Questions About KCM GRC

In this article, you will find questions that are commonly-asked about the KCM Governance, Risk, and Compliance (GRC) platform. You will find general questions about your account and questions related to working with templates and scopes in the Compliance Management module. To learn more, see the following sections of questions.

Jump to:

General Questions
Working with Scopes and Templates

General Questions

Below are some commonly-asked general questions about KCM GRC. If you don't see the answer you need, submit a ticket to our Support team.

Jump to: 

Can I incorporate my existing compliance efforts and processes into KCM GRC?

What modules are available in the KCM GRC console and what do they do?

How will my control evidence and other files be stored when uploaded to KCM GRC?

What are the differences between the various user roles in KCM GRC?

How do I determine whether a user is counted against my KCM GRC user count license?

If I add my organization's logo under my Account Settings, where will it appear?

How can I enable or disable support access to my account?

How do you remove Account Administrator permissions from a user?

How do I request a new feature, template, or improvement?

Question: Can I incorporate my existing compliance efforts and processes into KCM GRC? 

Answer: Absolutely. KCM GRC allows you to use CSV files to easily upload existing processes. For example, you can import compliance requirements and import the controls that your organization already has in place. Once imported, you can map controls to one or more requirements and, therefore, compliance frameworks (called scopes in KCM GRC).

Back to top

Question: What modules are available in the KCM GRC console and what do they do?

Answer: The following modules are available in the KCM GRC console. You may not have access to all of these modules, depending on your subscription level. Contact your Customer Success Manager if you'd like to add an additional module to your account. 

• Compliance Management (CM) Module - Compliance is a module included with your KCM GRC subscription. It allows you to manage compliance initiatives and audits by assigning control tasks, creating auditor reports, and storing evidence. For more information on getting started with your compliance module, please see our Getting Started with the Compliance Management article.  
• Policy Management (PM) Module - Policy Management is a module included with your KCM GRC subscription. It allows you to manage, distribute, and track acknowledgments of your organization's required policies. For more information, please see our Policy Management article.  
• Risk Management (RM) Module - Risk Management is a module that can be added to your KCM GRC subscription. It allows you to manage risk by conducting risk assessments and establishing and implementing mitigation efforts. For more information, please see our Risk Management: Overview article.  
• Vendor Risk Management (VRM) Module - Vendor Risk Management is a module that can be added to your KCM GRC subscription. The VRM module lets you centralize your third-party risk management processes by prequalifying risk, assessing your vendors, and conducting remediation efforts in your platform. You can even set a frequency for how often your vendors are assessed, to continually monitor the associated risk. For more information, please see: Vendor Risk Management: Introduction Guide. 

Back to top

Question: How will my control evidence and other files be stored when uploaded to KCM GRC? 

Answer: You can either upload evidence files directly to your account or provide links to external data or files that are stored on your organization's intranet or a file sharing service. You have the option to limit the format in which your users can submit evidence for your controls. To learn more, please see: How Can I Limit the Type of Evidence Submitted by my Users?.

For files that are uploaded to your account, KCM GRC uses Amazon S3 for storage. Therefore, KCM GRC leverages AWS for data encryption in transit (TLS) and at rest (AES-GCM 256). To learn more about the security of KnowBe4's products, please see here. 

Back to top

Question: What are the differences between the various user roles in KCM GRC?

Answer: The KCM GRC platform has user roles for each of our four different modules. Please see our KCM GRC: User Roles guide for more information.

Back to top

Question: How do I determine whether a user is counted against my KCM GRC user count license?

Answer: The following user roles are counted against your user limit: Account Administrator, Contributor, Scope Administrator, Policy Administrator, Campaign Administrator, Risk Administrator, and Vendor Administrator.

The Auditor and Vendor User user roles, and policy management end-users (added within the Policy Management module) are considered soft licenses and do not count against your KCM GRC user count license. 

Back to top

Question: If I add my organization's logo under my Account Settings, where will it appear?

Answer: Adding your organization's logo under your Account Settings is a great way to personalize your KCM GRC environment. The logo will display at the top-left corner of your platform and in any emails that are generated from your KCM GRC platform.

Back to top

Question: How can I enable or disable support access to my account?

Answer: You can decide whether or not you'd like to allow KnowBe4's KCM GRC Support team to view your account data so they can better assist you. You can shut this feature on or off from your Account Settings. For more information, please see our Managing Account Settings article. 

