Operate is your team's execution layer. Tasks, treatment plans, annual planning, BIA. Everything needed to keep your compliance program running without context switching.
Get AccessWhat Operate does
Switch between table view (sort and filter) and board view with drag-and-drop. Use My Tasks to focus your own workload. Done or Completed items open the detail panel instead of moving on the board. Tasks move through Not Started, In Progress, Done (recurring tasks regenerate) or Cancelled / Not Applicable, and you can link them to controls, treatment plans, risks, corrective actions, and measures.
Each recurring task gets a health score from its status and due date (for example, done and not past due scores as healthy; late or in-progress patterns score as at risk). That score feeds control health and cascades upward through measures and requirements to risks, so recurring execution is visible in the control line, not only in a task list.
Create objectives under Comply with title, description, status, owner, and target date. Each gets a reference such as OBJ-001 and color-coded status (for example At Risk, Active, On Track). Link objectives to requirements and controls for traceability, follow lifecycle Active, At Risk or On Track, Achieved, Archived, and report on them from the dashboard.
Maintain the risk register and treatment plans in the same program context as execution. Tie tasks to risks, corrective actions, controls, and measures so treatment work stays traceable and owners see concrete next steps instead of orphaned action items.
Who uses it
For security leaders who need visibility into who is doing what, whether recurring control work is on time, and how task health reads back into control posture.
For risk managers who need the register, treatment decisions, and follow-up tasks in one place so nothing drops between risk assessment and closure.
For compliance teams who run repeating control activities while also reporting progress against strategic and operational compliance objectives.
FAQ
Recurring tasks carry a health score from their status relative to the due date (for example, completed on time reads as healthy; late or still in progress can read as at risk). That feeds into control health and propagates through linked measures and requirements so operational slippage shows up in the control line, not only in a task queue.
Recurring tasks are meant for control and operating cadence: completing them updates health scoring and, when configured, the task regenerates on the next cycle. One-off tasks suit treatment plans, projects, and ad hoc work; they do not play the same recurring health role, so you can run project-style work without mixing it into the recurring control rhythm.
Board view is a column-based Kanban layout for tasks. You drag cards between columns to reflect status. Tasks in a terminal state such as Done or Completed are protected from being dragged; opening them shows the detail panel instead, so finished work is not accidentally moved.
You create objectives under Comply, Objectives with title, description, status, owner, and target date. Each objective gets a stable reference (for example OBJ-001) and status badges. You link objectives to requirements and controls for traceability, move them through Active, At Risk or On Track, Achieved, Archived, and include them in dashboard reporting.
Completion updates the task's health contribution for linked controls and the upstream rollups. For recurring tasks, Acuna then regenerates the next instance so the cadence continues; one-off tasks simply close without that regeneration.
Tasks can be linked to controls, treatment plans, risks, corrective actions, and measures so assignees always see the program object the work supports.
Related answers
Supplier Shield is Acuna's third-party risk management (TPRM) module. It provides a centralised supplier register with automated risk scoring across three weighted dimensions — dependency (×0.4), penetration (×0.3), and exposure (×0.3) — producing a colour-coded 1–5 score. Features include assessment campaigns with questionnaire distribution and deadline tracking, individual risk profiles with immutable activity logs, a supplier portal for external responses, and lifecycle management with expiry monitoring and CSV bulk import.
Each control in Acuna displays a colour-coded health badge — green (healthy), orange (at risk), or red (unhealthy). Health is driven primarily by recurring task completion: a task completed on time scores as healthy (100), completed late scores as at risk (75), in progress but not past due as at risk (75), and not started past due as unhealthy (0). These scores cascade upward through measures and requirements so operational slippage surfaces in the control and programme views, not only in a task list. Click any health badge for a breakdown explaining which tasks contributed to the current score.
Acuna supports four KPI data source types. Manual entry is for metrics from outside the platform (pen test scores, survey results). Computed KPIs calculate automatically from live compliance data using either a predefined metric library (grouped by Compliance, Operations, Risk, Controls, General, and Assure categories), a custom query builder with filters and operators, or a control-sourced effectiveness/execution feed. Connectors pull values from integrated external services. External API/webhook receives inbound values from systems that push data to Acuna. Per-item compliance thresholds with colour-coded progress bars are available for computed sources.
Operate is the day-to-day execution layer. It manages recurring tasks (with configurable frequencies and owners), objectives and KPIs, incident tracking, and third-party registers. Tasks drive control health: when a recurring task is completed on time, the linked control stays green; when it slips, the control turns orange or red, and that status cascades up to the measure and requirement. Operate also houses the KPI dashboard with manual, computed, connector, and webhook data sources, giving management real-time visibility into programme performance.
Each control can have one or more recurring tasks — for example, 'Review access rights quarterly' or 'Test backup restoration monthly.' Tasks are assigned an owner, frequency (daily, weekly, monthly, quarterly, annually, or custom), and a due date. When a task is completed on time, it scores 100 (healthy). Completed late scores 75 (at risk). In progress but not overdue scores 75. Not started past due scores 0 (unhealthy). These scores roll up to the parent control, then to the measure, then to the requirement — so a missed task surfaces as a visible gap at every level of the programme.
Enterprise Risk in Acuna provides a structured risk register where each risk is scored on likelihood and impact across configurable dimensions (financial, operational, reputational, regulatory). Risks are linked to controls, assets, processes, and owners. The module supports risk treatment plans (mitigate, accept, transfer, avoid) with action tracking, residual risk recalculation after control implementation, and heat-map visualisation for management reporting. Risk data integrates with other modules: a high-risk supplier in Supplier Shield or a failed control in Implement surfaces as a risk event automatically.
A CISO dashboard is a consolidated view of security, risk, and compliance indicators a Chief Information Security Officer needs to run their program. Effective CISO dashboards combine: multi-framework compliance posture (ISO 27001, NIS2, DORA, SOC 2), risk register with scoring and trends, control maturity by domain, and readiness for upcoming audits. In Acuna, each CISO configures their dashboard via RBAC to show only their scope, their KPIs, and the risks they own. Leadership sees the summary. Analysts see their controls. Same platform, different views per role.
A compliance calendar is a structured view of every review, audit, assessment, renewal, and regulatory deadline a compliance program must meet. Organizations running multiple frameworks (ISO 27001, SOC 2, GDPR, NIS2) face dozens of recurring obligations per year, from quarterly internal audits to annual surveillance audits to vendor reviews. Compliance calendar software consolidates these into one view, tracks ownership, and surfaces what's overdue. Without it, deadlines live in Outlook and on spreadsheets, making missed obligations common. In Acuna, the calendar spans every framework, every cycle, every owner, with alerts before due dates.
Get access and our team will walk you through Operate and the full Acuna platform.
Get Access