Risk Management


K2 Compliance was built on an flexible open source platform that allows the application to serve an organization's compliance and IT security needs regardless of its industry or vertical market. The application supports a variety of risk frameworks and methodologies for calculating both inherent and mitigated risks. Those methodologies or frameworks include but are not limited to FAIR, ISO and NIST. Additionally, K2 Compliance provides an organization with the ability to incorporate its own unique methodology for calculating risk that may fall outside the parameters of those that are more commonly used.


The information request feature of K2 Compliance provides users with the ability to electronically distribute particular questionnaires to external parties through a secure link embedded within an email or text message. These questionnaires are linked to and sent from a specific record within K2 Compliance. Responses feed back into the application for review and can be attached as supporting evidence to an assessor's summary or their findings. They can also be exported for other related activities or to share with individuals without access to the application. Status charts on the record where the information requests were sent provide a summary of requests that have been returned, started or unattended to.


Whether asset records are inherently created and stored within K2 Compliance or record details are imported from an outside resource, the application supports asset based risk assessments. While each asset will always have a calculated inherent and mitigated risk scores, the application provides functionality to assess an entire group of like assets to reduce project timelines.

For example a group of 10 desktop workstations within a particular business unit may be assessed at once; applying all threats and controls to the group. If an assessor chooses, they can further assess an individual asset within the group, identifying additional vulnerabilities that may impact the calculated risk for that asset but not the entire group.