Documentation

Complete guide to deploying and using Kevala. From installation to advanced features, everything you need for effective GRC management.


Overview

Kevala is a focused, self-hosted GRC (Governance, Risk, and Compliance) platform designed for organizations needing to comply with international and regional frameworks including ISO 27001, SOC 2, NIST CSF, HIPAA, PCI-DSS, NCA, and PDPL.

Key capabilities include:

  • Automated Control Mapping : Keyword-based engine that maps assets to relevant compliance controls based on asset type, CIA ratings, and data classification
  • Automated Risk Suggestions : Context-aware risk templates based on asset type, with one-click creation
  • Structured AI Analysis : AI analysis with JSON output, historical trend analysis, and enriched control implementation guidance
  • Multi-Framework Compliance : Real-time visibility into compliance status across various frameworks
Tip: Kevala is designed for small to medium organizations. For enterprise deployments with multiple sites, consider the Professional or Enterprise editions.

Installation

Prerequisites

  • Virtualization platform (VMware ESXi 6.7+, VMware Workstation 15+, VirtualBox 6.0+, Proxmox VE 7.0+, or KVM/QEMU 4.0+)
  • System requirements: 8 vCPU, 16 GB RAM, 100 GB SSD

Deployment Steps

  1. Download the Appliance : Download the OVA (for VMware/VirtualBox) or QCOW2 (for KVM/Proxmox) from the download page.
  2. Import the Virtual Appliance : Import the downloaded appliance file into your hypervisor.
  3. Configure Network Adapter : Set the network adapter to bridged mode.
  4. Power On the VM : Start the virtual machine.
  5. Note the IP Address : The IP address will be displayed on the VM console after boot.
  6. Access the Web Interface : Open your browser and navigate to https://<ip-address>
Default Credentials: Username: admin / Password: admin. Because the adapter is in bridged mode, the appliance is reachable by every host on that network segment from the moment it boots, still protected only by this default password. Change it before doing anything else (see First Login below), and keep the VM on a restricted network until you have.

Configuration

After deploying the virtual appliance, configure Kevala through the web interface.

First Login and Password Change

Upon first login with the default credentials (admin/admin), you will be prompted to change your password. Choose a strong, unique password for production use.

Application Settings

Additional settings can be configured under Settings:

  • User management and access control
  • LDAP/Active Directory integration
  • Audit log configuration and retention
  • AI engine configuration (Ollama URL, model selection)
Security Note: Always change the default admin password immediately after first login.

First Login

After deploying the Kevala virtual appliance, you can access the web interface through your browser. This section walks you through your very first login and the initial security steps you should take immediately.

Accessing Kevala

  1. Open your web browser and navigate to https://<appliance-ip>. The IP address is displayed on the VM console after boot.
  2. Enter the default credentials: username admin and password admin.
  3. Click Sign In to access the platform. You will be redirected to the onboarding wizard on your first login.
Important: Change the default admin password immediately after your first login. Navigate to your profile icon in the top-right corner, select Profile, and update your password. Use a strong password with at least 12 characters, mixing letters, numbers, and symbols.

Changing Your Password

  1. Click your username or profile icon in the top-right corner of the navigation bar.
  2. Select Profile from the dropdown menu.
  3. Enter your current password, then enter and confirm your new password.
  4. Click Update Password. You will remain logged in with your new credentials.
Tip: Bookmark the Kevala URL in your browser for quick access. If you lose the IP address, log into the VM console directly to retrieve it.

Onboarding Wizard

The onboarding wizard helps you configure Kevala for your organization in just a few steps. It sets your country, market segment, and automatically enables the compliance frameworks most relevant to you. The wizard runs once for new deployments and can be revisited from Settings.

Step 1: Country Selection

Choose your organization's primary country of operation. This determines which regulatory frameworks are recommended. For example, selecting Saudi Arabia will recommend NCA ECC, DCC, OTCC, and PDPL frameworks. Selecting a European country will recommend GDPR, NIS2, and DORA.

Step 2: Market Segment

Select the industry or sector that best describes your organization. Available segments include:

  • Government : Public sector entities and agencies
  • Financial Services : Banks, insurance, investment firms
  • Healthcare : Hospitals, clinics, pharmaceutical companies
  • Energy : Oil and gas, utilities, renewable energy
  • Telecommunications : Carriers, ISPs, service providers
  • Technology : Software, SaaS, IT services
  • Other : General commercial organizations

Step 3: Framework Selection

Kevala automatically suggests the compliance frameworks relevant to your country and sector. Review the list, toggle any additional frameworks on or off, and confirm your selection. You can always change this later under Settings > Framework Management.

Step 4: Organization Profile

Enter your organization name, primary contact, and any additional details. These details appear on exported reports and audit documentation. Click Complete Setup to finish. Kevala will enable the selected frameworks and redirect you to the dashboard.

Tip: You can change your enabled frameworks at any time by going to Settings > Framework Management. Disabling a framework hides its controls from the compliance views but does not delete any assessment data.

Dashboard Overview

The dashboard is your central command center. It provides a real-time snapshot of your organization's risk posture, compliance status, and pending action items. Every metric on the dashboard is interactive: click any card or chart to drill down into the underlying data.

Stat Cards

The top row displays summary metrics at a glance: total open risks, overall compliance percentage, active incidents, overdue tasks, and asset count. Each card is color-coded and clickable, linking directly to the relevant module.

Compliance Progress

A horizontal progress bar for each enabled framework shows your current compliance percentage. Color-coded indicators show whether you are on track (green, above 80%), need attention (amber, 50-80%), or have critical gaps (red, below 50%). Click any framework bar to jump directly to its control list.

Risk Heat Map

The interactive 5x5 heat map displays the distribution of open risks by likelihood and impact. Each cell shows a count of risks at that intersection. Cells are clickable: clicking a cell drills down to a filtered list of risks at that specific likelihood/impact combination. The heat map also overlays your configured risk appetite threshold, with risks above appetite displayed with an "Above Appetite" badge.

Risk Trend Chart

A line chart showing the movement of open risks over the past 12 months, broken down by severity level. Use this to identify whether your overall risk posture is improving or deteriorating over time.

Recent Activity

A timeline of the most recent changes across all modules, including new risks created, control assessments updated, incidents reported, tasks completed, and policy approvals. Each entry links to the relevant item for quick navigation.

Tip: The dashboard refreshes automatically. You can also force a refresh by pressing F5 or clicking the refresh icon in the top-right corner of each widget.

Creating Risks

The risk register is the backbone of your GRC program. Risks can be created manually, generated from automated risk suggestions based on asset profiles, or imported from external sources. Each risk entry captures the threat, affected assets, likelihood, impact, and linked compliance controls.

Adding a Risk Manually

  1. Navigate to Risks from the left sidebar menu.
  2. Click the + Add Risk button in the top-right corner.
  3. Fill in the risk details:
    • Title : A concise description (e.g., "Unpatched web server vulnerable to CVE-2024-XXXX").
    • Description : Detailed explanation of the risk, root cause, and potential consequences.
    • Category : Select the appropriate category (Technical, Operational, Compliance, Strategic).
    • Likelihood : Rate from 1 (Rare) to 5 (Almost Certain).
    • Impact : Rate from 1 (Negligible) to 5 (Catastrophic).
    • Owner : Assign the person responsible for managing this risk.
    • Linked Asset : Associate the risk with one or more assets from your inventory.
    • Linked Control : Link to a compliance control that this risk relates to.
    • Treatment Plan : Describe the planned approach (mitigate, accept, transfer, or avoid).
  4. Click Save to add the risk to the register. It will appear with status Open by default.
Tip: Use the automated risk suggestions feature on any asset's detail page to generate risk entries tailored to the asset type. Kevala pre-populates the title, description, and linked asset. Review and adjust the likelihood and impact scores based on your organization's context.

Risk Scoring

Kevala uses a standard 5x5 risk matrix to calculate risk scores. The score determines the risk severity level and drives prioritization across the platform. Kevala supports both inherent risk scoring (before controls) and residual risk scoring (after controls are applied).

The Risk Matrix

Each risk is scored on two dimensions:

  • Likelihood (1-5) : 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Almost Certain.
  • Impact (1-5) : 1 = Negligible, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Catastrophic.
Risk Score = Likelihood x Impact
Inherent Score = Raw likelihood x Raw impact (before any controls)
Residual Score = Adjusted likelihood x Adjusted impact (after controls applied)

Severity Levels

Risk Score | Severity | Response
20 – 25    | Critical | Immediate action required. Escalate to senior management. Target remediation within 24-48 hours.
15 – 19    | High     | Prompt action needed. Assign an owner and create a remediation plan within one week.
8 – 14     | Medium   | Monitor and plan. Schedule remediation within the current quarter.
1 – 7      | Low      | Accept or monitor. Review during the next periodic risk assessment cycle.
Tip: Use the risk matrix consistently across your organization. Document your scoring criteria so different team members arrive at similar scores for similar risks.
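The matrix and severity bands above, worked through in Python as an added example (this is illustrative code, not Kevala's own). The bands are taken from the Severity Levels table; the Risk record shape, the assess helper and the sample risk are assumptions. The example also lists the scores a 5x5 product can actually produce, which shows that several values inside the bands (7, 11, 13, 14, 17 to 19, 21 to 24) never occur, so a score of 7 or 14 in a register is a data-entry error rather than a borderline case.

```python
from dataclasses import dataclass
from typing import Optional

# Severity bands from the Severity Levels table (score = likelihood x impact).
SEVERITY_BANDS = (
    (20, 25, "Critical"),
    (15, 19, "High"),
    (8, 14, "Medium"),
    (1, 7, "Low"),
)


def risk_score(likelihood: int, impact: int) -> int:
    """Score a risk on the 5x5 matrix. Out-of-range input is rejected rather than
    clamped, so a typo such as impact 0 or 6 cannot silently become a Low risk."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return likelihood * impact


def severity(score: int) -> str:
    """Map a score to its severity band."""
    for low, high, name in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside 1..25")


def reachable_scores() -> list[int]:
    """Every score a 5x5 matrix can produce. Values missing from this list
    (7, 11, 13, 14, 17-19, 21-24) sit inside a band but can never be reached."""
    return sorted({l * i for l in range(1, 6) for i in range(1, 6)})


@dataclass
class Risk:
    """Illustrative risk record (assumed shape, not Kevala's data model)."""
    title: str
    likelihood: int                            # inherent, before controls
    impact: int
    residual_likelihood: Optional[int] = None  # set once controls are applied
    residual_impact: Optional[int] = None

    @property
    def inherent(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def residual(self) -> int:
        # Until a residual assessment is recorded, residual equals inherent.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent
        return risk_score(self.residual_likelihood, self.residual_impact)


def assess(risk: Risk) -> dict:
    """Summarise inherent and residual scoring for one risk."""
    return {
        "title": risk.title,
        "inherent": risk.inherent,
        "inherent_severity": severity(risk.inherent),
        "residual": risk.residual,
        "residual_severity": severity(risk.residual),
        # A residual above inherent is almost always a scoring mistake: flag it for review.
        "residual_exceeds_inherent": risk.residual > risk.inherent,
    }


if __name__ == "__main__":
    # Constructed sample: unpatched web server scored 5x4, re-scored 2x4 after patching.
    sample = Risk("Unpatched web server", likelihood=5, impact=4,
                  residual_likelihood=2, residual_impact=4)
    print(assess(sample))
    print("reachable scores:", reachable_scores())
```

The sample goes from Critical (20) to Medium (8) once the residual scores are entered, which is the movement the Risk Trend Chart and Score History views are built to show.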

Risk Heat Map

The interactive risk heat map provides a visual overview of your entire risk landscape on a single 5x5 grid. Each cell represents a specific likelihood-impact combination, with color intensity indicating severity.

Using the Heat Map

  • Cell counts : Each cell displays the number of open risks at that likelihood/impact intersection.
  • Click to drill down : Click any cell to view a filtered list of risks at that exact scoring position. This makes it easy to review all Critical risks or investigate a specific cluster.
  • Risk appetite overlay : If risk appetite thresholds are configured, the heat map displays a visual boundary line. Risks above the appetite line are flagged with an "Above Appetite" badge.
  • Color coding : Cells are color-coded from green (Low) through amber (Medium) and orange (High) to red (Critical).
Tip: Use the heat map during management review meetings to quickly communicate your risk posture. The visual layout makes it easy for non-technical stakeholders to understand risk distribution.

Risk Appetite

Risk appetite defines how much risk your organization is willing to accept. Kevala allows you to configure appetite thresholds globally and per risk category, so you can have different tolerances for technical risks versus compliance risks.

Configuring Risk Appetite

  1. Navigate to Settings > Risk Appetite.
  2. Set the Global Appetite Threshold : the maximum acceptable risk score (e.g., setting it to 12 means any risk scoring above 12 is above appetite).
  3. Optionally configure Per-Category Thresholds to override the global setting. For example, set a lower threshold of 8 for Compliance risks while keeping Technical risks at 12.
  4. Click Save. The heat map and risk register will immediately reflect the new appetite boundaries.
Important: Risks that exceed appetite thresholds are flagged throughout the platform with an "Above Appetite" badge. These risks require formal acknowledgment or escalation. Ensure your appetite thresholds are reviewed and approved by senior management.
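An added example, not part of the Kevala documentation, that puts the appetite rules from the steps above together with the cell counting and drill-down described in the Risk Heat Map section. It uses the values from the steps (global threshold 12, Compliance override 8) and treats "above appetite" as strictly greater than the threshold, as the text states. The risk records are constructed sample data and the function names are assumptions.

```python
# Thresholds from the configuration steps above. A risk is above appetite when its
# score is strictly greater than the threshold that applies to its category.
GLOBAL_APPETITE = 12
CATEGORY_APPETITE = {"Compliance": 8}   # per-category override; other categories use the global value

# Constructed sample register (likelihood and impact on the 1..5 scale).
RISKS = [
    {"title": "Unpatched web server",   "category": "Technical",   "likelihood": 4, "impact": 4, "status": "Open"},
    {"title": "Missing DPA with vendor", "category": "Compliance",  "likelihood": 3, "impact": 3, "status": "Open"},
    {"title": "Backup tapes unencrypted", "category": "Technical",  "likelihood": 2, "impact": 5, "status": "Open"},
    {"title": "Single admin account",    "category": "Operational", "likelihood": 4, "impact": 4, "status": "Open"},
    {"title": "Legacy VPN appliance",    "category": "Technical",   "likelihood": 5, "impact": 5, "status": "Mitigated"},
]


def appetite_for(category: str) -> int:
    """Per-category threshold if one is configured, otherwise the global one."""
    return CATEGORY_APPETITE.get(category, GLOBAL_APPETITE)


def score(risk: dict) -> int:
    return risk["likelihood"] * risk["impact"]


def above_appetite(risk: dict) -> bool:
    return score(risk) > appetite_for(risk["category"])


def flagged(risks: list[dict]) -> list[str]:
    """Titles of open risks that would carry the 'Above Appetite' badge."""
    return [r["title"] for r in risks if r["status"] == "Open" and above_appetite(r)]


def heat_map(risks: list[dict]) -> list[list[int]]:
    """5x5 grid of open-risk counts, indexed [likelihood - 1][impact - 1]."""
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        if r["status"] != "Open":
            continue                      # only open risks are plotted
        grid[r["likelihood"] - 1][r["impact"] - 1] += 1
    return grid


def cell_risks(risks: list[dict], likelihood: int, impact: int) -> list[dict]:
    """Drill-down for one cell: the open risks at exactly that likelihood/impact."""
    return [r for r in risks
            if r["status"] == "Open"
            and r["likelihood"] == likelihood and r["impact"] == impact]


def above_appetite_cells(category: str) -> set:
    """The (likelihood, impact) cells that lie past the appetite boundary for a category.
    With the Compliance override the boundary moves down the grid: 11 cells instead of 6."""
    threshold = appetite_for(category)
    return {(l, i) for l in range(1, 6) for i in range(1, 6) if l * i > threshold}


if __name__ == "__main__":
    for row in heat_map(RISKS):
        print(row)
    print("above appetite:", flagged(RISKS))
```

Note that the 9-point Compliance risk is flagged while the 10-point Technical risk is not: the per-category override, not the raw score, decides the badge, which is why the thresholds themselves need management sign-off.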

Risk Lifecycle

Every risk in Kevala follows a defined lifecycle from identification through resolution. Managing risks through their lifecycle ensures nothing falls through the cracks and provides an auditable trail.

Risk Statuses

Status    | Description                                          | When to Use
Open      | Identified and awaiting treatment.                   | Default for all new risks.
Mitigated | Controls implemented to reduce the risk.             | After remediation actions are completed and verified.
Closed    | No longer applicable or fully remediated.            | When the underlying condition no longer exists.
Accepted  | Management has formally accepted the residual risk.  | When mitigation cost exceeds potential impact, with documented rationale.

Updating Risk Status

  1. Open the risk from the risk register by clicking its title.
  2. Click the Status dropdown and select the new status.
  3. Add a note explaining the status change (e.g., "Patch applied to all affected servers on 2026-02-15").
  4. If mitigating, update the Residual Likelihood and Residual Impact scores to reflect the post-mitigation risk level.
  5. Click Update to save. Linked control statuses will recalculate automatically.

Treatment Plans

Every risk should have a documented treatment plan. Kevala supports four treatment strategies:

  • Mitigate : Implement controls to reduce likelihood or impact to an acceptable level.
  • Accept : Formally acknowledge and accept the risk at its current level.
  • Transfer : Shift the risk to a third party through insurance, outsourcing, or contractual agreements.
  • Avoid : Eliminate the risk by discontinuing the activity that creates it.
Important: Closing or mitigating a risk linked to compliance controls will automatically improve the compliance score. Make sure the risk is genuinely resolved before changing its status.

Risk Score History

Kevala automatically tracks every change to a risk's score over time, providing a historical record that demonstrates whether risks are being effectively managed.

Viewing Score History

  1. Open any risk from the risk register by clicking its title.
  2. Scroll to the Score History section on the risk detail page.
  3. Review the trend visualization showing how the risk score has changed over time.

Each history entry records the date, the user who made the change, the old and new likelihood/impact values, and the resulting score. This audit trail is invaluable during compliance audits.

Tip: A risk whose score has remained unchanged for several months may indicate it is not being actively managed. Use score history to identify stale risks during periodic reviews.

Adding Assets

Assets are the foundation of your risk and compliance program. Every device, system, application, and data store that supports your business operations should be inventoried in Kevala. Once added, Kevala's mapping engine can automatically suggest relevant compliance controls and risk templates based on each asset's type, CIA ratings, and data classification.

Manual Asset Entry

  1. Navigate to Assets from the left sidebar.
  2. Click + Add Asset in the top-right corner.
  3. Fill in the asset details:
    • Name : A recognizable name (e.g., "Production Web Server 01").
    • IP Address : The primary IP address, if applicable.
    • MAC Address : Hardware address for network-connected devices.
    • Hostname : The network hostname of the asset.
    • Type : Select from Server, Workstation, Network Device, Application, Database, Cloud Service, IoT Device, or Other.
    • Criticality : Rate from 1 (Low) to 5 (Critical) based on business impact.
    • Owner : The person or team responsible for this asset.
    • Location : Physical or logical location of the asset.
    • Status : Active, Inactive, Decommissioned, or Under Maintenance.
  4. Click Save to add the asset to your inventory.
Tip: Set asset criticality based on its impact to business operations if compromised. Critical assets (5) support core business functions, while low-criticality assets (1) have minimal operational impact. This rating directly influences risk scoring when risks are linked to assets.

CIA Triad Rating

Every asset in Kevala can be rated across the three pillars of information security: Confidentiality, Integrity, and Availability. These ratings, combined with data classification, provide a comprehensive view of each asset's security requirements.

Setting CIA Ratings

  1. Open an asset from the asset inventory and click Edit.
  2. In the Security Classification section, rate each dimension from 1 to 5:
    • Confidentiality : How sensitive is the data? 1 = Public information, 5 = Top-secret or regulated data.
    • Integrity : How critical is data accuracy? 1 = Minor impact if altered, 5 = Life-safety or financial impact if corrupted.
    • Availability : How critical is uptime? 1 = Can tolerate days of downtime, 5 = Must be available 24/7 with zero tolerance.
  3. Select the Data Classification level:
    • Public : Information intended for public disclosure.
    • Internal : General internal use, not sensitive.
    • Confidential : Sensitive business information, restricted access.
    • Restricted : Highly sensitive, regulatory or contractual restrictions apply.
  4. Click Save. CIA ratings are displayed on the asset detail page and factored into risk assessments.
Tip: CIA ratings help prioritize security controls. An asset with high Confidentiality but low Availability needs strong access controls but may not require redundant infrastructure. Use these ratings to align your security investments with actual requirements.

Automated Control Mapping

Kevala's mapping engine automatically suggests compliance controls that are relevant to each asset based on its type, CIA ratings (Confidentiality, Integrity, Availability), and data classification. This eliminates manual guesswork and ensures comprehensive control coverage from the moment an asset is added.

How the Mapping Engine Works

The engine uses a keyword-based matching algorithm that considers:

  • Asset Type : Different asset types trigger different control families. A database triggers data protection and access control requirements, while a network device triggers network security controls.
  • CIA Ratings : High confidentiality ratings prioritize encryption and access controls. High availability ratings prioritize redundancy and backup controls. High integrity ratings prioritize change management and audit controls.
  • Data Classification : Restricted and confidential assets receive stricter control suggestions than internal or public assets.

Each suggested control includes a relevance score and a reason explaining why it was recommended, so you can make informed decisions about which mappings to accept.
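An illustrative engine of the shape described above, added here as an example; it is not Kevala's implementation, and the rule tables, weights, the 4-or-higher CIA trigger, the reason strings and the 0.5 auto-map threshold are all assumptions. The control identifiers and names are from ISO 27001:2022 Annex A. Each rule that fires contributes a weight and a reason, contributions are summed per control and capped at 1.0, and auto_map applies the threshold the Auto-Map button would use.

```python
from collections import defaultdict

# ISO 27001:2022 Annex A controls referenced by the hypothetical rules below.
CONTROLS = {
    "A.5.15": "Access control",
    "A.8.13": "Information backup",
    "A.8.14": "Redundancy of information processing facilities",
    "A.8.15": "Logging",
    "A.8.20": "Networks security",
    "A.8.24": "Use of cryptography",
    "A.8.32": "Change management",
}

# Hypothetical rule tables: (control id, weight, reason). Real engines carry far more rules.
TYPE_RULES = {
    "Database":       [("A.5.15", 0.5, "databases hold structured records that need access control"),
                       ("A.8.13", 0.4, "databases must be backed up"),
                       ("A.8.24", 0.3, "data at rest in a database is a candidate for encryption")],
    "Network Device": [("A.8.20", 0.7, "network devices enforce network security"),
                       ("A.8.32", 0.3, "network device configuration needs change control")],
    "Server":         [("A.5.15", 0.4, "servers expose privileged access"),
                       ("A.8.15", 0.3, "servers produce security-relevant logs")],
}
CIA_RULES = {   # a dimension rule fires when that rating is 4 or higher
    "confidentiality": [("A.8.24", 0.3, "high confidentiality rating"),
                        ("A.5.15", 0.2, "high confidentiality rating")],
    "integrity":       [("A.8.32", 0.3, "high integrity rating"),
                        ("A.8.15", 0.2, "high integrity rating")],
    "availability":    [("A.8.13", 0.3, "high availability rating"),
                        ("A.8.14", 0.4, "high availability rating")],
}
CLASSIFICATION_RULES = {
    "Restricted":   [("A.5.15", 0.2, "Restricted data"), ("A.8.24", 0.2, "Restricted data")],
    "Confidential": [("A.5.15", 0.1, "Confidential data")],
}
AUTO_MAP_THRESHOLD = 0.5


def suggest_controls(asset: dict) -> list[dict]:
    """Score every control at least one rule fires for; sum contributions, cap at 1.0,
    and keep every reason so the reviewer can see why a control was proposed."""
    scores = defaultdict(float)
    reasons = defaultdict(list)

    def apply(rules):
        for control_id, weight, reason in rules:
            scores[control_id] += weight
            reasons[control_id].append(reason)

    apply(TYPE_RULES.get(asset.get("type"), []))
    for dimension, rules in CIA_RULES.items():
        if asset.get(dimension, 0) >= 4:          # missing ratings simply never fire
            apply(rules)
    apply(CLASSIFICATION_RULES.get(asset.get("classification"), []))

    suggestions = [
        {"control": cid, "name": CONTROLS[cid],
         "relevance": round(min(scores[cid], 1.0), 2),
         "reason": "; ".join(reasons[cid])}
        for cid in scores
    ]
    return sorted(suggestions, key=lambda s: (-s["relevance"], s["control"]))


def auto_map(asset: dict, threshold: float = AUTO_MAP_THRESHOLD) -> list[str]:
    """Control ids the Auto-Map action would accept at the given relevance threshold."""
    return [s["control"] for s in suggest_controls(asset) if s["relevance"] >= threshold]


if __name__ == "__main__":
    # Constructed sample asset: a Restricted customer database with high confidentiality.
    customer_db = {"name": "Customer DB", "type": "Database", "confidentiality": 5,
                   "integrity": 3, "availability": 2, "classification": "Restricted"}
    for s in suggest_controls(customer_db):
        print(f'{s["control"]} {s["relevance"]:.2f} {s["name"]}: {s["reason"]}')
    print("auto-map:", auto_map(customer_db))
```

Running the same asset with the CIA ratings and classification left empty drops the access-control and cryptography scores back to the type-only weights, which is the effect the tip about filling in ratings first is describing.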

Viewing Suggested Controls

  1. Open any asset from the asset inventory.
  2. In the Mapped Controls section, click Suggest Mappings.
  3. Review the scored suggestions. Each suggestion shows the control name, framework, relevance score, and the reason for the recommendation.
  4. Select individual controls to map, or click Auto-Map to accept all suggestions above the relevance threshold at once.

Managing Mapped Controls

Mapped controls appear on the asset detail page in the Mapped Controls table. You can unmap a control at any time by clicking the remove icon next to it. Mapping an asset to a control creates a bidirectional link: the control's detail page will also show which assets it is mapped to.

Tip: For the most accurate suggestions, fill in the asset's CIA ratings and data classification before running the mapping engine. The more context you provide, the more relevant the suggested controls will be.

Automated Risk Suggestions

Kevala can automatically suggest risks relevant to each asset based on its type. The mapping engine includes built-in risk templates for common asset categories, helping you build a comprehensive risk register quickly.

How Risk Suggestions Work

Each asset type has a set of pre-defined risk templates that represent common threats. For example:

  • Servers : Unpatched vulnerabilities, unauthorized access, hardware failure, data breach.
  • Databases : SQL injection, data leakage, backup failure, privilege escalation.
  • Cloud Services : Misconfiguration, account compromise, data residency violations, vendor lock-in.
  • Workstations : Malware infection, data loss, unauthorized software, physical theft.
  • Network Devices : Configuration drift, unauthorized access, denial of service, firmware vulnerabilities.

Generating Risk Suggestions

  1. Open an asset from the asset inventory.
  2. In the Risks section, click Suggest Risks.
  3. Review the suggested risks. Each suggestion includes a title, description, and recommended likelihood/impact scores.
  4. Click Create All to add all suggestions to the risk register at once, or select individual risks to create.
Tip: Risk suggestions provide a strong starting point, but always review and adjust the likelihood and impact scores based on your specific environment. A risk that is critical for one organization may be low-priority for another depending on existing controls and context.

Asset-Risk Linking

Linking assets to risks creates a clear picture of exposure. When a risk is linked to an asset, you can immediately see which systems are affected and prioritize remediation based on asset criticality.

Linking an Asset to a Risk

  1. Open a risk from the risk register.
  2. In the Linked Assets section, click + Link Asset.
  3. Search for and select the asset(s) to link. You can link multiple assets to a single risk.
  4. Click Save. The asset detail page will now show this risk, and vice versa.

Asset Risk Dashboard

Navigate to Assets > Risk Dashboard for an aggregate view of risk exposure across your asset inventory. This view shows each asset alongside its linked risks, overall risk score, and criticality rating, making it easy to identify the most exposed assets in your environment.

Tip: When risks are created from automated risk suggestions, asset links are established automatically. For manually created risks, always link the affected assets to maintain a complete risk-to-asset mapping for audit purposes.

Frameworks Overview

Kevala ships with a comprehensive set of pre-built compliance frameworks covering international standards, regional regulations, and industry-specific requirements. Each framework is broken down into domains, subdomains, and individual controls. Frameworks can be toggled on and off in Settings > Framework Management.

Supported Frameworks

Framework                      | Description
ISO 27001                      | Information security management system, full Annex A control set.
ISO 22301                      | Business Continuity Management System.
ISO 31000                      | Risk Management Guidelines.
SOC 2                          | Trust Services Criteria for service organizations.
PCI-DSS                        | Payment Card Industry Data Security Standard (current version).
HIPAA                          | Health Insurance Portability and Accountability Act.
NIST CSF                       | Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover).
NIST SP 800-53                 | Security and Privacy Controls for Information Systems.
GDPR                           | General Data Protection Regulation (EU).
DORA                           | Digital Operational Resilience Act (EU financial sector).
NIS2                           | Network and Information Security Directive (EU).
COBIT 2019                     | Governance and Management of Enterprise IT.
CIS Controls                   | Center for Internet Security Critical Security Controls.
NCA ECC                        | Essential Cybersecurity Controls (Saudi Arabia).
NCA CSCC                       | Cloud Cybersecurity Controls (Saudi Arabia).
NCA DCC                        | Data Cybersecurity Controls (Saudi Arabia).
NCA OTCC                       | Operational Technology Cybersecurity Controls (Saudi Arabia).
NCA NCNICC                     | National Cybersecurity Network & Information Controls (Saudi Arabia).
SAMA CSF                       | Saudi Central Bank Cyber Security Framework (banking sector).
Saudi PDPL                     | Personal Data Protection Law, regulating the collection, processing, storage, and transfer of personal data, supervised by the Saudi Data and AI Authority (SDAIA).
CBE Cybersecurity Framework    | Central Bank of Egypt cybersecurity requirements for banks, payment service providers, and financial technology companies operating in Egypt.
Egyptian Data Protection Law   | Law 151/2020 personal data protection framework, regulating the collection, processing, and transfer of personal data under the Personal Data Protection Center (PDPC).

Custom frameworks can also be added via CSV import or implemented on request. Contact support for details.

Navigating Frameworks

  1. Click Compliance in the sidebar to see all enabled frameworks with their overall compliance percentages.
  2. Click a framework name to expand it and view domains, subdomains, and individual controls.
  3. Click a specific control to view its description, assessment status, linked risks, and evidence.
Tip: Use the framework filter at the top of the compliance page to focus on a single framework at a time. This is especially useful when preparing for a specific audit.

ISO 27001:2022

Kevala includes the complete ISO 27001:2022 Annex A organized into four themes. You can seed the full control set from Settings if it was not enabled during onboarding.

Annex A Structure

Theme               | Description
A.5 Organizational  | Policies, roles, responsibilities, asset management, access control, supplier relationships.
A.6 People          | Screening, terms of employment, awareness, training, disciplinary process, termination.
A.7 Physical        | Physical perimeters, entry controls, securing offices, equipment, cabling, maintenance.
A.8 Technological   | User devices, access rights, authentication, cryptography, development, monitoring, network security.

Seeding ISO 27001:2022 Controls

  1. Navigate to Settings > Framework Management.
  2. Locate ISO 27001:2022 in the framework list.
  3. Click Seed Controls to populate the full Annex A control set.
  4. Enable the framework toggle. The controls will now appear under Compliance.
Important: Seeding only needs to be run once. If the framework already has controls, the seed action skips the duplicates, and existing assessment data is never overwritten.

Assessing Controls

Control assessment is the process of evaluating whether your organization meets the requirements of each compliance control. Kevala supports individual and bulk assessment workflows.

Control Statuses

Status               | Meaning                                            | Impact on Score
Compliant            | Fully implemented and effective.                   | Counts as 1.0 toward compliance.
Partially Compliant  | Partially implemented, gaps remain.                | Counts as 0.5 toward compliance.
Non-Compliant        | Not implemented or ineffective.                    | Counts as 0 toward compliance.
Not Assessed         | No evaluation performed yet.                       | Counts as 0 (treated as a gap).
Not Applicable       | Control does not apply to this organization.       | Excluded from the denominator.

Individual Assessment

  1. Navigate to the specific control within a framework.
  2. Click Assess to open the assessment form.
  3. Select the compliance status from the dropdown.
  4. Assign an Owner responsible for this control.
  5. Set a Due Date for achieving compliance if the control is not yet compliant.
  6. Add assessment notes explaining your rationale. Reference policies, configurations, or evidence.
  7. Click Save Assessment. The framework compliance percentage will update immediately.

Bulk Status Update

  1. From the framework view, use the checkboxes to select multiple controls.
  2. Click Bulk Update in the action bar that appears.
  3. Select the status to apply to all selected controls, set an owner and due date if desired, and click Apply.
Tip: For a thorough assessment, work through one domain at a time. This gives you a complete picture of each area before moving to the next and makes it easier to identify systemic gaps.

Statement of Applicability (SoA)

The Statement of Applicability is a key ISO 27001 document that lists every control, states whether it is applicable, and provides justification for any exclusions. Kevala auto-generates the SoA from your control assessments.

Generating the SoA

  1. Navigate to the framework view for the relevant framework (e.g., ISO 27001:2022).
  2. Click the Statement of Applicability tab.
  3. The SoA is auto-populated from your existing control assessments. Each row shows:
    • Control ID and Name : The control reference.
    • Applicable : Yes/No based on whether the control is marked Not Applicable.
    • Justification for Exclusion : Required for any control marked Not Applicable.
    • Implementation Status : The current assessment status.
    • Evidence References : Links to uploaded evidence for this control.
  4. Review and edit justifications for any excluded controls. Auditors will scrutinize these entries.
  5. Click Export CSV to download the complete SoA as a spreadsheet for external use or audit submission.
Important: Do not mark controls as "Not Applicable" without proper justification. Auditors will expect documented rationale for every excluded control. Use the justification field to record specific reasons (e.g., "Control A.7.3 : No secure areas; organization operates fully remote with no physical office").

Compliance Scoring

Kevala uses a consistent formula across all views to calculate compliance percentages. Understanding this formula ensures you interpret the numbers correctly.

The Formula

Compliance % = (Compliant + Partially Compliant x 0.5) / (Total Controls - Not Applicable) x 100

Key Points

  • Compliant controls count as 1.0 (full weight).
  • Partially Compliant controls count as 0.5 (half weight), reflecting progress but acknowledging remaining gaps.
  • Non-Compliant controls count as 0, so they reduce your compliance percentage.
  • Not Assessed controls also count as 0. Unassessed controls are treated as gaps, not excluded.
  • Not Applicable controls are excluded from the denominator entirely, so they do not inflate or deflate your score.
Tip: Assessing a control as Non-Compliant scores exactly the same as leaving it Not Assessed, so there is no score penalty for recording an honest result. Assess every control first, even if the answer is Non-Compliant, so that the percentage is an accurate baseline to measure improvement against rather than an artefact of unassessed controls.
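The formula above as an added Python example (illustrative code, not Kevala's). It keeps the weights from the Control Statuses table, drops Not Applicable from the denominator, rejects status strings it does not know rather than silently scoring them 0, and returns None instead of 0 or 100 when no applicable control remains, which is the one case the formula leaves undefined. The control records are constructed sample data; the constructed sample also shows that moving a control from Not Assessed to Non-Compliant leaves the percentage unchanged.

```python
from collections import Counter

# Weights from the Control Statuses table. Not Applicable is handled separately.
WEIGHTS = {
    "Compliant": 1.0,
    "Partially Compliant": 0.5,
    "Non-Compliant": 0.0,
    "Not Assessed": 0.0,       # treated as a gap, not excluded
}
NOT_APPLICABLE = "Not Applicable"


def compliance_pct(statuses):
    """Compliance % = (Compliant + 0.5 x Partially Compliant) / (Total - Not Applicable) x 100.
    Returns None when every control is Not Applicable (no denominator)."""
    applicable = [s for s in statuses if s != NOT_APPLICABLE]
    unknown = {s for s in applicable if s not in WEIGHTS}
    if unknown:
        # An unrecognised status must not quietly score 0 and drag the percentage down.
        raise ValueError(f"unknown control status: {sorted(unknown)}")
    if not applicable:
        return None
    earned = sum(WEIGHTS[s] for s in applicable)
    return round(100.0 * earned / len(applicable), 1)


def framework_scores(controls):
    """Per-framework percentages from records like {'framework': 'ISO 27001', 'status': 'Compliant'}."""
    by_framework = {}
    for c in controls:
        by_framework.setdefault(c["framework"], []).append(c["status"])
    return {fw: compliance_pct(statuses) for fw, statuses in by_framework.items()}


def status_breakdown(statuses):
    """Counts per status, useful for checking how much of a low score is simply Not Assessed."""
    return dict(Counter(statuses))


# Constructed sample data: five applicable ISO 27001 controls plus two Not Applicable ones.
SAMPLE = [
    {"framework": "ISO 27001", "status": "Compliant"},
    {"framework": "ISO 27001", "status": "Compliant"},
    {"framework": "ISO 27001", "status": "Partially Compliant"},
    {"framework": "ISO 27001", "status": "Non-Compliant"},
    {"framework": "ISO 27001", "status": "Not Assessed"},
    {"framework": "ISO 27001", "status": "Not Applicable"},
    {"framework": "SOC 2", "status": "Not Applicable"},
]

if __name__ == "__main__":
    print(framework_scores(SAMPLE))          # ISO 27001 scores (1 + 1 + 0.5) / 5 = 50.0
    print(status_breakdown([c["status"] for c in SAMPLE if c["framework"] == "ISO 27001"]))
```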

Compliance Roadmap

The compliance roadmap helps you plan and track your journey from current state to full compliance. It organizes non-compliant controls into phased implementation stages.

Roadmap Phases

Phase       | Description                                                                                               | Typical Timeline
Quick Wins  | Low-effort controls that can be addressed immediately with policy changes or configuration updates.       | 0-30 days
Foundation  | Core controls requiring process design, tooling, or moderate investment.                                  | 1-3 months
Advanced    | Complex controls requiring significant implementation effort, organizational change, or capital investment. | 3-12 months

Each control in the roadmap includes an effort rating (Low, Medium, High) to help you estimate resource requirements and plan capacity. Use the roadmap view to create remediation tasks directly from non-compliant controls.

Tip: Start with Quick Wins to build momentum and demonstrate early progress to stakeholders. This approach improves your compliance score quickly while you plan and resource the more complex Foundation and Advanced controls.

Compliance Trends

Kevala tracks your compliance percentage for each framework on a monthly basis, providing a 12-month trend chart that shows your improvement trajectory.

Viewing Trends

  1. Navigate to Compliance and select a framework.
  2. Click the Trends tab to view the 12-month compliance trend chart.
  3. Monthly snapshots are recorded automatically. Each data point shows the compliance percentage at the end of that month.

Trend data is invaluable for management reporting and audit evidence. A steadily increasing trend demonstrates active compliance management, while plateaus or declines indicate areas needing attention.

Cross-Framework Mappings

Many compliance controls overlap across different frameworks. Kevala's cross-framework mapping feature lets you define relationships between controls, reducing duplicate effort when managing multiple frameworks simultaneously.

Mapping Types

  • Equivalent : Controls that are functionally identical. Assessing one effectively assesses the other.
  • Partial : Controls that partially overlap. Assessing one provides partial coverage for the other.
  • Related : Controls that address similar topics but from different perspectives.

Creating Mappings

  1. Open a control from any framework.
  2. In the Mappings section, click + Add Mapping.
  3. Select the target framework and control, then choose the mapping type (Equivalent, Partial, or Related).
  4. Click Save. The mapping is bidirectional : it appears on both controls.

Coverage Matrix

Navigate to Compliance > Coverage Matrix for a cross-framework view showing how controls map across all your enabled frameworks. This matrix helps identify gaps where a control exists in one framework but has no equivalent in another you are also managing.

Tip: If you are managing both ISO 27001 and NCA ECC, leverage mappings extensively. Many NCA ECC controls map directly to ISO 27001 Annex A controls, meaning one assessment can satisfy both requirements.

Uploading Evidence

Evidence files support your compliance assessments with tangible proof of control implementation. Kevala provides a centralized evidence repository where files can be uploaded and linked to controls, risks, assets, and vendors.

Uploading Files

  1. Open any control, risk, or asset detail page.
  2. In the Evidence section, click + Upload Evidence.
  3. Select one or more files from your computer. Supported formats include PDF, DOCX, XLSX, PNG, JPG, CSV, and TXT.
  4. Add a description for each file explaining what it demonstrates.
  5. Click Upload. Files are stored securely and linked to the current entity.
Tip: Name evidence files descriptively (e.g., "Access_Control_Policy_v2.1_Approved_2026-01.pdf") so auditors can quickly identify documents without opening every file. Include version numbers and dates in filenames.

Evidence Linking

A single piece of evidence can support multiple entities across Kevala. For example, an access control policy PDF might serve as evidence for several compliance controls across different frameworks, and may also be relevant to specific risks and vendor assessments.

Multi-Entity Linking

Kevala supports linking evidence to four entity types:

  • Controls : Demonstrate compliance with specific requirements.
  • Risks : Provide documentation for risk treatment or acceptance decisions.
  • Assets : Attach configuration documentation, license certificates, or maintenance records.
  • Vendors : Store vendor certifications, audit reports, and contract documents.

To link existing evidence to additional entities, open the evidence file from any detail page and click Link to Additional Entity. Select the entity type and the specific item to link.

Reporting Incidents

The incident management module lets you record, track, and respond to operational, security, privacy, and compliance events. Proper incident documentation is required by most compliance frameworks and provides valuable data for improving your overall risk posture.

Creating an Incident Report

  1. Navigate to Incidents from the sidebar and click + Report Incident.
  2. Fill in the incident details:
    • Title : Brief description (e.g., "Phishing email targeting finance department").
    • Description : Detailed account of what happened, when it was detected, and the immediate actions taken.
    • Severity : Select Critical, High, Medium, or Low based on actual or potential impact.
    • Category : Choose the incident type (Data Breach, Malware, Phishing, Unauthorized Access, Denial of Service, Other).
    • Affected Assets : Link any assets involved in the incident.
    • Assigned Responder : Assign the team member responsible for investigating and resolving the incident.
  3. Click Submit to create the incident. It will be assigned a unique incident ID for tracking.
Tip: When an incident reveals a new risk, create a corresponding entry in the risk register and link it to the relevant compliance controls. This ensures your risk posture reflects real-world events.

Incident Lifecycle

Incidents progress through defined stages that align with standard incident response frameworks.

Incident Statuses

  • Open : Initial report submitted, awaiting triage and investigation.
  • Investigating : Actively being analyzed. Root cause analysis in progress.
  • Contained : Threat has been contained. Immediate impact halted. Containment actions documented.
  • Resolved : Root cause identified and remediation actions completed.
  • Closed : Post-incident review completed and lessons learned documented.

Updating Incident Status

  1. Open the incident from the incident list.
  2. Click the Status dropdown and select the new status.
  3. Add a note describing containment actions taken, root cause findings, or resolution steps.
  4. If applicable, update the Affected Records Count to document the scope of data impact.
  5. Click Update to save. SLA timers adjust automatically based on status transitions.

SLA Tracking

Kevala tracks Service Level Agreements for incident response and resolution times. Each incident displays SLA compliance status based on its severity and configured targets.

SLA Metrics

  • Response Time SLA : The maximum time from incident creation to when investigation begins (status changes from Open to Investigating).
  • Resolution Time SLA : The maximum time from incident creation to when the incident is resolved or closed.

Each incident displays a Met or Breached badge for each SLA, making it immediately visible whether response targets are being achieved.

Important: SLA targets are configured in Settings based on severity level. Typical targets: Critical incidents should be responded to within 1 hour and resolved within 24 hours. Adjust these to match your organization's incident response policy.

MTTR Dashboard

The Mean Time to Resolve (MTTR) dashboard provides aggregate metrics across all incidents, giving you visibility into your incident response program's effectiveness.

Dashboard Metrics

  • Average MTTR : The average time from incident creation to resolution, calculated across all resolved/closed incidents.
  • MTTR by Severity : Breakdown of average resolution time per severity level (Critical, High, Medium, Low).
  • Incident Distribution : Pie chart showing the proportion of incidents by severity over the selected time period.
  • SLA Compliance Rate : Percentage of incidents that met both response and resolution SLAs.
  • Trend Charts : Month-over-month MTTR trends showing whether resolution times are improving.
Tip: Use the MTTR dashboard for executive reporting. A decreasing MTTR trend demonstrates that your incident response capability is maturing. Include these metrics in board-level security reports.
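How the two SLA clocks and the MTTR figures described above fit together, as an added example rather than Kevala's own code. The Critical targets (1 hour response, 24 hours resolution) are the ones stated in the documentation; the other severity targets, the sample incidents and the "Pending" state for a clock that is still running inside its target are constructed for this example.

```python
from datetime import datetime, timedelta
from statistics import mean

# SLA targets per severity. Only the Critical row comes from the documentation;
# the other rows are constructed placeholders.
SLA_TARGETS = {
    "Critical": {"response": timedelta(hours=1), "resolution": timedelta(hours=24)},
    "High": {"response": timedelta(hours=4), "resolution": timedelta(hours=72)},
    "Medium": {"response": timedelta(hours=24), "resolution": timedelta(days=7)},
    "Low": {"response": timedelta(hours=72), "resolution": timedelta(days=30)},
}
RESPONDED = {"Investigating"}          # response clock stops on Open -> Investigating
RESOLVED = {"Resolved", "Closed"}      # resolution clock stops on Resolved or Closed


def first_transition(incident, statuses):
    """Timestamp of the first status change into any of `statuses`, else None."""
    for ts, status in incident["transitions"]:
        if status in statuses:
            return ts
    return None


def sla_badges(incident, now):
    """Met / Breached badge per SLA; Pending while a clock is still running
    inside its target. Both clocks start at incident creation."""
    targets = SLA_TARGETS[incident["severity"]]
    created = incident["created_at"]
    stops = {
        "response": first_transition(incident, RESPONDED),
        "resolution": first_transition(incident, RESOLVED),
    }
    badges = {}
    for sla, stop in stops.items():
        if stop is not None:
            badges[sla] = "Met" if stop - created <= targets[sla] else "Breached"
        elif now - created > targets[sla]:
            badges[sla] = "Breached"  # still open and already past the target
        else:
            badges[sla] = "Pending"
    return badges


def hours_to_resolve(incident):
    stop = first_transition(incident, RESOLVED)
    return None if stop is None else (stop - incident["created_at"]).total_seconds() / 3600


def mttr_dashboard(incidents, now):
    """Aggregate figures: average MTTR, MTTR by severity, SLA compliance rate."""
    resolved = [(i["severity"], hours_to_resolve(i)) for i in incidents
                if hours_to_resolve(i) is not None]
    by_severity = {}
    for severity, hours in resolved:
        by_severity.setdefault(severity, []).append(hours)
    # An incident enters the SLA compliance rate once its outcome is decided:
    # any badge Breached (cannot meet both) or both badges Met.
    decided = met = 0
    for incident in incidents:
        badges = set(sla_badges(incident, now).values())
        if "Breached" in badges:
            decided += 1
        elif badges == {"Met"}:
            decided += 1
            met += 1
    return {
        "average_mttr_hours": round(mean(h for _, h in resolved), 1) if resolved else None,
        "mttr_by_severity": {s: round(mean(v), 1) for s, v in by_severity.items()},
        "sla_compliance_rate": round(100 * met / decided, 1) if decided else None,
    }


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample incidents; transitions are (timestamp, new status).
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "severity": "Critical", "created_at": _t("2026-01-05T09:00"),
     "transitions": [(_t("2026-01-05T09:40"), "Investigating"), (_t("2026-01-05T11:00"), "Contained"),
                     (_t("2026-01-05T20:00"), "Resolved"), (_t("2026-01-07T10:00"), "Closed")]},
    {"id": "INC-2", "severity": "Critical", "created_at": _t("2026-01-10T14:00"),
     "transitions": [(_t("2026-01-10T15:30"), "Investigating"), (_t("2026-01-12T10:00"), "Resolved")]},
    {"id": "INC-3", "severity": "High", "created_at": _t("2026-01-15T08:00"),
     "transitions": [(_t("2026-01-15T09:00"), "Investigating"), (_t("2026-01-16T08:00"), "Resolved")]},
    {"id": "INC-4", "severity": "Medium", "created_at": _t("2026-01-20T10:00"),
     "transitions": []},  # still Open: 26 h in, response target (24 h) already blown
]
NOW = _t("2026-01-21T12:00")

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc["id"], sla_badges(inc, NOW))
    print(mttr_dashboard(SAMPLE_INCIDENTS, NOW))
```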

Incident-Task Linking

Kevala allows you to create remediation tasks directly from incidents, establishing a bidirectional link that is visible on both the incident and task detail pages.

Creating a Task from an Incident

  1. Open an incident from the incident list.
  2. In the Linked Tasks section, click + Create Remediation Task.
  3. The task form opens pre-populated with the incident reference. Fill in the title, description, assignee, priority, and due date.
  4. Click Save. The task appears in the Tasks module and is linked back to the originating incident.

This bidirectional linkage ensures that when viewing a task, you can trace it back to the incident that prompted it. Similarly, the incident view shows all associated remediation tasks and their completion status.

Creating Tasks

Tasks help you track remediation actions, audit follow-ups, and general to-do items. Tasks can be linked to risks, controls, or incidents and assigned to specific team members with due dates and priorities.

Creating a Task

  1. Navigate to Tasks and click + Add Task.
  2. Fill in the task details:
    • Title : Clear, actionable description of what needs to be done.
    • Description : Detailed instructions or context for the assignee.
    • Priority : Low, Medium, High, or Critical.
    • Assignee : The team member responsible for completing the task.
    • Due Date : The target completion date.
    • Linked Control : Optionally link to a compliance control.
    • Linked Incident : Optionally link to an incident for remediation tracking.
  3. Click Save. The assignee will see the task in their dashboard.

Task Lifecycle

Tasks progress through defined statuses that track their completion.

Task Statuses

  • Open : Task created but work has not yet begun.
  • In Progress : Assignee is actively working on the task.
  • Completed : Work is finished and verified.
  • Cancelled : Task is no longer needed.

Tasks that pass their due date without being completed are automatically flagged as overdue and appear prominently on the dashboard.

Tip: Use task filters to view only your own tasks, overdue items, or tasks linked to a specific framework. This keeps your workload manageable and ensures nothing slips through the cracks.

Recurring Tasks

For periodic compliance activities such as quarterly access reviews, annual policy reviews, or monthly vulnerability scans, Kevala supports recurring task scheduling.

Setting Up Recurrence

  1. Create a new task or edit an existing one.
  2. In the Recurrence section, set the interval (e.g., every 30 days, every 90 days, annually).
  3. When a recurring task is marked as Completed, Kevala automatically creates the next instance with a new due date based on the configured interval.
Tip: Use recurring tasks for all periodic compliance requirements: firewall rule reviews, backup testing, access recertification, policy reviews, and business continuity exercises. This ensures nothing is forgotten.

Adding Policies

The policy module maintains a centralized library of your organization's security and compliance policies. Each policy can be linked to the compliance controls it satisfies, creating a direct mapping between documented procedures and regulatory requirements.

Creating a Policy

  1. Navigate to Policies from the sidebar and click + Add Policy.
  2. Enter the policy details:
    • Title : The official policy name (e.g., "Information Security Policy").
    • Content : The full policy text. Supports rich text formatting.
    • Category : Group by area (Access Control, Data Protection, Incident Response, etc.).
    • Owner : The person responsible for maintaining the policy.
    • Review Date : The next scheduled review date.
  3. Link the policy to relevant compliance controls.
  4. Click Save to add the policy. It is created in Draft status by default.

Policy Versioning

Every time a policy is edited, Kevala automatically creates a version history entry. This provides a complete audit trail of how your policies have evolved over time.

How Versioning Works

  • Each version records the author, date, and a change summary describing what was modified.
  • You can view any previous version by clicking its entry in the version history table.
  • Version history cannot be deleted, ensuring a tamper-proof audit trail.
  • When editing a policy, you will be prompted to enter a brief change summary before saving.

Policy Acknowledgment

Kevala tracks which users have acknowledged (read and accepted) each policy. This is essential for demonstrating compliance with employee awareness requirements.

Acknowledgment Tracking

  • Each policy displays a compliance rate showing the percentage of required users who have acknowledged it.
  • Progress bars provide a visual indicator of acknowledgment completion.
  • Administrators can view which specific users have or have not acknowledged a policy.
  • Users receive a notification when a new or updated policy requires their acknowledgment.

Policy Approval

Policies in Kevala follow an approval workflow. When a policy is submitted for approval and subsequently approved, Kevala automatically transitions its status.

Approval Workflow

  1. Create or edit a policy. It starts in Draft status.
  2. When ready, change the status to Under Review to submit it for approval.
  3. The designated approver reviews the policy content.
  4. When the approver clicks Approve, the policy status automatically transitions to Approved. This auto-transition ensures the policy is immediately active and visible to all users for acknowledgment.
Tip: Set review dates for all policies and use the recurring task system to schedule annual reviews. Most compliance frameworks require periodic policy reviews. Kevala flags policies nearing their review date on the dashboard.

Adding Vendors

Third-party risk management is a key component of compliance. The vendor module helps you track third-party relationships, assess their security posture, and ensure they meet your requirements.

Creating a Vendor Record

  1. Navigate to Vendors and click + Add Vendor.
  2. Enter vendor information:
    • Name : Company or service provider name.
    • Category : What the vendor provides (Cloud Hosting, SaaS, Consulting, Hardware, Managed Services, etc.).
    • Criticality : How critical this vendor is to your operations (Low, Medium, High, Critical).
    • Status : Active, Under Review, Suspended, or Terminated.
    • Data Access Level : What level of access the vendor has to your data (None, Limited, Full).
    • Contact Info : Primary contact person, email, and phone number.
    • Contract Start / End Dates : The contract period for tracking expirations.
  3. Click Save to add the vendor to your registry.
Important: Compliance frameworks require regular assessment of third-party vendors. High-criticality vendors handling sensitive data should be assessed at least annually. Use contract end dates to track upcoming renewals.

Vendor Assessments

Vendor assessments allow you to evaluate and score each vendor's security posture on a regular basis.

Conducting an Assessment

  1. Open a vendor record and click + New Assessment.
  2. Score the vendor from 1 (Poor) to 5 (Excellent) across relevant security dimensions.
  3. Add detailed Assessment Notes documenting findings, gaps, and recommendations.
  4. Set the Next Review Date to schedule the follow-up assessment.
  5. Upload any supporting evidence (vendor SOC 2 reports, ISO certificates, penetration test results).
  6. Click Save Assessment. The vendor's overall risk score updates to reflect the latest assessment.

Vendor Self-Service Portal

Kevala includes a vendor self-service portal that allows vendors to complete security questionnaires externally, without needing a Kevala account.

Setting Up the Portal

  1. Open a vendor record and click Generate Portal Link.
  2. Select the questionnaire template to use:
    • Security Questionnaire : Covers access control, encryption, incident response, vulnerability management.
    • Privacy Questionnaire : Covers data handling, retention, consent, cross-border transfers.
    • General Questionnaire : Covers organizational controls, business continuity, compliance certifications.
  3. A unique token-based URL is generated. Share this URL with the vendor's security contact.
  4. The vendor accesses the portal without needing to log in, completes the questionnaire, and submits their responses.
  5. Submitted responses appear in Kevala under the vendor's assessment history for your review.
Tip: The vendor portal URL is secured with a unique token. Each link works for a single vendor and can be regenerated if needed. Vendors do not have access to any other data in your Kevala instance.

Vendor Risk Report

The vendor risk report provides an executive-level summary of your third-party risk landscape.

Report Contents

  • Criticality Distribution : Breakdown of vendors by criticality level (Critical, High, Medium, Low).
  • Expiring Contracts : List of vendors with contracts expiring within the next 90 days, requiring renewal action.
  • Overdue Assessments : Vendors whose assessment review date has passed without a new assessment.
  • Risk Score Overview : Average and distribution of vendor risk scores across your portfolio.

Exporting the Report

  1. Navigate to Reports > Vendor Risk Summary.
  2. Review the report on screen or click Export CSV to download the data.

Business Processes

The BCM module starts with identifying and documenting your critical business processes. Each process record captures recovery objectives and dependencies.

Defining a Business Process

  1. Navigate to BCM from the sidebar.
  2. Click + Add Process and enter:
    • Process Name : Clear, descriptive name (e.g., "Customer Order Processing").
    • Owner : The person or department responsible.
    • RTO (Recovery Time Objective) : Maximum acceptable downtime (e.g., 4 hours).
    • RPO (Recovery Point Objective) : Maximum acceptable data loss (e.g., 1 hour).
    • MTPD (Maximum Tolerable Period of Disruption) : The absolute limit before business survival is threatened.
  3. Click Save to add the process to your BCM register.

Continuity Plans

Each critical business process should have an associated continuity plan documenting how to maintain or restore operations during a disruption.

Creating a Continuity Plan

  1. From the BCM module, click + Add Plan.
  2. Link the plan to one or more business processes.
  3. Select the Plan Type (Business Continuity Plan, Disaster Recovery Plan, Crisis Management Plan, etc.).
  4. Document the Activation Procedures : the conditions under which this plan is activated and who has authority to activate it.
  5. Detail the recovery steps, roles and responsibilities, communication procedures, and resource requirements.
  6. Click Save.

BCM Exercises

Regular exercises validate that your continuity plans work in practice. Kevala helps you schedule, record, and track exercise results.

Recording an Exercise

  1. From the BCM module, click + Schedule Exercise.
  2. Select the exercise type (Tabletop, Walkthrough, Simulation, Full Test).
  3. Link the exercise to one or more continuity plans.
  4. After conducting the exercise, record the Findings, including what worked well, what failed, and what needs improvement.
  5. Create follow-up tasks for any identified improvements.

Gap Analysis

The BCM gap analysis identifies critical business processes that lack continuity plans, providing a prioritized view of where your BCM program needs attention.

Running a Gap Analysis

  1. Navigate to BCM > Gap Analysis.
  2. Kevala automatically scans your business processes and identifies those without linked continuity plans.
  3. Review the Coverage Assessment showing the percentage of critical processes that are covered by plans.
  4. Review the Prioritized Action Items list, which ranks uncovered processes by criticality (RTO/RPO targets) to help you address the most critical gaps first.
  5. Click Create Plan next to any uncovered process to start building its continuity plan directly from the gap analysis view.
Tip: Run gap analysis after each BCM review cycle to track coverage improvement. Aim for 100% plan coverage of all critical and high-priority business processes.

Risk Summary Report

The risk summary report provides a comprehensive view of your risk register for management review and audit purposes.

Report Contents

  • Risk Distribution by Severity : Breakdown of open risks across Critical, High, Medium, and Low categories.
  • Risk Distribution by Status : Counts of Open, Mitigated, Closed, and Accepted risks.
  • Risk Register Table : Complete listing with title, category, owner, likelihood, impact, score, and status.
  • Trend Analysis : How the risk landscape has changed over the reporting period.

Exporting

Click Export CSV for spreadsheet analysis or Export PDF for a formatted report suitable for management distribution.

Asset Summary Report

The asset summary report provides an inventory overview organized by type, status, and criticality rating.

Report Contents

  • Asset Inventory by Type : Distribution across Servers, Workstations, Network Devices, Applications, etc.
  • Asset Inventory by Status : Active, Inactive, Decommissioned, Under Maintenance counts.
  • Criticality Distribution : Breakdown of assets by criticality rating (1-5).
  • Asset Register Table : Complete listing with name, type, IP, owner, criticality, and status.

Compliance Summary Report

The compliance summary report breaks down your compliance posture per framework, ideal for audit preparation and management reporting.

Report Contents

  • Per-Framework Breakdown : Compliance percentage, total controls, compliant count, partially compliant count, non-compliant count, and not assessed count for each enabled framework.
  • Non-Compliant Control Listing : Detailed list of all Non-Compliant and Not Assessed controls across all frameworks, with owner and due date.
  • Gap Summary : Prioritized view of the most significant compliance gaps.

Exporting

Click Export CSV for detailed data analysis or Export PDF for a formatted compliance report.

Vendor Risk Summary

The vendor risk summary provides an executive view of your third-party risk exposure.

Report Contents

  • Vendor Distribution : Breakdown by criticality level and status.
  • Expiring Contracts : Vendors with contracts expiring within 30, 60, and 90 days.
  • Risk Scores : Assessment scores across all vendors with trend indicators.
  • Overdue Assessments : Vendors past their scheduled review date.

Exporting

Click Export CSV to download the full vendor risk data for external analysis or board reporting.

Executive Summary

The executive summary provides a cross-module overview designed for board-level reporting. It consolidates the most important metrics from risk, compliance, incidents, and vendor management into a single page.

Report Contents

  • Overall Risk Posture : Summary of open risks by severity with trend direction.
  • Compliance Overview : Headline compliance percentages per framework.
  • Incident Summary : Active incidents, MTTR metrics, SLA compliance rate.
  • Key Action Items : Critical and overdue tasks requiring management attention.

Audit Log

The audit log records every significant action performed in Kevala, providing a complete activity trail for compliance and forensic purposes.

Viewing the Audit Log

  1. Navigate to Audit Log from the sidebar (admin access required).
  2. Use the filters to narrow results:
    • Action : Filter by action type (Create, Update, Delete, Login, Export).
    • Entity Type : Filter by module (Risk, Asset, Control, Incident, User, etc.).
    • Date Range : Specify start and end dates to focus on a specific period.
    • User : Filter by the user who performed the action.
  3. Each log entry shows the timestamp, user, action, entity type, entity ID, and a description of what changed.

Exporting the Audit Log

  1. Apply the desired filters (especially date range) to scope the export.
  2. Click Export CSV to download the filtered audit log as a spreadsheet.
Tip: Export the audit log before compliance audits to provide auditors with evidence of your GRC activities. Filter by date range to match the audit period and export the results as CSV.

User Management

Kevala supports multiple user accounts with role-based access control. Administrators can create and manage user accounts, assign roles, and control who has access to sensitive GRC data.

Creating a New User

  1. Navigate to Settings > Users (admin access required).
  2. Click + Add User.
  3. Enter the user's details:
    • Username : A unique login identifier.
    • Full Name : The user's display name.
    • Email : Email address for notifications.
    • Role : Select the appropriate role (see the User Roles list below).
    • Password : Set an initial password. The user should change it on first login.
  4. Click Save to create the account.

User Roles

  • Admin : Full access to all features including user management, settings, LDAP configuration, framework management, and system administration.
  • Auditor : Read-only access to all modules. Can view risks, assets, compliance, reports, and audit logs but cannot modify data.
  • Analyst : Full access to risks, assets, compliance, and reports. Can create and edit items but cannot manage users or system settings.
  • Manager : Access to risks, compliance, tasks, and reports. Can approve policies and accept risks. Cannot modify system settings.
  • Viewer : Read-only access to dashboards, reports, and high-level summaries. No access to detailed records.
  • Operator : Access to incidents, tasks, and asset management. Designed for operational security team members.

Managing Users

  • Toggle Active Status : Disable a user account without deleting it. The user cannot log in while inactive, but all their historical data and assignments are preserved.
  • Edit User : Change a user's name, email, role, or password from the user list.
  • Delete User : Permanently remove a user account. This action cannot be undone.
Important: Always maintain at least one local admin account as a fallback, even if you are using LDAP authentication. This ensures you can always access the system if the directory server becomes unavailable.

LDAP Configuration

Kevala supports hybrid LDAP/local authentication. When LDAP is configured, users can log in with their directory credentials. LDAP users are automatically created in Kevala on their first login.

Setting Up LDAP

  1. Navigate to Settings > LDAP (admin access required).
  2. Enable LDAP authentication by toggling the switch to On.
  3. Configure the connection settings:
    • Server URL : Your LDAP server address (e.g., ldap://dc01.example.com or ldaps://dc01.example.com).
    • Port : Default 389 for LDAP or 636 for LDAPS.
    • Base DN : The search base for user lookups (e.g., dc=example,dc=com).
    • Bind DN : The distinguished name of the service account (e.g., cn=svc-kevala,ou=service-accounts,dc=example,dc=com).
    • Bind Password : The password for the bind account.
  4. Configure Attribute Mapping to map LDAP attributes to Kevala user fields (username, email, full name).
  5. Click Test Connection to verify the settings.
  6. If the test succeeds, click Save to activate LDAP authentication.

How LDAP Login Works

  • When a user logs in, Kevala first checks if the account exists locally. Local accounts always authenticate against the local database.
  • If no local account exists, Kevala attempts LDAP authentication.
  • On successful LDAP authentication, a local user record is created with auth_source=ldap.
  • LDAP group membership is checked on each login to keep roles synchronized.
  • The local admin account always works as a fallback, regardless of LDAP configuration.
Tip: Use LDAPS (LDAP over SSL) for production deployments to encrypt credentials in transit. The bind account should have read-only access to the directory.
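The hybrid login order described above, as an added example that is not Kevala's own code: a local account is checked only against the local database (a wrong password never falls through to the directory), an unknown user is tried against LDAP and provisioned with auth_source=ldap on first success, and the role is re-derived from group membership on every login. The in-memory user store, the fake directory standing in for the LDAP server, the group DNs and the group-to-role mapping are constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Directory group -> Kevala role. Role names are from the User Roles list;
# the group DNs are constructed placeholders for this example.
GROUP_ROLE_MAP = {
    "cn=grc-admins,ou=groups,dc=example,dc=com": "Admin",
    "cn=grc-analysts,ou=groups,dc=example,dc=com": "Analyst",
    "cn=grc-auditors,ou=groups,dc=example,dc=com": "Auditor",
}
DEFAULT_LDAP_ROLE = "Viewer"  # assumed role for LDAP users in no mapped group


@dataclass
class User:
    username: str
    role: str
    auth_source: str  # "local" or "ldap"
    salt: bytes = b""
    pw_hash: bytes = b""


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """In-memory stand-in for the local user table."""

    def __init__(self):
        self.users = {}

    def add_local(self, username, password, role):
        salt = os.urandom(16)
        self.users[username] = User(username, role, "local", salt, _pbkdf2(password, salt))


class FakeDirectory:
    """Stand-in for the LDAP server: bind check plus group lookup.
    A real deployment binds over LDAPS with the configured Bind DN."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> (password, [group DNs])

    def bind(self, username, password):
        entry = self.accounts.get(username)
        return entry is not None and hmac.compare_digest(entry[0].encode(), password.encode())

    def groups_of(self, username):
        return self.accounts[username][1]


def role_from_groups(groups):
    """Most privileged mapped role wins; unmapped users get the default role."""
    roles = {GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP}
    return next((r for r in ("Admin", "Analyst", "Auditor") if r in roles), DEFAULT_LDAP_ROLE)


def authenticate(store, directory, username, password):
    """Return the authenticated User, or None. `directory` may be None to
    simulate an unreachable LDAP server."""
    user = store.users.get(username)
    if user is not None and user.auth_source == "local":
        # Local accounts authenticate only locally; a bad password stops here.
        ok = hmac.compare_digest(_pbkdf2(password, user.salt), user.pw_hash)
        return user if ok else None
    if directory is None or not directory.bind(username, password):
        return None
    role = role_from_groups(directory.groups_of(username))
    if user is None:
        user = User(username, role, "ldap")  # provisioned on first login
        store.users[username] = user
    else:
        user.role = role  # LDAP-backed record: role re-synced from groups
    return user


def demo():
    """Constructed setup: one local admin and a directory that also knows an
    'admin' entry, to show that the local record still takes precedence."""
    store = UserStore()
    store.add_local("admin", "local-admin-secret", "Admin")
    directory = FakeDirectory({
        "admin": ("directory-admin-secret", ["cn=grc-admins,ou=groups,dc=example,dc=com"]),
        "jdoe": ("jdoe-secret", ["cn=grc-analysts,ou=groups,dc=example,dc=com"]),
    })
    return store, directory


if __name__ == "__main__":
    store, directory = demo()
    print(authenticate(store, directory, "admin", "local-admin-secret"))
    print(authenticate(store, directory, "admin", "directory-admin-secret"))  # None
    print(authenticate(store, directory, "jdoe", "jdoe-secret"))
    print(authenticate(store, None, "admin", "local-admin-secret"))  # fallback still works
```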

Settings & Integrations

The Settings area lets administrators configure system-wide options, manage frameworks, set up email notifications, and maintain the organization profile.

Organization Profile

  1. Navigate to Settings > Organization.
  2. Update your organization name, country, market segment, and contact information. These details appear on exported reports.
  3. Click Save to update the profile.

Framework Management

  1. Navigate to Settings > Framework Management.
  2. Toggle frameworks on or off using the switches. Enabled frameworks appear in the Compliance module.
  3. Use the Seed Controls button to populate a framework with its full control set (e.g., ISO 27001:2022 Annex A).
  4. Changes take effect immediately. Disabling a framework preserves all assessment data.

Email / SMTP Configuration

  1. Navigate to Settings > Notifications.
  2. Configure SMTP server settings: server hostname, port (587 TLS / 465 SSL), username, password, and from address.
  3. Click Send Test Email to verify the configuration.
  4. Click Save to activate email notifications.

License Management

The Community edition requires no license. For Professional and Enterprise editions, navigate to Settings > License and enter the license key provided by your account manager. The license unlocks additional features based on your subscription tier.

AI Assistant Configuration

Configure the AI assistant under Settings > AI Assistant. Set the API key, select the model, and configure which analysis features are enabled. See the AI Assistant section below for details on available capabilities.

Tip: After making changes to settings, especially SMTP and network configurations, always use the Test buttons to verify everything works before saving.

AI-Powered Analysis

Kevala includes an AI assistant that provides intelligent analysis and recommendations across your GRC program. The assistant can analyze risks, identify compliance gaps, recommend controls, and suggest technology requirements.

Available AI Capabilities

  • Risk Analysis : Provide a risk description and the AI will suggest appropriate likelihood/impact scoring, identify related risks in your register, and recommend mitigation strategies.
  • Compliance Gap Analysis : The AI reviews your current control assessments and identifies the most critical gaps, prioritized by risk impact and effort required.
  • Control Recommendations : Based on your risk profile and industry, the AI suggests specific controls and policies to implement.
  • Technology Requirements : The AI analyzes your compliance requirements and recommends tools, technologies, and configurations needed to achieve compliance.

Using the AI Assistant

  1. Click the AI Assistant icon in the navigation bar or sidebar.
  2. Select the analysis type from the available options.
  3. Provide context or a specific question. The more detail you provide, the more relevant the analysis.
  4. Review the AI's response. Recommendations include actionable steps you can implement directly in Kevala.
Important: AI recommendations are advisory and should always be reviewed by a qualified professional before implementation. The AI provides suggestions based on best practices and your data, but human judgment is essential for final decisions.

Structured AI Output

Kevala's AI assistant returns structured JSON output that is rendered as rich, interactive content rather than plain text. This makes AI analysis results easier to read, compare, and act upon.

Output Components

  • Summary Tables : Key findings are presented in sortable tables with columns for metric name, current value, trend direction, and recommended action. Tables make it easy to scan results at a glance.
  • Status Badges : Color-coded badges indicate severity levels, compliance statuses, and priority rankings. Green for healthy/compliant, amber for attention needed, red for critical gaps.
  • Trend Indicators : Arrow icons show whether metrics are improving, stable, or declining compared to previous analysis periods.
  • Actionable Recommendations : Each recommendation includes a priority level, estimated effort, and a direct link to the relevant entity in Kevala (risk, control, or asset) so you can take action immediately.
Tip: Structured AI output is designed for inclusion in management reports. The tables and badges render cleanly when exported, making it easy to share AI-driven insights with stakeholders who do not have direct access to Kevala.

Historical Trend Analysis

The AI assistant can analyze your GRC data over time, identifying trends and patterns that may not be obvious from point-in-time snapshots. Historical trend analysis leverages your risk score history, compliance assessment changes, and incident data to provide forward-looking insights.

What the AI Analyzes

  • Risk Score Trends : Identifies risks that are trending upward (worsening) or downward (improving) and flags risks whose scores have been static for an extended period, suggesting they may not be actively managed.
  • Compliance Trajectory : Projects your compliance percentage forward based on current assessment velocity. Estimates when you will reach target compliance levels if the current pace continues.
  • Incident Patterns : Detects recurring incident types, seasonal patterns, and correlations between incidents and specific asset categories or risk domains.
  • Remediation Effectiveness : Evaluates whether implemented controls are actually reducing residual risk scores over time, highlighting controls that may need reinforcement.

Running a Trend Analysis

  1. Open the AI Assistant and select Trend Analysis.
  2. Select the scope: all data, a specific framework, or a specific risk category.
  3. Review the trend report, which includes tables of improving and deteriorating metrics, along with specific recommendations for areas needing attention.

Tip: Run trend analysis monthly or before management review meetings. The AI can surface insights that would take hours of manual data analysis, such as a slowly increasing risk in a non-obvious area.

Control Implementation Guidance

The AI assistant provides enriched implementation guidance for compliance controls, going beyond the standard control description to offer practical, context-aware advice for your specific environment.

Guidance Components

  • Implementation Steps : A sequenced list of specific actions to achieve compliance with the control, tailored to your organization's size and industry.
  • Evidence Requirements : What auditors typically expect to see as evidence for this control, including document types, configuration screenshots, and process artifacts.
  • Common Pitfalls : Mistakes organizations frequently make when implementing the control, and how to avoid them.
  • Tool Recommendations : Specific technologies, configurations, or open-source tools that can help satisfy the control requirement.
  • Effort Estimate : Approximate time and resource commitment needed, categorized as Quick Win, Moderate Effort, or Significant Investment.

Accessing Implementation Guidance

  1. Navigate to any compliance control within a framework.
  2. Click the AI Guidance button on the control detail page.
  3. Review the structured guidance, which includes implementation steps, evidence requirements, and tool recommendations presented in an easy-to-follow format.

Tip: Use implementation guidance when planning your compliance roadmap. The effort estimates help you sequence controls by complexity, and the evidence requirements ensure you collect the right artifacts from the start rather than scrambling before an audit.

Tier Restrictions

AI features are available based on your Kevala license tier.

Feature                            Community    Professional    Enterprise
Risk Analysis                      Available    Available       Available
Compliance Gap Analysis            Locked       Available       Available
Control Recommendations            Locked       Available       Available
Technology Requirements            Locked       Available       Available
Structured AI Output               Available    Available       Available
Historical Trend Analysis          Locked       Available       Available
Control Implementation Guidance    Locked       Available       Available

Tip: Community tier users can still use AI-powered risk analysis to get intelligent scoring suggestions and mitigation recommendations. Upgrade to Professional to unlock the full AI feature set including compliance gap analysis and control recommendations.

API Reference

Kevala provides a REST API for integration with other tools:

# Get all risks
GET /api/risks

# Get dashboard stats
GET /api/stats/dashboard

# Get compliance frameworks
GET /api/compliance/frameworks

# Get controls for a framework
GET /api/compliance/frameworks/<id>/controls

Systemd Service

The Kevala virtual appliance comes pre-configured with automatic startup. No manual systemd configuration is required.

Auto-Start Behavior

  • The Kevala service starts automatically when the VM boots
  • The service is configured to restart automatically if it encounters an error

Checking Service Status

sudo systemctl status kevala-lite

Viewing Logs

sudo journalctl -u kevala-lite -f

Troubleshooting

Control Mapping Returns No Suggestions

  • Ensure the asset has a type, CIA ratings, and data classification set
  • Verify that compliance frameworks with controls have been loaded
  • Check that the asset type matches one of the supported categories

Compliance Score Not Updating

  • Verify that controls have been mapped to assets
  • Check that control statuses are set correctly
  • Formula: (Compliant + Partial × 0.5) / (Total - Not Applicable) × 100
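As an added example (not Kevala's own code), the script below reads a framework's control statuses from the documented GET /api/compliance/frameworks/<id>/controls endpoint, computes the score with the formula above, and projects the compliance trajectory described under Historical Trend Analysis from a few past scores. The status strings, the bearer-token header and the JSON response shape are assumptions.

```python
"""Added example, not Kevala's own code: score a framework's controls with
the documented formula and project the compliance trajectory."""
import json
import urllib.request
from datetime import date
from typing import Iterable, Optional

# The page names these states but not the exact strings the API returns;
# these values are assumptions. Adjust them to match your instance.
COMPLIANT = "Compliant"
PARTIAL = "Partial"
NOT_APPLICABLE = "Not Applicable"


def compliance_score(statuses: Iterable[str]) -> Optional[float]:
    """(Compliant + Partial * 0.5) / (Total - Not Applicable) * 100.
    Returns None when every control is Not Applicable: the denominator
    is zero and there is nothing to score."""
    statuses = list(statuses)
    applicable = len(statuses) - statuses.count(NOT_APPLICABLE)
    if applicable == 0:
        return None
    credit = sum(1.0 if s == COMPLIANT else 0.5 if s == PARTIAL else 0.0
                 for s in statuses)
    return round(credit / applicable * 100, 2)


def fetch_statuses(base_url: str, framework_id: int, token: str) -> list[str]:
    """Read control statuses from GET /api/compliance/frameworks/<id>/controls.
    The bearer-token header and the response shape (a JSON list of objects
    with a "status" key) are assumptions, not documented behaviour."""
    req = urllib.request.Request(
        f"{base_url}/api/compliance/frameworks/{framework_id}/controls",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return [c["status"] for c in json.load(resp)]


def days_to_target(history: list[tuple[str, float]], target: float) -> Optional[int]:
    """Linear projection of the compliance trajectory. `history` holds
    (ISO date, score) samples in chronological order. Returns 0 if the target
    is already met, None if the pace is flat or negative, otherwise the whole
    days after the last sample until the target is reached."""
    d0, s0 = date.fromisoformat(history[0][0]), history[0][1]
    d1, s1 = date.fromisoformat(history[-1][0]), history[-1][1]
    if s1 >= target:
        return 0
    span = (d1 - d0).days
    if span <= 0 or s1 <= s0:
        return None
    velocity = (s1 - s0) / span                 # percentage points per day
    return int(-(-(target - s1) // velocity))   # ceiling division


if __name__ == "__main__":
    # Constructed sample: 10 controls, two of them Not Applicable.
    sample = [COMPLIANT] * 5 + [PARTIAL] * 2 + ["Non-Compliant"] + [NOT_APPLICABLE] * 2
    print(compliance_score(sample))                                              # 75.0
    print(days_to_target([("2025-01-01", 60.0), ("2025-03-02", 75.0)], 90.0))    # 60
```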

AI Engine Not Responding

  • Verify Ollama is running: curl http://localhost:11434/api/tags
  • Check the model is installed: ollama list
  • Ensure AI is enabled in Settings > AI Settings

Cannot Access Web Interface

  • Verify the service is running: sudo systemctl status kevala-lite
  • Check firewall allows port 5000
  • Try accessing from the VM itself: curl -k https://localhost

In-App Updates

Apply signed update packages directly from the app at Settings > Updates, the supported way to upgrade your appliance without SSH or scripts. Admin-only.

Applying an Update

  1. Download the update tarball (.tar.gz or .tgz) for your installed version.
  2. On the Updates page, upload the tarball. Kevala verifies the cryptographic signature against the embedded release-signing public key and confirms the package's from version matches what you have installed.
  3. If validation passes, the update is staged and a sentinel file is written. A systemd path-unit triggers the applier, which stops the service, swaps in the new files, backs up the database, and restarts the service. The flow typically completes in a few seconds.
  4. The page polls update status and shows whether the update committed successfully or rolled back. Every update is recorded in the audit log.

Safety Guarantees

  • Cryptographic signing : tarballs without a valid Ed25519 signature are rejected before staging. The release-signing public key is embedded in the application.
  • Operator state protection : tarballs that touch instance/ (database, certificates, license) are rejected. Updates only ever modify application code.
  • Automatic database backup : a fresh SQLite copy is taken before files are swapped.
  • Automatic rollback : if the post-swap smoke test fails, the previous version is restored.
  • Cancellable : pending updates can be cancelled from the Updates page before the service restarts.

Tip: Some updates may require a host reboot. Kevala flags this on the Updates page when applicable so you can schedule maintenance windows accordingly.
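As an added example (not Kevala's own code), here are the two staging-time checks described above written out: the from-version gate and the rule that a package must never touch instance/. The manifest.json file carrying a from_version key is an assumption, and Ed25519 signature verification is assumed to have already passed before these checks run.

```python
"""Added example, not Kevala's own code: the staging checks described above,
the from-version gate and the rule that no package may touch instance/.
Ed25519 signature verification is assumed to run first and is not shown."""
import io
import json
import tarfile

PROTECTED = "instance"   # database, certificates and license live under instance/


def package_problems(tar_bytes: bytes, installed_version: str) -> list[str]:
    """Return every reason to reject the package; an empty list means stage it.
    A top-level manifest.json carrying "from_version" is an assumption."""
    problems: list[str] = []
    try:
        tar = tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz")
    except tarfile.TarError as exc:
        return [f"not a readable tar.gz: {exc}"]
    with tar:
        for m in tar.getmembers():
            # treat "./instance/x" and "instance/x" alike
            parts = m.name.split("/")
            if parts and parts[0] == ".":
                parts = parts[1:]
            if m.name.startswith("/") or ".." in parts:
                problems.append(f"unsafe path: {m.name}")
            if parts and parts[0] == PROTECTED:
                problems.append(f"touches operator state: {m.name}")
            if m.issym() or m.islnk():
                # a link could alias instance/ under another name
                problems.append(f"link not allowed: {m.name} -> {m.linkname}")
        manifest = _read_manifest(tar)
        if manifest is None:
            problems.append("missing or invalid manifest.json")
        elif manifest.get("from_version") != installed_version:
            problems.append(f"from_version {manifest.get('from_version')!r} "
                            f"does not match installed {installed_version!r}")
    return problems


def _read_manifest(tar: tarfile.TarFile) -> "dict | None":
    for name in ("manifest.json", "./manifest.json"):
        try:
            f = tar.extractfile(name)
        except KeyError:
            continue
        if f is None:
            return None
        try:
            return json.load(f)
        except ValueError:
            return None
    return None


def build_package(files: dict[str, bytes]) -> bytes:
    """Constructed fixture: pack {path: content} into an in-memory tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A clean package yields an empty list, while one whose manifest names a different version or that carries an instance/ entry is rejected with one reason per violation.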

Languages & RTL Support

Kevala ships with full English and Arabic interfaces. Arabic is rendered right-to-left throughout: navigation, forms, tables, charts, and the AI Assistant output all flip layout direction when the language is switched.

Switching Language

  1. Click the language selector in the top bar (globe icon).
  2. Choose English or العربية. The choice persists across sessions for your user account.
  3. The page reloads in the chosen direction. Subsequent navigation continues in the chosen language.

Coverage

  • Interface : every page, menu, button, label, validation message, and notification template is translated.
  • Reports : exported PDF and CSV reports honor the user's language.
  • Help Center : the in-app help center is fully translated with the same content in both languages.
  • AI Assistant output : when the language is set to Arabic, the AI Assistant generates responses in Arabic.
  • Data : user-entered data (risk titles, asset names, policies) is stored as-typed in any language; the application does not translate user content.

RTL Layout

Arabic mode flips the entire layout: the sidebar moves to the right, tables order right-to-left, form labels align right, and charts mirror their axes. Bilingual mixed content (e.g. an Arabic risk title with English vendor names) renders correctly thanks to bidirectional text support.

Tip: Language is a per-user preference, so different users can work in different languages simultaneously against the same database.

Governance: Objectives, Initiatives, and Projects

The Governance module provides a three-level hierarchy to plan and track strategic GRC work, tying high-level outcomes back to the risk register and framework controls that move when the work ships.

The Hierarchy

  1. Objectives: high-level outcomes (e.g. "Achieve NCA ECC certification"). Each carries a status (draft, active, completed, archived), a priority, a target date, and an optional KPI metric, target, and current value that drive a progress bar.
  2. Initiatives: programs of work that roll up to an objective. Track status, start and end dates, budget, and progress percentage. An initiative can be linked to one or more compliance frameworks so it surfaces on those framework views.
  3. Projects: concrete deliverables under an initiative. Each project links to specific risks and controls, so progress on a project shows up as movement against the risk register and the framework score.

Workflow

  1. Create an Objective from Governance > New Objective. Set a KPI if you want a measurable target.
  2. Add one or more Initiatives under the objective. Link the relevant frameworks so the initiative shows up on those framework views.
  3. Add Projects under each initiative. Link the risks it mitigates and the controls it implements. This is what makes the module trace back to the rest of the GRC data.

The Governance landing page rolls up status counts and KPI progress across all objectives, so leadership can see strategic posture at a glance without drilling into individual risks or controls.

EU AI Act Compliance

The EU AI Act module helps you inventory the AI systems your organization uses or provides, classify them under Article 6 of the AI Act, and track the obligations that apply to each. Professional and Enterprise tier.

The module appears in the sidebar only when the EU AI Act framework is enabled (Settings > Frameworks).

Adding an AI System

  1. Go to EU AI Act in the sidebar and click Classify.
  2. Enter the system name, an optional description and intended purpose, and whether you are the Provider (you build it) or Deployer (you use it).
  3. Select a risk category: Prohibited, High-risk, Limited-risk, or Minimal-risk.
  4. For high-risk systems, pick the relevant Annex III category (employment, education, law enforcement, critical infrastructure, etc.).
  5. Indicate whether the system is a General-Purpose AI (GPAI) model and whether it carries systemic risk.
  6. Submit. Kevala creates the system record and automatically attaches the EU AI Act controls that apply to your classification.

Per-System Compliance Report

Each AI system has its own view page that lists every applicable obligation grouped by domain: Risk Management, Data Governance, Technical Documentation, Transparency, Human Oversight, and others. Statuses on the underlying controls drive the system's compliance posture, and updating a control's status from the EU AI Act framework view reflects automatically on every system that obligation applies to.

Tip: Start with a complete inventory before classifying. Many organizations underestimate the AI footprint: vendor-embedded models, in-house analytics, and third-party SaaS features all count.

Approval Workflows

Sensitive actions can be gated behind an approval workflow so that no single user can quietly delete records or accept high-severity risks. Professional and Enterprise tier.

Gated Actions

Action                                                  When Approval is Required
Delete a risk, control, vendor, incident, or policy     Always
Accept or close a high-score risk                       Score ≥ 15
Downgrade a previously high-score risk                  Old score ≥ 15
Close or resolve an incident                            Always

The Approval Flow

  1. When you attempt a gated action, a popup appears asking you to nominate an approver and add optional comments.
  2. The approver receives an in-app notification (and email if SMTP is configured). They can approve or reject from the notifications bell or the dedicated Approvals page in the sidebar.
  3. Once approved, retry the original action. It will now proceed and is recorded in the audit log with the approver's identity.
  4. If rejected, the action is blocked and the requester is notified with the rejection comment.

Every approval request and decision is captured in the audit log, providing an immutable trail of who approved what and when.

Scheduled Reports

Schedule any standard report to be generated and emailed on a recurring cadence so stakeholders receive consistent updates without manual export work. Admin-only, Professional tier or higher.

Manage schedules from Settings > Scheduled Reports.

What Can Be Scheduled

  • Risk Summary: risk register snapshot with scoring and status breakdown
  • Asset Summary: asset inventory grouped by type and criticality
  • Compliance Summary: framework scores across all enabled frameworks
  • Executive Summary: combined high-level snapshot for leadership review

Cadence Options

  • Daily at a chosen hour
  • Weekly on a chosen day-of-week and hour
  • Monthly on a chosen day-of-month and hour

Delivery & Run History

Pick one or more user recipients per schedule. Toggle Include PDF attachment if you want the report file alongside the inline email summary. The schedules index page shows the last run timestamp and result (success, error, pending) for each entry; failures display the underlying error so you can fix SMTP or template issues quickly.

Tip: Email delivery requires SMTP configured in Settings > Email. Test the SMTP connection before creating schedules to avoid silent failures.

Notification Preferences

Kevala emits notifications for events across User Management, Risk, Compliance, Tasks, Incidents, Approvals, Vendors, Policies, and Evidence modules. Each category exposes fine-grained toggles so users can opt in or out of individual event types.

Where to Configure

  • Per-user preferences : every user can tailor their own notification preferences from Profile > Notification Preferences.
  • Global defaults : admins configure system-wide defaults from Settings > Notifications, which apply to new users and to any users who haven't customized their preferences.

Delivery Channels

  • In-app : the bell icon in the top bar shows unread notifications. No SMTP required.
  • Email : optional per-event; requires SMTP configuration in Settings > Email.

Example Events

  • Risk assigned to you, or your assigned risk changes status
  • Compliance control fails its assessment cadence
  • Task due date approaching or overdue
  • Incident reported in a category you own
  • Approval request awaiting your decision
  • Vendor assessment expiring
  • Policy due for re-acknowledgment
  • Evidence document expiring

Custom Fields

Extend the built-in entity schema with attributes specific to your organization, without code changes or database migrations. Admin-only, configured from Settings > Custom Fields.

Supported Entities

Custom fields can be attached to: risks, assets, incidents, vendors, policies, and compliance controls.

Field Types

  • Text: single-line free text
  • Textarea: multi-line free text for longer descriptions or notes
  • Number: numeric input with validation
  • Date: date picker
  • Select: dropdown with custom options you define
  • Checkbox: yes/no flag

Per-Field Settings

Each field definition has a field name (internal key used in CSV import/export), a label (displayed in forms), a required flag, and a sort order controlling display position. Once defined, the field appears automatically on the create and edit forms for that entity type, on the entity's view page, and in CSV exports.

Tip: Removing a field definition cascades a delete of its values across existing records. Export your data before deleting a custom field if you need a record of past values.

Data Import & Export

Bulk-move data in and out of Kevala via CSV. Useful for first-time onboarding from spreadsheets, periodic exports for archive or external analysis, and migrating between Kevala instances.

Run imports and exports from Settings > Import / Export.

Exporting

  • Risks: CSV with subject, description, likelihood, impact, status, category, treatment, mitigation plan, and any custom fields
  • Assets: CSV with name, type, description, hostname, IP, MAC, location, owner, status, criticality value, and CIA ratings
  • Compliance Controls: CSV per framework with control IDs, descriptions, statuses, and notes

Importing

  1. Download the template CSV for the entity type so the headers match exactly. Custom field columns are included automatically.
  2. Fill in your rows and save as CSV (UTF-8 encoding to preserve non-ASCII characters such as Arabic).
  3. Upload via the import page. Rows that fail validation are reported back with row number and reason; valid rows are committed.

Database Backup

Admins can download the full SQLite database file from Settings > Backup for off-host archival. Combine this with the automatic daily backups in instance/backups/ for full protection. Database backups are a complete snapshot. Restore by stopping the service, replacing instance/kevala.db, and restarting.

In-App Help Center

Every Kevala installation ships with a context-sensitive help center reachable from the Help link in the sidebar or via the question-mark icons sprinkled across the app.

What's Inside

The help center covers every module (Getting Started, Governance, Risk Management, Compliance, Asset Management, Incidents, Vendors, Policies, BCM, AI Assistant, EU AI Act, Approvals, Reporting, Integrations, and Administration) with how-to articles organized by section. Each article walks through the feature with screenshot-style step lists, workflow diagrams, and tier-restriction notes where applicable.

Bilingual Content

The full help center is available in English and Arabic. The language follows the user's app language preference; switching languages from the top bar swaps the help articles too, with the same coverage in both languages.

Search

The help center has its own search box that matches against article titles and body content, so you can jump directly to the right article without scrolling through the section list.

Tip: Help content is shipped with each release and works fully offline: no external lookup, no analytics, no tracking. The same content travels with your appliance.