What's New in CISO Assistant — Week 08, 2026 (v3.12.5 – v3.12.7)

Three releases close out February, headlined by the new ITIL 4 library, broader validation coverage, and a long list of stability improvements across notifications, exports, and IAM.

New Features

Expanded validation coverage (v3.12.6) — Validations now extend to processings, exceptions, accreditations, and contracts. If your organisation uses approval workflows, these object types can now participate in the same review-and-sign-off process as existing entities.

Applied controls on the evidences table (v3.12.5) — The evidences list now shows which applied controls each piece of evidence supports, making it easier to verify coverage without drilling into individual records.

Stakeholder names on charts (v3.12.5) — Charts that reference stakeholders now render their names directly, replacing opaque identifiers with human-readable labels.

M2M visibility check in serializer (v3.12.6) — Many-to-many relationships now respect object-visibility rules at the serializer level, closing a gap where related objects could leak across permission boundaries.

Framework & Library Updates

• ITIL 4 Management Practices — Added by community contributor @Qnadia. Covers all 34 ITIL 4 management practices, making it easy to map your IT service management controls against the ITIL body of knowledge.
• CyFun 2025 reference-ID fix — Corrected reference IDs that were misaligned in the initial CyFun 2025 import.

Deployment & Infrastructure

Optional Kubernetes ServiceAccount with annotations (v3.12.5) — Contributed by @tajpouria (welcome!). Helm chart users can now enable a dedicated ServiceAccount and attach annotations — useful for IAM-role bindings on AWS EKS, GCP Workload Identity, or Azure AD pod identity.

Skeleton UI v4 migration (v3.12.5) — The front-end component library has been upgraded to Skeleton UI v4, bringing improved accessibility and performance. This is an internal change, but theme or plugin authors should review the Skeleton v4 migration guide.

Bug Fixes & Stability

This week is heavy on fixes — v3.12.6 alone ships over a dozen:

Exports & Reports

• DORA RoI export now aligns with the official EBA XLS Master Template.
• Audit zip-export filenames are sanitised to prevent issues with special characters.
• The export feature has been restored after temporarily removing a Popover component that was interfering with it.
• Actor information in incident PDF reports is now handled correctly.

Notifications

• Multiple improvements to notification delivery and consistency.
• Email notification settings are now applied consistently across all channels.

IAM & Authentication

• IAM group-creation logic has been corrected.
• Session expiry with allAuth now properly redirects to the login page instead of showing an error.
• MFA redirect no longer interferes with the authentication flow (v3.12.7).
• Labels read-permission is now granted to the reader profile.

Data Integrity

• Domain export/import correctly handles terminologies.
• Markdown field values are preserved when submitting a form in preview mode.
• Search state is maintained when selecting objects in the ModelTable.
• Finding labels within a follow-up now display the correct text.
• Operating-mode kill-chain updates work as expected.
• Task-node due-date changes are saved reliably.

TPRM

• Multiple improvements to solutions management in the third-party risk module.

For the full list of changes, see the v3.12.5 – v3.12.7 releases on GitHub.