Back to top

Question: How do you revoke Account Administrator permissions from a user?

Answer: For security reasons, the KnowBe4 Support team must revoke these permissions for you. Please reach out to support@knowbe4.com for assistance.

Back to top

Question: How do I request a new feature, template, or improvement?

Answer: We recommend reaching out to your Customer Success Manager, the KnowBe4 support team, or posting on our KCM Community Board for Feature Requests. We base a lot of our development on customer feedback and requests, so we appreciate your input.

Back to top

Working with Scopes and Templates

This section is for questions related to working with templates and scopes. This includes questions about requirements, controls, tasks, and evidence. If you don't see the answer you need, submit a ticket to our Support team.

Jump to: 

What is the difference between a template and a scope?

What types of templates can I use in my KCM GRC platform?

I’ve converted my template to a scope. What should I do next?

How can I map requirements to my scope?

How do I add additional scope permissions for my Contributor user types?

What is the difference between a control and a task?

Are Scope Administrators able to create controls?

What is the difference between archiving and deleting a control?

How do I create and assign a task schedule?

What is the KCM GRC task reminder email schedule?

When is a control task considered "Past Due" or "Failed"?

Is there a character limit for links that are submitted as evidence, or links to policies for the Policy Management module?

Are there limitations for the various files uploaded to KCM GRC?

What MIME types (media types) are allowed to be uploaded as control documents or evidence?

How can I see a list of which tasks are not 100% compliant?

I have a user who left our organization, how do I transfer their responsibilities?

How do I completely remove all scopes and controls in our account?

When uploading or creating a new requirement, what is the "default" ID Separator?

Can I download a report of my scope with control, task, and evidence details?

Question: What is the difference between a template and a scope? 

Answer: A template is a framework, or collection, of requirements that relate to one another. A scope is a framework, or collection, of requirements that relate to one another and describe the boundaries of a project or audit framework. We recommend creating a scope from a template. You must have a scope in your account before you can begin to create and assign the appropriate controls for your requirements.

For more information, please see the following articles:  

• Glossary of Compliance Terms
• Getting Started with the Compliance Management Module
• Creating Custom Templates for Scopes
• Converting Templates to Scopes

Back to top

Question: What types of templates can I use in my KCM GRC platform?

Answer: KCM GRC has four types of templates that you can use in your platform. See the bullet points below to learn how to use each template. 

• Custom Templates: You can use custom templates in the Compliance Management module to select requirements that you will work toward under a scope. Custom templates are most useful if your organization has unique compliance objectives that our managed templates do not cover. For information about creating custom templates, see our KCM GRC: Creating Custom Templates for Scopes article. 
• Managed Templates: You can use a managed template in the Compliance Management module to convert the template into a scope. Managed templates already include requirements, so they are a simple alternative to creating a custom template. After you convert a managed template to. a scope, you can create or map additional requirements, or you can unmap requirements that do not apply to your organization. For information about the managed templates that we offer, see our KCM GRC: Managed Templates article. 
• Policy Templates: You can use policy templates in the Policy Management module to document your organization's policies. Your KCM GRC account offers ten policy templates that you can download and customize for your organization. For information about customizing policy templates and the policy templates that we offer, see our KCM GRC: Policy Templates article. 
• Risk Templates: You can use risk templates to add risks from our master risk repository to your Risk Register. Risk templates have pre-populated names and descriptions, and you can customize details such as the risk status, likelihood, and impact. Risks that you import to or create from your Risk Register also appear in the Risk Templates area of your platform. For more information about risk templates, see our KCM GRC Risk Management: Risk Templates article. 

Question: I’ve converted my template to a scope. What should I do next?

Answer: Now that you have converted your template to a scope, the next step is to complete a Scope Self-Assessment of the scoped requirements. The Scope Self-Assessment helps you see how far along your organization is, in meeting the requirements under the selected framework (scope). This information can help you figure out which requirements you can quickly create controls for in your platform and which requirements your organization will need to work on.  

For more information, please see our Completing a Scope Self-Assessment article.

Back to top

Question: How can I map requirements to my scope?

Answer: Regardless of whether you're working in a custom scope or a scope that you've created from one of our Managed Templates, you can map any requirement in your account to a scope. 

