Security Settings

Configure security reporting, audits, threat assessments, and team members for your Security Management System.

Set up and manage security report categories, audit configurations, risk matrices, tolerabilities, and security personnel to maintain an effective SeMS.

1 Overview

What this page does

The Security Settings page provides centralized configuration for all security-related settings. Use this page to define report categories, configure risk matrices and tolerabilities for threat assessment, create audit checklists and templates, and manage your security team. These settings support both security incident reporting and security audit functions.

Who uses this page

Security managers, SeMS coordinators, administrators, and users with security management permissions.

What you see here

Settings Tabs

This page is organized into tabs for different configuration areas:

  • Security Report Categories: Define types of security incident reports users can submit
  • Security Auditors/Investigators: Manage security audit and investigation team
  • Security Audit Checklists: Build reusable security audit checklists
  • Security Audit Templates: Create pre-configured security audit templates
  • Risk Matrix: Configure threat assessment matrices (likelihood × severity)
  • Tolerabilities: Define security threat tolerability levels and colour coding
  • Audit Types: Define security audit categories
  • Compliance Types: Configure security compliance classifications
  • Security Audit Report Configs: Set up security audit report formats
Key Concepts
  • Report Category: Classification of security incident reports (e.g., Unauthorized Access, Threat, Cybersecurity)
  • Risk Matrix: Grid showing threat levels based on likelihood and severity combinations
  • Tolerability: Acceptable level of security threat (e.g., Acceptable, Tolerable, Intolerable)
  • Auditor: Team member authorized to conduct security audits
  • Investigator: Team member authorized to investigate security incidents
Note: Security Settings supports both security incident reporting (SeMS) and security audit functions. Changes here affect security operations across your organization.

Permissions

To access and modify Security Settings, you need Security Administrator or System Administrator permissions.

When to use

  • When setting up security reporting for your organization
  • When configuring security threat assessment tools (matrices and tolerabilities)
  • When creating security audit checklists or templates
  • When adding or removing security auditors or investigators
  • When defining security audit types or compliance requirements
  • When customizing security audit report formats
Important: Changes to security report categories, risk matrices, and tolerabilities affect existing and future security incidents. Consider the impact on historical data and ongoing investigations before making changes.

2 Settings Tabs

Click on a tab below to jump to its documentation section. Tabs are listed in the order they appear in the application.

Security Report Categories
Critical

Define types of security incident reports users can submit
Security Auditors/Investigators
Critical

Manage security audit and investigation team
Security Audit Checklists
Important

Build reusable security audit checklists
Security Audit Templates
Important

Create pre-configured security audit templates
Risk Matrix
Critical

Configure threat assessment matrices (likelihood × severity)
Tolerabilities
Critical

Define security threat tolerability levels and colour coding
Audit Types
Core

Define security audit categories
Compliance Types
Required

Configure security compliance classifications
Security Audit Report Configs
Optional

Set up security audit report formats

3 Security Report Categories

Security Context: These report categories control what types of security reports users can submit and how those reports are processed.

Overview

The Report Categories tab allows administrators to define the types of reports that can be submitted in this section. Report categories determine what information users must provide, what investigation workflows are triggered, and how reports are classified and tracked.

What Report Categories Are

Key Concepts
  • Report category: A classification that defines a type of reportable event or issue
  • Hazard/Event/Area selection: Controls what additional details reporters must or can provide
  • Investigation requirement: Determines if reports in this category automatically require investigation
  • Workflow options: Define how reports are processed and routed
  • Entity selection: Controls organization entity assignment for multi-entity operations
Common Report Categories
  • Safety: Near miss, accident, injury, equipment failure
  • Security: Security breach, unauthorized access, theft, suspicious activity
  • Dangerous Goods: Spill, leak, packaging failure, transport incident
  • Ad Hoc: General concern, suggestion, compliance issue, environmental

What You See Here

Page Controls
  • Active/Deactivated views: Radio buttons to switch between active and deactivated categories
  • Search: Filter categories by name
  • Add button: Create new report categories
  • Categories table: View and manage all report categories with configuration details
  • Edit button: Modify existing category configuration
  • Copy button: Create a new category by duplicating an existing category's configuration
  • Pagination: When there are 16 or more categories, page controls appear

View Existing Report Categories

The Active table displays all available categories with the following columns:

Column Description
Edit Button to modify the category configuration
Copy Button to create a new category by copying this category's configuration. Disabled for system categories (PIC Discretion and Duty Violation).
Name The report category name (sortable by clicking the column header)
Hazards ✓ if reporters can select hazards; ✗ if not available for this category
Events ✓ if reporters can select events; ✗ if not available for this category
Areas ✓ if reporters can select areas; ✗ if not available for this category
Entity (if enabled) ✓ if reporters can select organization entity; ✗ if fixed entity
Default Entity (if enabled) The default organization entity for reports in this category
Deactivate Button to deactivate this category (not available for system categories)
Note: Some categories are system-defined and cannot be deactivated. These are core categories required for proper system operation.

Create a New Report Category

To add a new report category:

Step 1: Basic Information

  1. Click the Add new report category button
  2. Enter a category name (e.g., "Equipment Malfunction", "Security Alert", "Near Miss")
  3. Optionally, add a description to explain when this category should be used

Step 2: Configure Information Selection

Choose what information reporters can or must provide:

  • Hazards: Enable if reporters should identify hazards related to the report
    • Useful for risk assessment and hazard tracking
    • Links reports to hazard registers
  • Events: Enable if reporters should select specific event types
    • Provides standardized event classification
    • Helps with trend analysis and reporting
  • Areas: Enable if reporters should identify the location or operational area
    • Essential for location-based analysis
    • Routes reports to area-specific managers

Step 3: Entity Selection Settings (If Enabled)

If your organization uses multiple entities:

  • Allow entity selection: Enable to let reporters choose which organization entity the report belongs to
  • Default entity: Select the default entity for this category
    • Used when reporters don't select an entity
    • Determines which entity's investigation team is notified

Step 4: Investigation and Workflow Settings

Configure how reports are processed:

  • Investigation required: Set whether reports in this category automatically require investigation
  • Notification settings: Define who receives notifications when reports are submitted
  • Approval workflows: Configure any required review or approval steps
  • Auto-assignment rules: Set up automatic investigator assignment if applicable

Step 5: Save the Category

  1. Review all settings
  2. Click Submit or Save to create the category
  3. The category appears in the Active table
  4. Users can now select this category when submitting reports

Edit an Existing Category

To modify a report category:

  1. Locate the category in the Active table
  2. Click the Edit button (pencil icon)
  3. Update any settings:
    • Change the category name or description
    • Enable or disable hazard/event/area selection
    • Modify entity settings
    • Adjust investigation or workflow settings
  4. Click Submit to save your changes
Important: Changes to category settings apply to new reports only. Existing reports submitted under this category remain unchanged.

