HomeGuidesAPI ReferenceChangelogDiscussions
Log In

Understanding the RegScale Information Architecture

Understanding the RegScale Information Architecture

RegScale is a robust and modern software platform that consists of over 20 different modules that interact in various ways to drive continuous compliance processes. In addition, these modules can be inter-related throughout the system in a variety of ways allowing the ability to model high complexity systems engineering. While this robustness is useful in sophisticated modeling, it can also cause a signficant learning curve and/or cause implementation to become overly complicated as customers deviate from best practices with the platform. This guide is designed to assist you with understanding the RegScale Information Architecture to ensure you understand the role of different modules, how they should interact, and the intended hierarchy for using them.

Fundamentally, RegScale modules are organized into one of four categories:

  • Regulators
  • Organizers
  • Implementers
  • Workers

The rest of this guide will explain each category, which modules fall under each category, and the intended use and interaction between modules in different categories.


Regulator modules are intended to provide the set of laws, regulations, or other governing external regulatory requirements that must be met by your organization. Nearly every RegScale deployment starts by identifying and loading the regulator modules to provide a foundation for the rest of the compliance program. There are currently three regulator modules in RegScale:

  • Catalogues - this module is used to digitize regulations and load them in machine readable format (including our RegScale JSON schema and the NIST OSCAL standard). We provide both a GUI and API for customers to digitize their catalogues and will often using sophisticated scripting libraries to automate the digitization of catalogues for our Enterprise Edition (EE) customers. We support over 70 catalogues (and growing) and make them available on our website for ease of download. Whether creating your own or using one of ours, this is the first place most customers start.
  • Security Controls - this module captures the discrete requirements within a given catalogue. It can support multiple levels via objectives, parameters, tests, and other related information for the control. All of the controls are bundled together (including their child data) when importing and exporting any given catalog.
  • Profiles - this module allows you to create a recipe for instantiating new organizer objects. Profiles might sometimes be referred to as baselines, overlays, or templates. They consist of one or more controls across one or more catalogs to create a template for creating compliance artifacts. Profiles can be layered like a cake allowing you to apply multiple profiles to any given organizer object to allow you to dynamically build solutions based on a complex set of overlays.

The general flow for customers is to determine which requirements will apply to their specific use cases, load the catalogues into RegScale, and then build the expected templates using the profiles module. Once complete, customers are ready to begin using the organizers.


Organizers modules allow you to bucket requirements into logical objects to organize, report, and manage your regulatory compliance. Organizers allow you to flow down requirements from the regulators and organize them for efficient implementation. Examples of our organizers include:

  • Components - the legos of information systems that allow you to break larger systems into smaller pieces such as load balancers, switches, virtual machines, etc. and then apply requirements to those smaller pieces. This approach is supported by NIST OSCAL for building composable systems instead of larger monolithic system security plans.
  • Policies - allows customers to flow down regulations into organizational specific policies and procedures to ensure implementation.
  • Projects - allows customers to consistently apply requirements to a project to support readiness and/or validation and verification efforts in engineering.
  • Security Plans - allows customers to define a system boundary, categorize the system, and then apply the requirements consistently using appoaches such as the NIST Risk Management Framework (RMF).
  • Supply Chain - allows customers to flow down requirements to vendors or contractors in a consistent manner.

The general flow for customers is to determine which use cases they need to apply requirements to, the applicable set of modules to leverage for these use cases, and then apply the regulations via the RegScale Builders (automated wizards) to create the organizing objects they need to manage their compliance program. Once complete, customers are ready to begin using the implementers.


Implementer modules define what each customer will do to effectively execute the requirements within the organizational modules. It typically defines the customer's policy, how they implemented it, status, and other relevant data to ensure compliance. RegScale implementers inlcude:

  • Requirements - are organizationally defined and typically driven by customer specific policies. They are stand alone in nature and get applied by layering policies onto the organizers via the Builders.
  • Control Implementations - are externally defined and typically driven by laws and regulations. They are inherited in nature and get applied by applying profiles on the the organizers via the Builders.

The general flow for customers is to work through each implementer's specific requirements and to document the expected state of compliance and expectations for implementation. Once complete, the core compliance artifacts are built and customers are ready to begin using the workers and managing the operational lifecycle of their programs.


Workers allow customers to take specific actions on the organizers and implementers to drive compliance. Once the initial setup and documentation steps are completed, the worker modules are for maintaining, documenting, and managing compliance over time efficiently. Post initial implementation, the bulk of the workload will occur for customers using the Worker modules. Examples of the worker modules include:

  • Assessments - for conducting audits, whether manual or automated, to verify the state of compliance of a given control/requirement or a set of control/requirements
  • Assets - the specific assets that are under management of a given organizer and thus subject to the compliance requirements. They are often required to be inventoried as part of compliance processes
  • Case Management - investigations of non-compliance, often performed by Legal or Human Resources, to determine if requirements were violated, by who, and the consequences of such actions
  • Causal Analysis - a systemic approach that analyzes the causal factors associated with a non-compliance or other negative event in order to better understand what happened and to provide more effective corrective actions
  • Data Calls - the collection of evidence and related artifacts to support compliance business processes
  • Exceptions - reviewing, documenting, justifying, and approving exceptions to policy requirements
  • Incident Response - investigations of potential security breaches including hacking, malware, ransonware, and other relevant security incidentss
  • Issues (POAMs) - documenting specific and actual non-compliances with policies or procedures that require formal remediation
  • Risks - documenting potential non-compliances or negative consequence events that could have a material impact on customer programs
  • Tasks - corrective actions and discrete actions that are planned; typically with a task owner, due date, and specific set of expectations for completion. Tasks are most commonly used as corrective actions for Issues using our Kanban Boards but can be applied to any module
  • Threats - negative changes in the risk landscape resulting from new potential dangers that require risk analysis and/or investigation to determine potential customer impacts and risk exposure


The RegScale information architecture provides a consistent methodology and set of modules for enabling continuous compliance. Our architecture allows for a consistent customer journey that typically follows the pattern below:

  • Regulators - customers digitize and load their catalogues, build their profiles, and provide the foundation for their compliance program
  • Organizers - customers determine what needs to be compliant in their environment and overlay the regulations on the organizer objects to build their program
  • Implementers - customers define how they will be compliant and establish their initial compliance baseline using the implementer objects
  • Workers - customers then execute assurance processes over the lifecycle of their program to conduct audits, address issues, monitor for changes to the environment, and pro-actively mitigate risk using our worker objects

The RegScale information architecture provides a comprehensive set of modules that enable the industry's first ERP for Compliance. Compliance programs can be managed end to end in a digital system of record, executed in a consistent way using our best practices, and then be enhanced with automation to lower costs, improve speed, and reduce risks.