If you need to add an existing requirement to a scope, you can do so from the View Scope page. Follow the steps below: 

1. Navigate to Compliance > Scopes from the navigation panel on the left-hand side of your account.
2. Click the scope name.
3. From the View Scope page, click the Requirements tab.
4. Click the Map Requirements to Scope button.
5. Search for the desired requirement, and then, click the checkbox on the left-hand side of each requirement that you would like to add to the scope. 
6. Once you've selected the desired requirements, click the Map button.

If you need to create requirements for your scope, click the Create Requirement button on the View Scope page.

Back to top

Question: How do I add additional permissions for my Contributor user types?

Answer: Please see the Managing Users section of our Working with Users guide to learn more about updating user profiles and adding additional user roles. 

For more information on Contributors and other KCM GRC user roles, see our User Roles article.

Back to top

Question: What is the difference between a control and a task? 

Answer: A control is an action or procedure that you are taking to ensure that you are meeting the associated requirement or requirements.

You assign a task schedule to a control. The task schedule determines how often your organization must provide evidence to prove that you're meeting the control. By meeting a control, you are proving that your organization is either partially or fully satisfying the requirement or requirements that are mapped to the control.

To learn more, please refer to our explanations of Controls and Tasks in our KCM GRC: Glossary of Compliance Terms. Additionally, please see our Working with Task Schedules for Controls article. 

Back to top  

Question: Are Scope Administrators able to create controls?

Answer: Yes, Scope Administrators can create controls for the requirements that are included in their allowed scopes. From a Scope Administrator's user profile, the Allowed Scopes field is where you can add or remove access to the scopes in your account. To learn more about adding or removing a user's allowed scopes, please see this section of our Working with Users article. 

To create a new control, Scope Administrators will navigate to a scope and then, open the requirement that they want to create a control for. For further instructions, please see the Creating Controls One-By-One section of our Creating and Importing Controls article. 

Back to top

Question: What is the difference between archiving and deleting a control? 

Answer: You may want to archive a control if you'd like to keep a record of the control evidence or if you believe it could be used again with a different requirement. If you are archiving a control, its task schedules will be deleted from the Task Schedules tab, but the following items will return if you choose to unarchive the control: tasks, evidence, control documents, requirement mappings, risk mappings, and the control's health score.

If the control was created by accident or if it is not sufficient for any further compliance efforts, you can delete it.

Back to top

Question: How do I create and assign a task schedule?

Answer: Please see our Working with Task Schedules for Controls article to learn how to create and assign task schedules, and to see the necessary prerequisites.

Back to top

Question: What is the KCM GRC task reminder email schedule?

Answer: When you've assigned a user to a task, the console will automatically send reminder notifications to the User Assigned before the task evidence is due. To learn more about the task reminder emails, please see the Control Task Notifications section of our Email Notifications and the Email Digest article. 

Back to top

Question: When is a control task considered "Past Due" or "Failed"?

Answer: You can create and assign various types of tasks to ensure that you are maintaining your organization's compliance controls. For both one-time tasks and recurring task schedules, if the assigned user does not mark a task as complete before the task's due date, the following will occur:

• One day past the due date: The task's status will change to Past Due.
• Seven days past the due date: The task's status will change to Failed.

For more information about completing tasks, see: Monitoring and Completing Tasks (a Guide for Contributors).
For more information about approving tasks, see: Monitoring and Approving Tasks (a Guide for Approving Managers).
For more information about creating one-time tasks and task schedules, see: Working with Task Schedules for Controls.

Back to top

Question: Is there a character limit for links that are submitted as evidence or links to policies for the Policy Management module? 

Answer: If you submit a link as evidence for a control task or add a policy to your account using an external link, the Link field has a maximum character limit of 2000 characters.

Back to top

Question: Are there limitations for the various files uploaded to KCM GRC?

Answer: Please see the file requirements specified for each module, below: 

• Control Task Evidence Files (Compliance Management module):
  • File Size: Minimum of 1B, maximum of 50MB
  • File Name: Maximum of 250 characters (including the file extension)
  • Accepted File Types: .png, .jpg, .jpeg, .gif, .bmp, .tif, .tiff, .pdf, .txt, .rtf, .eml, .msg, .csv, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .zip, .gzip, .7z, .gz, .tar, .tgz, .nrl
• Policy Management Files (Policy Management module):
  • File Size: PDF files must be a minimum of 1B and maximum of 50MB
    All other accepted file types must be a minimum of 1B and a maximum of 10MB. See here for more information on the accepted file types.
  • File Name: Maximum of 250 characters (including the file extension)
• Questionnaire Attachment Files (Vendor Risk Management module):
  • File Size: Minimum of 1B, maximum of 5 MB (for each question)
  • File Name: Maximum of 250 characters (including the file extension)
  • Accepted File Types: .png, .jpg, .jpeg, .gif, .bmp, .tif, .tiff, .pdf, .txt, .rtf, .eml, .msg, .csv, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .zip, .gzip, .7z, .gz, .tar, .tgz, .nrl

Back to top

Question: What MIME types (media types) are allowed to be uploaded as control documents or evidence?

