Below are some commonly-asked questions about the KCM Governance, Risk, and Compliance (GRC) platform. If you don't see the answer you need, submit a ticket to our Support team.
General Questions
Jump to:
Can I incorporate my existing compliance efforts and processes into KCM GRC?
What modules are available in the KCM GRC console and what do they do?
What are the differences between the various user types in KCM GRC?
How do I determine whether a user is counted against my KCM GRC user count license?
If I add my organization's logo under my Account Settings, where will it appear?
How can I enable/disable support access to my account?
How do you remove account admin permissions from a user?
How do I request a new feature, template, or improvement?
Working with Scopes
This section is for questions related to working with scopes including questions about requirements, controls, and evidence which are managed within scopes.
Jump to:
What is the difference between a template and a scope?
I’ve converted my scope. What should I do next?
How can I map references to my scope?
How do I add additional scope permissions for my Contributor user types?
What is the difference between a control and a task?
Are Scope Administrators able to create controls?
What is the difference between archiving and deleting a control?
How do I create and assign a task schedule?
What is the KCM GRC task reminder email schedule?
When is a control task considered "Past Due" or "Failed"?
How will my scope evidence and my policy management module policies be stored?
Are there limitations for the various files uploaded to KCM GRC?
What MIME types (media types) are allowed to be uploaded as control documents or evidence?
Can I download a report of my scope with control, task, and evidence details?
How do I see which tasks are not 100% compliant?
I have a user who left our organization, how do I transfer their responsibilities?
How do I completely remove all scopes and controls in our account?
Question: Can I incorporate my existing compliance efforts and processes into KCM GRC?
Answer: Absolutely. KCM GRC allows you to easily upload any existing processes you may have in place via a CSV file. Once uploaded, these controls can be mapped to one or more requirements, and therefore, compliance frameworks.
Question: What modules are available in the KCM GRC console and what do they do?
Answer: The following modules are available in the KCM GRC console. You may not have access to all of these modules, depending on your subscription level. Contact your Customer Success Manager if you'd like to add an additional module to your account.
- Compliance Management (CM) Module - Compliance is a module included with your KCM GRC subscription. It allows you to manage compliance initiatives and audits by assigning control tasks, creating auditor reports, and storing evidence. For more information on getting started with your compliance module, see our Getting Started article, here.
- Policy Management (PM) Module - Policy Management is a module included with your KCM GRC subscription. It allows you to manage, distribute, and track acknowledgments of your organization's required policies. With automatic reminder notifications and functionality to nudge those users who haven't acknowledged, you no longer need to chase your users to fulfill your policy requirements. For more information, see our Policy Management article, here.
- Risk Management (RM) Module - Risk Management is a module that can be added to your KCM GRC subscription. It allows you to manage risk by creating risk assessments and establishing and implementing mitigation efforts. For more information, see our Risk Management article, here.
- Vendor Risk Management (VRM) Module - Vendor Risk Management is a module that can be added to your KCM GRC subscription. The VRM module lets you centralize your third-party risk management processes by prequalifying risk, assessing your vendors, and conducting remediation efforts in your KCM GRC platform. You can even set a frequency for how often your vendors are assessed to continually monitor the associated risk. For more information, see our VRM Introduction Guide, here.
Question: What are the differences between the various user types in KCM GRC?
Answer: The KCM GRC platform consists of four different modules: Compliance Management, Policy Management, Risk Management, and Vendor Risk Management. There are different user types for each module. See our KCM GRC: User Types guide for more information.
Question: How do I determine whether a user is counted against my KCM GRC user count license?
Answer: The following user types are counted against your user limit: Account Administrators, Contributors (i.e., Users Responsible and Approving Managers), Scope Administrators, Policy Administrators, Campaign Managers, and Vendor Administrators. If a user fills more than one of these roles, they're only counted once.
Auditors, Vendor Users, and policy management end users (added within the Policy Management module) are considered soft licenses and therefore do not count against your KCM GRC user count license.
Question: If I add my organization's logo under my Account Settings, where will it appear?
Answer: Adding your organization's logo under your Account Settings is a great way to personalize your KCM GRC environment. The logo will display at the top-left corner of your console and in any emails that are generated from your KCM GRC platform.
Question: How can I enable/disable support access to my account?
Answer: You can decide whether or not you'd like to allow KnowBe4's KCM GRC Support team to view your account data so they can better assist you. You can turn this feature on or off from your account settings. For more information, see our Managing Account Settings article.
Question: How do you remove account admin permissions from a user?
Answer: Our Support team can do this for you. Reach out to support@knowbe4.com for assistance.
Question: How do I request a new feature, template, or improvement?
