Skip to main content

SimpleRisk Core

Ensure that management identifies, analyzes, and responds appropriately to risks that may adversely affect realization of your business objectives.

What is SimpleRisk Core?

SimpleRisk Core is the free and open source component of SimpleRisk that includes all of our basic Governance, Risk Management and Compliance (GRC) capabilities. It is the foundation upon which both our On-Premise and Hosted SimpleRisk offerings are built. As illustrated in the blog post from SimpleRisk's CEO titled "The Origin of SimpleRisk - A Founder's Story", SimpleRisk was started with the altruistic belief that all organizations should be able to manage their GRC program with a purpose-built tool, rather than a spreadsheet. That is why even though SimpleRisk has been embraced by some of the largest organizations in the world, we still offer our SimpleRisk Core as a free download for everybody.

What is Included with SimpleRisk Core?

SimpleRisk Core is designed to include all of the basic Governance, Risk Management and Compliance capabilities that an organization needs to get started with their program. What follows is a list of some of the key functionality that is included in the SimpleRisk Core. That said, this is not intended to be a comprehensive list of components and new features and functionality are regularly being added with each new release.



The SimpleRisk Core includes the ability to define your own frameworks and controls. As your risk management program matures, these can be used later on to associate controls with risks under Risk Management or to validate for control effectiveness under Compliance. You can upload documentation for all of your organization's policies, guidelines, standards, and procedures as well as the ability to track exception approvals for your policies and controls. These can then be linked to controls, have owners and approvers defined, and then used to track review dates and status.



The SimpleRisk Core includes a wide variety of reports designed to help you make the most out of your risk management program. These include graphical dashboards, reports for identifying risks that fall outside of your level of risk appetite, reports giving you advice on determining how to best prioritize remediation efforts and achieve the strongest return on your investment, reports showing the associations between your risks and your controls or assets, and a truly dynamic report that allows you to create your own custom reporting around the various fields managed by SimpleRisk.



The SimpleRisk Core includes the ability to define unlimited tests across all of the frameworks and controls that you've defined in Governance. Audits can then be initiated at the framework, control, or test level. Active audits can be filtered and tracked along with all of their associated documentation and evidence. Past audits can be viewed and access to your testing progress and results can be restricted to only individuals with a need to know.



The SimpleRisk Core is highly configurable and enables you to configure a risk management process that is tailored to your organization. You can change the values in the various dropdowns, edit the risk formulas and manage the risk catalog. You can define an unlimited number of users, map them to roles and make fine-grained changes to their permissions. All changes made in the system are logged and kept as an audit trail for review by your system administrators.



The SimpleRisk Core includes the ability to take one of our pre-configured risk assessments by answering a series of Yes / No answers for the CIS Critical Security Controls, HIPAA, NIST 800-171 or PCI DSS 3.2. Those answers are then used to generate pending risks which you can elect to have added into your risk registry, with the click of a button.


Asset Management

The SimpleRisk Core includes the ability to do a basic automated discovery of assets in your organization. Assets can also be added manually with the ability to assign valuation to assets and associate them with different teams and locations. Assets can be logically grouped together and associated with risks.


Risk Management

The SimpleRisk Core includes the ability to submit new risks and keep a registry to track all of the risks for your organization. You can plan mitigations for your risks by setting mitigation dates, defining the level of effort, assigning ownership, associating with the controls defined in Governance, and tracking changes in residual risk by setting a mitigation percentage. Management will be involved in the risk management process by outlining next steps for your risks in the review process. Risks can be grouped together into higher level projects for batch management and reporting purposes. SimpleRisk will help you with tracking review dates and status for your risks and ensure regular reviews are occurring.


What is Not Included with SimpleRisk Core?

The functionality outlined above is critical to the success of any GRC program and is therefore included in our SimpleRisk Core, however, since SimpleRisk was first introduced in 2013, we have developed a variety of plug-and-play modules, termed "Extras", that provide functionality above and beyond our core offering. Our Upgrade and Secure Controls Framework (SCF) Extras can be downloaded for free to use with any registered SimpleRisk instance. The Upgrade Extra provides you with the ability to backup or upgrade your SimpleRisk instance with the click of a button while the Secure Controls Framework (SCF) Extra enables you to select from 185 different frameworks that have been mapped to over 1,000 security and privacy related common controls. Other licensed SimpleRisk Extras include:

Additional information about all of our licensed SimpleRisk Extras as well as our paid support plans can be found here.

What is the Underlying Technology of SimpleRisk?

SimpleRisk is written using the PHP programming language. This was selected for a variety of reasons. First, PHP is an open source technology with an extensive library of documentation around it and a highly collaborative community supporting it. It is under active development for both functional and security fixes. It is fast, works in almost any operating system environment and is especially well-suited for web application development. Second, when the first prototype of SimpleRisk was built in 2013, SimpleRisk's Founder, Josh Sokol, had previously built a number of web applications with PHP and he recognized that his familiarity with the programming language would lead to faster development cycles with less bugs and security issues.

SimpleRisk leverages MySQL as the back-end database for all of its data. MySQL is a very popular open source relational database with a large community behind it. Like PHP, MySQL is fast and works in almost any operating system environment. It can even be configured with clustering in order to support an organization's high-availability requirements. Occasionally, we do have customers ask about support for other databases. We have a number of customers operating SimpleRisk with MariaDB, and will support that configuration, but we are unable to support other database types at this time.

How do I Get Started Using SimpleRisk?

If you are looking to get started with our free and open source SimpleRisk Core offering, simply go to our Downloads page to select your preferred installation method and follow the associated installation guide.

If you have already installed our SimpleRisk Core and are looking at adding additional functionality to further enhance it, take a look at our SimpleRisk On-Premise offering. Or, if you are interested in our GRC SaaS offering, check out our SimpleRisk Hosted plans.

If you are interested in learning more about SimpleRisk and wish to better understand the differences between our SimpleRisk Core, SimpleRisk On-Premise and SimpleRisk Hosted models, we recommend scheduling a demo with our team.