Probo organizes your compliance program around a hierarchy of objects that map directly to the structure of recognized security and privacy standards. Understanding this hierarchy helps you know where to record work, link evidence, and track progress toward certification.

Supported frameworks

Probo ships with built-in content for the following frameworks:
| Framework | Description |
|---|---|
| SOC 2 | Service Organization Control 2 — trust service criteria for security, availability, processing integrity, confidentiality, and privacy |
| ISO 27001 | International standard for information security management systems |
| ISO 27701 | Extension to ISO 27001 covering privacy information management |
| ISO 42001 | AI management system standard |
| GDPR | General Data Protection Regulation — EU data privacy law |
| HIPAA | Health Insurance Portability and Accountability Act — US healthcare data rules |
You can also create custom frameworks for internal standards or other regulations.

The compliance hierarchy

Every compliance program in Probo follows the same five-level hierarchy:
Framework
└── Control
    └── Measure
        └── Task
            └── Evidence
A framework is the top-level container for a compliance standard (e.g. “SOC 2 Type II”). It holds a set of controls and can be linked to audits and snapshots.

Each framework has a name, an optional description, and optional light/dark logo images. You can import a framework from a JSON definition, export it as a ZIP archive, or delete it entirely.
A control is a specific requirement within the framework, identified by a section title (e.g. “CC6.1”). Controls have:
  • Name and description — what the control requires
  • Section title — the clause identifier used in the standard
  • Implementation state: IMPLEMENTED or NOT_IMPLEMENTED
  • Not-implemented justification — required when a control is marked not implemented
  • Best practice flag — whether the control is considered a best practice
Controls link to measures (many-to-many), documents, audits, snapshots, and obligations.
A measure is a security or operational control you have put in place to satisfy one or more framework controls (e.g. “Access reviews are performed quarterly”). Measures have:
  • Name, description, and category
  • State: NOT_STARTED, IN_PROGRESS, NOT_APPLICABLE, or IMPLEMENTED
A single measure can be linked to multiple controls across different frameworks, avoiding duplication.
Tasks are the discrete work items within a measure. You assign tasks to team members, and evidence is attached at the task level. Task states are TODO and DONE.
Evidence is proof that a task has been completed. See Evidence collection for full details on evidence types and states.
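The hierarchy above is easiest to reason about as data. The following is an added example, not Probo's own code or schema: a minimal model of Framework > Control > Measure > Task > Evidence with a bottom-up readiness check of the kind a reviewer runs before an audit. The class names, the sample data and the roll-up rule (a control that claims IMPLEMENTED should be backed by at least one IMPLEMENTED measure with a DONE task carrying evidence) are this example's assumptions; the state names and the "justification required when not implemented" rule come from the text.

```python
"""Added example (not Probo's own code): a small model of the
Framework > Control > Measure > Task > Evidence hierarchy, plus a readiness
check that walks it bottom-up before an audit. Class names, sample data and
the roll-up rule are this example's assumptions, not Probo's schema."""
from dataclasses import dataclass, field

CONTROL_STATES = {"IMPLEMENTED", "NOT_IMPLEMENTED"}
MEASURE_STATES = {"NOT_STARTED", "IN_PROGRESS", "NOT_APPLICABLE", "IMPLEMENTED"}
TASK_STATES = {"TODO", "DONE"}


@dataclass
class Task:
    name: str
    state: str = "TODO"
    evidence: list = field(default_factory=list)  # evidence is attached at task level


@dataclass
class Measure:
    name: str
    state: str = "NOT_STARTED"
    tasks: list = field(default_factory=list)


@dataclass
class Control:
    section_title: str
    name: str
    implementation_state: str = "NOT_IMPLEMENTED"
    not_implemented_justification: str = ""
    # many-to-many: the same Measure object may be listed under several controls
    measures: list = field(default_factory=list)


def measure_is_backed(measure):
    """Assumed roll-up rule: a measure is backed only when it is IMPLEMENTED
    and at least one of its tasks is DONE with evidence attached."""
    return measure.state == "IMPLEMENTED" and any(
        t.state == "DONE" and t.evidence for t in measure.tasks)


def readiness_report(controls):
    """Return what a reviewer would flag: IMPLEMENTED controls with no backed
    measure, NOT_IMPLEMENTED controls missing their justification, and
    measures reused across controls (the deduplication the hierarchy gives)."""
    for c in controls:
        assert c.implementation_state in CONTROL_STATES, c.section_title
    report = {
        "implemented": sum(c.implementation_state == "IMPLEMENTED" for c in controls),
        "total": len(controls),
        "unbacked": [],
        "missing_justification": [],
        "shared_measures": {},
    }
    for c in controls:
        if c.implementation_state == "IMPLEMENTED":
            if not any(measure_is_backed(m) for m in c.measures):
                report["unbacked"].append(c.section_title)
        elif not c.not_implemented_justification.strip():
            report["missing_justification"].append(c.section_title)
        for m in c.measures:
            report["shared_measures"].setdefault(m.name, []).append(c.section_title)
    report["shared_measures"] = {
        k: v for k, v in report["shared_measures"].items() if len(v) > 1}
    return report


def sample_controls():
    """Constructed sample data shaped like a SOC 2 framework."""
    access_review = Measure("Quarterly access reviews", "IMPLEMENTED", [
        Task("Review Q1 access list", "DONE", ["access-review-q1.pdf"]),
        Task("Review Q2 access list", "TODO"),
    ])
    log_monitoring = Measure("Centralised log monitoring", "IN_PROGRESS", [
        Task("Ship auth logs to the SIEM", "TODO"),
    ])
    return [
        Control("CC6.1", "Logical access", "IMPLEMENTED", measures=[access_review]),
        Control("CC6.2", "Access provisioning"),  # NOT_IMPLEMENTED, no justification
        Control("CC6.3", "Access removal", "IMPLEMENTED", measures=[access_review]),
        Control("CC7.1", "Monitoring", "IMPLEMENTED", measures=[log_monitoring]),
    ]


if __name__ == "__main__":
    print(readiness_report(sample_controls()))
```

On the sample data the report flags CC6.2 for a missing justification and CC7.1 as IMPLEMENTED without a backed measure, and shows the access-review measure serving two controls at once.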

Managing frameworks

Importing a framework

You can import a framework from a JSON definition file. This populates the framework with its controls in a single operation and is the recommended way to onboard a new standard.
1. Prepare the import definition

Create a JSON file describing your framework. The structure must include a top-level framework object with id, name, optional logo (light and dark SVG strings), and a controls array.
{
  "framework": {
    "id": "soc2",
    "name": "SOC 2",
    "logo": {
      "light": "<svg>...</svg>",
      "dark": "<svg>...</svg>"
    },
    "controls": [
      {
        "id": "CC1.1",
        "name": "Control Environment",
        "description": "The entity demonstrates a commitment to integrity and ethical values.",
        "best_practice": true,
        "implemented": "IMPLEMENTED"
      }
    ]
  }
}
2. Run the import

Submit the import request through the GraphQL API or CLI. Probo creates the framework record and inserts each control in a single transaction.
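Because the import inserts every control in one transaction, a malformed file fails the whole batch, so it pays to check the definition before submitting it. The following is an added example, not Probo's own code or the behaviour of its importer: the field names follow the step 1 sample, while the rules enforced (non-empty ids and names, duplicate control ids, the two implementation state values, and rejecting logo SVGs that carry script or event-handler attributes, since logo strings are later rendered in a browser) are this example's assumptions about what a careful importer would refuse.

```python
"""Added example (not Probo's own code): checks on a framework definition in
the JSON shape from step 1 before it is submitted for import. Field names
follow that sample; which rules to enforce is this example's assumption."""
import json
import re

CONTROL_STATES = {"IMPLEMENTED", "NOT_IMPLEMENTED"}
# Logo SVG strings end up rendered in a browser UI, so a definition file that
# came from outside your team should not be able to carry script in a logo.
UNSAFE_SVG = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def validate_definition(text):
    """Return a list of error strings; an empty list means the file passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    fw = doc.get("framework") if isinstance(doc, dict) else None
    if not isinstance(fw, dict):
        return ["missing top-level 'framework' object"]
    errors = []
    for key in ("id", "name"):
        if not isinstance(fw.get(key), str) or not fw[key].strip():
            errors.append(f"framework.{key} must be a non-empty string")
    logo = fw.get("logo")  # optional, but if present both variants must be SVG
    if logo is not None:
        if not isinstance(logo, dict):
            errors.append("framework.logo must be an object with 'light' and 'dark'")
        else:
            for variant in ("light", "dark"):
                svg = logo.get(variant)
                if not isinstance(svg, str) or not svg.lstrip().startswith("<svg"):
                    errors.append(f"framework.logo.{variant} must be an SVG string")
                elif UNSAFE_SVG.search(svg):
                    errors.append(f"framework.logo.{variant} contains script or an event handler")
    controls = fw.get("controls")
    if not isinstance(controls, list) or not controls:
        errors.append("framework.controls must be a non-empty array")
        return errors
    seen = set()
    for i, ctrl in enumerate(controls):
        where = f"framework.controls[{i}]"
        if not isinstance(ctrl, dict):
            errors.append(f"{where} must be an object")
            continue
        cid = ctrl.get("id")
        if not isinstance(cid, str) or not cid.strip():
            errors.append(f"{where}.id must be a non-empty string")
        elif cid in seen:
            errors.append(f"{where}.id {cid!r} is duplicated")
        else:
            seen.add(cid)
        if not isinstance(ctrl.get("name"), str) or not ctrl["name"].strip():
            errors.append(f"{where}.name must be a non-empty string")
        if "description" in ctrl and not isinstance(ctrl["description"], str):
            errors.append(f"{where}.description must be a string")
        if "best_practice" in ctrl and not isinstance(ctrl["best_practice"], bool):
            errors.append(f"{where}.best_practice must be true or false")
        if "implemented" in ctrl and ctrl["implemented"] not in CONTROL_STATES:
            errors.append(f"{where}.implemented must be IMPLEMENTED or NOT_IMPLEMENTED")
    return errors


# Constructed samples: one well-formed (mirrors the step 1 layout), one with
# four defects a reviewer would want caught before the import runs.
GOOD_DEFINITION = json.dumps({"framework": {
    "id": "soc2", "name": "SOC 2",
    "logo": {"light": "<svg></svg>", "dark": "<svg></svg>"},
    "controls": [{"id": "CC1.1", "name": "Control Environment",
                  "description": "The entity demonstrates a commitment to integrity and ethical values.",
                  "best_practice": True, "implemented": "IMPLEMENTED"}]}})

BAD_DEFINITION = json.dumps({"framework": {
    "id": "custom", "name": "",
    "logo": {"light": '<svg onload="alert(1)"></svg>', "dark": "<svg></svg>"},
    "controls": [{"id": "C1", "name": "Asset inventory", "implemented": "IMPLEMENTED"},
                 {"id": "C1", "name": "Asset ownership", "implemented": "DONE"}]}})

if __name__ == "__main__":
    for label, text in (("good", GOOD_DEFINITION), ("bad", BAD_DEFINITION)):
        print(label, validate_definition(text) or "ok")
```

Run it over a definition file before the import request; anything it reports would otherwise surface only as a rolled-back transaction, and the SVG check is the one item worth keeping even if the rest is relaxed.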

Exporting a framework

You can export a framework as a ZIP archive. The archive contains:
  • A directory per control (named by section title)
  • A subdirectory per measure within each control
  • All fulfilled FILE-type evidence files for each measure
  • PDF exports of all published documents linked to each control
The export is generated asynchronously and delivered to a recipient email address when ready.

Audits

An audit represents a formal review of your compliance against a framework, typically conducted by an external auditor or internal team.

Audit states

| State | Meaning |
|---|---|
| NOT_STARTED | Audit created but review has not begun |
| IN_PROGRESS | Auditor is actively reviewing controls and evidence |
| COMPLETED | Audit finished with a passing outcome |
| REJECTED | Audit concluded with non-conformities that prevent certification |
| OUTDATED | Audit predates significant changes and is no longer current |

Audit findings

During an audit, the auditor may raise findings. Each finding has:
  • Kind: MINOR_NONCONFORMITY, MAJOR_NONCONFORMITY, OBSERVATION, or EXCEPTION
  • Status: OPEN, IN_PROGRESS, CLOSED, RISK_ACCEPTED, MITIGATED, or FALSE_POSITIVE
  • Priority: LOW, MEDIUM, or HIGH
Findings are linked to specific audits. You track remediation by updating finding status as you work through each item.

Audit reports

You can upload the final audit report file to an audit record, and optionally share it through the trust center.

Statement of Applicability (ISO 27001)

For ISO 27001, Probo supports a Statement of Applicability (SoA). Each applicability statement covers a specific control and records:
  • Whether the control is applicable
  • The justification for inclusion or exclusion
  • The implementation status
You can export the full SoA as a document to include in your ISO 27001 certification package.

Snapshots

A snapshot captures the state of your compliance program at a specific point in time. When you create a snapshot, Probo copies your current controls, measures, risks, vendors, and evidence into an immutable record. This is useful for:
  • Retaining evidence of your compliance posture at the time of an audit
  • Comparing current state against a prior period
  • Providing auditors with a consistent reference point
Snapshots are linked to controls and audits through mapping records.
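What makes a snapshot an "immutable record" rather than just a copy is that later edits to the live program cannot change it, and that tampering with the stored copy is detectable. The following is an added example, not Probo's own snapshot implementation: a snapshot is a deep copy of the program state plus a SHA-256 digest over its canonical JSON form; verifying recomputes the digest, and a diff between the snapshot taken at audit time and one taken today lists exactly what changed in the period. The state layout, the collection and item names and the sample values are this example's assumptions.

```python
"""Added example (not Probo's own code): a snapshot as canonical JSON plus a
SHA-256 digest, with verification and a period-over-period diff. The state
layout and sample values are constructed for this example."""
import copy
import hashlib
import json


def _canonical(state):
    # sort_keys and compact separators make the digest independent of key
    # order and whitespace, so two equal states always hash the same
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")


def take_snapshot(state, taken_at):
    """Freeze a deep copy of the current state together with its digest."""
    frozen = copy.deepcopy(state)  # later edits to `state` do not reach the snapshot
    return {
        "taken_at": taken_at,
        "state": frozen,
        "sha256": hashlib.sha256(_canonical(frozen)).hexdigest(),
    }


def verify_snapshot(snapshot):
    """True only if the stored state still hashes to the recorded digest."""
    return hashlib.sha256(_canonical(snapshot["state"])).hexdigest() == snapshot["sha256"]


def diff_snapshots(old, new):
    """For each collection (controls, measures, ...), map changed item keys to
    (before, after); None marks an item that did not exist on one side."""
    changes = {}
    for collection in sorted(set(old["state"]) | set(new["state"])):
        before = old["state"].get(collection, {})
        after = new["state"].get(collection, {})
        for key in sorted(set(before) | set(after)):
            if before.get(key) != after.get(key):
                changes.setdefault(collection, {})[key] = (before.get(key), after.get(key))
    return changes


def sample_states():
    """Constructed sample: the program as it stood at audit time, and today."""
    at_audit = {
        "controls": {"CC6.1": "IMPLEMENTED", "CC6.2": "NOT_IMPLEMENTED"},
        "measures": {"Quarterly access reviews": "IMPLEMENTED"},
    }
    today = copy.deepcopy(at_audit)
    today["controls"]["CC6.2"] = "IMPLEMENTED"
    today["measures"]["MFA for all staff"] = "IN_PROGRESS"
    return at_audit, today


if __name__ == "__main__":
    at_audit, today = sample_states()
    audit_snapshot = take_snapshot(at_audit, "2024-01-15")
    current_snapshot = take_snapshot(today, "2024-04-15")
    print("audit snapshot intact:", verify_snapshot(audit_snapshot))
    print("changed since audit:", diff_snapshots(audit_snapshot, current_snapshot))
```

The diff is what an auditor asking "what changed since the last review" needs; the digest is what makes the answer trustworthy, since a snapshot whose stored state has been edited after the fact no longer verifies.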

Evidence collection

Learn how to upload and manage evidence for measures and tasks.

Risk management

Track risks and link them to measures and controls.

Policies and documents

Manage policies that map to framework controls.

Trust center

Share your compliance posture publicly or with specific customers.