Copy an Existing Category

To create a new category based on an existing one:

  1. Locate the category you want to copy in the Active table
  2. Click the Copy button (copy icon) next to the Edit button
  3. A window opens pre-populated with the original category's configuration:
    • General settings (hazard, event, and area selection options)
    • Report fields and field headers (complete field structure)
    • Preview report fields
    • Default investigation team members
    • Entity settings (if enabled)
  4. Change the category name (required - you cannot keep the same name)
  5. Modify any other settings as needed
  6. Click Submit to create the new category

What gets copied: When you copy a category, the system duplicates all active report fields, field headers (including nested sections), default investigation team assignments, and configuration settings. The original category remains unchanged.

When to use copy: Copying is useful when you need a similar category with minor differences. For example, if you have a "Ground Safety Incident" category with detailed fields, you can copy it to create "Ramp Safety Incident" with the same structure but different naming or slight field adjustments.
System category restriction: PIC Discretion and Duty Violation report categories are system-defined and cannot be copied. The copy button is disabled for these categories with a tooltip explanation.

Deactivate a Category

When a category is no longer needed:

  1. Locate the category in the Active table
  2. Click the Deactivate button (ban icon)
  3. Confirm the deactivation if prompted
  4. The category moves to the Deactivated view

What happens when you deactivate: The category is removed from report submission forms. Users can no longer select it for new reports. Existing reports with this category remain unchanged and can still be viewed and processed.

Note: System-defined categories cannot be deactivated as they are essential for core system functionality.

Reactivate a Category

To restore a previously deactivated category:

  1. Switch to the Deactivated view using the radio buttons
  2. Locate the category in the table
  3. Click the Activate button (plus icon)
  4. The category returns to the Active table
  5. Users can now select it again for new reports

Usage in Report Submission

Report categories affect the reporting process:

For Report Submitters:

  • Category selection: Active categories appear in a dropdown when creating reports
  • Dynamic forms: Form fields change based on the selected category's settings
  • Required fields: Hazard/event/area fields appear only if enabled for the category
  • Guidance: Category descriptions help users choose the correct type

For Investigators and Managers:

  • Report classification: Reports are grouped and filtered by category
  • Investigation triggers: Categories with investigation requirements automatically create investigation tasks
  • Notifications: Category settings determine who is notified of new reports
  • Workflow routing: Category configuration controls approval and review routing
  • Trend analysis: Categories enable analysis of report types over time

Permissions

To view and manage report categories, you must have the Security Settings - Full Access permission. Users without this permission see an access notification instead of the settings page.

Best Practices

Tips
  • Create specific categories rather than generic ones to enable better analysis and trending (e.g., "Slip/Trip/Fall" instead of just "Accident")
  • Enable hazard/event/area selection for categories where this information provides valuable context for investigation and analysis
  • Write clear category descriptions to help reporters choose the correct category for their reports
  • Review report categories periodically to ensure they reflect current operations and reporting needs
  • Don't create too many categories - aim for 5-15 well-defined categories per section to avoid confusion

4 Security Auditors/Investigators

Security Context: Manage the team members authorized to conduct security audits or investigate security reports.

Overview

The Auditors/Investigators tab allows administrators to designate which users can conduct audits or investigate reports in this section. Only users added here will be able to be assigned as auditors or investigators, ensuring proper authorization and access control.

Understanding Auditors vs Investigators

Auditors
  • Purpose: Conduct planned audits and assessments
  • Access: Can create, conduct, and complete audits
  • Responsibilities: Follow audit templates, complete checklists, document findings
  • Assignment: Assigned to audits before or during the audit process
  • Reports: Generate audit reports based on their findings
Investigators
  • Purpose: Investigate events, incidents, or reported issues
  • Access: Can create, investigate, and close investigation reports
  • Responsibilities: Gather evidence, interview witnesses, determine root causes
  • Assignment: Assigned to reports/events requiring investigation
  • Reports: Generate investigation reports with findings and recommendations
Note: Some sections only use auditors (Quality), others only use investigators (Ad Hoc), and some use both (Safety, Security, DG). The page title and functionality adjust accordingly.

What You See Here

Page Controls
  • Search: Filter team members by name, ID number, or passport number
  • Add button: Add new auditors or investigators to the team
  • Team table: View all authorized team members with their details
  • Pagination: When there are 16 or more team members, page controls appear

View Team Members

The table displays all authorized auditors/investigators with the following columns:

Column Description
Name Team member's full name (sortable by clicking the column header)
ID Identity number (sortable)
Passport Passport number (sortable)
Auditor Entity (if enabled) The organization entity this auditor is associated with
Remove Button to remove this team member from auditor/investigator role

Add a Team Member

To authorize a user as an auditor or investigator:

  1. Click the Add new auditor/investigator button (button text varies by section)
  2. In the window that opens, search for and select the user you want to add:
    • Search by name, ID number, or passport number
    • Only active system users appear in the list
    • Users must already exist in the system
  3. If applicable, select the role:
    • Auditor: Can conduct audits only
    • Investigator: Can investigate reports only
    • Both: Can conduct audits and investigate reports
  4. If entity-specific settings are enabled, select the auditor entity (organization they represent)
  5. Click Add or Submit to save
  6. The user appears in the team table
Note: The user receives permissions automatically based on their role. They can now be assigned to audits or investigations in this section.

Remove a Team Member

To remove authorization from an auditor or investigator:

  1. Locate the team member in the table
  2. Click the Remove button (trash icon) in their row
  3. Confirm the removal if prompted
  4. The user is removed from the team table
Important: Removing a team member does not affect audits or reports they are already assigned to. It only prevents them from being assigned to new audits or investigations. Their past work remains unchanged.

Impact on Audit and Report Assignment

Being listed as an auditor or investigator affects several areas:

For Auditors:

  • Audit assignment: They appear in auditor selection lists when creating or editing audits
  • Audit access: They can view and work on audits they are assigned to
  • Findings: They can document findings and observations during audits
  • Reports: They can generate audit reports for their assigned audits
  • Notifications: They receive notifications about their assigned audits

For Investigators:

  • Investigation assignment: They appear in investigator selection lists for reports and events
  • Report access: They can view and work on investigations they are assigned to
  • Evidence collection: They can gather and document evidence
  • Root cause analysis: They can perform and document root cause investigations
  • Reports: They can generate investigation reports for their assigned cases
  • Notifications: They receive notifications about their assigned investigations

Entity-Specific Settings

If entity-specific checklists and templates are enabled in your organization, auditors are associated with specific entities (companies or subsidiaries). This controls which checklists and templates they can access and use. Auditors can only use checklists and templates that belong to:

  • Their assigned entity
  • Parent entities (ancestors) of their assigned entity
  • Subsidiary entities (descendants) of their assigned entity

Search and Filter

To quickly find a team member:

  • Use the Search box to filter by:
    • Name (first name, surname, initials)
    • ID number
    • Passport number
  • Click any column header to sort by that column
  • If there are many team members (16+), use the pagination controls at the bottom of the table

Permissions

To view and manage auditors and investigators, you must have the Security Settings - Full Access permission. Users without this permission see an access notification instead of the settings page.