Answer: We recommend reaching out to your Customer Success Manager, the KnowBe4 support team, or posting on our KCM Community Board for Feature Requests. We base a lot of our development on customer feedback and requests, so we appreciate your input.
Question: What is the difference between a template and a scope?
Answer: A template is a framework or collection of requirements that relate to one another. A scope describes the boundaries of the project or audit framework. You must convert your template to a scope before you can begin to create and assign the appropriate controls. For more information, see our Getting Started with the Compliance Management Module article.
Question: I’ve converted my scope. What should I do next?
Answer: Now that you have converted your scope, the next step is to do a Self-Assessment of the requirements to see exactly where your organization stands for your selected framework. This information can help you figure out which requirements you can quickly create controls for and which requirements your organization will need to work on.
For more information, please see our Getting Started with the Compliance Management Module article.
Question: How can I map references to my scope?
Answer: If you're using our managed templates, or if you've created custom templates in your account, you can map references from these templates to additional scopes. When you map references to a scope they will be converted to requirements.
To map references to your scope, please follow these steps:
- Navigate to Compliance > Scopes > View Scopes from the navigation panel on the left-hand side of your account.
- Click the scope name, then click the Requirements tab.
- Click the Add Requirement button to map an existing reference to your scope.
- Search for the desired Reference(s), and click the + button in the Add Requirement column for each reference you'd like added to the Scope.
- Once you've added all necessary references, click the Done Mapping button.
If you need to create requirements for your scope, see Step 1 in our Getting Started guide, here.
Question: How do I add additional permissions for my Contributor user types?
Answer: Please see the Managing Users section of our Working with Users guide to learn more about updating user profiles and adding additional user roles.
For more information on Contributors and the other KCM GRC user types, see our User Roles article here.
Question: What is the difference between a control and a task?
Answer: A control is an action or procedure that you are taking to ensure that you are meeting the associated requirement.
You assign a task frequency to a control. The task frequency determines how often your organization must provide evidence that you're meeting the control, and therefore the requirement. For example, if you set a task to a monthly frequency, you will have 12 tasks per year for the associated control.
Task reminder notifications are automatically generated by the platform and sent to the user (User Responsible) who you've assigned to the task. To learn more about when these task reminder notifications are sent, see here.
Question: Are Scope Administrators able to create controls?
Answer: Yes, as long as they have Scope Administrator access to the Scope in question. Please see our User Roles article for more information.
Question: What is the difference between archiving and deleting a control?
Answer: You may want to archive a control if you believe it could be used again with a different requirement. If the control is a mistake, or if it is not sufficient for any further compliance efforts, you would delete it.
Note: Deleting controls is an irreversible action.
Question: How do I create and assign a task schedule?
Answer: In order to assign a task schedule, you must have a scope that contains requirements. You'll also need to create or map a control to a requirement in order to assign a task. To learn more about creating task schedules for controls, please see this article: Working with One-Time Tasks, Task Schedules, and Effective Date Range.
Question: What is the KCM GRC task reminder email schedule?
Answer: When you've assigned a User Responsible to a task, the console will automatically send reminder emails to this user before the task evidence is due. Reminder emails are determined by both the due date for the task and the frequency set for the task schedule.
When you've assigned an Approving Manager to a task, they'll receive an email notification on a daily basis on two occasions:
- Once a task is awaiting approval. A task is awaiting approval when the User Responsible has submitted evidence and/or changed the task status to Complete.
- Once the task has reached Past Due status.
See this article for more information about approving Control Tasks.
The table below defines when the User Responsible will receive a reminder email about their upcoming Tasks.
| If... | Then... | Applicable to the following frequencies |
| --- | --- | --- |
| The Task is due in 365 days or 1 year. | The user will be sent a reminder that their task is due on this day of the following year. | |
| The Task is due in 30 days. | The user will be sent a reminder that their task is due in 30 days. | |
| The Task is due in 14 days. | The user will be sent a reminder that their task is due in 14 days. | |
| The Task is due in 7 days. | The user will be sent a reminder that their task is due in 7 days. | |
| The Task is due the next day. | The user will be sent a reminder that their task is due in one day. | |
| The Task is due today. | The user will be sent a reminder email that their task is due today. | |
| The Task is past due. | The user will be sent a reminder email that their task is past due. | |
Question: When is a control task considered "Past Due" or "Failed"?
Answer: You can create and assign various types of tasks to ensure you're meeting your organization's compliance controls. Regarding both one-time tasks and recurring task schedules, if a task status is not updated to "Completed" before the task's Due Date, the following will occur:
- One day past the Due Date: The task will change to "Past Due" status.
