Getting Started

A practical guide to understanding and implementing Govula in your organization.

This section is intended for: Technical Team, Auditor, Management, End User. Unauthorised access is restricted.

What is Govula?

Govula is a continuous compliance platform designed for regulated organizations. It automates the creation, maintenance, and reporting of compliance documentation while preserving human oversight and accountability.

The platform addresses a fundamental challenge in compliance management: static documents become outdated the moment they are created. Traditional approaches require manual reviews, periodic audits, and significant effort to maintain accuracy.

Govula maintains a continuously evaluated compliance state, ensuring that your Statement of Applicability, control assessments, and evidence packages reflect the current reality of your organization.

What Problem Does It Solve?

Compliance programs face several persistent challenges:

  • Statements of Applicability that are only accurate at the time of creation
  • Manual effort required to track control status across multiple frameworks
  • Difficulty providing auditors with consistent, traceable evidence
  • Multiple stakeholders requiring different views of the same compliance data
  • Gaps between actual security posture and documented compliance state

Govula addresses these by maintaining a living system where compliance is continuously evaluated, not periodically documented.

Who Is It For?

Govula is designed for organizations that operate in regulated environments and require demonstrable compliance with recognized frameworks. This includes:

Healthcare Organizations

NHS trusts, private healthcare providers, and health technology companies subject to DSPT, ISO 27001, or similar requirements.

Financial Services

Banks, insurance companies, and fintech organizations requiring SOC 2, PCI DSS, or regulatory compliance.

Technology Companies

SaaS providers, managed service providers, and enterprises seeking ISO 27001 or SOC 2 certification.

Public Sector

Government agencies, local authorities, and public bodies with mandated compliance requirements.

Understanding the Living Statement of Applicability

A Statement of Applicability (SoA) is a core document required by standards such as ISO 27001. It lists all controls from a framework, indicates whether each applies to your organization, and provides justification for inclusion or exclusion.

Traditionally, an SoA is a static document created during certification preparation and reviewed annually. This creates a gap between the documented state and actual practice.

A Living Statement of Applicability is continuously evaluated. As your organization changes, as evidence is collected, and as controls are implemented or modified, the SoA updates to reflect current reality. Justifications are generated based on actual evidence and organizational context, not historical documentation.

This approach ensures that when an auditor reviews your SoA, they are seeing the current state of your compliance program, not a snapshot from months ago.

Platform Flow

1. Organization Setup

Your organization is configured with relevant metadata, industry context, and regulatory requirements. This context informs all subsequent compliance decisions.

2. Framework Selection

Select one or more compliance frameworks. The platform normalizes controls across frameworks and identifies overlapping requirements.

3. Evidence Collection

Evidence is associated with controls through uploads, integrations, or manual attestation. Evidence freshness is tracked and stale items are flagged.

4. Continuous Evaluation

The platform continuously evaluates compliance state based on evidence, control status, and organizational changes. Drift is detected and reported.

5. Stakeholder Reporting

Different stakeholders access appropriate views: executives see risk summaries, technical teams see control details, auditors see evidence trails.
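The following is an added illustration, not Govula's own code or data model, of the evidence-freshness, continuous-evaluation and drift-detection steps above and of how a living Statement of Applicability row (see "Understanding the Living Statement of Applicability") can be derived from them. Every control identifier, title, validity window, timestamp and justification in it is constructed for the example; the fixed "now" and "previous run" instants are assumptions so the output is reproducible.

```python
"""Constructed example: evidence freshness, continuous evaluation, drift, SoA rows."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed evaluation instant so the example is reproducible (assumption, not the live clock).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
PREVIOUS_RUN = NOW - timedelta(days=20)  # when the previous evaluation ran (assumed)


@dataclass
class Evidence:
    name: str
    collected_at: datetime
    max_age: timedelta  # how long this kind of evidence is accepted as current

    def is_fresh(self, now: datetime) -> bool:
        return now - self.collected_at <= self.max_age


@dataclass
class Control:
    control_id: str
    title: str
    applicable: bool          # human decision: in or out of scope
    justification: str        # human-written reason for inclusion or exclusion
    evidence: list = field(default_factory=list)


def evaluate_control(control: Control, now: datetime) -> str:
    """Derive one control's state from its applicability and evidence freshness."""
    if not control.applicable:
        return "not_applicable"
    if not control.evidence:
        return "no_evidence"
    if all(e.is_fresh(now) for e in control.evidence):
        return "implemented"
    return "stale_evidence"


def evaluate(controls: list, now: datetime) -> dict:
    """Compliance state snapshot: control id -> state."""
    return {c.control_id: evaluate_control(c, now) for c in controls}


def detect_drift(previous: dict, current: dict) -> dict:
    """Controls whose state changed since the previous snapshot (old, new)."""
    return {cid: (previous.get(cid), state)
            for cid, state in current.items() if previous.get(cid) != state}


def soa_rows(controls: list, state: dict) -> list:
    """One SoA row per control: id, title, applicable, state, justification text."""
    rows = []
    for c in controls:
        st = state[c.control_id]
        if not c.applicable:
            text = f"Excluded: {c.justification}"
        elif st == "implemented":
            names = ", ".join(e.name for e in c.evidence)
            text = f"Included: {c.justification}. Evidence: {names}"
        else:
            text = f"Included: {c.justification}. Attention: {st}"
        rows.append((c.control_id, c.title, "Yes" if c.applicable else "No", st, text))
    return rows


def sample_controls() -> list:
    """Constructed sample data; identifiers, titles and windows are hypothetical."""
    return [
        Control("CTL-01", "Information security policy", True, "Required for all scopes",
                [Evidence("policy-v3.pdf", NOW - timedelta(days=30), timedelta(days=365))]),
        Control("CTL-02", "Vulnerability scanning", True, "Internet-facing systems in scope",
                [Evidence("scan-report", NOW - timedelta(days=45), timedelta(days=30))]),
        Control("CTL-03", "Removable media handling", False, "No removable media in use", []),
        Control("CTL-04", "Supplier review", True, "Third-party processors in scope", []),
    ]


def run_example(now: datetime = NOW, previous_run: datetime = PREVIOUS_RUN) -> dict:
    """Evaluate now, compare with the previous run, and emit the SoA rows."""
    controls = sample_controls()
    current = evaluate(controls, now)
    drift = detect_drift(evaluate(controls, previous_run), current)
    return {"state": current, "drift": drift, "soa": soa_rows(controls, current)}


if __name__ == "__main__":
    result = run_example()
    for row in result["soa"]:
        print(" | ".join(row))
    print("drift:", result["drift"])
```

In this constructed data the scan report for CTL-02 was fresh at the previous run (25 days old, 30-day window) but is 45 days old at the current evaluation, so the control drifts from implemented to stale_evidence and its SoA row carries the warning instead of an evidence citation; the applicability flags and justification strings remain human-authored inputs, which mirrors the split in "What the System Automates".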

What the System Automates

Automated by Govula

  • Compliance state evaluation and scoring
  • SoA generation with structured justifications
  • Drift detection and alerting
  • Evidence freshness tracking
  • Cross-framework control mapping
  • Report generation and distribution
  • Audit trail maintenance

Human-Controlled

  • Final applicability decisions
  • Evidence collection and attestation
  • Control implementation
  • Justification review and override
  • Risk acceptance decisions
  • Audit response and remediation
  • Organizational context updates

Next Steps

After onboarding, your organization will have a continuously evaluated compliance state. The platform will:

  • Generate and maintain your Statement of Applicability
  • Alert you to compliance drift or evidence expiration
  • Provide stakeholder-appropriate dashboards and reports
  • Maintain an immutable audit trail of all compliance activity

Proceed to the Platform Overview to understand the system architecture in detail.