140+ GRC skills with built-in validation
10 framework workspace templates
Zero training on your data
Isolated per-project workspaces

Framework Coverage

Choose your framework. Start drafting in minutes.

Each workspace template packages domain-specific skills, reference material, and validation tools for a complete engagement path.

ISO 27001 ISMS

22 skills 60+ validation checks

Full PDCA cycle from scoping through Statement of Applicability, risk assessment, policy generation, internal audit, and management review.

  • Clause-aligned artifact generation
  • Risk-control-SoA traceability
  • Cross-document consistency checks
Try it free Read guide →

DORA Compliance

12 skills 40+ validation checks

Complete EU Digital Operational Resilience Act (Regulation 2022/2554) compliance program covering all five pillars: ICT risk management, incident classification and reporting, resilience testing (TLPT), third-party risk management with information register, and information sharing.

  • RTS/ITS-aligned validation (2024/1774, 2024/1772, 2025/302)
  • ITS 2024/2956 information register field checks
  • 7-criteria major incident classification
Try it free Read guide →

SOC 2 Audit Readiness

9 skills 40+ validation checks

From organization profile and system description through risk assessment, gap analysis, control narratives, policy generation, and internal audit.

  • AICPA TSC coverage validation
  • SCSR pairing and CUEC specificity
  • Vague-language detection
Try it free Read guide →

NIS2 Directive

8 skills 25+ validation checks

Complete EU NIS2 Directive (2022/2555) compliance: entity classification, gap assessment against all Art. 21 measures, governance accountability, policy drafting, supply chain security, business continuity, incident reporting with 24h/72h/1-month timelines, and authority registration.

  • Essential vs. important entity classification
  • Art. 21 measure maturity rating (0-5)
  • Incident reporting timeline validation
Try it free Read guide →

CMMI-DEV

30+ skills

Process improvement across all CMMI-DEV practice areas: causal analysis, configuration management, decision analysis, and organizational process definition.

  • Practice area coverage scoring
  • Maturity level gap analysis
  • Process improvement roadmap
Try it free Read guide →

ISO 20000 SMS

22 skills 22 validation checks

Full PDCA cycle for IT Service Management: service catalog, SLAs, incident/problem/change/release/configuration management, continuity, capacity, and audit.

  • 13 ITSM process area coverage
  • Service-SLA-CMDB traceability
  • Cross-process integration checks
Try it free Read guide →

ISO 17025 Laboratory

21 skills 40+ validation checks

Complete accreditation journey for testing and calibration laboratories: scope definition, method validation, measurement uncertainty (GUM), equipment calibration, metrological traceability, PT/ILC, and assessment readiness.

  • Per-method scope validation
  • GUM uncertainty budget checks
  • Equipment-traceability-competence cross-refs
Try it free Read guide →

GDPR Compliance

19 skills 50+ validation checks

Dual-track program: EU-wide GDPR gap assessment plus Ireland DPC self-assessment alignment. Covers all 14 compliance domains.

  • ROPA and DPIA automation
  • DPC checklist alignment
  • Consent and LIA validation
Try it free Read guide →

ISO 42001 AIMS

18 skills 45+ validation checks

AI Management System from inventory and impact assessment through risk register, data governance, model development, and Annex A SoA.

  • AI-specific risk criteria
  • Bias and drift monitoring checks
  • Responsible AI policy generation
Try it free Read guide →

ISO 45001 OHSMS

12 skills 24 validation checks

Full PDCA cycle for Occupational Health and Safety: organization context, hazard identification, risk assessment with hierarchy of controls, legal register, OH&S policy, emergency preparedness, internal audit, and management review.

  • Hierarchy of controls enforcement
  • Hazard-legal traceability
  • Worker consultation evidence checks
Try it free Read guide →

ISO 27701 PIMS

11 skills 30+ validation checks

Privacy Information Management System extending ISO 27001 with PII inventory, controller/processor controls, DPIA program, and privacy SoA.

  • Annex A/B control coverage
  • ROPA data flow mapping
  • Privacy risk assessment
Try it free Read guide →

NIST SP 800-53

7 skills 30+ validation checks

FIPS 199 categorization, baseline selection, family policies, control standards, mapping, gap analysis, and CSF crosswalk.

  • Catalog-scale baseline completeness
  • Tailoring justification validation
  • NIST CSF profile authoring
Try it free Read guide →

How it compares

Why GRC teams choose Rakenne over generic AI

Generic chatbots produce plausible-sounding text with no structure guarantees. Rakenne runs your compliance process.

