auth” type.

  • Fill in the API key and secret as provided in the earlier step.

1. Press "Send"

2. A Request ID will be retrieved from the API call. Save this Request ID.

Retrieve the Export Results

• Create a New Request:

Click on the '+' icon or 'Create a request' to create a new request tab.

• Set the HTTP Method:

From the dropdown menu next to the URL input bar, select the GET method.

• Enter the URL:

Input the Base URL followed by the Routing path.

The Base URL is always composed of the environment URL followed by "/api,"

For routing to Get Result, please use the following path:

Fill in the URL as:

https://<your-environment>.cerrix.com/api/thirdpartyassurance/getresults/<requestId>

1. Fill in the 'requestId' field with the Request ID received through the previous API call.

2. Set up the Authorization.

   1. Select the “Basic Auth” type.

   2. Fill in the API key and secret as provided in the earlier step.

Here's a sample response containing all information related to the control:

Request the export for Get Evidence Document

• Create a New Request:

Click on the '+' icon or 'Create a request' to create a new request tab.

• Set the HTTP Method:

From the dropdown menu next to the URL input bar, select the GET method.

• Enter the URL:

Input the Base URL followed by the Routing path.

The Base URL is always composed of the environment URL followed by "/api,"

For routing to Get Evidence Document, please use the following path:

Fill in the URL as:

https://<your-environment>.cerrix.com/api/thirdpartyassurance/getevidencedocument/<requestId>

• Add the following query Params:

• Fill in the 'requestId' field with the Request ID received in the first API call.

• Set up the Authorization.

  • Select the “Basic Auth” type.

  • Fill in the API key and secret as provided in the earlier step.

Logging

CERRIX logs all API calls made for external connections. This ensures users always have an overview of the requested APIs and their respective timestamps. Furthermore, it provides insight into the specific controls that were requested.

• Navigate to the Administration Controls menu.

• Click on Third Party Assurance.

On this page you can find an overview of all Third Party Assurance connections.

For each connection, you can access a log of which controls were accessed.

At CERRIX, we value transparency in how our pricing is determined. A key component in our pricing structure is based on user roles and the level of functionality they access within the platform. This document outlines how we define light and heavy users to provide clarity on which metrics are used in your subscription.

Only users that are in status active and that have login credentials are counted as users for billing purposes.

What Are Heavy and Light Users?

In CERRIX, a user’s classification as light or heavy is determined by the roles assigned to them. These roles reflect the actions and responsibilities users have across the different modules of the system.

• Heavy users have one or more roles that involve administrative, editorial, or decision-making access. They perform tasks such as configuring modules, managing risks and controls, reviewing or testing data, and overseeing compliance workflows.

• Light users only have roles with limited responsibilities. These typically include viewing data, reporting events, uploading evidence, or participating in processes without administrative or strategic involvement.

Role Classification Table

The following table lists all roles in CERRIX that classify a user as a Heavy user. If a user holds one or more of these roles, they are considered a Heavy user for licensing purposes, regardless of any other Light roles they may have.

The Finding Reports module in CERRIX enables users to generate actionable insights and reports based on organizational data. With integrated PowerBI tools, this module helps stakeholders make informed decisions.

Key Features

Report Generation

• Create custom reports tailored to your organization’s needs.

• Use predefined templates for quick reporting.

Data Visualization

• Leverage PowerBI integration for advanced visualizations.

• View trends, summaries, and detailed breakdowns.

Sharing Insights

• Share reports with stakeholders or export them in multiple formats.

• Set access permissions to control report visibility.

Tip: Regularly review reports to identify areas of improvement and track progress.

How to Use the Finding Reports Module

1. Accessing the Module

1. Navigate to the Finding Reports module.

2. Choose between creating a new report or viewing existing ones.

2. Generating a Report

1. Select a predefined template or start with a blank report.

2. Customize the report by selecting relevant data sources and fields.

3. Add visualizations such as charts, graphs, or tables.

4. Save the report for future reference.

3. Sharing a Report

• Use the share option to send reports to team members or stakeholders.

• Export the report in formats like PDF, Excel, or PowerBI dashboards.

Continue exploring other modules in the or learn more about .

Introduction

This Service Level Agreement ("SLA") sets forth the terms and conditions under which CERRIX ("Service Provider") commits to deliver its Governance, Risk Management and Compliance ("GRC") SaaS platform ("the Service") to its customers ("Customer"). This SLA is an integral part of the agreement between the Service Provider and the Customer, ensuring clarity, accountability, and a shared understanding of service expectations.