Nirosh Jayaratnam recently published two pieces that cut through a lot of the noise in the GRC space: "Compliance Is Broken. Here’s How We Got Here" and "Stop Buying Compliance Theater: A Practical Checklist". If you haven’t read them, they’re worth your time.
The core argument is that too many compliance automation platforms are, in Jayaratnam’s words, “template packs with a thin SaaS wrapper.” You sign up, adopt pre-written policies, click through forms, and get a certificate. The policies don’t reflect your organization. The evidence isn’t real. And when something goes wrong, the people who signed off on management assertions carry personal liability for a program that was never actually implemented.
We deploy and manage CISO Assistant for clients, so we have obvious skin in the game. But the evaluation checklist he published is good, and we think it’s worth running our own tool through it honestly. Not everything will be flattering.
1. Do your homework on the vendor
The checklist says: don’t trust marketing. Check independent reviews, ask peers who’ve gone through a full audit cycle with the tool, look at how the vendor handles criticism.
How CISO Assistant stacks up: CISO Assistant is open-source under AGPLv3. The source code is on GitHub with public issues, pull requests, and commit history. You can read every line of code before you deploy it. The community edition has no sales team, no aggressive demos, no pressure to sign. You just use it.
That said, open source doesn’t automatically mean “good.” You still need to evaluate whether the tool actually fits your needs. The project is relatively young (started in 2023), and the community is smaller than established commercial platforms. Check the GitHub issues, read the discussions, deploy a test instance and actually use it with your real frameworks before committing.
Honest gap: There’s no G2 page full of enterprise reviews. Most feedback lives in GitHub discussions and niche security communities. If you need a long track record with hundreds of verified enterprise deployments, CISO Assistant doesn’t have that yet.
2. How does it collect evidence?
This is where the checklist draws the sharpest line. Real integrations that pull actual data vs. form fields where you paste screenshots.
How CISO Assistant stacks up: Let’s be direct. CISO Assistant is not a compliance automation platform in the Vanta/Drata sense. It does not have one-click integrations with AWS, GCP, or your HRIS that automatically pull evidence.
What it does have is a REST API that lets you build those integrations yourself. You can write scripts or middleware that pull configurations from your cloud provider, your SSO, your SIEM, and push that data into CISO Assistant as evidence attached to specific controls. We’ve built these for clients - pulling IAM policies from AWS, configuration exports from Azure AD, vulnerability scan results from tools like Trivy or Snyk.
But this is custom work. You need to write code or hire someone to do it. If your team doesn’t have that capacity, this is a real limitation.
What you get instead: Manual evidence upload with metadata. You attach files, screenshots, or documents to specific controls with descriptions and timestamps. The platform tracks which controls have evidence and which don’t. It’s honest about what’s there and what’s missing.
Honest gap: If automated evidence collection from cloud providers is your top priority, a commercial platform like Vanta or Drata will do that better out of the box. CISO Assistant’s strength is in framework management and risk assessment, not in automated evidence pulling. The API makes automation possible, but you build it yourself.
3. Auditor independence
The checklist warns about structural conflicts of interest: platforms that lock you into their auditor partner, audit firms that are owned by the same entity as the platform, and auditors who don’t design their own test procedures.
How CISO Assistant stacks up: This is where open-source GRC has a structural advantage. CISO Assistant has no auditor partnerships. No certification mill relationships. No bundled audit services. No “recommended auditor” that gets a referral fee.
You choose your own auditor. The auditor designs their own test procedures. The auditor writes their own conclusions. CISO Assistant is just the platform where your compliance data lives. Any competent auditor can review it.
There is zero financial relationship between CISO Assistant (or Intuitem, the company behind it) and any audit firm. The platform doesn’t generate draft reports. It doesn’t pre-fill auditor conclusions. It doesn’t write test procedures.
Honest gap: The flip side of “no bundled auditor” is that you need to find and vet your own audit firm. If you’re a startup going through your first SOC 2 or ISO 27001, navigating the auditor market is an additional task. Commercial platforms that guide you through the auditor selection process do provide value there, even if the bundling creates structural risks.
4. Can you trust the evidence?
The checklist focuses on evidence integrity: timestamps, chain of custody, tamper detection, separation between automated and manual evidence.
How CISO Assistant stacks up: Every piece of evidence in CISO Assistant has metadata - who uploaded it, when, which control it’s attached to. The platform tracks assessment history and status changes over time. If you self-host (which most CISO Assistant users do), you control the database directly, which means you can implement whatever backup, audit logging, and access control policies you want at the infrastructure level.
The API-based approach means that when evidence comes from an integration you built, there’s a clear chain: the script pulled data from source X at time Y and attached it to control Z. This is traceable and verifiable.
Honest gap: CISO Assistant doesn’t have built-in cryptographic hashing or blockchain-style immutable evidence logs. If someone with database access wanted to modify evidence, they technically could. For most organizations, standard database access controls and backup policies handle this. But if you need cryptographic evidence integrity guarantees, that’s not a native feature today.
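The chain described above (source X, time Y, control Z) and the hashing gap just noted can both be addressed in the collector script before it pushes evidence through the API. The following is an added example, not code from CISO Assistant or Intuitem: it wraps pulled data with its provenance and a SHA-256 digest over the whole record, so later modification of either the payload or its attribution is detectable. The IAM payload is a constructed sample, the control reference is illustrative, and the API call itself is left out.

```python
import hashlib
import json
from datetime import datetime, timezone


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_evidence_record(control_id: str, source: str, payload: dict,
                          collected_at: datetime) -> dict:
    """Wrap data pulled by a collector into a self-describing evidence record.

    The digest covers provenance and payload together, so re-pointing the
    record at another control or altering the data both break verification.
    """
    fields = {
        "control_id": control_id,
        "source": source,
        "collected_at": collected_at.isoformat(),
        "payload": payload,
    }
    return {**fields, "sha256": _digest(fields)}


def verify_evidence_record(record: dict) -> bool:
    """Recompute the digest from the stored fields and compare."""
    fields = {k: record[k] for k in ("control_id", "source", "collected_at", "payload")}
    return _digest(fields) == record["sha256"]


# Constructed sample of what an AWS IAM collector might return for one policy.
SAMPLE_IAM_POLICY = {
    "PolicyName": "example-readonly",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}],
}


def demo() -> tuple:
    """Returns (intact, payload_tampered, attribution_tampered) verification results."""
    record = build_evidence_record(
        control_id="A.8.9",  # illustrative ISO 27001 reference
        source="aws:iam:get-policy-version",
        payload=SAMPLE_IAM_POLICY,
        collected_at=datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc),
    )
    payload_tampered = json.loads(json.dumps(record))
    payload_tampered["payload"]["Statement"][0]["Action"] = ["s3:*"]
    attribution_tampered = dict(record, control_id="A.5.1")
    return (verify_evidence_record(record),
            verify_evidence_record(payload_tampered),
            verify_evidence_record(attribution_tampered))
```

Storing the digests somewhere the database administrators cannot write (a separate log or a signed manifest) is what turns this from a consistency check into an integrity guarantee.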
5. Real policies or template theater?
This is the core of Jayaratnam’s critique. Template-driven platforms hand you generic documents that reference tools you don’t use, processes you haven’t implemented, and controls you can’t explain. Then they call it “compliance.”
How CISO Assistant stacks up: CISO Assistant doesn’t generate policies for you. At all. There’s no “generate my information security policy” button. There’s no template pack that auto-fills with your company name.
What it does: you create applied controls - specific security measures your organization has actually implemented. You describe what each control does in your context. You map those controls to framework requirements. You track implementation status, assign evidence, and monitor compliance over time.
This means your compliance program reflects what you actually do. If you haven’t implemented encryption at rest, that shows up as a gap, not as a checked box with a template policy you never read.
The downside is that this takes real work. You can’t achieve “100% compliance” in days. You need someone who understands your organization’s security posture to define controls, write policy language, and map everything correctly. That’s the point - compliance work should be actual work.
Honest gap: The lack of templates means a higher barrier to entry. If you’re building your first ISMS and have never written an information security policy, CISO Assistant gives you the structure (frameworks, requirements, control categories) but not the content. You need security expertise - either in-house or hired - to fill in the substance. This is by design, but it’s still a barrier for smaller teams.
6. Cross-framework mapping
The checklist asks: if you pursue multiple frameworks, can controls map across without duplicating effort?
How CISO Assistant stacks up: This is where CISO Assistant is strongest. The platform ships with 80+ frameworks and maintains cross-framework mappings. When you implement a control for ISO 27001 A.8.9 (Configuration Management), CISO Assistant shows you that the same control also satisfies NIS2 Article 21(2)(e) and parts of SOC 2 CC6.1.
In practice, this means an organization running ISO 27001 and NIS2 simultaneously doesn’t do double the work. A single applied control can satisfy requirements across multiple frameworks, and the compliance dashboard shows progress for each framework independently.
We’ve used this with clients who need ISO 27001 + NIS2 + GDPR. The overlap is significant (70-80% between ISO 27001 and NIS2), and CISO Assistant makes that overlap visible and actionable. See our multi-framework compliance guide for a practical walkthrough.
7. The bigger picture: compliance theater vs. real security
The strongest point in both articles is that compliance has become performative for too many organizations. Management treats it as a cost center. They buy the cheapest solution. They staff it with people who aren’t empowered to push back. They stack certifications while the actual security posture stays hollow.
Open-source GRC doesn’t solve all of this. If your management doesn’t care about real security, no tool will fix that. But open-source tools change the economics and the incentives in ways that matter:
No “SOC 2 in weeks” marketing. CISO Assistant doesn’t promise fast certifications because that’s not what it does. It gives you a platform to manage real compliance work. The speed depends on how much work you actually do.
No vendor lock-in on your compliance data. Your assessments, controls, risk registers, and evidence live in a PostgreSQL database you control. If you decide CISO Assistant isn’t right for you, your data doesn’t disappear behind a canceled subscription.
Source code is public. When your auditor asks “how does this platform work?” you can point them to the source code. When a client asks “what does your compliance program actually contain?” you can show them real controls mapped to real requirements, not a trust center generated from templates.
Lower financial pressure to cut corners. When you’re paying $15,000-50,000 per year for a commercial platform, there’s pressure to justify that cost by getting certified fast. When the platform is free, the pressure shifts to getting it right - because the only cost is your team’s time, and you want that time to produce real security outcomes.
Where CISO Assistant falls short
We’d be doing exactly the thing the articles criticize if we pretended CISO Assistant is perfect. Here’s where it honestly doesn’t match up:
Automated evidence collection. Commercial platforms win here. If you want one-click integrations that pull AWS configs, GitHub PR reviews, and Okta access logs without writing code, CISO Assistant doesn’t do that natively. The API makes it possible, but you build it.
Guided onboarding. There’s no step-by-step wizard that walks you through your first SOC 2. You need to understand compliance frameworks enough to configure the platform yourself, or hire someone who does.
Enterprise polish. CISO Assistant’s UI is functional and improving, but it doesn’t have the polish of a funded SaaS product. If executive-facing dashboards and slick reporting are important to your stakeholders, manage expectations.
Support. The community edition relies on GitHub issues and community forums. If you need guaranteed SLA-backed support, you need the commercial edition or a managed service provider (like us).
The bottom line
The practitioner checklist asks the right questions. When you apply them to open-source GRC, the results are mixed but honest:
| Criterion | CISO Assistant | Commercial platforms |
|---|---|---|
| Vendor transparency | Full source code, public development | Closed source, marketing-driven |
| Evidence collection | API-based, build your own | One-click cloud integrations |
| Auditor independence | No auditor relationships | Often bundled/partnered |
| Evidence integrity | Metadata + self-hosted control | Varies by platform |
| Policy quality | You build real policies | Often template-driven |
| Cross-framework mapping | 80+ frameworks, native mapping | Varies, often limited |
| Onboarding ease | Higher barrier, more manual | Guided wizards, faster start |
| Cost | Free (community), hosting costs only | $15,000-50,000+/year |
If you want compliance done fast and don’t have security expertise in-house, a good commercial platform with a reputable auditor might be the right choice. Just apply the evaluation checklist rigorously. Not all commercial platforms are compliance theater.
If you want compliance done right and have (or can hire) the expertise to build a real security program, open-source GRC gives you the transparency, independence, and control to do it without the structural conflicts that the articles describe.
Either way, read the full evaluation checklist. It will make you a better buyer regardless of which direction you go.
Want to see how CISO Assistant handles real compliance work? Explore our live demo with pre-loaded ISO 27001 and NIS2 frameworks, or check out the free ISO 27001 Gap Analysis tool to assess where you stand today. If you want help setting up CISO Assistant for your organization, book a free call and we’ll go through your situation.