Best Practices

Tips
  • Only authorize users who are trained and qualified to conduct audits or investigations in this area
  • Review the auditor/investigator list regularly to ensure it reflects current team members and qualifications
  • Consider assigning experienced auditors/investigators as mentors for new team members
  • If using entity-specific settings, ensure auditors are assigned to the correct entities for proper access control

5 Security Audit Checklists

Security Context: These audit checklists are used in security audits to ensure consistent and thorough assessments.

Overview

The Audit Checklists tab allows administrators to create and manage structured checklists used during audits. Checklists ensure auditors follow a consistent process, capture all required information, and meet compliance requirements.

What Audit Checklists Are

Key Concepts
  • Checklist: A structured set of questions, items, or requirements to be verified during an audit
  • Groups: Sections that organise related checklist items (e.g., "Documentation Review", "Physical Inspection")
  • Items: Individual questions or requirements within each group
  • Item types: Text responses, yes/no answers, document uploads, and more
  • Templates: Checklists can be used as templates for audit templates
Checklist Structure

Hierarchy:

  • Checklist (top level)
    • Group 1 (section)
      • Item 1.1 (question/requirement)
      • Item 1.2
    • Group 2
      • Item 2.1
      • Item 2.2

What You See Here

Page Controls
  • Active/Deactivated views: Radio buttons to switch between active and deactivated checklists
  • Search: Filter checklists by name
  • Add button: Create new checklists
  • Checklists table: View and manage all checklists with item counts
  • Export options: Export checklists to PDF or print
  • Pagination: When there are 16 or more checklists, page controls appear

View Existing Checklists

The Active table displays all available checklists with the following columns:

Column Description
Edit Button to open the checklist editor
Checklist name The name of the checklist (sortable by clicking the column header)
Questions/Items Total count of active items across all groups in the checklist
Export Buttons to export the checklist as PDF or send to printer
Deactivate Button to deactivate this checklist

Create a New Checklist

To build a new audit checklist:

Step 1: Set Up Basic Details

  1. Click the Add button (text varies by section)
  2. In the large window that opens, enter:
    • Name (required) - A descriptive checklist name (e.g., "Annual Compliance Audit", "Supplier Assessment")
    • Default Area - Select the insight area this checklist relates to (helps with categorisation and reporting)

Step 2: Add Checklist Groups

Groups organise related items into sections. To add groups:

  1. In the Checklist Groups & Items section, click the Add button
  2. Select Group from the options
  3. Enter the group details:
    • Group name - Descriptive title (e.g., "Pre-Audit Documentation", "On-Site Inspection", "Post-Audit Review")
    • Description (optional) - Additional context for this section
  4. Click Add or Save to create the group
  5. Repeat to add more groups as needed

Step 3: Add Items to Each Group

Items are the individual questions or requirements. To add items:

  1. Expand a group by clicking on it
  2. Click the Add button within the group
  3. Select Item
  4. Configure the item:
    • Item name/question - The question or requirement text
    • Description (optional) - Guidance for auditors on how to assess this item
    • Item type - Choose from available field types:
      • Text response - Open-ended text answer
      • Yes/No - Boolean checkbox
      • Document upload - Allow evidence file attachment
      • Date - Date selection
      • Dropdown - Predefined options
    • Required vs optional - Mark whether auditors must complete this item
    • Insight area (optional) - Link specific items to areas if different from checklist default
  5. Click Add or Save to create the item
  6. Repeat to add more items within the group

Step 4: Reorder Groups and Items

To arrange groups and items in the desired sequence:

  • Use the up and down arrows to move groups or items
  • Groups appear in the order shown during audits
  • Items within groups also follow the displayed order
  • Drag-and-drop may be available depending on the interface

Step 5: Save the Checklist

  1. Review the complete checklist structure
  2. Click Submit to save and close, or Save to continue editing
  3. The checklist appears in the Active table
Note: The large editing window can be maximised for easier editing of complex checklists. Look for the maximise button in the window header.

Edit an Existing Checklist

To modify a checklist:

  1. Locate the checklist in the Active table
  2. Click the Edit button (pencil icon)
  3. The checklist editor opens showing:
    • Basic details (name, default area)
    • All groups and items in the current structure
  4. Make changes:
    • Edit group or item details by clicking on them
    • Add new groups or items
    • Remove groups or items (typically by deactivating them)
    • Reorder groups or items
  5. Click Submit or Save to save your changes
Note: Changes to checklists affect new audits created after the change. Existing audits that used this checklist retain their original structure.

Export a Checklist

To export a checklist for review or distribution:

  1. Locate the checklist in the Active table
  2. In the Export column, choose:
    • PDF button - Generates a PDF document of the complete checklist
    • Print button - Opens the print dialogue for immediate printing
  3. The exported document shows:
    • Checklist name and details
    • All groups with their names
    • All items within each group
    • Item types and requirements

Deactivate a Checklist

When a checklist is no longer needed for new audits:

  1. Locate the checklist in the Active table
  2. Click the Deactivate button (ban icon)
  3. The checklist moves to the Deactivated view

What happens when you deactivate: The checklist is removed from selection lists when creating audit templates. Existing audit templates and audits that use this checklist remain unchanged.

Reactivate a Checklist

To restore a previously deactivated checklist:

  1. Switch to the Deactivated view using the radio buttons
  2. Locate the checklist in the table
  3. Click the Activate button (plus icon)
  4. The checklist returns to the Active table

Usage in Audit Templates

Checklists are used when:

  • Creating audit templates: Select a base checklist, then customise it for specific audit types
  • Conducting audits: The checklist structure guides auditors through the assessment
  • Standardisation: Ensures all audits of the same type follow the same process
  • Compliance: Demonstrates systematic audit procedures for regulatory requirements

Permissions

To view and manage audit checklists, you must have the Security Settings - Full Access permission. Users without this permission see an access notification instead of the settings page.

Best Practices

Tips
  • Organise checklists into logical groups that follow the audit workflow (e.g., Pre-Audit, On-Site, Post-Audit)
  • Write clear, specific questions that leave no room for interpretation. This ensures consistent audit results
  • Include descriptions for items to provide guidance to auditors, especially for complex requirements
  • Review and update checklists regularly to reflect current regulations, standards, and organisational requirements
  • Keep checklists focused and manageable. Very long checklists can overwhelm auditors and reduce effectiveness

6 Security Audit Templates

Security Context: These audit templates are pre-configured checklists ready to use for security audits, saving time and ensuring consistency.

