Frequently Asked Questions

General overview
Scrut is a risk and compliance automation platform that simplifies your compliance journey by automating evidence collection, risk assessment workflows, and continuous compliance monitoring. It supports over 60 out-of-the-box frameworks including SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS, and more.
Scrut offers:
- 60+ out-of-the-box frameworks along with support for custom frameworks
- Customizable risk scoring with approval workflows built in
- End-to-end audit management with hands-on, expert in-house support from onboarding to post-audit
- Downloadable, audit-ready reports showcasing real-time compliance
- Secure Trust Vault with branding customization options
Scrut is an all-in-one GRC platform that covers governance, risk, and compliance — all in one place. Unlike traditional GRC tools that are often slow and siloed, Scrut combines that comprehensive coverage with the speed and automation of a modern compliance solution. It helps you manage frameworks, automate evidence collection, monitor risks, and stay audit-ready with far less manual effort.
Scrut supports 60+ out-of-the-box frameworks, including but not limited to:
- Security: SOC 2, SOC 1, ISO/IEC 27001
- Privacy: GDPR, CCPA, ISO/IEC 27701, HIPAA
- AI Governance: ISO/IEC 42001, EU AI Act
- Risk: NIST CSF, NIST SP 800-53, DORA
- Government: FedRAMP
- Custom frameworks for your organization
Yes, Scrut scales with your business — whether you’re a fast-moving startup or a complex enterprise.
- For startups: Scrut’s flexible, API-driven architecture and modular pricing help early-stage teams get up and running quickly. You can leverage pre-built policy templates, automated evidence collection, and affordable plans without needing a dedicated compliance team.
- For enterprises: Scrut supports multi-framework compliance (SOC 2, ISO 27001, PCI DSS, GDPR, and more), advanced vendor risk management, fine-grained role-based access controls, and integrations with SIEM and ticketing tools — making it ideal for managing complex, cross-functional compliance programs at scale.
For startups, Scrut offers:
- Pre-built policies and framework control mapping to get started quickly
- Affordable pricing plans tailored for small teams
- Automation to reduce the need for hiring dedicated compliance staff
- Support and hand-holding by experts at every step of the compliance process
For enterprises, Scrut provides:
- Advanced risk management and vendor tracking
- Support for multiple frameworks and complex audits
- Integration with large-scale cloud and DevOps stacks
- Role-based access controls and auditor collaboration tools
Scrut offers flexible pricing tailored to your compliance needs. All pricing plans include access to all core features, modules, and frameworks within the Scrut platform, with no limits or hidden charges based on users or usage. Additional services like audit charges may influence the final quote. To learn more or get a custom quote, reach out to the Scrut team with your compliance requirements.
Compliance and framework support
Yes. Scrut supports over 60 frameworks including ISO 27001, SOC 2, HIPAA, GDPR, and PCI DSS.
Yes. Scrut supports compliance with ISO/IEC 42001.
Yes. Scrut maintains a unified control library and automatically maps common controls between SOC 2 and ISO 27001, so you define a control once and it applies to both frameworks.
Yes. Scrut’s multi-framework support is built around a unified control library that lets you map a single control to multiple frameworks. When you onboard a new framework, Scrut auto-populates the relevant controls, so you don’t have to start from scratch each time.
Through:
- Automated evidence collection from 80+ tools
- Continuous control monitoring to flag issues early
- Live dashboards to track framework status
- Smart alerts to notify teams about gaps or overdue tasks
Yes. Scrut offers a unified dashboard to manage multiple frameworks and their corresponding controls, evidence, tests, policies, and more in a single platform.
Scrut can automatically detect certain types of compliance gaps, like control failures, policy misconfigurations, or missing evidence, through continuous monitoring and automated tests.
For example, if an access control policy is outdated or a required encryption setting is missing, Scrut flags it in real time. However, identifying broader risks or evaluating business-specific impact still involves human review. Scrut supports this with automated workflows for risk identification, approval, and treatment — helping teams respond faster and more consistently.
Yes. Scrut offers continuous control monitoring by running automated daily tests against your configured controls. It flags misconfigurations, provides remediation guidance, and keeps your compliance posture up to date.
Scrut also maintains a unified controls registry that gives you a real-time view of control status across all frameworks. By automatically pulling evidence from integrated systems, like cloud providers, endpoint tools, and code repositories, Scrut ensures your compliance status reflects your current security posture at all times.
Integrations and automation
Scrut integrates with over 80 tools to collect audit-ready evidence automatically, such as access logs, onboarding activity, and security configurations.
Scrut offers 80+ integrations across cloud, HR, identity, code repositories, and more.
Yes, Scrut Automation integrates seamlessly with Jira, AWS, and Slack, among over 80 other tools.
Yes. Scrut Automation integrates with both BambooHR and Google Workspace, among over 80 other tools.
It depends on your workflows, the number of frameworks you’re managing, and your company size. But on average, small to mid-sized businesses (SMBs) typically spend less than 3 hours per week inside Scrut.
Most of the heavy lifting, like evidence collection, control monitoring, and reporting, is automated. Your team mainly needs to review alerts, assign tasks, approve controls, and respond to auditor comments, all from a centralized dashboard.
