Workflow and Status Reference
Use this reference to understand what each status means, what the owner should do next, and when a customer administrator or accountable leader should step in. Status names may vary slightly by workspace, but the decision logic should remain the same.
Assessments
| Status | Meaning | Owner action | When to escalate |
|---|---|---|---|
| Not Started | The assessment has been assigned but work has not begun. | Confirm scope, due date, and responsible contributors. | Escalate if the owner is unclear or the start date has passed. |
| In Progress | Responses, evidence, or reviews are being prepared. | Track completion and remind contributors before the due date. | Escalate if key evidence is missing or progress is stalled. |
| Submitted | The assessment is ready for review. | Review responses and decide whether changes are needed. | Escalate if the reviewer is unavailable or the decision is overdue. |
| Changes Requested | The reviewer needs corrections or more evidence. | Update the requested items and resubmit. | Escalate if the request is unclear or cannot be completed on time. |
| Approved | The assessment has passed review. | File supporting notes and monitor any follow-up actions. | Escalate only if approval conflicts with known issues. |
| Closed | The assessment cycle is complete. | Keep the record for reference and future planning. | Escalate if closure happened before required actions were finished. |
Risks
| Status | Meaning | Owner action | When to escalate |
|---|---|---|---|
| Draft | The risk is being described and scored. | Complete the description, impact, likelihood, owner, and treatment proposal. | Escalate if ownership or severity cannot be agreed. |
| Open | The risk is active and needs management. | Monitor exposure and keep the treatment plan current. | Escalate if the risk exceeds agreed tolerance. |
| Treatment Planned | A response has been selected. | Assign actions, dates, and accountable owners. | Escalate if resources or dates are not committed. |
| Pending Acceptance | The risk requires a formal acceptance decision. | Route to the appropriate decision owner. | Escalate if acceptance is overdue or outside the owner's authority. |
| Accepted | The risk has been accepted by an accountable owner. | Review periodically and reopen if conditions change. | Escalate if acceptance lacks business justification. |
| Closed | The risk is no longer active or has been resolved. | Preserve the decision history. | Escalate if closure is disputed or unsupported. |
Policies
| Status | Meaning | Owner action | When to escalate |
|---|---|---|---|
| Draft | The policy is being written or updated. | Complete content, owner details, and review plan. | Escalate if ownership or scope is unclear. |
| In Review | Reviewers are checking accuracy and applicability. | Collect feedback and resolve comments. | Escalate if reviewers do not respond by the target date. |
| Pending Approval | The policy is ready for a final decision. | Send to the authorized approver. | Escalate if approval is delayed or the approver is not appropriate. |
| Published | The policy is active and available to users. | Communicate expectations and track acknowledgements if required. | Escalate if users report conflicting instructions. |
| Due for Review | The policy needs scheduled review. | Confirm whether it remains valid or requires updates. | Escalate if the review owner is unavailable. |
| Retired | The policy is no longer active. | Keep retirement rationale and replacement details where applicable. | Escalate if users are still relying on retired guidance. |
Exceptions
| Status | Meaning | Owner action | When to escalate |
|---|---|---|---|
| Requested | A user has asked for temporary deviation from a requirement. | Confirm business need, risk, expiry date, and compensating actions. | Escalate if the request is urgent, broad, or poorly justified. |
| Under Review | The exception is being assessed. | Gather input from risk, compliance, and business owners as needed. | Escalate if reviewers disagree on impact. |
| Approved | The exception is allowed for a defined period. | Monitor conditions and expiry date. | Escalate if the exception is used outside the approved scope. |
| Rejected | The exception is not allowed. | Communicate the decision and required alternative. | Escalate if the requester disputes the decision. |
| Expiring Soon | The approved period is near its end. | Renew with justification or prepare to close. | Escalate if continued use is business critical. |
| Closed | The exception is no longer active. | Confirm the normal requirement is being followed again. | Escalate if the exception remains in practice after closure. |
Issues
| Status | Meaning | Owner action | When to escalate |
|---|---|---|---|
| New | An issue has been identified. | Validate details, owner, severity, and target date. | Escalate if severity is high or ownership is unclear. |
| Assigned | An owner is responsible for resolution. | Confirm the action plan and expected completion date. | Escalate if the owner does not accept responsibility. |
| In Remediation | Corrective work is underway. | Track progress and update blockers. | Escalate if the due date is at risk. |
| Pending Validation | The owner says the issue is fixed and needs confirmation. | Check evidence and confirm whether the fix is sufficient. | Escalate if evidence is missing or validation fails repeatedly. |
| Closed | The issue has been resolved and confirmed. | Keep closure notes and evidence. | Escalate if the issue reappears. |
| Overdue | The target date has passed. | Update the recovery plan and new expected date. | Escalate to the accountable leader if delay affects commitments. |
Findings
| Status | Meaning | Owner action | When to escalate |
|---|---|---|---|
| Draft | The finding is being documented. | Complete facts, impact, evidence, and suggested action. | Escalate if facts are disputed. |
| Open | The finding has been confirmed. | Assign an owner and remediation plan. | Escalate if severity is high or ownership is unresolved. |
