Provide an option to add projects in the compliance framework creation workflow

Background

Compliance frameworks are structured sets of guidelines, controls, and requirements that organizations follow to ensure they meet specific regulatory standards or industry best practices. Common examples include SOC 2, HIPAA, ISO 27001, and PCI DSS.

In GitLab, a compliance framework is a label that identifies a project as having certain compliance requirements or as needing additional oversight. Compliance frameworks are created by clicking the New Framework button on the Compliance Center page at group level:

[Screenshot: New Framework button on the group-level Compliance Center page]

After creating a compliance framework, users can attach it to projects by:

  1. Navigating to the Projects tab in the Compliance Center;
  2. Selecting all the projects they want to apply the framework against;
  3. Selecting the framework they would like to apply; and
  4. Clicking Apply.

Problem

There are 2 key problems with this workflow:

Problem 1: No guidance in the framework creation workflow on what to do next
Explanation: A compliance framework is only valuable, and only works, if it is attached to a project. Without an attached project there is nothing to check for whether the appropriate settings or items have been enabled or enforced. By not guiding the user, especially new Ultimate users using compliance frameworks for the first time, towards attaching the framework to a project, this context can be lost or confused, and the learning curve for first-time users increases.

Problem 2: Slower adoption of compliance frameworks
Explanation: We believe that adoption of compliance frameworks occurs when a framework with 1 requirement and 1 control is successfully attached to a project. We should introduce as many guides and steps along the framework creation workflow as needed to encourage or show users that they should attach the compliance framework to a project.

This applies particularly where the compliance team already knows which projects they want to associate a newly created compliance framework with. If we eliminate the need to go to the Projects tab at the end and instead bake the step of attaching projects into the creation of the compliance framework, this should, hypothetically, speed up adoption of compliance frameworks overall.

Solution

We should include an additional step in the compliance framework creation workflow. With the custom compliance frameworks MVC being released soon, we should treat this as a further improvement to that creation workflow: it encourages and guides users to attach compliance frameworks to projects, and it removes the hypothetical friction point of having to navigate to the Projects tab after creating a framework.

The workflow with custom compliance frameworks MVC at the moment looks like this:

  1. On the Compliance center page, navigate to the top right hand corner of the page and select New framework;
  2. On the New framework page, the users can open the Basic Information tab and provide a Name, Description and select a Background colour for the compliance framework label;
  3. Users can then open the Requirements tab and select New Requirement;
  4. In the New Requirement modal, users can input the Name and Description of the Requirement before selecting one or multiple Controls that are associated with the requirement;
  5. Once completed, users can select Create Requirement; and
  6. Users click on Add Framework.

This improvement should include a new step, something like this:

  1. On the Compliance center page, navigate to the top right hand corner of the page and select New framework;
  2. On the New framework page, the users can open the Basic Information tab and provide a Name, Description and select a Background colour for the compliance framework label;
  3. Users can then open the Requirements tab and select New Requirement;
  4. In the New Requirement modal, users can input the Name and Description of the Requirement before selecting one or multiple Controls that are associated with the requirement;
  5. Once completed, users can select Create Requirement;
  6. (NEW STEP) Users should be provided the option of attaching multiple projects to the newly created compliance framework. It should be optional and not required so that they can choose to do this at another time if they like.
  7. Users click on Add Framework.

Even as an optional step in the creation workflow, this notifies users that they need to attach a project to the compliance framework. It should still work alongside our currently planned 'ending' screen shown after a compliance framework is created, which also prompts the user to attach a project. The more prompts and guidance provided, the more confident users feel about the choices they made when creating the framework and the clearer they are about the actions they need to take next.

Persona

Edited by Ian Khor