🚧 Early alpha — building the foundation. See the roadmap →

For GRC / ISRM (operational compliance)


GRC/ISRM is the system-of-record owner for the spine: authorities and frameworks, requirements, the control library, risk scenarios, and evidence. Everyone else reads these entities; you maintain them.

| Entity | Your role |
| --- | --- |
| Authority / Framework (CRI + crosswalked CSF/800-53/ISO) | ◎ own |
| Requirement / Diagnostic Statement | ◎ own |
| Control (reference + applied) | ◎ own |
| Evidence | ◎ own (collect once) |
| Risk / Risk Scenario | ◎ own (ERM co-owns) |
| Asset | ◎ own (with IT) |
  1. Stand up the spine. Import your top-of-house authority (CRI Profile) and the frameworks you map to (NIST CSF 2.0, 800-53, ISO 27001) via Crosswalker: Import structured data → one concept note per framework requirement.
  2. Import the crosswalks. Bring in CRI ↔ CSF ↔ 800-53 mappings via Crosswalker: Import SSSOM mapping file → junction notes carrying typed STRM relationships. This is the “assess once, comply many” wiring: one control hangs off many requirements.
  3. Build coverage and gap views. Crosswalker: Insert query into note → pick a coverage-matrix recipe → see which CRI statements are covered (and which controls are missing) across frameworks. Anti-join recipes surface “controls with no evidence.”
  4. Collect evidence once. Attach evidence to the control; because of the crosswalk, that evidence answers every framework requirement the control maps to.
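The four steps above are, underneath, a small graph problem: requirements are crosswalked to each other by typed STRM relationships, applied controls hang off requirements, and evidence hangs off controls. The following is an added illustration written for this page, not Crosswalker's own code or its query recipes. It assumes a convention (not stated by the page) for reading the NIST OLIR STRM type out of SSSOM's SKOS predicates, and every identifier, mapping row, control and evidence item in it is constructed for illustration rather than taken from the official CRI/CSF/800-53/ISO crosswalks.

```python
"""Toy 'assess once, comply many' crosswalk (illustrative, not Crosswalker's code).

Requirements <-> requirements come from SSSOM rows; controls point at the
requirements they satisfy; evidence points at controls. Coverage for a CRI
statement is everything reachable through the crosswalk.
"""
import csv
import io
from collections import defaultdict

# Assumed convention: SSSOM SKOS predicate -> NIST OLIR STRM relationship type.
# Anything else is treated as "not related to" and adds no crosswalk edge.
STRM = {
    "skos:exactMatch": "equal",
    "skos:narrowMatch": "subset of",
    "skos:broadMatch": "superset of",
    "skos:relatedMatch": "intersects with",
}

# Constructed SSSOM mapping file (TSV, standard SSSOM column names).
# The rows are illustrative, not the official framework crosswalk.
SSSOM_TSV = """subject_id\tpredicate_id\tobject_id\tmapping_justification
cri:PR.AA-01.01\tskos:exactMatch\tcsf:PR.AA-01\tsemapv:ManualMappingCuration
csf:PR.AA-01\tskos:relatedMatch\tsp80053:AC-2\tsemapv:ManualMappingCuration
csf:PR.AA-01\tskos:relatedMatch\tiso27001:A.5.16\tsemapv:ManualMappingCuration
cri:PR.AA-05.01\tskos:exactMatch\tcsf:PR.AA-05\tsemapv:ManualMappingCuration
csf:PR.AA-05\tskos:narrowMatch\tsp80053:AC-6\tsemapv:ManualMappingCuration
cri:DE.CM-01.01\tskos:exactMatch\tcsf:DE.CM-01\tsemapv:ManualMappingCuration
"""

# Constructed CRI statements, applied controls (control -> requirements it
# satisfies) and evidence (evidence id -> the one control it supports).
CRI_STATEMENTS = ["cri:PR.AA-01.01", "cri:PR.AA-05.01", "cri:DE.CM-01.01"]
CONTROLS = {
    "CTL-IAM-001": {"sp80053:AC-2", "iso27001:A.5.16"},
    "CTL-IAM-002": {"sp80053:AC-6"},
}
EVIDENCE = {"EV-0042": "CTL-IAM-001"}


def parse_sssom(tsv):
    """Yield (subject, STRM relationship, object) triples from SSSOM TSV."""
    rows = csv.DictReader(io.StringIO(tsv), delimiter="\t")
    return [(r["subject_id"], STRM.get(r["predicate_id"], "not related to"),
             r["object_id"]) for r in rows]


def build_crosswalk(triples):
    """Undirected adjacency between requirements; 'not related to' adds nothing."""
    graph = defaultdict(set)
    for subj, rel, obj in triples:
        if rel == "not related to":
            continue
        graph[subj].add(obj)
        graph[obj].add(subj)
    return graph


def equivalents(start, graph):
    """Transitive closure: every requirement reachable from `start`."""
    seen, todo = {start}, [start]
    while todo:
        node = todo.pop()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def framework(req_id):
    """Framework prefix of a CURIE-style requirement id, e.g. 'csf'."""
    return req_id.split(":", 1)[0]


def coverage_matrix(cri_ids, graph, controls, evidence):
    """Per CRI statement: mapped requirements by framework, the controls that
    hang off any of them, and the evidence those controls carry."""
    supported = defaultdict(set)
    for ev, ctl in evidence.items():
        supported[ctl].add(ev)
    matrix = {}
    for cri in cri_ids:
        reqs = equivalents(cri, graph)
        by_fw = defaultdict(set)
        for req in reqs:
            by_fw[framework(req)].add(req)
        ctls = {c for c, satisfied in controls.items() if satisfied & reqs}
        matrix[cri] = {
            "frameworks": {fw: sorted(ids) for fw, ids in by_fw.items()},
            "controls": sorted(ctls),
            "evidence": sorted(e for c in ctls for e in supported[c]),
        }
    return matrix


def controls_without_evidence(controls, evidence):
    """Anti-join: applied controls that no evidence item points at."""
    return sorted(set(controls) - set(evidence.values()))


def cri_without_control(matrix):
    """Anti-join: CRI statements whose crosswalk reaches no applied control."""
    return sorted(cri for cri, row in matrix.items() if not row["controls"])


if __name__ == "__main__":
    graph = build_crosswalk(parse_sssom(SSSOM_TSV))
    matrix = coverage_matrix(CRI_STATEMENTS, graph, CONTROLS, EVIDENCE)
    for cri, row in matrix.items():
        print(cri, row)
    print("controls with no evidence:", controls_without_evidence(CONTROLS, EVIDENCE))
    print("CRI statements with no control:", cri_without_control(matrix))
```

Two things the toy makes visible that the prose only asserts: the single evidence item EV-0042, attached once to CTL-IAM-001, shows up under the CSF, 800-53 and ISO requirements at the same time, and the two anti-joins are different questions (a control nobody has evidenced versus a requirement nobody has a control for) that a gap view should report separately. The closure is deliberately undirected across "subset of" and "superset of"; if you want coverage to count only when the control fully satisfies the requirement, walk those edges in one direction instead.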

Crosswalker is the relatable control/crosswalk backbone, not a full GRC platform. Evidence-automation pipelines, risk quantification, and BCP/IR workflows live in your other tools (see related tooling); they connect to Crosswalker at the shared control.