| Management Response | The responsible owner is preparing a response. | Provide commitment, target date, and action plan. | Escalate if the response is late or incomplete. |
| Remediation in Progress | The action plan is underway. | Track milestones and update evidence. | Escalate if milestones are missed. |
| Ready for Verification | The owner believes remediation is complete and has submitted the finding for auditor verification. | Auditor validates remediation evidence and linked issue/risk context. | Escalate if evidence is missing or a material finding has no linked issue or risk. |
| Verified | Auditor has verified the remediation. | Confirm any linked assessment control has been flagged for targeted reassessment. | Escalate if the affected control owner does not reassess on time. |
| Closed | The finding has been verified and resolved or accepted with rationale. | Preserve closure rationale, evidence, and reassessment outcome. | Escalate if the same finding returns. |
Finding closure gates:
| Gate | Meaning | Owner action | When to escalate |
|---|---|---|---|
| Material linkage | Material findings need a linked issue or risk. | Link the remediation issue or exposure risk before submitting for verification. | Escalate if the business refuses ownership. |
| Evidence required | Remediation evidence is required before verification. | Attach evidence showing the corrective action was completed. | Escalate if evidence cannot be produced. |
| Targeted reassessment | Verified assessment-control findings reopen only the failed control. | Control owner reassesses the affected control and uploads updated evidence. | Escalate if the parent assessment remains blocked. |
Vendors
| Status | Meaning | Owner action | When to escalate |
|---|---|---|---|
| Proposed | A vendor is being considered. | Confirm business need and required review level. | Escalate if the service is urgent or high impact. |
| Under Review | Due diligence is underway. | Collect required questionnaires, documents, and owner input. | Escalate if critical information is missing. |
| Approved | The vendor may be used within approved conditions. | Monitor review dates and required obligations. | Escalate if use changes beyond approved scope. |
| Active | The vendor is currently in use. | Keep ownership, contacts, and review dates current. | Escalate if performance, security, or compliance concerns arise. |
| Suspended | Use is temporarily paused or restricted. | Communicate restrictions and next steps to affected owners. | Escalate if business operations are affected. |
| Offboarded | The relationship has ended. | Confirm return, removal, or retention of required information. | Escalate if closure obligations are incomplete. |
Assets
| Status | Meaning | Owner action | When to escalate |
|---|---|---|---|
| Proposed | An asset is being added for tracking. | Confirm owner, purpose, classification, and criticality. | Escalate if ownership or classification is unclear. |
| Active | The asset is in use. | Keep owner, location, classification, and review details current. | Escalate if the asset supports critical services and details are incomplete. |
| Under Review | Asset details need confirmation. | Validate accuracy and update missing information. | Escalate if the owner does not respond. |
| Change Pending | A material change is planned. | Review impact and update related records. | Escalate if the change may affect risk or compliance obligations. |
| Retired | The asset is no longer in use. | Confirm retirement date and any required record retention. | Escalate if the asset still appears active elsewhere. |
| Unknown Owner | No accountable owner is recorded. | Assign the correct owner quickly. | Escalate if no team accepts ownership. |
Incidents
| Status | Meaning | Owner action | When to escalate |
|---|---|---|---|
| Reported | A potential incident has been raised. | Confirm basic facts, severity, and response owner. | Escalate immediately if harm, disruption, or sensitive information may be involved. |
| Triage | The incident is being assessed. | Determine priority, scope, and next actions. | Escalate if severity is uncertain or time-sensitive decisions are needed. |
| Containment | Steps are being taken to limit impact. | Coordinate actions and document key decisions. | Escalate if impact is spreading or containment is blocked. |
| Investigation | Root cause and full impact are being reviewed. | Gather evidence, timeline, and affected parties. | Escalate if legal, customer, or regulatory commitments may apply. |
| Recovery | Normal operations are being restored. | Confirm recovery steps and remaining risks. | Escalate if recovery affects critical business activity. |
| Closed | Response is complete and lessons learned are recorded. | Capture follow-up actions and owners. | Escalate if required follow-up is not assigned. |
Approvals
| Status | Meaning | Owner action | When to escalate |
|---|---|---|---|
| Pending | A decision is waiting for an approver. | Remind the approver and confirm the due date. | Escalate if the decision blocks time-sensitive work. |
| Approved | The request has been accepted. | Notify the requester and proceed under approved conditions. | Escalate if approval appears outside the approver's authority. |
| Rejected | The request has been declined. | Communicate the reason and next available option. | Escalate if the rejection conflicts with business direction. |
| Changes Requested | The approver needs more information or corrections. | Update the request and return it for decision. | Escalate if requested changes are unclear or unreasonable. |
| Delegated | The decision has been reassigned to another approver. | Confirm the new approver understands the request. | Escalate if delegation causes delay or weakens independence. |
| Cancelled | The request is no longer needed. | Record the reason and inform affected users. | Escalate if cancellation affects a required commitment. |