Overview

The Audit Templates tab allows administrators to create ready-to-use audit configurations based on checklists. Templates combine a base checklist with customised settings, default values, and pre-filled information, making it faster to create audits while maintaining consistency.

What Audit Templates Are

Key Concepts
  • Template: A pre-configured audit setup based on a checklist, ready to apply when creating audits
  • Base checklist: The underlying checklist structure that the template uses
  • Customisation: Templates can modify the base checklist, add defaults, or include additional settings
  • Time-saving: Instead of configuring each audit from scratch, apply a template to start with predefined settings
  • Consistency: Templates ensure all audits of the same type follow the same structure and requirements
Template vs Checklist

Checklist:

  • Generic structure of groups and items
  • Reusable across multiple scenarios
  • No default values or pre-filled information

Template:

  • Specific to a particular audit type
  • Built on a base checklist
  • Can include default values and settings
  • Ready to apply when creating an audit

What You See Here

Page Controls
  • Active/Deactivated views: Radio buttons to switch between active and deactivated templates
  • Search: Filter templates by name
  • Add button: Create new audit templates
  • Templates table: View and manage all templates
  • Pagination: When there are 16 or more templates, page controls appear

View Existing Templates

The Active table displays all available templates with the following columns:

Column Description
Edit Button to open the template editor
Name The name of the template (sortable by clicking the column header)
Deactivate Button to deactivate this template

Create a New Audit Template

To build a new template:

Step 1: Start with Basic Details

  1. Click the Add new audit template button
  2. In the large window that opens, enter:
    • Template name (required) - A descriptive name (e.g., "Annual SMS Audit", "Maintenance Facility Assessment")
    • Description (optional) - Additional context about when to use this template

Step 2: Select a Base Checklist

  1. Choose a base checklist from the available options
  2. The checklist structure (groups and items) loads into the template editor
  3. This forms the foundation of your template
Note: You must have at least one active checklist before creating a template. Checklists are managed in the Audit Checklists tab.

Step 3: Customise the Checklist (Optional)

Once the base checklist loads, you can customise it for this specific template:

  • Modify items: Change questions, descriptions, or field types
  • Add items: Include additional questions specific to this audit type
  • Remove items: Deactivate items that aren't needed for this template
  • Reorder groups/items: Arrange the structure to match your audit workflow
  • Set defaults: Pre-fill expected answers or values where appropriate
Note: Changes you make to the template do not affect the base checklist. The base checklist remains unchanged for use in other templates.

Step 4: Configure Template Settings

Set up template-specific options:

  • Default insight area: Link the template to a specific area for automatic categorisation
  • Entity assignment: Restrict template visibility to specific organisations (if enabled)
  • Template settings: Configure any template-specific behaviour or defaults

Step 5: Save the Template

  1. Review the complete template configuration
  2. Click Submit to save and close, or Save to continue editing
  3. The template appears in the Active table

Edit an Existing Template

To modify a template:

  1. Locate the template in the Active table
  2. Click the Edit button (pencil icon)
  3. The template editor opens showing:
    • Template name and details
    • Base checklist reference
    • All customised groups and items
    • Template settings
  4. Make your changes
  5. Click Submit or Save
Warning: Changes to templates affect audits created after the change. Existing audits that used this template retain their original configuration.

Deactivate a Template

When a template is no longer needed for new audits:

  1. Locate the template in the Active table
  2. Click the Deactivate button (ban icon)
  3. The template moves to the Deactivated view

What happens when you deactivate: The template is removed from selection lists when creating audits. Existing audits that used this template remain unchanged.

Reactivate a Template

To restore a previously deactivated template:

  1. Switch to the Deactivated view using the radio buttons
  2. Locate the template in the table
  3. Click the Activate button (plus icon)
  4. The template returns to the Active table

Apply Template When Creating an Audit

Templates save time when creating audits. To use a template:

  1. Navigate to the audit creation page
  2. When creating a new audit, select a template from the dropdown
  3. The audit inherits:
    • The complete checklist structure
    • All customised questions and items
    • Any default values or pre-filled information
    • Template settings and configurations
  4. You can still make audit-specific changes after applying the template
  5. Complete the audit creation process

Permissions

To view and manage audit templates, you must have the Security Settings - Full Access permission. Users without this permission see an access notification instead of the settings page.

Best Practices

Tips
  • Create templates for frequently conducted audits (e.g., annual compliance, quarterly reviews, supplier assessments)
  • Use clear, descriptive template names that indicate the audit type and purpose
  • Keep templates updated to reflect current regulations and organisational procedures
  • Test new templates by creating a trial audit before using them for live audits
  • Don't over-customise templates. Keep them flexible enough to accommodate variations in similar audits
  • Review and refine templates based on auditor feedback and lessons learned from completed audits

7 Risk Matrix

Security Context: These risk matrices are used in security risk assessments to evaluate the likelihood and severity of hazards.

Overview

The Risk Matrix tab allows administrators to create and manage risk assessment matrices used throughout the system. Risk matrices combine likelihood (probability) and severity levels to calculate overall risk levels, helping organisations systematically evaluate and prioritise hazards.

Understanding Risk Matrices

Key Concepts
  • Likelihood (Probability): How likely an event is to occur (e.g., Rare, Unlikely, Possible, Likely, Almost Certain)
  • Severity (Consequence): The potential impact if the event occurs (e.g., Negligible, Minor, Moderate, Major, Catastrophic)
  • Risk Index: The combination of likelihood and severity that produces a risk rating
  • Tolerability: The acceptance level for each risk (e.g., Acceptable, Tolerable, Intolerable)
Matrix Structure
  • Rows and columns: One axis shows likelihood levels, the other shows severity levels
  • Cells: Each cell represents a specific risk level based on the likelihood-severity combination
  • Colour coding: Cells are colour-coded according to tolerability levels for quick visual reference
  • Main matrix: The system main matrix is used by default in risk assessments

What You See Here

Page Controls
  • Active/Deactivated views: Radio buttons to switch between active and deactivated risk matrices
  • Search: Filter risk matrices by name
  • Add button: Create new risk matrices
  • Risk matrices table: View and manage all risk matrices

View Existing Risk Matrices

The Active table displays all available risk matrices with the following columns:

Column Description
Edit Button to open the risk matrix editor
Name The name of the risk matrix (sortable)
System main Shows ✓ (green check) if this is the default matrix used in risk assessments, or ✗ (red cross) if not
Deactivate Button to deactivate this risk matrix

Create a New Risk Matrix

To build a new risk assessment matrix:

Step 1: Set Up the Matrix

  1. Click the Add new risk matrix button
  2. In the window that opens, complete the basic settings:
    • Risk matrix name (required) - A descriptive name (e.g., "SMS Risk Matrix", "Security Threat Matrix")
    • Main Risk Matrix? - Tick this to make it the system default (only one can be main)

Step 2: Configure Matrix Layout

Customise how the matrix displays:

