Action Items

April 11, 2026

Track and manage the tasks needed to implement controls, fix failures, and advance your organization's compliance program.

Action items are tasks automatically generated by the platform or created manually to track the work needed to implement controls, fix failures identified in tests, or fulfill compliance requirements. They are the central mechanism for turning identified gaps into concrete progress.

How Action Items Are Created

Action items can come from different sources:

  • Automated tests — When an integration test fails (for example, MFA disabled on an account), the platform automatically creates an action item linked to the affected control
  • Unimplemented controls — When adding a framework, controls without evidence or with pending status generate action items to guide implementation
  • Manual creation — Any team member with permission can create an action item to track work related to specific controls or risks
  • Assessments — Gaps identified in readiness or vendor assessments can be automatically converted into action items with a due date and owner assigned

Action Item Structure

Each action item contains:

  • Title and description — What needs to be done and why
  • Priority — Critical, high, medium, or low
  • Owner — Who in the organization is responsible for resolving it
  • Due date — Deadline for completion
  • Linked control — The compliance control that will benefit from resolution
  • Status — Open, in progress, resolved, or accepted as risk

Resolving an Action Item

When working on an action item, update its status to In Progress and add comments recording progress. When the fix is implemented, mark it as Resolved and attach the relevant evidence — a screenshot, audit log, or document proving the correction.

Resolved action items with evidence directly contribute to the status of linked controls, advancing your compliance program's progress in a traceable way.

Accept as Risk

In cases where remediation is not feasible in the short term — due to cost, operational impact, or a strategic decision — you can mark the item as Accepted as Risk and document the justification. This record is kept as evidence that the decision was made consciously and documented, which is an explicit requirement in ISO 27001 and SOC 2 audits.
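The workflow described on this page (automated creation from a failed test, the fields of an action item, Resolved only with evidence, Accepted as Risk only with a justification, and the contribution of resolved items to the linked control) can be modelled as a small state machine. The following is an added example and is not the platform's own code or data model; the control identifiers, test results, SLA-per-priority mapping and the `action_items_from_tests` / `control_progress` helpers are constructed for illustration.

```python
"""Added example: minimal model of the action-item lifecycle (not platform code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Priority(str, Enum):
    CRITICAL = "critical"
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


class Status(str, Enum):
    OPEN = "open"
    IN_PROGRESS = "in progress"
    RESOLVED = "resolved"
    ACCEPTED_AS_RISK = "accepted as risk"


# Assumed due-date SLA per priority, in days (constructed, not a platform default).
SLA_DAYS = {Priority.CRITICAL: 7, Priority.HIGH: 14, Priority.MEDIUM: 30, Priority.LOW: 90}


@dataclass
class ActionItem:
    title: str
    description: str
    priority: Priority
    owner: str
    due_date: date
    linked_control: str                      # control that benefits from resolution
    status: Status = Status.OPEN
    comments: list[str] = field(default_factory=list)
    evidence: list[str] = field(default_factory=list)   # screenshot / log / document refs
    risk_justification: str | None = None

    def _require_active(self) -> None:
        if self.status not in (Status.OPEN, Status.IN_PROGRESS):
            raise ValueError(f"item already closed with status {self.status.value!r}")

    def start(self, note: str) -> None:
        """Move to In Progress and record the first progress comment."""
        self._require_active()
        self.status = Status.IN_PROGRESS
        self.comments.append(note)

    def resolve(self, evidence_ref: str) -> None:
        """Mark Resolved; refuses to close without a reference to the proving evidence."""
        self._require_active()
        if not evidence_ref.strip():
            raise ValueError("resolution requires evidence of the correction")
        self.evidence.append(evidence_ref)
        self.status = Status.RESOLVED

    def accept_as_risk(self, justification: str) -> None:
        """Mark Accepted as Risk; the justification is the audit record of the decision."""
        self._require_active()
        if not justification.strip():
            raise ValueError("accepting a risk requires a documented justification")
        self.risk_justification = justification
        self.status = Status.ACCEPTED_AS_RISK


def action_items_from_tests(results: list[dict], owner: str, today: date) -> list[ActionItem]:
    """Automated source: one action item per failed integration test, linked to its control."""
    items = []
    for r in results:
        if r["passed"]:
            continue
        prio = Priority(r["priority"])
        items.append(ActionItem(
            title=f"{r['test']} failed for {r['subject']}",
            description=r["detail"],
            priority=prio,
            owner=owner,
            due_date=today + timedelta(days=SLA_DAYS[prio]),
            linked_control=r["control"],
        ))
    return items


def control_progress(items: list[ActionItem], control: str) -> float:
    """Share of a control's action items that are Resolved with attached evidence."""
    linked = [i for i in items if i.linked_control == control]
    if not linked:
        return 1.0   # nothing outstanding for this control
    done = [i for i in linked if i.status is Status.RESOLVED and i.evidence]
    return len(done) / len(linked)


# Constructed sample test results; control IDs and accounts are placeholders.
SAMPLE_RESULTS = [
    {"control": "CTRL-MFA-01", "test": "mfa_enforced", "subject": "svc-backup@example.com",
     "passed": False, "priority": "high", "detail": "MFA is disabled on this account"},
    {"control": "CTRL-MFA-01", "test": "mfa_enforced", "subject": "alice@example.com",
     "passed": True, "priority": "high", "detail": "MFA enabled"},
    {"control": "CTRL-LOG-03", "test": "audit_log_retention", "subject": "prod-audit-trail",
     "passed": False, "priority": "medium", "detail": "retention configured below 365 days"},
]
TODAY = date(2026, 4, 11)   # constructed "today" so the example is reproducible

if __name__ == "__main__":
    items = action_items_from_tests(SAMPLE_RESULTS, "security-team", TODAY)
    items[0].start("ticket opened with identity team")
    items[0].resolve("screenshot: mfa-enabled-svc-backup.png")
    items[1].accept_as_risk("log platform migration scheduled next quarter; compensating review weekly")
    for i in items:
        print(i.linked_control, i.title, i.status.value, i.due_date)
    print("CTRL-MFA-01 progress:", control_progress(items, "CTRL-MFA-01"))
```

The two guard clauses are the point of the model: an item cannot reach Resolved without an evidence reference, and cannot reach Accepted as Risk without a justification, so every closed item carries the artefact an auditor will ask for. `control_progress` deliberately counts only Resolved items with evidence, matching the page's statement about what advances a linked control; accepted risks are closed but remain visible as a documented decision rather than as progress.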