v3 changes from v2:
① Scope is visible. Project header surfaces scope chips; Controls table has a Scope filter dimension. Real engagements are scope-bounded; v2 hid it.
② Per-framework custom views. Inside Controls tab: sub-tabs for "All controls" (flat default) + framework-specific views (ISO 27001 native, CPCSC levels, etc.). Frameworks don't all have the same shape.
③ Generate Report is a persistent CTA. Lives in the project header as a primary button. The deliverable is what the consultant gets paid for — it should be one click away always.
④ "Preview as…" replaces Audience toggle. Honest framing: it's a preview of what another role sees, not a role switch.
⑤ Mappings (Phase 2) tab dropped. Don't ship visible-but-unbuilt UI. Returns when the queue ships.
⑥ Detail = full page by default. Real review takes 20+ min per control. Peek is an opt-in for queue-walking ("Quick peek" toggle).
⌘S
Control+S /
GW
Project RBC

RBC ISO 27001 · Q1 2026 In review

Scope: 📍 Toronto DC ☁️ AWS production 👥 Corporate IT Montreal office
12 / 147 reviewed · 47 evidence · 12 intake open · due Jun 30
View: Different frameworks have different shapes — each can have its own native view
| Filter:
|
🔐 ISO 27001:2022 147 controls · 12 reviewed · scope: Toronto DC, AWS prod, Corporate IT
5. Organizational (37)
A.5.1 Policies for information security 3/5 AI Not reviewed High 5 ev Toronto DC A.5.2 Information security roles and responsibilities 4/5 human Reviewed High 3 ev All scopes A.5.3 Segregation of duties 2/5 AI Not reviewed Med 2 ev Corp IT A.5.4 Management responsibilities none Not started High 0 ev All scopes
8. Technological (34)
A.8.1 User endpoint devices 3/5 AI Not reviewed High 8 ev Corp IT A.8.20 Networks security 4/5 AI Not reviewed High 4 ev AWS prod

Thinking & assessment — v3

v3 hardens v2 against three real-world stress points (scope, framework heterogeneity, deliverable visibility) and addresses three softer concerns (audience theater, unbuilt-tab clutter, peek-vs-fullpage default).

① Scope is now visible

  • Project header chips. "Toronto DC, AWS production, Corporate IT" — included scopes shown in scope-blue. "Montreal office" shown line-through to surface the explicit exclusion. Click "+ Edit scope" to manage.
  • Scope filter chip in the table view bar. A scope element is a filter dimension, same as Framework or Status.
  • Per-row scope badge. Each control row shows which scope it applies to ("Toronto DC", "Corp IT", "All scopes"). Same control can appear with different scopes if needed.
  • Schema implication. A new scopes table on Project, plus a scope reference (or array) on each control instance. Doesn't exist today — call this out for engineering.

② Per-framework custom views inside Controls

  • Sub-tabs inside the Controls tab: All controls (flat) · ISO 27001 (Annex A) · SOC 2 (TSC) · My queue · + Add view.
  • All controls (flat) is the default. Cross-framework reasoning still wins by default.
  • Framework-native views are per-framework UIs when needed. ISO 27001 Annex A grouped by theme. CPCSC by Implementation Level. NIST CSF by Function/Category. The Airtable shape supports custom views over the same data.
  • User-created saved views ("My queue") sit alongside framework-native ones — same UI primitive.
  • Resolves Anouar's tension: he wanted "each individual framework has its own UI." Now they do, without sacrificing the cross-framework default.

③ Generate Report as persistent CTA

  • Lives in the project header, primary brand button. Visible from any tab, any view.
  • The deliverable is what the consultant gets paid for. Treating it as a tab-level navigation buries it. Promoting it to a persistent action makes the product the system of record, not auxiliary to Word.
  • Triggers the Share/Export flow: PDF export, share-link generation for auditors, or live-dashboard publish for clients. The Share tab still exists for managing existing exports + share links.

④ "Preview as…" replaces Audience toggle

  • Renamed for honesty. "Audience: Consultant / Reviewer / Client" implied a role switch. Real consultants don't switch roles; they preview what someone else will see, then send a link.
  • Dropdown menu with Consultant (you, default) / Preview as Reviewer / Preview as Client. Selecting a preview shows a banner ("Preview mode — showing what reviewer sees") with an exit button.
  • Production share flow generates a share link that locks the role for the recipient. Toggle is for design/QA only.

⑤ Mappings (Phase 2) tab dropped

  • Don't ship visible-but-unbuilt UI. Showing a tab labeled "Phase 2" creates confusion: users think they should be able to use it; engineering has nothing to point at.
  • Returns when the queue ships. The schema work to promote Mapping to first-class is on the road map; the tab is just a UI affordance for that work, surfaced when ready.

⑥ Detail = full page by default

  • Real review takes 20+ min per control. 460px peek panel feels cramped for that depth.
  • Default behavior: click a row → full-page detail. Back button returns to the table with scroll position preserved.
  • Quick peek mode is an opt-in toggle in the view bar. When enabled, click → 460px peek slides in from right. Designed for fast queue-walking through 100+ controls.
  • "Open full page" button is prominent in peek header (brand-highlighted) so escalating from peek → full is one click.
  • Quick peek banner at top of peek panel reminds the user: "for deep review, open full page."

What's still architecturally open

  • Consultant tool vs Continuous monitoring product. v3 still bets these can share infrastructure with audience-as-filter. Worth confirming with real users from each persona before deep build.
  • Density. All-controls table at 147+ rows may overwhelm. Default Group + Filter brings working set to ~12-30 rows; empty default needs care.
  • Discussion thread adoption. GRC consultants today work in email + Slack. Will they switch to in-product comments? Depends on whether this becomes the system of record.
  • Scope schema. Doesn't exist today. Need a design pass on the data model before Scope-as-filter ships.
  • Full-page detail is not yet drawn. v3 mockup still shows the peek (with "Full page" promoted). The full-page detail is its own design pass — likely close to v1's main content area, but with the breadcrumb back to the Controls table.

Files: index.html (v1 — tree shape, original) · index-v2.html (v2 — web shape, Org demoted) · index-v3.html (this — v2 + scope + framework views + report CTA + preview-as + peek-as-opt-in)