  • Is Probability Ascending? - Tick to show lowest probability first, untick for highest first
  • Is Severity Ascending? - Tick to show lowest severity first, untick for highest first
  • Is Probability In Row? - Tick to show probability as rows and severity as columns, untick to reverse
  • Use Numbers For Probability? - Tick to display probability levels as numbers (1, 2, 3...) instead of letters (A, B, C...)
  • Use Numbers For Severity? - Tick to display severity levels as numbers instead of letters
  • Probability Label - Custom axis label (e.g., "Likelihood", "Frequency")
  • Severity Label - Custom axis label (e.g., "Consequence", "Impact")

Step 3: Define Probability Levels

  1. Click the button at the bottom to add a probability level
  2. For each level, enter:
    • Name - The probability name (e.g., "Rare", "Unlikely", "Possible", "Likely", "Almost Certain")
    • Description - A definition or frequency (e.g., "May occur once per year")
  3. The Level is assigned automatically (A, B, C... or 1, 2, 3... depending on your settings)
  4. Add as many probability levels as needed (typically 3-5)
  5. To remove a level, click the button

Step 4: Define Severity Levels

  1. Click the button on the right to add a severity level
  2. For each level, enter:
    • Name - The severity name (e.g., "Negligible", "Minor", "Moderate", "Major", "Catastrophic")
    • Description - A definition of impact (e.g., "Results in minor injury requiring first aid")
  3. The Level is assigned automatically
  4. Add as many severity levels as needed (typically 3-5)
  5. To remove a level, click the button

Step 5: Assign Tolerability to Each Cell

For each combination of probability and severity in the matrix:

  1. Each cell shows a dropdown labelled Tolerability
  2. Select the appropriate tolerability level for that risk combination (e.g., Acceptable, Tolerable, Intolerable)
  3. The cell background colour changes to match the tolerability level
  4. The risk rating shown in brackets combines the probability and severity levels (e.g., "Tolerable (A1)", "Intolerable (E5)")
Note: You must configure tolerability levels in the Tolerabilities tab before they appear in the dropdown. Tolerabilities define colour coding and acceptance thresholds.

Step 6: Save the Matrix

  1. Review the complete matrix layout
  2. Ensure all cells have a tolerability assigned
  3. Click Submit to save the risk matrix
  4. The new matrix appears in the Active table

Edit an Existing Risk Matrix

To modify a risk matrix:

  1. Locate the risk matrix in the Active table
  2. Click the Edit button (pencil icon)
  3. The matrix editor opens showing the current configuration
  4. Make changes to any settings, levels, or tolerabilities
  5. Click Submit to save your changes
Warning: Editing a risk matrix affects all future risk assessments. Existing assessments that reference this matrix will display updated level names but retain their original risk ratings.

Set the Main (Default) Risk Matrix

To make a risk matrix the system default:

  1. Edit the risk matrix you want to set as main
  2. Tick the Main Risk Matrix? checkbox
  3. Click Submit
  4. The system automatically removes the main status from other matrices
  5. Only one matrix can be the main matrix at a time

What the main matrix does: When users perform risk assessments, the main matrix is pre-selected by default. Users can still choose alternative matrices if needed.

Deactivate a Risk Matrix

When a risk matrix is no longer needed:

  1. Locate the risk matrix in the Active table
  2. Click the Deactivate button (ban icon)
  3. Confirm the action in the dialogue that appears
  4. The risk matrix moves to the Deactivated view
Note: You cannot deactivate the main risk matrix. Set a different matrix as main first, then deactivate.

What happens when you deactivate: The matrix is removed from selection lists and cannot be used for new risk assessments. Existing risk assessments that used this matrix remain unchanged.

Reactivate a Risk Matrix

To restore a previously deactivated risk matrix:

  1. Switch to the Deactivated view using the radio buttons
  2. Locate the risk matrix in the table
  3. Click the Activate button (plus icon)
  4. The risk matrix returns to the Active table

Usage in Risk Assessments

Risk matrices are used when:

  • Hazard assessments: When identifying and evaluating hazards in the Risk & Hazard Register
  • Safety report investigations: When assessing the risk level of reported safety occurrences
  • Security threat evaluations: When analysing security incidents and vulnerabilities
  • DG incident assessments: When evaluating dangerous goods related events
  • Audit findings: When determining the severity of non-conformances

Users select a probability level and severity level, and the system automatically calculates the risk rating and displays the corresponding tolerability.

Permissions

To view and manage risk matrices, you must have the Security Settings - Full Access permission. Users without this permission see an access notification instead of the settings page.

Best Practices

Tips
  • Use clear, consistent terminology for probability and severity levels across all matrices. This helps users understand risk assessments
  • Include descriptions for each level that define the criteria or thresholds. This ensures consistent risk evaluation
  • Align your risk matrix with industry standards or regulatory requirements for your aviation authority (e.g., SACAA, ICAO)
  • Create different matrices for different types of assessments if needed (e.g., separate matrices for safety vs security)

8 Tolerabilities

Security Context: These tolerability levels are used in security risk assessments to indicate whether a risk is acceptable, tolerable, or intolerable.

Overview

The Tolerabilities tab allows administrators to define and manage risk tolerance levels used throughout the system. Tolerability levels indicate whether a risk is acceptable to the organisation, requires mitigation, or is unacceptable and must be eliminated or avoided.

What Tolerability Levels Mean

Key Concepts
  • Tolerability: The acceptance threshold for a risk based on its likelihood and severity
  • Acceptable risk: Low risk that requires no immediate action (typically green)
  • Tolerable risk: Moderate risk that requires monitoring and possible mitigation (typically yellow)
  • Intolerable risk: High risk that requires immediate action to reduce or eliminate (typically red)
  • Sort order: The sequence in which tolerability levels appear in dropdowns and reports
How It Works
  • Risk matrix integration: Each cell in a risk matrix is assigned a tolerability level
  • Colour coding: Tolerability levels have colours that appear in risk assessments for quick visual reference
  • Decision making: Tolerability guides whether to accept a risk, apply controls, or avoid the activity
  • SMS compliance: Aligns with Safety Management System risk acceptance principles

What You See Here

Page Controls
  • Active/Deactivated views: Radio buttons to switch between active and deactivated tolerability levels
  • Add button: Create new tolerability levels
  • Tolerabilities table: View and manage all tolerability levels with reordering controls

View Existing Tolerability Levels

The Active table displays all available tolerability levels with the following columns:

Column Description
(Arrows) Controls to move tolerability level up or down in sort order
Edit Button to open the edit window
Name The name of the tolerability level (e.g., "Acceptable", "Tolerable", "Intolerable")
Colour The colour assigned to this level (shown with background colour applied)
Description Icon button that displays the full description in a popover when clicked
Deactivate Button to deactivate this tolerability level

Add a New Tolerability Level

To create a new risk tolerance level:

  1. Click the Add tolerability level button
  2. In the window that opens, complete the following fields:
    • Name (required) - The tolerability level name (e.g., "Acceptable", "Tolerable", "Intolerable", "As Low As Reasonably Practicable")
    • Color (required) - Select from:
      • Green - Typically for acceptable/low risks
      • Yellow - Typically for tolerable/moderate risks
      • Red - Typically for intolerable/high risks
      • Other - Opens a colour picker to select any custom colour (use for additional levels like orange, blue, etc.)
    • Description - Explain what this tolerability level means and when it should be used (e.g., "Risk is intolerable and must be eliminated or avoided")
  3. Click Submit to save the tolerability level
  4. The new level appears at the bottom of the Active table
Note: When you select "Other" as the colour, a colour picker appears allowing you to choose any hex colour code. Preset colours are available for quick selection.

