ZenGRC Reviews

ZenGRC brings all the tools you need to run a successful GRC program to the table in a clear, concise and minimalist package that's nimble and efficient. Our company had been utilizing the old method of email/spreadsheets and was getting lost in the weeds even on the smallest of audits and struggling to keep up each year to stay ahead. Our evaluations with other tools fell flat, didn't meet our requirements or introduced complexity. Our evaluation of ZenGRC started with skepticism, but quickly turned positive once we realized how logically organized the system was on the back-end. During our testing period, we were able to quickly create a Sarbanes-Oxley program, using both their template import and the GUI, in a matter of days. Since that time only a few short weeks ago we have now almost completed a full internal audit of our SOX program, complete with evidence collection and control evaluations. Our rough estimate has us gaining back a full week of time from previous audits last year and year prior using the old email/spreadsheet method. We are now rolling out an ISO27001, SOC2 and internal security control framework on the heels of the SOX success.

As with any SaaS from a small company that is new to market (less than 5 years), there are aspects of the tool that require some creative thinking and clever workarounds. This is not necessarily a dislike in my opinion, however less technical individuals may find this aspect difficult or troublesome. ZenGRC staff do redeem themselves on this front as they're quick to respond to feature requests and have already implemented several suggestions our team has submitted. Since starting to use the product, they have continually updated the product with new features, fixes and updates to existing functionality.

This is a light, minimal and logical GRC tool that has a lot to offer a company that has never used a GRC tool in the past. Definitely worth a demo and serious consideration.

Traditionally our audit cycles were difficult in that we rarely hit our target evidence collection windows. Adding to that difficulty we typically have sample requests that introduce complexity and cross-collection on requests with similar subjects and titles making it easy to get lost in email weeds. With ZenGRC, we removed all that complexity by making each and every evidence request unique. Sample requests were entered as new requests in the system so as not to get confused with the original request. Accountability was easily visible with the Request status on the Audit dashboard and escalations were efficient. On our first run, after a small 30 minute training session, we achieved 98.5% completion ahead of our submission deadline. That would have been impossible without ZenGRC.

Ease of use of the ZenGRC portal combined with the ability to run the audit and give your audit direct access to controls & related evidence makes the entire process friction-less.

The ability to take a full image backup, locally, is a small but manageable risk.

Setting up your initial controls can be a little time consuming, but the ability to use common controls across multiple compliance frameworks & to mitigate risks is extremely valuable. Time is saved with the cross mapping capability and the value is realized very quickly.

The main benefit is the way we can share audit evidence from within the secure portal, by directly provisioning the auditor, is a valuable benefit. The time to audit was reduced by at least 30%.

We've been using zGRC for 18 months. It is the best tool I've found for mapping compliance obligations, controls, risks, vendors, and the myriad of other objects that need to be modeled for a solid risk and compliance program. It's ability to cross-link objects to each other, especially linking controls to multiple frameworks (SOC 2, HITRUST, PCI, etc) is invaluable. I could not do my job without it.

The ability to model risks could be improved. We've extended it with custom fields to fit our needs.

It's a great product. The Reciprocity team is easy to work with, and they listen to customer product suggestions. We looked at a lot of other software. Nothing came close to zGRC for the money.

Our company is subject to multiple compliance frameworks. We needed a system to map all our controls to those frameworks to simplify audit and compliance. Also, we needed a way to track risks, especially as related to our vendors. zGRC has greatly enhanced our ability to get and stay compliant. It cuts our audit times in half.

The product is very user friendly. The ZenGRC training was well organized and very informative. We are preparing for our annual ISO audit and wished we had this product last year! Alejandro, our Customer Success Manger, has insured that all our questions and requests have been met thus far. The ZenGRC subject matter experts are very helpful and knowledgeable. Follow-up has been very good! We are looking forward to using the product!!

Additional demo scenarios would be good. No dislikes to speak of.

Identify your requirement, # of required admins and audit types. This will assist in building your site and identify training.

Streamline our internal and external security audits. Compliance with industry requirement and standards. We have realized other ways that we can use this ZenGRC to track audit findings and resolve issues.

I have been using ZenGRC for over two years now and it has been an essential tool helping us get and stay organized when we embarked on gaining a SOC 2 attestation. We have since been through two SOC 2 audits and are using ZenGRC to help us assess and remediate our gaps against ISO 27001.

There's a fair amount of things you have to edit by exporting to CSV, editing in your favorite spreadsheet app, then re-importing, so it would be nice if some of that functionality was built into the UI. That being said, that workflow is actually ideal for some tasks.

Our last audit firm wasn't able to use the app directly for requesting and managing audit evidence so there was a bit of duplication of effort. The ZenGRC team is making some changes to make that better though.

GRC program management, controls gap analysis, compliance reporting. Because it's so well organized we've managed to keep the required staff to manage compliance at a minimum.

The tool is so simple to use and navigate around. It gives me everything I need in regards to dashboards, heatmaps and condensing all of my risks and regulations. I can get what I need through a couple of clicks. Hands down the best tool I've used for risk reporting and compliance requirements.

All the people at Reciprocity are amazing to work with. Always responsive and on hand to go above and beyond whenever needed.

Needs more reporting functions and different dashboard types. Most Execs like visuals and straight to the point reporting in my experience.

We needed to move away from spreadsheets, better our reporting requirements and get what we need on demand.

The general consensus from the team is that this tool is really great. We are really happy to use it, and I do believe it is going to make our compliance efforts really streamlined. Our organization tends to be a little bit resistant to rigor and control, so tools like ZenGRC are helping to make it easy and less intrusive.

Looking forward to the custom survey feature!

Internal and External audit, ISO 27001 certification, SOC 2 reporting, Risk Assessment and vendor security

ZenGrC provided use with a single platform under which we could manage multiple, complex audits. The evidence collection and workflows replaced what was an otherwise tedious and duplicative process with JIRA tickets. The ability to present evidence from previous years as an example is immensely helpful when dealing with turnover in engineering and operations teams. Simple implementation, very lightweight, but not lacking for features.

The JIRA integration is rapidly improving but isn't quite as richly features as we would like. That being said, our use of JIRA is probably on the extreme side off complex so the current integration is likely acceptable for the majority of customers.

Take the time to do a POC and you will not be disappointed. Their support and go-live is exceptional.

GRC, multiple concurrent audits, understanding audit readiness, coordination between multiple teams and auditors.

Using ZenGRC, we've automated tracking of compliance issues that pose potential risks. It has allowed us to remediate these issues swiftly.

Exporting reports to CSV then takes a decent amount of reformatting to ready them for Executive review, but the new dashboard functionalities are providing new options in reporting key results which is great.

Overall the team has been quick to respond to requests for changes or additional functionality.

Centralized and systematic issue tracking across review types, programs and teams.

ZenGRC has a nice user interface and is fairly intuitive to use. It is a refreshing change from some of the larger industry standard GRC tools I've used over the years.

I would love to see a way to ZenGRC as a tool to manage all aspects of our audit function- audit work programs, work papers, testing spreadsheets, supporting documentation and reporting.

They have excellent customer support. I would definitely try a demo to see if this tool would meet your GRC needs.

GRC, audit tracking

ZenGRC is very flexible and easy to use even with complex compliance programs leveraging multiple standards. Reciprocity Labs listens to our feedback and is constantly improving the product.

Evidence storage solutions could be more fully integrated. I understand this is on the roadmap for future development.

Third-party assessment and certification management is easier for a small GRC team to manage with ZenGRC.