Azerbaijan's First Dedicated GRC Platform

Compliance is No Longer a Spreadsheet Problem

GRCLab replaces manual audit spreadsheets with a structured, multi-user platform. Six frameworks, real-time risk scoring, vendor management, and integrations — built for Azerbaijan's financial sector.

  • 6 Audit Frameworks
  • 976 Total Controls
  • 405 CBAR Requirements
  • 100% Azerbaijan-Native
6 Audit Templates

Every Framework Your Organisation Needs

From CBAR's mandatory cybersecurity requirements to international standards — fully loaded with controls, implementation guides, and risk scoring out of the box.

🏦
CBAR Audit
Central Bank of Azerbaijan
All 405 CBAR cybersecurity requirements with step-by-step implementation guides. Mandatory for every CBAR-supervised institution — banks, fintechs, payment companies.
405 Requirements
Controls Audit · Risk Register · Impl. Guides · PDF/Excel
🌐
ISO 27001:2022
Information Security Management
93 Annex A controls across 4 domains. Full assessment with gap analysis, evidence notes, analytics charts, and certification readiness scoring.
93 Controls
Controls Audit · Analytics · Risk Register · Reports
🛡️
NIST CSF 2.0
Cybersecurity Framework 2024
106 controls across 6 functions: Govern, Identify, Protect, Detect, Respond, Recover. Aligned to the 2024 NIST framework revision.
106 Controls
GV·ID·PR·DE·RS·RC · Analytics · Impl. Guide
🔐
CIS Controls v8
18 Control Groups · IG1/IG2/IG3
153 safeguards across 18 control groups, filtered by Implementation Group. Asset inventory, configuration, vulnerability management, logging, and pen testing.
153 Safeguards
IG1/IG2/IG3 Filter · Risk Register · Analytics
🇪🇺
GDPR
EU Data Protection Regulation
99 controls across 10 categories: Lawful Basis, Data Subject Rights, Privacy by Design, Data Governance, Security, Breach Management, DPIA, Transfers, DPO, Special Categories.
99 Controls
LB·DR·PD·DG·SE·BR · Article Refs · Reports
💳
PCI DSS v4.0
Payment Card Industry Standard
120 controls across all 12 PCI DSS v4.0 requirements. For banks and payment processors. References specific PCI DSS section numbers throughout.
120 Controls
R1–R12 · QSA-Ready · Reports
Inside Every Framework

Built for Auditors, Not Administrators

Every framework ships with the same powerful toolset — configured for that standard's specific structure and article references.

🏦
CBAR Compliance Dashboard
  • Network Security: 82%
  • Access Control: 67%
  • Incident Response: 45%
  • Cryptography: 91%
  • Risk Management: 58%
  • Overall Compliance: 68%
Compliance Scoring

Real-time scores across every control category

Implemented = full weight. Partial = 50%. N/A = excluded. Your percentage updates the moment you change a control status — no page reload.

  • Live Ring Charts: Animated score ring per framework on home screen
  • Category Breakdown: Score per domain, function, or requirement group
  • 4 Chart Types: Status doughnut, risk bar, category horizontal bar, progress ring
  • Multi-user Isolation: Each user sees only their own audit data
📘
ISO 27001 — Implementation Guide
A.8.1 · High Risk · Non-Compliant
User Endpoint Devices
Policies and security measures shall protect information accessed, processed, or stored on user endpoint devices.
1. Enable full-disk encryption (BitLocker/FileVault) on all endpoints via MDM.
2. Configure automatic screen lock after 10 minutes via Group Policy.
3. Deploy EDR endpoint protection with central management console.
Implementation Guides

5 concrete steps for every single control

Opens in a designed modal card — not a browser alert — with prev/next navigation across all controls. Written from real audit experience, not from theory.

  • Modal Card Design: Prev/next navigation, status badge, risk badge, article reference
  • Auto Risk Register: Non-compliant controls populate risk register automatically
  • Inline Notes: Add audit notes directly in the controls table
  • Export Everything: Excel, CSV, and PDF per framework independently
📋
Readiness Report — All Frameworks
  • CBAR: 68%
  • ISO: 82%
  • PCI: 41%
Top Priority Gaps
  • MFA not enforced on admin access (Critical)
  • Penetration test overdue 6 months (High)
  • GDPR DPA missing for 3 vendors (High)
Est. prep time to audit-readiness: 3–5 months
Readiness Report

One PDF across all six frameworks

Compiles your live compliance scores into a single branded PDF — RAG status ring, top 10 critical gaps, estimated prep timeline, and a certification prerequisites checklist.