Edit an Existing Tolerability Level

To modify a tolerability level:

  1. Locate the tolerability level in the Active table
  2. Click the Edit button (pencil icon)
  3. Update the name, colour, or description as needed
  4. Click Submit to save your changes
Warning: Changing a tolerability level's colour affects how existing risk assessments display. The risk rating itself does not change, but the visual representation updates.

Reorder Tolerability Levels

The sort order determines how tolerability levels appear in dropdown lists and reports. To change the order:

  1. Locate the tolerability level in the Active table
  2. Click the up arrow to move it higher in the sort order
  3. Click the down arrow to move it lower in the sort order
  4. The sort order updates automatically

Common sorting: Organisations typically order from lowest to highest risk (e.g., Acceptable → Tolerable → Intolerable) or from highest to lowest (e.g., Intolerable → Tolerable → Acceptable).

Deactivate a Tolerability Level

When a tolerability level is no longer needed:

  1. Locate the tolerability level in the Active table
  2. Click the Deactivate button (ban icon)
  3. The tolerability level moves to the Deactivated view
Note: You cannot deactivate a tolerability level that is currently assigned to cells in any active risk matrix. Remove it from risk matrices first.

What happens when you deactivate: The tolerability level is removed from selection lists and cannot be assigned to new risk matrix cells. Existing risk assessments that used this level remain unchanged.

Reactivate a Tolerability Level

To restore a previously deactivated tolerability level:

  1. Switch to the Deactivated view using the radio buttons
  2. Locate the tolerability level in the table
  3. Click the Activate button (plus icon)
  4. The tolerability level returns to the Active table at the bottom of the sort order

Integration with Risk Matrices

Tolerability levels and risk matrices work together:

  • Matrix configuration: When creating or editing a risk matrix, you assign a tolerability level to each combination of probability and severity
  • Colour coding: The tolerability level's colour appears as the background colour of the matrix cell
  • Risk assessment display: When users perform risk assessments, the system shows the risk rating with the corresponding tolerability colour
  • Prerequisites: You must define tolerability levels before creating risk matrices, as matrices reference these levels

Usage in Risk Assessments

Tolerability levels are used to:

  • Guide decision making: Determine whether a risk requires immediate action, monitoring, or is acceptable as-is
  • Prioritise resources: Focus efforts on intolerable risks before addressing tolerable or acceptable ones
  • Meet regulatory requirements: Demonstrate systematic risk management aligned with SMS principles
  • Visual communication: Use colour coding for quick identification of risk levels in reports and dashboards
  • Approval workflows: Some tolerability levels may require higher-level approval (configured per matrix)

Permissions

To view and manage tolerability levels, you must have the Security Settings - Full Access permission. Users without this permission see an access notification instead of the settings page.

Best Practices

Tips
  • Use standard tolerability terminology consistent with your SMS framework (e.g., ICAO, SACAA guidelines)
  • Keep the number of tolerability levels manageable (typically 3-5). Too many levels make risk decisions complicated
  • Use intuitive colours: green for acceptable, yellow/orange for tolerable, red for intolerable
  • Write clear descriptions that explain decision criteria. This ensures consistent risk evaluation across your organisation

9 Audit Types

Security Context: These audit types are used to categorise security audits, helping to organise and report on different types of assessments.

Overview

The Audit Types tab allows administrators to create and manage categories for audits. Audit types help organise audits by their purpose or focus area (e.g., "Internal Audit", "External Audit", "Surveillance Audit", "Compliance Audit").

What Audit Types Are

Key Concepts
  • Audit type: A category that classifies audits by their purpose or methodology
  • Organisation: Audit types help group similar audits together for reporting and tracking
  • Flexibility: You can create as many audit types as needed to match your organisation's processes
  • Historical data: Audit types remain linked to past audits even after deactivation
Common Examples
  • Internal audit: Audits conducted by your own organisation
  • External audit: Audits conducted by regulatory authorities or certification bodies
  • Supplier audit: Audits of third-party suppliers or contractors
  • Compliance audit: Audits focused on regulatory compliance
  • Surveillance audit: Ongoing monitoring audits

What You See Here

Page Controls
  • Active/Deactivated views: Radio buttons to switch between active and deactivated audit types
  • Search: Filter audit types by name
  • Add button: Create new audit types
  • Audit types table: View and manage all audit types
  • Pagination: When there are 16 or more audit types, page controls appear

View Existing Audit Types

The Active table displays all available audit types with the following columns:

Column Description
Edit Button to open the edit window
Type name The name of the audit type (sortable by clicking the column header)
Deactivate Button to deactivate this audit type
Delete Button to permanently delete this audit type (only if not used in any audits)

Add a New Audit Type

To create a new audit type:

  1. Click the Add new audit type button
  2. In the window that opens, enter the following:
    • Type name (required) - The name of the audit type (e.g., "Internal Audit", "External Audit", "Compliance Audit")
  3. Click Submit to save the audit type
  4. The new audit type appears in the Active table
Note: Audit types have a simple structure with just a name. This keeps them flexible and easy to use across different audit scenarios.

Edit an Existing Audit Type

To modify an audit type:

  1. Locate the audit type in the Active table
  2. Click the Edit button (pencil icon)
  3. Update the type name as needed
  4. Click Submit to save your changes
Note: Changing an audit type name updates the display for all audits using that type. The audit records themselves are not affected.

Deactivate an Audit Type

When an audit type is no longer needed for new audits:

  1. Locate the audit type in the Active table
  2. Click the Deactivate button (ban icon)
  3. The audit type moves to the Deactivated view

What happens when you deactivate: The audit type is removed from selection dropdowns and cannot be selected when creating new audits. Existing audits that use this type remain unchanged and continue to display the type name.

Reactivate an Audit Type

To restore a previously deactivated audit type:

  1. Switch to the Deactivated view using the radio buttons
  2. Locate the audit type in the table
  3. Click the Activate button (plus icon)
  4. The audit type returns to the Active table

Delete an Audit Type

To permanently remove an audit type:

  1. Locate the audit type in the Active table
  2. Click the Delete button (trash icon)
  3. Confirm the deletion in the dialogue that appears
Important: You can only delete an audit type if it is not used in any audits. If audits reference this type, you must deactivate it instead. This protects historical audit data.