- Seven days past the Due Date: The task will change to "Failed" status.
For more information about completing tasks and updating a task's status, see: How Do I Satisfy/Complete Tasks?
For more information about approving tasks, see: How Do I Approve Tasks?
For more information about creating one-time tasks and task schedules, see: Working with One-Time Tasks, Task Schedules, and Effective Date Range
Question: How will my scope evidence, Policy Management module policies, and other files be stored?
Answer: You can either upload files directly to your KCM GRC account or use the doculink option to link policies or evidence from your intranet or a file sharing service.
Question: Is there a character limit for doculinks submitted as evidence or links to policies for the Policy Management module?
Answer: The DocuLink hyperlink field and the policy hyperlink field have a maximum character count of 2000.
Question: Are there limitations for the various files uploaded to KCM GRC?
Answer: Please see the details below for the files you can upload to your KCM GRC platform.
- Control Evidence Files (Compliance Management module):
  - File Size: Maximum of 50MB.
  - File Name: Maximum of 250 characters (including file extension).
- Policy Management Files (Policy Management module):
  - File Size: PDF files are a maximum of 50MB. All other accepted file types have a maximum size of 10MB. See here for more information on the accepted file types.
  - File Name: Maximum of 250 characters (including file extension).
- Questionnaire Attachment Files (Vendor Risk Management module):
  - File Size: Maximum of 5 MB (for each question).
  - File Name: Maximum of 250 characters (including the file extension).
  - Accepted File Types: .png, .jpg, .jpeg, .gif, .bmp, .tif, .tiff, .pdf, .txt, .rtf, .eml, .msg, .csv, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .zip, .gzip, .7z, .gz, .tar, .tgz, .nrl
Question: What MIME types (media types) are allowed to be uploaded as control documents or evidence?
Answer: Only the following MIME types are allowed:
- application/msword
- application/cdfv2-encrypted
- application/cdfv2-unknown
- application/gip
- application/octet-stream
- application/rtf
- application/tar
- application/tar+gzip
- application/vnd.ms-excel
- application/vnd.ms-outlook
- application/vnd.ms-powerpoint
- application/vnd.msoutlook
- application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
- application/vnd.openxmlformats-officedocument.wordprocessingml.document
- application/x-7z-compressed
- application/x-gzip
- application/x-zip-compressed
- application/zip
- application/vnd.openxmlformats-officedocument.presentationml.presentation
- application/pdf
- image/bmp
- image/gif
- image/jpeg
- image/png
- image/tiff
- image/x-bmp
- image/x-ms-bmp
- image/x-tiff
- image/x-windows-bmp
- message/rfc822
- text/csv
- text/html
- text/plain
- text/rtf
For more information on MIME types, you can read the Wikipedia entry on Media Types here.
Question: Can I download a report of my scope with control, task, and evidence details?
Answer: Yes. Please see our KCM GRC: Reports and Exporting Scopes article for more information.
Question: How do I see which tasks are not 100% compliant?
Answer: To see a list of all the tasks that have not been satisfied, follow the steps below:
- Navigate to the View All Tasks page by clicking Tasks from the navigation panel on the left-hand side of your account.
- From the Status column, click the drop-down menu and select the following statuses:
  - Active
  - Failed
  - Past Due
Question: I have a user who left our organization, how do I transfer their responsibilities?
Answer: Please see the Disabling Users and Transferring Responsibilities section of our Working with Users article for instructions.
Note: This action will only transfer Scope Controls and their associated Task Schedules. Policy campaigns that were created by the disabled user will need to be assigned to a new Campaign Owner, or the Account Admin will be responsible, by default.
Question: How do I completely remove all scopes and controls in our account?
Answer: To clear out your account, use the following steps:
First, clear out the Controls:
- Navigate to Compliance > Scopes > View Scopes from the navigation panel on the left-hand side of your account.
- Select a Scope, then click Controls.
- From the Controls Library, select a Control.
- In the upper right corner, click the Delete Control button and then click OK.
- Repeat these steps as needed.
Next, clear out the scopes:
- Navigate to Compliance > Scopes > View Scopes from the navigation panel on the left-hand side of your account.
- Select a Scope, then click Delete Scope from the upper right corner and click OK.
- Repeat these steps as needed.
Lastly, you may want to clear out control documents and evidence:
- Navigate to the Evidence Repository from the navigation panel on the left-hand side of your account.
- Select evidence by clicking on the name, then click Delete DocuLink or Delete Document (depending on the type of evidence).
- Click OK.
You also have the option of archiving your controls and scopes, which would allow you to retain the information while cleaning out your account. To archive instead, follow the steps above but click the Archive buttons instead of Delete.