Start here

Your first 60 minutes in OneComply

A practical setup path for new teams: create the operating baseline first, then add evidence, vendors, incidents, and reports.

Owner: Customer SuccessLast reviewed: 2026-05-31

First goal

Baseline

Org profile, frameworks, users

Next goal

Evidence

Upload and link proof

DORA focus

RoI + incidents

Register and reporting clocks

Support

Ticket

Dashboard > Support

Before you start

  • Confirm the legal entity name, LEI if applicable, country, and regulated-entity type.
  • Decide which frameworks are in scope: DORA, CSSF 22/806, ISO 27001, NIS2, GDPR, or CRA.
  • Prepare an owner list for controls, vendors, evidence, incidents, and reporting.
  • Prepare the first evidence files or import spreadsheets if you already have mature data.

Recommended setup order

  1. Complete the organisation profile in Dashboard > Settings so reports use the correct entity details.
  2. Invite the right users from Settings > Members. Use RBAC roles instead of sharing accounts.
  3. Select frameworks and review the framework coverage page to understand what is operationally covered.
  4. Load controls manually or through Control Mapping Concierge if you have a spreadsheet baseline.
  5. Upload and link evidence to the controls that prove operating effectiveness.
  6. Create vendors and dependencies for ICT third-party risk and DORA/CSSF register workflows.
  7. Set up incident intake in review mode before switching any connector to auto-create.
  8. Generate draft reports and clear readiness blockers before any management or regulator handoff.

Use review mode first

For imports and incident connectors, start with review mode. Only switch to automatic creation after you have verified the source data quality and filters.

What to verify before inviting auditors

  • Controls have owners, statuses, due dates, and evidence.
  • Evidence has clear names, dates, source descriptions, and expiry where applicable.
  • Vendors have criticality, outsourcing classification, review dates, and contract evidence.
  • Incidents have detection time, severity, DORA major flag, stage, owner, and report deadlines.
  • Reports show no mandatory-field blockers for the selected authority package.

Continue reading

RBAC Summary

Choose the right roles before inviting users.

Control Mapping

Import existing controls safely.

Evidence Pipeline

Upload, link, review, and export evidence.

Troubleshooting

Common customer issues and safe fixes.