Requirement Management

From regulatory text to auditable evidence, in one system.

Most organizations track requirements across 5 to 10 frameworks using spreadsheets, shared drives, and tribal knowledge. vucavoid replaces that patchwork with a structured model that separates source documents from actionable obligations, maps them to your organizational scope, and detects when coverage goes stale.

Two-layer architecture

References and Requirements are separate on purpose.

Most GRC tools treat regulatory documents and individual obligations as one flat list. vucavoid separates them into two layers. References are source documents: contracts, laws, standards, internal policies. Requirements are the actionable obligations extracted from those sources. This separation lets you consolidate, reuse, and trace requirements back to their origin without duplication.

References as source documents
A reference is a contract, regulation, standard, or internal policy. It groups the requirements that originate from it. When a document is updated, you update one reference and all linked requirements reflect the change.
Requirements as obligations
A requirement is a single, testable obligation. It carries its own owner, criticality, review cycle, and fulfillment status. Requirements exist independently of the reference they came from, so they can be shared across frameworks.
Full traceability
Every requirement links back to its source reference. Auditors can follow the chain from a specific obligation to the regulatory text that mandates it, without ambiguity.

Organization

Group, filter, and slice requirements your way.

A compliance program with hundreds of requirements is only useful if you can navigate it. vucavoid provides manual grouping through references and dynamic filtering so you can focus on exactly the requirements that matter right now.

Group by reference
Requirements inherit their parent reference structure. Filter by standard, contract, or policy to see only the obligations from a specific source document.
Domain and category filters
Assign requirements to domains and categories that reflect your organizational structure. Slice across frameworks by topic rather than by source.
Owner-based views
Every requirement has an owner. Filter by owner to see exactly what a specific team or person is accountable for, across all frameworks.
Dynamic criteria
Combine filters for criticality, fulfillment status, staleness, and review cycle. Build views that surface the requirements that need attention first.

Scope mapping

Baselines make your compliance scope explicit and auditable.

A requirement without scope is a checkbox exercise. Baselines map requirements to the specific assets, processes, and locations they apply to. vucavoid auto-generates matches, detects when mappings go stale, and aggregates evidence at the baseline level.

Requirement-to-asset mapping
Link requirements to IT assets, information assets, physical assets, processes, locations, legal entities, teams, and persons. The baseline defines exactly what is in scope for each obligation.
Automatic match generation
When you add new assets or new requirements, vucavoid proposes baseline matches based on existing patterns. You approve or dismiss, keeping the mapping accurate without starting from scratch.
Stale detection with 8+ triggers
A baseline match can go stale when the requirement changes, the asset changes, the owner changes, a control is modified, evidence expires, the review cycle lapses, a linked finding is opened, or an incident is reported. vucavoid flags each trigger independently.
Coverage metrics
See what percentage of your organizational model is covered by baselines. Identify assets with no applicable requirements and requirements with no applicable assets. Gaps become visible before auditors find them.
Evidence aggregation
Evidence attached to controls, challenge assessments, or baseline matches rolls up to the baseline level. Auditors see a consolidated view of all supporting documentation for a given requirement-asset pair.
Review cycles
Define how often each baseline match needs to be reviewed. vucavoid tracks the last review date and flags matches that are overdue, so your compliance scope stays current.

Most compliance tools track what you told them. vucavoid tracks what actually changed.

EU hosted, no exceptions
No AI features, no data harvesting
GDPR-native by design
Unlimited users, always

Compliance status

Dual fulfillment gives you the real picture.

vucavoid calculates requirement fulfillment at two levels: global and scoped. The global level comes from challenge assessments against the requirement itself. The scoped level comes from baseline matches against specific assets. The final fulfillment status uses a conservative calculation, so you never overstate compliance.

Global fulfillment
Challenge assessments evaluate the requirement as a whole. This captures organization-wide compliance that does not depend on a specific asset or process.
Scoped fulfillment
Baseline matches evaluate compliance per asset. A requirement might be fully met for your cloud infrastructure but partially met for your on-premises systems. Scoped fulfillment surfaces that distinction.
Conservative calculation
The overall fulfillment status always reflects the weakest link. If one baseline match is non-compliant, the requirement is not marked as fully compliant. No false positives.
VUCA score integration
Unfulfilled requirements feed directly into your VUCA scores. The requirement-related generators measure how many requirements lack fulfillment, how many have no baseline coverage, and how references without requirements affect your posture.

Multi-framework

One requirement, multiple standards.

When ISO 27001, SOC 2, and a client contract all demand access control, you should not create three separate requirements. vucavoid lets a single requirement address multiple frameworks. Criticality, expiry, and review criteria pool across all linked references.

Shared requirements
Link one requirement to multiple references. Work done to fulfill it counts across every framework that references it. No duplicate effort.
Pooled criticality and expiry
When a requirement spans multiple references, vucavoid pools their criticality levels and uses the most conservative values. If one framework demands annual review and another demands quarterly, the requirement inherits the quarterly cycle.
Per-framework reporting
Even though requirements are shared, you can still report compliance per framework. Filter by standard or reference to see fulfillment from a specific regulatory perspective.

Connected data

Requirements do not live in isolation.

Every requirement in vucavoid connects to the broader GRC model. Controls implement them. Evidence supports them. Findings challenge them. Risks justify them. The connections are bidirectional, so changes propagate automatically.

Controls

Link controls to requirements. When a control's effectiveness changes, the impact on requirement fulfillment is recalculated. See which requirements lack implementing controls.

Evidence

Attach evidence to requirements, controls, or baseline matches. Evidence rolls up across levels, giving auditors a consolidated view of supporting documentation.

Findings

Audit findings link to the requirements they affect. Open findings flag the requirement as at risk until remediation is complete and verified.

Risks

Map risks to the requirements they relate to. When a risk materializes, trace which requirements and compliance obligations are impacted.

Processes & assets

Through baselines, requirements connect to your full organizational model: IT assets, information assets, physical assets, processes, locations, teams, and persons.

Baseline matches

Baselines are the bridge between requirements and your organizational scope. Each match is independently assessable, reviewable, and auditable.

Stop managing requirements in spreadsheets.

Start a free trial and see how structured requirement management changes your compliance posture.
