Configurable risk approval workflow
Customer administrators tailor the risk approval workflow to their organisational hierarchy — selecting who approves which type of risk, at what severity, and how many approval stages each severity warrants.
A live view of what we're building, what's next, and what's on the horizon. Items are updated as work progresses.
A simple view across the areas we're investing in — security, compliance, platform, integrations and user experience.
Each Annex A control and each risk decision can carry attached evidence — documents, owner attestations, freshness indicators — that travel inside every immutable Statement of Applicability and Risk Assessment snapshot. Auditors receive a single, self-contained evidence package per release.
Map one control implementation across multiple frameworks — ISO/IEC 27001, SOC 2, NIS2, DORA, NIST CSF — so a customer's audit work counts once and applies to every certification target.
Microsoft Entra ID and Google Workspace added as sign-in options alongside the existing email + two-factor flow, simplifying onboarding for organisations standardised on those identity providers.
Subscribe to lifecycle events — risk transitions, mitigation deadlines, exception expiry, Joiner-Mover-Leaver state changes — through signed HTTPS webhooks delivered to customer endpoints, enabling integration with ticketing systems, SIEMs and custom automations.
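The value of a signed webhook is realised only on the receiving side: the customer endpoint must recompute the signature over the raw request body, compare it in constant time, and reject stale or repeated deliveries. The page does not document the platform's signing scheme, so the following is an added illustration written for this roadmap entry, not the platform's own code. It assumes a hypothetical scheme of the common kind: a Unix timestamp in an `X-Webhook-Timestamp` header and `v1=<hex>` in an `X-Webhook-Signature` header, where the hex value is HMAC-SHA256 over `"<timestamp>.<raw body>"` keyed with a per-endpoint shared secret. The header names, the secret and the sample event are all constructed for the example.

```python
"""Receiver-side verification of a signed HTTPS webhook (added example).

Assumed, hypothetical scheme (the page does not specify one):
  X-Webhook-Timestamp: <unix seconds>
  X-Webhook-Signature: v1=<hex of HMAC-SHA256(secret, "<timestamp>.<raw body>")>
Several comma-separated v1= values may be present so the sender can rotate secrets.
"""
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300      # deliveries older than five minutes are rejected (replay window)
SIGNATURE_VERSION = "v1"

# Constructed sample material, not real platform data.
SECRET = b"whsec_constructed_example_secret"
NOW = 1_700_000_000
EVENT = {
    "id": "evt_0001",
    "type": "risk.transitioned",
    "risk_id": "R-42",
    "from": "assessed",
    "to": "treated",
}


def compute_signature(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC over timestamp and raw body. Binding the timestamp means an old body
    cannot be re-sent under a fresh header, and the raw bytes (not a re-serialised
    JSON object) are what the sender actually signed."""
    signed_payload = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def make_delivery(secret: bytes, event: dict, timestamp: int):
    """Sender side, used here only to produce a realistic (headers, body) pair."""
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    headers = {
        "X-Webhook-Timestamp": str(timestamp),
        "X-Webhook-Signature": SIGNATURE_VERSION + "=" + compute_signature(secret, timestamp, body),
    }
    return headers, body


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (ok, reason). Every failure path returns before any business logic runs."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers["X-Webhook-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    header = headers.get("X-Webhook-Signature", "")
    candidates = [part.split("=", 1)[1] for part in header.split(",")
                  if part.strip().startswith(SIGNATURE_VERSION + "=")]
    if not candidates:
        return False, "no " + SIGNATURE_VERSION + " signature present"
    expected = compute_signature(secret, timestamp, body)
    # compare_digest is constant-time, so response timing does not reveal how
    # many leading characters of a forged signature were correct.
    if not any(hmac.compare_digest(expected, c.strip()) for c in candidates):
        return False, "signature mismatch"
    return True, "ok"


class ReplayGuard:
    """A valid signature still verifies on a second, identical delivery inside the
    tolerance window; remembering event ids for that window closes the gap."""

    def __init__(self):
        self._seen = {}

    def first_time(self, event_id: str, now: int) -> bool:
        self._seen = {k: v for k, v in self._seen.items() if now - v <= TOLERANCE_SECONDS}
        if event_id in self._seen:
            return False
        self._seen[event_id] = now
        return True


def run_checks() -> dict:
    """Exercise the verifier against a good delivery and the failure modes a receiver must handle."""
    headers, body = make_delivery(SECRET, EVENT, NOW)
    guard = ReplayGuard()
    return {
        "genuine": verify_webhook(SECRET, headers, body, now=NOW),
        "tampered_body": verify_webhook(SECRET, headers, body + b" ", now=NOW),
        "stale": verify_webhook(SECRET, headers, body, now=NOW + TOLERANCE_SECONDS + 1),
        "wrong_secret": verify_webhook(b"some-other-secret", headers, body, now=NOW),
        "no_signature": verify_webhook(SECRET, {"X-Webhook-Timestamp": str(NOW)}, body, now=NOW),
        "first_delivery": guard.first_time(EVENT["id"], NOW),
        "replayed_delivery": guard.first_time(EVENT["id"], NOW + 10),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:18s} {result}")
```

Two design points matter in practice: verify over the exact bytes received (read the body before any JSON middleware touches it), and treat the replay guard as part of verification rather than an optimisation, since the signature alone proves only that the sender produced this delivery at some point, not that it is being seen for the first time.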
Sign-in via platform-bound and roaming WebAuthn/FIDO2 authenticators — Touch ID, Face ID, Windows Hello and hardware security keys — added alongside the existing multi-factor methods to give organisations an additional, phishing-resistant option. The credential is bound to the platform's origin, so it cannot be exercised by a look-alike site the way a one-time code can be relayed.
Three additional GDPR-specific modules — Data Protection Impact Assessment (Art. 35), Record of Processing Activities (Art. 30) and a data-breach notification workflow (Art. 33–34, 72-hour timer) — joining the right-to-erasure capability shipped in April.
Interactive 5×5 likelihood-by-impact heat map across the Risk Register, with click-through to the underlying risks and per-treatment comparison views.
A public REST API for the platform's main resources, documented through an OpenAPI specification, with per-tenant API keys, scopes and rate limits — for building custom workflows on top of the ISMS data.
First-class support for the NIS2 directive (essential and important entities) and DORA (ICT risk management, incident reporting and ICT third-party risk for the financial sector), with the respective incident-reporting workflows and control overlays mapped onto the existing ISO/IEC 27001 foundation.
Each control's live state — owner attestation cycles, freshness indicators and a per-control evidence repository — surfaced in a dedicated dashboard inside the platform.
Automated user lifecycle synchronisation from the customer's identity provider via SCIM 2.0; first-class Okta integration; the ability for one tenant to authenticate users from multiple identity providers concurrently (employees, contractors and partners).
Built-in support for climate-related risks within the risk-assessment context — capturing climate considerations as part of the broader risk picture, in line with Amendment 1 (2024) to ISO/IEC 27001:2022, which requires the organisation to determine whether climate change is a relevant issue in its context (clause 4.1) and notes that interested parties can have climate-related requirements (clause 4.2).
Two-way Slack and Microsoft Teams integrations — notifications, approval prompts from the channel, slash commands and digest summaries — so daily ISMS work happens where teams already work.
Request a demo and we'll show you how Infosec Tools fits your organisation — today.