Audit readiness
Yes. Scrut significantly reduces manual audit effort by combining automation, AI assistance, and centralized documentation.
- 80+ integrations automatically pull evidence from your cloud, HR, and development tools
- Smart control mapping auto-fills overlapping controls across frameworks
- Scrut AI Teammate helps prepare for audits by answering control queries, surfacing gaps, and guiding remediation
- Secure auditor access ensures all communication and document sharing happens inside the platform — no email chains
- Trust Vault hosts all your compliance documents with NDA-backed access, accelerating audit reviews and shortening sales cycles
With these capabilities, your team can move faster and stay audit-ready with far less effort.
Yes. Scrut allows you to give auditors secure, role-based access to the platform so they can review relevant controls, evidence, and documentation in one place — without relying on spreadsheets or back-and-forth emails.
Scrut also generates audit-ready reports that include control status, evidence summaries, timestamps, and activity logs. These reports can be exported and shared with auditors to support a faster, more organized audit process.
Yes. Scrut gives you full control over auditor access through its dedicated Audit Center.
Auditors are never granted unrestricted or full-module access. Instead, you can add them to a specific audit’s Audit Team, which provides read-only, scoped access to only what they need, including controls, evidence files, policy previews, and attachments.
They can also comment on items, manage findings, and track audit progress, all without accessing the broader platform. Permissions are role-based, tightly scoped, and logged for complete visibility and control.
Risk and policy management
Yes, Scrut helps you identify, assess, and prioritize risks through its built-in Risk Register.
You can choose from a pre-defined library of risks or create custom ones tailored to your organization. Each risk is assessed using configurable scoring models based on likelihood, impact, and existing controls. Scrut also allows you to assign owners, set deadlines, and link risks to specific departments or compliance frameworks — giving you a clear, structured view of your risk landscape.
Yes. Scrut allows you to create custom risks directly from the Risk Register. When you click to add a new risk, a guided form pops up prompting you to fill in details such as the risk title, category, owner, affected department, and impact level. This makes it easy to define risks tailored to your organization’s context and link them to your compliance efforts.
Yes. When you select a risk in Scrut, you’ll be guided through a form where you can define a mitigation plan. You can choose an action type, such as accept, transfer, mitigate, or avoid, assign an owner, set deadlines, and add notes. Scrut then tracks progress on each plan, helping you monitor how risks are being addressed over time.
Yes. Scrut provides an upload option that lets you import your existing risk register directly into the platform. When you choose to upload, a guided interface prompts you to map your spreadsheet columns (like risk name, category, impact, owner) to Scrut’s fields, making the migration smooth and structured.
Yes. Scrut offers 100+ editable policy templates mapped to frameworks like SOC 2, HIPAA, ISO 27001, and GDPR. Each template can be customized using Scrut’s in-built policy editor, so you can tailor content to your organization’s needs without starting from scratch.
Yes. In Scrut, employees receive assigned policies through their own dedicated portal, where they can review and acknowledge them with just a click. As an admin, you can send reminders, track who has acknowledged which policies, and monitor completion directly from the Scrut dashboard — all in one place.
Security and certifications
Yes. Scrut is built with security as a foundational principle, following industry-leading standards and certifications.
The platform is certified for ISO/IEC 27001, ISO/IEC 42001, SOC 2, ISO/IEC 27701, GDPR, and CCPA, and applies these standards across infrastructure, processes, and product features. It enforces encryption in transit and at rest (TLS in transit, AES-256 at rest), role-based access control, multi-factor authentication, and real-time monitoring to ensure data remains protected at all times.
Scrut also performs regular internal and third-party vulnerability assessments and penetration tests. Access to systems is tightly governed by least-privilege policies and reviewed on a quarterly basis.
For customers using Scrut’s AI features, data is handled responsibly. There is no cross-customer training of models, and all AI inputs are processed solely to deliver opted-in services. Scrut also follows minimal and purpose-bound data retention, with clear privacy boundaries enforced throughout.
A full overview of Scrut’s security posture — including audit reports, incident response protocols, data retention policies, and subprocessors — is available through its public Trust Vault.
Scrut’s approach ensures your data stays secure, whether you’re using automation, managing risks, or enabling AI-driven workflows.
Scrut is certified for:
- ISO/IEC 27001:2022 (information security)
- ISO/IEC 42001:2023 (AI management systems)
Yes. Scrut is certified under ISO/IEC 42001:2023, confirming responsible AI governance practices.
Trust Vault
A customizable portal to showcase your security posture. Key features include:
- Real-time security status
- Centralized certification storage
- NDA-backed sharing for stakeholders
- Website embedding with brand customization
Trust Vault helps reduce the time and effort spent on security reviews by giving prospects and partners a clear, real-time view of your security posture. It hosts your latest certifications, policies, and reports in one place, and allows you to grant NDA-backed access for deeper documentation review.
You can embed Trust Vault on your website or share it via a secure link — making it easy to showcase your compliance posture without back-and-forth emails. This builds trust faster and helps move deals forward with fewer delays.