Usage in Audit Creation

Audit types are used when:

  • Creating audits: When setting up a new audit, users select the applicable audit type from a dropdown
  • Filtering audits: Users can filter the audit list by type to find specific categories of audits
  • Reporting: Audit reports and dashboards can group or filter by audit type
  • Scheduling: Audit types help plan and track different types of assessments

Search and Filter

To quickly find an audit type:

  • Use the Search box to filter by type name
  • Click the Type name column header to sort alphabetically (ascending or descending)
  • Switch between Active and Deactivated views using the radio buttons
  • If there are many audit types (16+), use the pagination controls at the bottom of the table

Permissions

To view and manage audit types, you must have the Security Settings - Full Access permission. Users without this permission see an access notification instead of the settings page.

Best Practices

Tips
  • Use clear, descriptive names that make sense to all users. Avoid abbreviations unless they are widely understood
  • Keep the number of audit types manageable. Too many types make selection difficult and reporting cluttered
  • Align audit types with your organisation's audit programme and regulatory requirements
  • Deactivate rather than delete audit types when they're no longer needed. This preserves historical audit data

10 Compliance Types

Security Context: These compliance types are used in security reports, audits, and findings to categorise items according to regulatory requirements and company policies.

Overview

The Compliance Types tab allows administrators to manage the list of compliance categories used throughout the Security module. Compliance types categorise findings and non-conformances according to regulatory requirements, internal policies, and industry standards.

What You See Here

Page Controls
  • Active/Deactivated views: Radio buttons to switch between active and deactivated compliance types
  • Search: Filter compliance types by name
  • Add button: Create new compliance types
  • Compliance types table: View and manage all compliance types with sorting and level controls
Key Concepts
  • Compliance type: A category that classifies findings based on regulatory or policy requirements
  • Level: The priority order in which compliance types are displayed (drag arrows to reorder)
  • Corrective action requirement: Whether findings of this type must have corrective actions assigned
  • Active vs deactivated: Active types are available for new findings; deactivated types remain linked to existing items

Add a New Compliance Type

To create a new compliance type:

  1. Click the Add new compliance type button at the top right of the page
  2. In the window that opens, complete the following fields:
    • Compliance name (required) - The name of the compliance category (e.g., "SACAA Regulations", "Company Policy", "ICAO Standards")
    • Must have corrective action (checkbox) - Tick this if findings of this type always require corrective actions
    • Corrective action plan submission deadline - Number of days within which the corrective action plan must be submitted (0 = immediate, leave blank for no deadline)
    • Corrective action implementation deadline - Number of days within which the corrective action must be implemented (0 = immediate, leave blank for no deadline)
    • Corrective action submission type - Choose between:
      • Always Combined - Plans and implementation are always submitted together
      • Always Separate - Short-term and long-term actions are submitted and reviewed separately
  3. Click Submit to save the compliance type
  4. The new compliance type appears in the Active table at the bottom of the priority list
Note: Negative values for deadlines are not allowed. Use 0 for immediate deadlines, or leave blank for no specific deadline.

Edit a Compliance Type

To modify an existing compliance type:

  1. Locate the compliance type in the Active table
  2. Click the Edit button (pencil icon) in the row
  3. Update the fields in the window that opens
  4. Click Submit to save your changes
Warning: Changing corrective action requirements affects how findings are processed. Ensure changes align with your Security procedures.

Reorder Compliance Types

Compliance types are displayed in priority order (Level) in dropdown lists throughout the system. To change the order:

  1. Locate the compliance type you want to move in the Active table
  2. Click the up arrow to move it higher in the priority list
  3. Click the down arrow to move it lower in the priority list
  4. The Level number updates automatically

Deactivate a Compliance Type

When a compliance type is no longer needed:

  1. Locate the compliance type in the Active table
  2. Click the Deactivate button (ban icon)
  3. The compliance type moves to the Deactivated view

What happens when you deactivate: The compliance type is removed from dropdown lists and cannot be selected for new findings. However, it remains linked to any existing findings, audits, or reports that already reference it.

Reactivate a Compliance Type

To restore a previously deactivated compliance type:

  1. Switch to the Deactivated view using the radio buttons
  2. Locate the compliance type in the table
  3. Click the Activate button (plus icon)
  4. The compliance type returns to the Active table

Fields Reference

The Active compliance types table shows:

Column Description Editable
(Arrows) Controls to move compliance type up or down in priority order Yes (click arrows)
Level Display order number (1 = highest priority). Updates automatically when reordering No (changed via arrows)
Edit Button to open the edit window N/A
Compliance name The name of the compliance type Yes (via Edit)
Corrective action Shows ✓ (green check) if corrective actions are required, or ✗ (red cross) if optional Yes (via Edit)
Period for plan Deadline for submitting corrective action plan (days). Shows "Immediate" for 0 days, "N/A" if not set Yes (via Edit)
Period for implementation Deadline for implementing corrective action (days). Shows "Immediate" for 0 days, "N/A" if not set Yes (via Edit)
Submission Type Shows "Always Combined" or "Always Separate" submission workflow Yes (via Edit)
Deactivate Button to deactivate this compliance type N/A

Usage Throughout the System

Compliance types are used in:

  • Findings: When creating a finding during an audit or investigation, users select the applicable compliance type
  • Corrective actions: The compliance type determines corrective action requirements and deadlines
  • Reports and exports: Findings can be filtered and grouped by compliance type
  • Dashboards: Metrics and charts display compliance type breakdowns

Permissions

To view and manage compliance types, you must have the Security Settings - Full Access permission. Users without this permission see an access notification instead of the settings page.

Best Practices

Tips
  • Order compliance types by importance or frequency of use. The most commonly used types should appear first in the list
  • Use clear, descriptive names that make sense to all users. Avoid abbreviations unless they are widely understood
  • Deactivate rather than delete. This preserves historical data while preventing future use

11 Security Audit Report Configs

Security Context: These report configurations control how security audit reports are formatted, what sections are included, and how they appear.

Overview

The Audit Report Configurations tab allows administrators to create and manage templates that control the appearance and content of audit reports. Report configurations define which sections appear in audit reports, customise headers and footers, set branding options, and control how findings are displayed.