Answer: Only the following MIME types are allowed:

• application/msword
• application/cdfv2-encrypted
• application/cdfv2-unknwon
• application/gip
• application/octet-stream
• application/rtf
• application/tar
• application/tar+gzip
• application/vnd.mms-excel
• application/vnd.ms-outlook
• application/vnd.ms-powerpoint 
• application/vnd.msoutlook
• application/vnd.openxmlformats-officedocument.spreasdheetml.sheet
• application/vnd.openxmlformats-officedocument.wordpressingml.document
• application/x-7z-compresssed
• application/x-gzip
• application/x-zip-compressed
• application/zip
• application/vnd.openxmlformats-officedocument.presentationml.presentation
• applicaton/pdf
• image/bmp
• image/gif
• image/jpeg
• image/png
• image/tiff
• image/x-bmp
• image/x-ms-bmp
• image/x-tiff
• image/x-windows-bmp
• message/rfc822
• text/csv
• text/html
• text/plain
• text/rtf

For more information on MIME types, you can read the Wikipedia entry on Media Types here.  

Back to top

Question: How can I see a list of which tasks are not 100% compliant? 

Answer: To see a list of all the tasks that have not been satisfied and closed, follow the steps below:

1. Navigate to the Tasks page by clicking Tasks from the navigation panel on the left-hand side of your account.
2. From the Status column, click the drop-down menu and select the following statuses:
   • Active
   • Failed
   • Past Due
3. The page will show all incomplete tasks that are either coming due or have passed their due date.
   
   Tip: If you would also like to see the tasks that are complete but are still awaiting approval from a manager, from the Approval Stage column, click the drop-down menu and then select Awaiting Approval.

Back to top

Question: I have a user who left our organization, how do I transfer their responsibilities?

Answer: Please see the Disabling Users and Transferring Responsibilities section of our Working with Users article.

Back to top

Question: How do I completely remove all scopes and controls in our account? 

Answer: To remove controls and scopes from your account, use the following steps:

First, follow these steps to delete your controls:

1. Navigate to the Controls area by clicking Controls from the left-hand side of your account. 
2. Click on a control name to open a control. 
   
   Tip: When deleting multiple controls, we recommend right-clicking the control name and opening the control in a new tab or window, instead.
3. Click the Delete button at the top of the page. Once prompted, click Delete.
4. Repeat these steps as needed.

Next, follow these steps to delete your scopes:

1. From the navigation panel on the left-hand side, click Compliance > Scopes. 
2. From the View All Scopes page, under the Actions column, click the trash can icon for a scope that you want to delete. Once prompted, click Delete. 
3. Repeat these steps as needed.

You also have the option to archive your controls and scopes, which would allow you to retain information while still hiding the controls and scopes from your account. To archive instead, follow the steps above but click the Archive button or icon, instead of the Delete button or icon.

Back to top

Question: When uploading or creating a new requirement, what is the "default" ID Separator?

Answer: When adding new requirements to your console, you can determine the type of character that you want to use between the numbers or letters that make up your Requirement ID. This character is known as the ID Separator. The Requirement ID is a combination of the requirement's Primary ID and Sub ID. The ID Separator will be placed between these two values.

To set the ID separator character, you will select one of the following options from the ID Separator drop-down menu:

• Space Separated ( )
• Comma Separated (,)
• Dash Separated (-)
• Dot Separated (.)

If you do not make a selection from this drop-down menu, the default separator will be used. See below for details: 

• If your Primary IDs and Sub IDs only contain numbers: The default separator will be a period (.)
• If your Primary IDs or Sub IDs contain numbers and letters: The default separator will be a space ( ) 

Back to top

Question: Can I download a report of my scope with control, task, and evidence details? 

Answer: Yes. Please see our Scope Exports article for more information.

Back to top