In addition to the numerous functionalities typical of IT GRC (Governance, Risk Management, and Compliance) tools, the core of the AlterRisk program is its knowledge base. This knowledge base consists of data on threats to the information system, characteristics of the information system (groups), internationally recognized best practices in information system management and the associated security controls, as well as the interrelations between them.

AlterRisk version 4.7 includes data on the following standards and guidelines:
ISO/IEC 27001/27002:2022 (as well as previous versions from 2013 and 2005),
ISO/IEC 22301:2012,
ISO/IEC 9001:2015,
ISO/IEC 20000:2018,
COBIT v4.1,
PCI DSS v2.0,
NIST,
ITIL,
GDPR,
Croatian National Bank Decision on Adequate Information System Management,
Croatian National Bank Guidelines on Adequate Information System Management,
Decision on Minimum Standards for Information System Management (BiH),
Cybersecurity Regulation.

All controls from these standards are cross-mapped to NIST controls and, where necessary, extended with standard-specific controls that have no NIST counterpart. In addition to this mapping, each control is linked to the threats it is designed to prevent or mitigate. The mapping scheme is illustrated in the following image.


Solid lines represent mappings, while dashed lines indicate that a risk is treated as the combination of a threat/event and a specific entity. The program does not define vulnerability as a separate category; a vulnerability is simply the absence of a control, or its poor implementation.
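The scheme above, as an added illustration that is not AlterRisk's own code or knowledge base: standard-specific controls map to NIST controls, NIST controls link to threats, a risk is a (threat, entity) pair, and a vulnerability is derived from missing or poorly implemented controls rather than stored. Control numbers follow ISO/IEC 27002:2022, PCI DSS and NIST SP 800-53, but the mappings, threats, entities and statuses are constructed for the example.

```python
from collections import defaultdict

# Standard-specific control -> NIST control (several standards may map to one).
# Mappings are constructed for illustration, not taken from AlterRisk.
STD_TO_NIST = {
    ("ISO27002:2022", "5.15"): "AC-3",  # access control -> access enforcement
    ("ISO27002:2022", "8.7"):  "SI-3",  # protection against malware
    ("ISO27002:2022", "8.13"): "CP-9",  # information backup -> system backup
    ("PCI-DSS", "5.1"):        "SI-3",  # anti-virus on affected systems
}

# NIST control -> threats/events it prevents or mitigates (constructed).
NIST_TO_THREATS = {
    "AC-3": {"unauthorised access"},
    "SI-3": {"malware infection", "ransomware"},
    "CP-9": {"ransomware", "data loss"},
}

# Implementation status per entity (asset group); "poor" counts as absent.
STATUS = {
    "payment-servers": {"AC-3": "implemented", "SI-3": "poor", "CP-9": "implemented"},
    "workstations":    {"AC-3": "implemented"},
}


def threat_coverage():
    """Invert NIST_TO_THREATS: threat -> set of NIST controls that counter it."""
    cov = defaultdict(set)
    for ctrl, threats in NIST_TO_THREATS.items():
        for t in threats:
            cov[t].add(ctrl)
    return cov


def unmitigated_risks(entity):
    """Risks for an entity: threats whose countering controls are all absent or poor."""
    effective = {c for c, s in STATUS.get(entity, {}).items() if s == "implemented"}
    return sorted(t for t, ctrls in threat_coverage().items() if not ctrls & effective)


def nist_equivalents(standard, control_id):
    """Cross-map one standard's control to other standards' controls via NIST."""
    nist = STD_TO_NIST[(standard, control_id)]
    return sorted(k for k, v in STD_TO_NIST.items()
                  if v == nist and k != (standard, control_id))
```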

Users can enter their own standards, controls, and threats, and group and map them as needed. This is particularly useful for users who already work with a specific methodology and dataset that they wish to retain and transfer into this program.