What Audit Report Configurations Are

Key Concepts
  • Report configuration: A template that defines the structure and appearance of audit reports
  • Section selection: Choose which parts of the audit appear in the report (findings, evidence, checklists, etc.)
  • Customisation: Personalise headers, footers, cover pages, and branding
  • Consistency: Ensures all reports follow a standard format for professionalism and compliance
  • Flexibility: Create different configurations for different audit types or audiences
Common Use Cases
  • Internal reports: Detailed configuration with all findings and evidence for internal review
  • Client reports: Professional configuration with executive summary and key findings only
  • Regulatory reports: Configuration meeting specific authority requirements
  • Executive summaries: High-level configuration with conclusions and recommendations

What You See Here

Page Controls
  • Active/Deactivated views: Radio buttons to switch between active and deactivated configurations
  • Search: Filter configurations by name
  • Add button: Create new report configurations
  • Configurations table: View and manage all report configurations with reordering controls
  • Pagination: When there are 16 or more configurations, page controls appear

View Existing Report Configurations

The Active table displays all available configurations with the following columns:

Column Description
(Arrows) Controls to move configuration up or down in sort order
Edit Button to open the configuration editor
Name The name of the report configuration
Deactivate Button to deactivate this configuration

Create a New Report Configuration

To build a new audit report configuration:

Step 1: Name the Configuration

  1. Click the Add new audit report configuration button
  2. Enter a configuration name (e.g., "Standard Internal Audit Report", "Client Executive Summary", "Regulatory Submission")

Step 2: Select Sections to Include

Choose which parts of the audit appear in the report:

  • Executive summary: High-level overview of the audit
  • Audit details: Audit scope, objectives, and methodology
  • Findings: All identified issues and observations
  • Evidence: Supporting documentation and attachments
  • Checklist responses: Complete checklist with answers
  • Corrective actions: Actions planned or completed
  • Recommendations: Auditor suggestions
  • Conclusions: Overall assessment and outcomes
  • Appendices: Additional reference materials

Step 3: Customise Header and Footer

Personalise the header and footer that appear on each page:

  • Header content: Company name, audit title, document number
  • Footer content: Page numbers, date, confidentiality notice
  • Font and style: Choose font size, colour, and alignment
  • Dynamic fields: Insert placeholders that auto-populate (e.g., audit date, auditor name)

Step 4: Configure Cover Page Options

Set up the report cover page:

  • Cover page template: Select from available designs or create custom
  • Logo placement: Add organisation logo and position it
  • Title and subtitle: Define how audit name and details display
  • Audit information: Choose which audit metadata appears (dates, location, auditors)
  • Signature blocks: Include approval signatures if needed

Step 5: Set Findings Display Options

Control how findings are presented:

  • Grouping: Group findings by severity, category, or area
  • Sorting: Sort findings by priority, date discovered, or custom order
  • Detail level: Include full descriptions, summaries, or key points only
  • Evidence display: Show embedded images, links to attachments, or reference numbers
  • Status indication: Display finding status (open, closed, in progress)

Step 6: Configure Branding and Logo Options

Apply organisation branding:

  • Logo: Upload and position your organisation logo
  • Colour scheme: Set primary colours for headers, highlights, and accents
  • Fonts: Choose report fonts (body text, headings)
  • Watermark: Add "Draft", "Confidential", or custom watermarks

Step 7: Save the Configuration

  1. Review all settings
  2. Click Submit to save the configuration
  3. The configuration appears in the Active table

Edit an Existing Configuration

To modify a report configuration:

  1. Locate the configuration in the Active table
  2. Click the Edit button (pencil icon)
  3. Update any settings:
    • Change included sections
    • Modify header/footer content
    • Update branding or logo
    • Adjust findings display options
  4. Click Submit to save your changes
Note: Changes to report configurations affect reports generated after the change. Existing reports remain unchanged.

Reorder Configurations

The sort order determines how configurations appear in dropdown lists:

  1. Locate the configuration in the Active table
  2. Click the up arrow to move it higher in the sort order
  3. Click the down arrow to move it lower
  4. The sort order updates automatically

Tip: Place the most frequently used configurations at the top for easy access.

Deactivate a Configuration

When a configuration is no longer needed:

  1. Locate the configuration in the Active table
  2. Click the Deactivate button (ban icon)
  3. The configuration moves to the Deactivated view

What happens when you deactivate: The configuration is removed from selection lists when generating reports. Existing reports that used this configuration remain unchanged.

Reactivate a Configuration

To restore a previously deactivated configuration:

  1. Switch to the Deactivated view using the radio buttons
  2. Locate the configuration in the table
  3. Click the Activate button (plus icon)
  4. The configuration returns to the Active table at the bottom of the sort order

Use Configuration When Generating Reports

To apply a configuration when creating audit reports:

  1. Complete your audit
  2. Navigate to the audit report generation section
  3. Select a report configuration from the dropdown
  4. Click Generate Report
  5. The report is created using the selected configuration's settings
  6. Download, print, or share the report

Permissions

To view and manage audit report configurations, you must have the Security Settings - Full Access permission. Users without this permission see an access notification instead of the settings page.

Best Practices

Tips
  • Create separate configurations for different audiences (internal, client-facing, regulatory)
  • Include all sections for internal reports, but create streamlined configurations for external distribution
  • Test new configurations by generating a sample report before using them for live audits
  • Use consistent branding across all report configurations to maintain professional appearance
  • Include clear headers and footers with page numbers, dates, and confidentiality notices as appropriate

12 Best Practices

Report Category Design

  • Align with SeMS requirements: Organize categories to match your Security Management System structure and ICAO Annex 17 requirements
  • Cover all security threat types: Include categories for unauthorized access, threats, cybersecurity incidents, cargo security, etc.
  • Keep categories clear and distinct: Avoid overlap between categories to prevent confusion during reporting
  • Consider regulatory alignment: Map categories to regulatory reporting requirements (e.g., local security authorities)

Threat Assessment

  • Configure risk matrices for security threats: Set up matrices that reflect security-specific likelihood and impact criteria
  • Define appropriate tolerability levels: Establish clear thresholds for acceptable, tolerable, and intolerable security threats
  • Use consistent colour coding: Apply standard colors (green for acceptable, yellow for tolerable, red for intolerable) across all security threat assessments
  • Review and update regularly: Reassess risk matrices and tolerabilities as your security environment changes

Checklist Design

  • Structure for SeMS audits: Organize checklists around security management system elements and ICAO Annex 17 standards
  • Use clear, actionable items: Write checklist items that auditors can verify through observation, document review, or interview
  • Group related items: Use checklist groups to organize items by security area (e.g., Access Control, Screening, Cargo Security)
  • Balance thoroughness with practicality: Include enough detail for comprehensive audits without making checklists unwieldy

Team Management

  • Assign both roles where appropriate: Some team members may serve as both security auditors and investigators
  • Consider training requirements: Ensure security auditors and investigators have appropriate security management training
  • Review access regularly: Periodically review who has auditor or investigator access and remove access when no longer needed
  • Document role responsibilities: Maintain clear documentation of what security auditors vs investigators are authorized to do
Navigation
Settings

Theme

Other settings coming soon...

An unhandled error has occurred. Reload 🗙
Interactive features loading...