  • Overall RAG Score: Red/Amber/Green ring covering all frameworks combined
  • Priority Gap Table: Top 10 critical/high-risk gaps across all frameworks
  • Prep Timeline: Calculated estimate from gap count and current score
  • Cert Checklist: Prerequisites checklist — already-met items are checked
Vendor Risk Management

Third-party risk under full control

A complete view of every supplier's security posture — scored, assessed, and monitored. Send questionnaires, track certifications, generate portfolio-wide reports.

📋
Token-based questionnaires
28–75 questions sent via link — no vendor login required. Automatic risk scoring on submission.
📊
Risk score 0–100
Weighted scoring across Governance, Access Control, Data Protection, Vulnerability, IR, BCP, and Certs.
📁
Portfolio reports
4-sheet Excel workbook or full PDF with risk distribution, priority actions, and complete vendor register.
⚠️
PII & payments flagging
Instantly see which vendors handle personal data or payment information — with GDPR DPA reminders.
🏢
Vendor Risk Portfolio
8 vendors
  • CloudInfra Ltd (Cloud · Critical Tier): Critical, 28/100
  • PayGate Systems (Payment · PII 💳): High, 52/100
  • AuditPro Group (Audit · Medium Tier): Medium, 71/100
  • LexCounsel Baku (Legal · Low Tier): Low, 88/100
1 critical-risk vendor requires immediate review
Integration Marketplace

Connect to the tools your team already uses

GRCLab fires real-time events to Slack, Jira, Teams, and your SIEM — a non-compliant control automatically creates a ticket, sends an alert, and logs to your security stack.

  • Slack (Live): Rich Block Kit alerts for control changes, high-risk gaps, weekly digest, and breach notifications
  • Microsoft Teams (Live): Adaptive card messages to any Teams channel via Incoming Webhook — same events as Slack
  • Jira (Live): Auto-creates tickets when controls are non-compliant. Maps risk level to Jira priority and project
  • Custom Webhook (Live): POST JSON payloads to any URL — n8n, Zapier, Make.com, or your own API with HMAC signature
  • AWS Security Hub (Beta): Pull findings and auto-map to CIS Controls v8 and NIST CSF controls — eliminates manual entry
  • Azure Defender (Beta): Import Azure Secure Score and map recommendations to CIS and PCI DSS requirements
  • Splunk (Coming Soon): Forward all compliance events via HTTP Event Collector for SIEM dashboards and correlation
  • Microsoft Sentinel (Coming Soon): Bidirectional — push GRC events in, pull security incidents out to trigger GDPR breach workflows
Who It's For

Built for everyone who carries compliance risk

🏦

Banks & Fintechs

CBAR-supervised institutions meeting mandatory cybersecurity requirements. Includes CBAR audit, ISO 27001, PCI DSS for payment processing, and VRM for supplier oversight.

CBAR Audit · ISO 27001 · PCI DSS
🏢

Enterprises & Telecom

Large organisations handling personal data, processing payments, or subject to EU regulations. Full multi-framework assessment with vendor risk management and integrations.

GDPR · CIS Controls · NIST CSF
🔍

Auditors & Consultants

External ISO 27001 Lead Auditors and GRC consultants conducting client audits. Readiness Report generation and audit-as-a-service delivery from a single platform.

All Frameworks · Readiness Report
Pricing

Simple, transparent pricing

15-day free trial on all plans. No credit card required to start.

Solo
Professional
For individual compliance officers and auditors working independently.
$59 per month
  • All 6 audit frameworks
  • CBAR · ISO · NIST · CIS · GDPR · PCI
  • Readiness Report PDF
  • Vendor Risk Management
  • Slack + Jira integrations
  • Excel / CSV / PDF export
  • 1 user account
Custom
Bespoke
For large banks, holding companies, or organisations needing custom configuration or on-premise deployment.
Custom (contact us for a quote)
  • Everything in Enterprise
  • Unlimited users
  • Custom framework configuration
  • On-premise or private cloud option
  • Dedicated onboarding and support
  • SLA-backed uptime
  • Custom integrations on request
Get Started Today

Replace your spreadsheets.
Start your first audit in minutes.

15-day free trial. All 6 frameworks. No credit card required.
Azerbaijan's financial sector is already complying — be part of it.
