Version: Next 🚧

Compliance Frameworks

Manage compliance with industry-standard security frameworks and regulatory requirements.

Supported Frameworks

Security Frameworks

NIST Cybersecurity Framework

Comprehensive cybersecurity guidance:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

ISO 27001

Information security management:

  • 114 controls
  • 14 control domains
  • Certification support
  • Continuous compliance

SOC 2

Trust services criteria:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

CIS Controls

Prioritized security actions:

  • Implementation Groups (IG1, IG2, IG3)
  • Specific safeguards
  • Measurable outcomes

Industry Regulations

PCI DSS

Payment card security:

  • 12 requirements
  • Quarterly assessments
  • Merchant levels
  • Service provider requirements

HIPAA

Healthcare data protection:

  • Privacy Rule
  • Security Rule
  • Breach notification
  • Business associates

GDPR

Data privacy (EU):

  • Data subject rights
  • Processing requirements
  • Cross-border transfers
  • Breach notification

Managing Frameworks

Adding Frameworks

  1. Navigate to Compliance → Frameworks
  2. Click Add Framework
  3. Select framework from library
  4. Configure scope
  5. Begin mapping

Framework Dashboard

For each framework:

  • Compliance percentage
  • Control status
  • Gap count
  • Last assessment

Scoping

Define what's in scope:

  • Business units
  • Systems
  • Data types
  • Locations

Control Management

Viewing Controls

  • Control list by domain
  • Status indicators
  • Ownership
  • Evidence links

Control Details

For each control:

  • Control description
  • Requirements
  • Implementation guidance
  • Evidence requirements
  • Assessment history

Control Status

  • Implemented - Fully compliant
  • Partially Implemented - Gaps exist
  • Not Implemented - Not in place
  • Not Applicable - Out of scope

Assessment Process

Conducting Assessments

  1. Select controls to assess
  2. Gather evidence
  3. Evaluate compliance
  4. Document findings
  5. Update status

Assessment Types

  • Self-assessment
  • Internal audit
  • External audit
  • Continuous monitoring

Assessment Schedule

  • Annual full assessments
  • Quarterly reviews
  • Continuous monitoring
  • Event-triggered assessments

Evidence Management

Evidence Requirements

Each control specifies:

  • Required evidence types
  • Collection frequency
  • Retention period
  • Format requirements

Collecting Evidence

  • Automatic collection (integrations)
  • Manual upload
  • Screenshot capture
  • Document linking

Evidence Review

  • Review and approve
  • Link to controls
  • Version management
  • Audit trail

Gap Remediation

Identifying Gaps

  • Assessment findings
  • Failed controls
  • Missing evidence
  • Partial implementation

Remediation Planning

  1. Prioritize gaps
  2. Define remediation actions
  3. Assign owners
  4. Set deadlines
  5. Track progress

Tracking Progress

  • Remediation status
  • Due date tracking
  • Owner accountability
  • Escalation procedures

Framework Mapping

Cross-Framework Mapping

Map controls across frameworks:

  • Common requirements
  • Reduce duplication
  • Single evidence
  • Unified view
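The control status vocabulary, the dashboard compliance percentage and the cross-framework mapping described above, as an added example that is not the product's own code. It assumes a simple model: a control is Implemented once every evidence item it requires has been approved, Not Applicable (out-of-scope) controls are left out of the percentage denominator, and control ids and evidence names are placeholders.

```python
IMPLEMENTED, PARTIAL = "Implemented", "Partially Implemented"  # status vocabulary from the page
NOT_IMPLEMENTED, NOT_APPLICABLE = "Not Implemented", "Not Applicable"

# Constructed sample data; control ids and evidence names are placeholders, not real
# clause numbers. Each control lists the evidence it requires and whether it is in scope.
CONTROLS = {
    "ISO 27001": {
        "ISO-CTRL-1": {"evidence": ["mfa-policy", "mfa-config-export"], "in_scope": True},
        "ISO-CTRL-2": {"evidence": ["backup-test-report"], "in_scope": True},
        "ISO-CTRL-3": {"evidence": ["physical-access-log"], "in_scope": False},
    },
    "SOC 2": {
        "SOC2-CTRL-A": {"evidence": ["mfa-policy", "mfa-config-export"], "in_scope": True},
        "SOC2-CTRL-B": {"evidence": ["vendor-review", "vendor-soc-report"], "in_scope": True},
    },
}
# Evidence items reviewed and approved; one item is reused by every control that cites it.
APPROVED_EVIDENCE = {"mfa-policy", "mfa-config-export", "vendor-review"}


def control_status(control, approved):
    """Derive status from scope and approved evidence (assumed model, not the product's)."""
    if not control["in_scope"]:
        return NOT_APPLICABLE
    present = [e for e in control["evidence"] if e in approved]
    if len(present) == len(control["evidence"]):
        return IMPLEMENTED
    return PARTIAL if present else NOT_IMPLEMENTED

def compliance_percentage(framework, controls=CONTROLS, approved=APPROVED_EVIDENCE):
    """Share of in-scope controls that are Implemented; Not Applicable is excluded from the denominator."""
    statuses = [control_status(c, approved) for c in controls[framework].values()]
    applicable = [s for s in statuses if s != NOT_APPLICABLE]
    return round(100 * applicable.count(IMPLEMENTED) / len(applicable), 1) if applicable else 0.0

def gaps(framework, controls=CONTROLS, approved=APPROVED_EVIDENCE):
    """Controls with gaps, each with the evidence still missing (input to remediation planning)."""
    return {cid: sorted(set(c["evidence"]) - approved)
            for cid, c in controls[framework].items()
            if control_status(c, approved) in (PARTIAL, NOT_IMPLEMENTED)}

def shared_evidence(controls=CONTROLS):
    """Cross-framework map: evidence item -> (framework, control) pairs that all rely on it."""
    reuse = {}
    for fw, ctrls in controls.items():
        for cid, c in ctrls.items():
            for e in c["evidence"]:
                reuse.setdefault(e, []).append((fw, cid))
    return {e: pairs for e, pairs in reuse.items() if len(pairs) > 1}
```

With the sample data, one approved MFA evidence set satisfies a control in both frameworks, and the out-of-scope ISO control neither raises nor lowers the ISO 27001 percentage.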

Custom Mappings

Create your own mappings:

  • Internal requirements
  • Customer requirements
  • Custom frameworks
  • Combined views

Reporting

Framework Reports

  • Compliance summary
  • Control details
  • Gap analysis
  • Trend analysis

Certification Support

  • Evidence packages
  • Assessment documentation
  • Auditor access
  • Certification tracking

Best Practices

  1. Start with one framework - Build competency
  2. Map controls completely - Full coverage
  3. Assign owners - Clear accountability
  4. Gather evidence continuously - Don't wait for audits
  5. Use cross-mapping - Reduce duplication
  6. Track trends - Monitor improvement