Traditional GRC Tools
Generic AI (ChatGPT)
Rakenne
Clause completeness
Traditional GRC Tools Manual checklists — human effort on every review
Generic AI (ChatGPT) No structural awareness — may skip required sections
Rakenne Automated checks flag missing clauses before you review
Cross-document consistency
Traditional GRC Tools Separate Word files — contradictions found late
Generic AI (ChatGPT) Each prompt is isolated — contradictions go unnoticed
Rakenne Sequential skills read prior artifacts and validate alignment
Risk-control traceability
Traditional GRC Tools Spreadsheet-based mapping — manual and error-prone
Generic AI (ChatGPT) No linkage between risk register and control narratives
Rakenne Traceability tools verify risk-to-control-to-SoA mapping
Self-correction
Traditional GRC Tools No self-correction — relies entirely on reviewer
Generic AI (ChatGPT) Errors persist until you catch them manually
Rakenne Validation tools detect issues; agent revises automatically
Framework-specific references
Traditional GRC Tools Built-in but rigid and hard to customize
Generic AI (ChatGPT) General knowledge, often outdated or imprecise
Rakenne Version-pinned reference files per framework (e.g. ISO 27001:2022)
Reproducibility
Traditional GRC Tools Template-based — consistent structure but manual execution
Generic AI (ChatGPT) Different output each time — copy-paste prompts
Rakenne Same skill runbook, same validation, same bar every time

See it in action

Validation catches what reviewers miss

Skills include automated checks that run against the output. When something fails, the agent fixes it — no manual back-and-forth.

The agent validates, then self-corrects

In this ISO 27001 example, the agent runs a clause completeness check, discovers a missing mandatory section, fixes the draft, and re-validates — all within the same conversation.

Rakenne Agent
Agent
Draft complete. Let me validate the ISMS documentation set against ISO 27001:2022 requirements.
Agent
Running clause_completeness_check on 14 artifacts…
Agent

FAIL — 1 issue found:

  • Clause 6.1.2: Information security risk assessment — missing mandatory risk acceptance criteria section. Required by Clause 6.1.2(a).
Agent
Adding the risk acceptance criteria section to the risk assessment methodology document. Referencing the risk appetite statement from the organization profile…
Agent
Running clause_completeness_check again…
Agent
PASS — All 14 artifacts validated. 73 clauses covered, 0 gaps remaining. Ready for your review.

Beyond the big frameworks

140+ skills across privacy, financial crime, and industry-specific compliance

The GRC skill library goes far beyond the major frameworks. Browse the full catalog or start with a workspace template.

Privacy & Data Protection

  • CCPA / CPRA
  • Canada PIPEDA
  • UK GDPR & ICO DPIA
  • EU AI Act (FRIA)

Financial Crime

  • AML / BSA Program
  • Nordic AML/CFT
  • AUSTRAC AML/CTF
  • CFPB UDAAP

Industry-Specific

  • ISO 14971 (Medical Devices)
  • ISO 14001 (Environmental)
  • ISO 45001 (OH&S)
  • ISO 17025 (Laboratories)
  • ITAR / EAR (Export Control)
  • AS9100 (Aerospace)

Cross-Framework

Go deeper

Tutorials, use cases, and best practices

Step-by-step guides showing real dialog, tool output, and how skills chain together for each framework.

Framework Tutorials

Use Cases

Best Practices

FAQ

Common questions from GRC practitioners

Auditors evaluate whether evidence is adequate, narratives are accurate, and controls hang together — not which tool produced the first draft. Rakenne’s GRC skills are designed around explicit validation and traceable artifacts. You remain the author of what you deliver; the product reduces mechanical omissions and inconsistency. Many teams position the tool the same way they would a clause library or junior analyst: structure and completeness checks, with senior review on judgment calls.

Yes. Skills reference version-pinned material — for example ISO 27001:2022, NIST SP 800-53 Rev 5, and AICPA 2017 TSC. Reference files are bundled with each skill, so the agent works against a known baseline rather than general training data. When standards are updated, the corresponding skills are updated to match.

Absolutely. Every GRC skill is written in plain text — you can fork a skill, add or modify validation rules, change required sections, or adjust the workflow steps. The Skill Workshop template lets you author and test custom skills interactively. No programming required.

Skills in a workspace template are designed to run sequentially. Later skills read the artifacts produced by earlier ones — the risk register, scope statement, organization profile, etc. Validation tools then check cross-references: for example, that every risk in the register maps to a control, and every control appears in the Statement of Applicability. This catches the ‘floating paragraphs’ problem common in multi-document compliance programs.

No. Your prompts, documents, and outputs are processed only to deliver the service and are never used to train foundation models. Each project gets an isolated workspace — no cross-tenant or cross-project access. Data handling and subprocessors are described in our Privacy Policy.

Yes. Skills are reusable packages that you can share across your organization. Customize a workflow once — add your firm’s structure, validation rules, and style guidelines — then roll it out to your team so every engagement starts from a consistent, proven baseline.

Traditional GRC platforms focus on control management, evidence collection, and workflow orchestration — they track your compliance program. Rakenne focuses on document drafting and validation — the actual production of policies, procedures, risk assessments, control narratives, and audit reports. They complement each other: Rakenne produces the artifacts that GRC platforms track.

Ready to draft your first compliance document?

Pick a framework, start a workspace, and see validation in action. No sign-up required.

Start with ISO 27001 Browse all GRC skills

Ready to let your expertise drive the workflow?

Stop wrestling with rigid templates and generic chatbots. Describe your process, let the agent handle the rest.

Get Started Free — No Sign-Up