Help & User Guide
Everything you need to know to get the most from ShieldIQ.
Getting Started
ShieldIQ is a Governance, Risk, and Compliance (GRC) platform that helps organisations assess, manage, and improve their compliance posture across multiple frameworks. Here's how to get started:
- Create an account — Register with your email and company name. You'll receive a verification email to confirm your address.
- Seed your control library — Go to Dashboard, expand the Control Library section, and click "Seed" to populate 196 controls across 9 frameworks.
- Run an assessment — Select a framework and answer the questions based on your current practices.
- Sync results to GRC — From the results page, click "Update Controls" to sync scores to your control library, and "Generate Risks" to create risks from gaps.
- Track and remediate — Use Policies, Risk Register, and Actions to manage your compliance programme.
Tip: When you first log in, a guided tour will walk you through the main features. You can restart it anytime from the menu by clicking "Take a Tour".
Choosing a Framework
ShieldIQ supports 9 compliance frameworks. Choose the one that best matches your regulatory requirements or business needs:
- NIST CSF 2.0 — The gold standard for cybersecurity posture. Suitable for any organisation.
- NIS2 Directive — Required for essential and important entities operating in the EU.
- GDPR — Mandatory if you process personal data of EU/EEA residents.
- ISO 27001 — International standard for Information Security Management Systems.
- DORA — Digital operational resilience for financial services in the EU.
- SOC 2 — The standard for SaaS and cloud service providers.
- Cyber Essentials — UK government scheme covering 5 technical controls.
- EU AI Act — EU regulation for AI systems.
- PCI DSS 4.0 — Required if you store, process, or transmit payment card data.
Tip: You can assess against multiple frameworks. The Control Library maps controls across all frameworks — when you implement a control for one framework, it automatically counts toward compliance in all mapped frameworks.
Taking an Assessment
Each assessment is divided into sections covering different domains of the framework. For each question:
- Select the option that best describes your organisation's current practice, not your aspirational state.
- Look for the info icon next to questions for guidance on what each maturity level means.
- Your answers are auto-saved as you go — you won't lose progress if you navigate away.
- Some questions are conditional — they only appear based on your previous answers.
After Completing an Assessment
Once you receive your results, you can connect them to the GRC modules:
- Update Controls — Syncs your assessment scores to the Control Library. Scores of 70% and above mark controls as "implemented", scores from 40% up to (but not including) 70% as "in progress", and scores below 40% as "not started".
- Generate Risks — Creates risk entries for categories scoring below 70%, with severity calculated from the score.
- Generate Actions — Creates remediation actions from AI-generated recommendations.
Re-taking Assessments
You can duplicate any completed assessment to re-take it with your previous answers pre-filled. This is useful for periodic reassessments to track improvement.
Understanding Results
After submitting an assessment, Claude AI analyses your responses and generates a detailed compliance report.
Executive Summary
Shows your overall score (0-100%), your strongest and weakest categories, and the top priority actions.
Risk Heatmap
A colour-coded grid showing each category's risk level. Red = high risk, amber = moderate, green = strong compliance.
Spider Graph
Your scores plotted across all domains in a radar chart. If you've set target levels, they appear as an overlay.
Compliance Dashboard
The unified dashboard brings together all your compliance data in one view:
Overall Compliance Ring
The central ring shows your overall compliance percentage across all frameworks, calculated from control implementation status. Colour-coded: green (70% and above), amber (40% up to 70%), red (below 40%).
GRC Summary Cards
Quick-glance counts of your total Controls, active Policies, open Risks, and registered Assets.
Risk Severity Bar
A proportional bar showing the distribution of your risks by severity (Critical, High, Medium, Low).
Framework Cards
Each framework shows both the control compliance percentage (from the Control Library) and the latest assessment score. Click "View Results" to drill into assessment details.
Score Trends
Bar charts showing how your assessment scores have changed over time for frameworks with multiple assessments.
Control Library
Expand the collapsible Control Library section at the bottom to view, filter, and update individual control statuses. Use the "Seed" button to populate controls from framework data, "Actions" to generate remediation actions for unimplemented controls, and "Export" to download an audit package.
Control Library
The Control Library is the foundation of your GRC programme. It contains security controls mapped across all 9 frameworks.
How It Works
- Cross-framework mapping — Each control maps to one or more framework categories. When you mark a control as "implemented", it counts toward compliance in ALL mapped frameworks simultaneously.
- Seeding — Click "Seed" on the Dashboard to populate 196 controls from all framework category data.
- Status tracking — Each control has a status: Not Started, In Progress, Implemented, or Not Applicable. Update inline from the Dashboard.
- Custom controls — Add your own controls for requirements not covered by the built-in frameworks.
Syncing from Assessments
After completing an assessment, click "Update Controls" on the results page. This automatically updates control statuses based on your scores — high scores mark controls as implemented, low scores as not started.
Generating Actions
Click "Actions" on the Control Library to create remediation actions for all unimplemented controls. When you complete an action, the linked control is automatically marked as "implemented".
Policies
Manage your organisation's security and compliance policies with version control and employee acknowledgment tracking.
Policy Templates
ShieldIQ includes 8 ready-to-use policy templates that you can adopt and customise:
- Information Security Policy
- Acceptable Use Policy
- Data Classification Policy
- Incident Response Policy
- Access Control Policy
- Change Management Policy
- Business Continuity Policy
- Data Retention & Disposal Policy
Policy Lifecycle
- Draft — Write or edit your policy content in Markdown format.
- Active — Publish the policy. This records the approver and approval date.
- Archived — Retire old policies. They remain accessible for audit purposes.
Version History
Every content change creates a new version. The full history is preserved for audit trails.
Employee Acknowledgment
Team members can acknowledge (accept) active policies. Track who has and hasn't acknowledged each policy.
Risk Register
Formally identify, assess, and treat compliance and security risks.
Risk Scoring
Each risk is scored on two dimensions (1-5 scale):
- Likelihood — Rare (1) to Almost Certain (5)
- Impact — Insignificant (1) to Critical (5)
- Risk Score — Likelihood × Impact (auto-calculated)
Severity levels: Critical (20-25), High (12-19), Medium (6-11), Low (1-5).
Risk Treatment
- Mitigate — Implement controls to reduce the risk. Use "Generate Actions" to create remediation tasks.
- Accept — Acknowledge the risk and take no action.
- Transfer — Shift the risk to a third party (e.g., insurance).
- Avoid — Eliminate the activity that causes the risk.
Auto-Generation from Assessments
Click "Generate Risks" on the assessment results page to automatically create risks from low-scoring categories (<70%). Severity is calculated from the assessment score.
Linking to Actions
Click "Generate Actions" on the Risk Register to create remediation actions for all open risks with treatment set to "mitigate". When the action is completed, the risk is automatically marked as "mitigated".
Asset Register
Track and classify your organisation's information assets.
Asset Types
- Hardware — Servers, laptops, network equipment, mobile devices
- Software — Applications, operating systems, databases
- Data — Databases, file stores, backups, customer data
- Service — Cloud services, SaaS platforms, third-party APIs
- People — Key personnel, contractors, roles
- Facility — Offices, data centres, physical locations
Data Classification
Classify each asset according to its sensitivity:
- Public — No restrictions on access
- Internal — For internal use only
- Confidential — Restricted access, encryption required
- Restricted — Highest sensitivity, strictest controls
Criticality
Rate each asset's criticality to the business: Low, Medium, High, or Critical. This helps prioritise risk treatment and incident response.
Remediation Actions
Track remediation tasks from identification through to completion. Actions can be generated from multiple sources or created manually.
Sources of Actions
- From Assessments — Click "Generate Actions" on the results page to create actions from AI-generated recommendations.
- From Risks — Click "Generate Actions" on the Risk Register to create actions for risks with treatment set to "mitigate".
- From Controls — Click "Actions" on the Dashboard's Control Library to create actions for unimplemented controls.
- Manual — Create actions directly from the Actions page.
Cascading Status Updates
When you mark an action as "done":
- If linked to a control — the control status changes to "implemented"
- If linked to a risk — the risk status changes to "mitigated"
This creates a closed loop: assessment → controls → risks → actions → controls updated → compliance improves.
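A small Python model of this closed loop, added here as an illustration and not ShieldIQ's own code: the score thresholds used by "Update Controls", the Risk Register's severity bands, cross-framework control mapping, and the cascade when an action is marked done. Class and function names are assumptions, as is leaving "Not Applicable" controls out of the compliance percentage.

```python
from dataclasses import dataclass

def control_status_from_score(score: float) -> str:
    """Assessment score -> control status, using the guide's thresholds."""
    if score >= 70:
        return "implemented"
    if score >= 40:
        return "in_progress"
    return "not_started"

def risk_severity(likelihood: int, impact: int) -> str:
    """Risk Register bands: score = likelihood x impact, each on a 1-5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be between 1 and 5")
    score = likelihood * impact
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"

@dataclass
class Control:
    name: str
    frameworks: frozenset        # cross-framework mapping, e.g. {"NIST CSF", "ISO 27001"}
    status: str = "not_started"  # not_started | in_progress | implemented | not_applicable

@dataclass
class Action:
    control: Control             # the linked control (assumed structure)
    status: str = "todo"

def framework_compliance(controls: list, framework: str) -> float:
    """Percent of a framework's mapped controls that are implemented (N/A excluded: assumption)."""
    mapped = [c for c in controls
              if framework in c.frameworks and c.status != "not_applicable"]
    if not mapped:
        return 0.0
    done = sum(c.status == "implemented" for c in mapped)
    return round(100.0 * done / len(mapped), 1)

def generate_actions(controls: list) -> list:
    """'Actions' on the Control Library: one action per unimplemented control."""
    return [Action(c) for c in controls
            if c.status not in ("implemented", "not_applicable")]

def complete_action(action: Action) -> None:
    """Marking an action done cascades to the linked control."""
    action.status = "done"
    action.control.status = "implemented"
```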
Action Properties
- Effort — Low, Medium, or High implementation effort
- Impact — Low, Medium, or High impact on compliance
- Priority — Normal, High, or Critical
- Status — To Do, In Progress, Done
- Assignee — Assign to a team member
- Due date — Set a deadline
Reports & Exports
- PDF Report — Board-ready compliance report with executive summary, spider graph, heatmap, and recommendations.
- CSV Export — Raw assessment scores and analysis in spreadsheet format.
- Email Report — Send the PDF report directly to your inbox.
- Compliance Certificate — Verifiable certificate with a unique code.
- Audit Package — Download a ZIP containing control status matrix, active policies, risk register, and evidence index per framework. Available from the Dashboard's Control Library section.
Network Scanner
The built-in network scanner uses Nmap to identify open ports and potential vulnerabilities.
Scan Types
- Quick Scan — Most common ports, under a minute. Available on all plans.
- Standard Scan — Top 1000 ports with service detection. Professional and Enterprise.
- Deep Scan — Comprehensive scan with OS detection. Enterprise only.
Limits
- Free tier: 1 quick scan per month
- Professional: 10 scans per month
- Enterprise: Unlimited
Important: Only scan systems you own or have explicit permission to scan. Your email must be verified before using the scanner.
Target Levels
Set target maturity scores for each category within a framework. These targets appear as an overlay on your spider graph, making it easy to visualise the gap between your current state and your goals.
Reassessment Scheduling
Set up automated reminders to reassess at regular intervals (e.g., every 90 days). When a reassessment is due, you'll receive an email reminder. You'll also see a notification when you log in.
Teams & Organisations
Create an organisation to collaborate on compliance with your team.
- Invite members — Add by email. Existing users are added immediately. New users receive an invitation and are added automatically when they register.
- Shared data — All GRC data (controls, policies, risks, assets, actions) is scoped to your organisation. Team members share the same compliance workspace.
- Roles — Owner, Admin, and Member with different permissions.
Plans & Billing
- Starter (Free) — 1 NIST CSF assessment per quarter, view-only control library, 1 quick scan/month.
- Individual (€69/month) — NIST CSF + 2 more frameworks, full control library, 10 risks, PDF reports.
- Professional (€99/month) — Any 3 frameworks, unlimited assessments, 3 policies, 50 risks, 5 team members.
- Business (€249/month) — Any 6 frameworks, unlimited GRC, asset register, audit-ready exports, 15 team members.
- Enterprise (€499/month) — All 9 + custom frameworks, unlimited everything, deep scans, dedicated support.
All paid plans are available with annual billing — pay for 10 months, get 12 (~17% discount). Billing is handled securely through Stripe.
Account & Security
Email Verification
A verification email is sent when you register. This is required to use the network scanner.
Password Requirements
Passwords must be at least 8 characters and include uppercase, lowercase, a number, and a special character.
Password Reset
Click "Forgot password?" on the login page. You'll receive an email with a reset token.
Dark Mode
Toggle dark mode using the moon icon in the navigation bar.