Compliance: Multi-Framework Mapping

✅ Compliance: One Control, Multiple Frameworks, Zero Duplication

Unified ISMS: When Framework Mapping Eliminates Compliance Theater

Nothing is true. Everything is permitted. Including the permission to implement one security control that satisfies multiple compliance frameworks instead of treating ISO 27001, NIST CSF, and CIS Controls as separate universes. Are you paranoid enough to question why consultants profit from complexity?

Think for yourself. Question authority. Question consultants who sell separate "ISO 27001 program" and "NIST CSF program" when they're addressing the same security domains with 80% overlapping controls. The bureaucracy is expanding to meet the needs of the expanding bureaucracy. Don't feed it.

At Hack23, compliance isn't separate programs—it's unified ISMS with systematic framework mapping. Our Compliance Checklist maps single control implementations to multiple frameworks: 93% ISO 27001 Annex A (106/114 controls), 87% NIST CSF 2.0 (108/124 subcategories), 82% CIS Controls v8 (135/164 safeguards).

ILLUMINATION: Compliance frameworks aren't competing standards—they're different lenses on the same security reality. ISO 27001 control A.5.15 (access control) maps to NIST CSF PR.AC-04 (access control) maps to CIS Control 6 (access control). Same control, three compliance checkboxes. Consultants profit from treating these as separate because complexity is billable. We profit from mapping because efficiency is a competitive advantage. Follow the incentives, psychonaut.

Our compliance framework demonstrates cybersecurity consulting expertise through efficiency gains: Single control implementation → multiple compliance outcomes. Audit prep time: 80 hours manual → 12 hours automated evidence collection. Framework coverage via CIA Compliance Manager tool.

The Three Primary Frameworks: Coverage Through Systematic Mapping

🏛️ ISO 27001:2022 Annex A

Coverage: 93% (106/114 controls implemented)

Framework Purpose: International standard for Information Security Management Systems. Risk-based approach with 114 controls across 4 themes (Organizational, People, Physical, Technological). Gold standard for ISMS certification.

Implementation Status: 106 controls implemented, 8 not applicable (physical security controls for an office-less company; outsourced-development controls, since nothing is outsourced). Evidence documented in Compliance Checklist with direct links to ISMS policies.

Coverage Highlights: A.5 (Organizational controls) 100%, A.6 (People controls) 91%, A.7 (Physical controls) 67% (office-less adjustments), A.8 (Technological controls) 97%.

Tool Support: CIA Compliance Manager tracks ISO 27001 Annex A control coverage with automated mapping to ISMS documentation.

ISO 27001 is comprehensive but not prescriptive. "Implement access control" doesn't specify how. That's a feature, not a bug. It allows tailoring to business context. It also allows consultants to charge €50K to tell you what "implement" means. We chose the free option: think for yourself.

🛡️ NIST Cybersecurity Framework 2.0

Coverage: 87% (108/124 subcategories addressed)

Framework Purpose: Risk-based framework organized by six Functions (Govern, Identify, Protect, Detect, Respond, Recover). Practical guidance with implementation tiers. Widely adopted in US federal agencies + critical infrastructure.

Implementation Status: 108 subcategories addressed across all six Functions. Govern (GV): 78%, Identify (ID): 89%, Protect (PR): 92%, Detect (DE): 84%, Respond (RS): 87%, Recover (RC): 81%. Full mapping in Compliance Checklist.

Coverage Highlights: Strong Protect function (PR.AC access control, PR.DS data security, PR.PT protective technology). Detect function leveraging AWS services (GuardDuty, Security Hub, Config). Response procedures with classification-driven SLAs.

Unique Value: NIST CSF provides implementation tiers (Partial, Risk Informed, Repeatable, Adaptive) enabling maturity assessment. Hack23 targets Tier 3 (Repeatable) for critical controls, Tier 2 (Risk Informed) for standard controls.

NIST CSF is outcome-focused, not prescriptive. "Detect cybersecurity events" doesn't mandate specific tools. Enables AWS-native detection (GuardDuty) vs third-party SIEM based on business context.

🔧 CIS Controls v8

Coverage: 82% (135/164 safeguards implemented)

Framework Purpose: Prioritized set of actions for cyber defense. 18 Controls with 164 Safeguards organized by Implementation Groups (IG1 basic, IG2 intermediate, IG3 advanced). Highly specific, actionable guidance.

Implementation Status: IG1 (essential cybersecurity) 94% (49/52 safeguards), IG2 (enterprise security) 86% (61/71 safeguards), IG3 (advanced security) 61% (25/41 safeguards). Full breakdown in Compliance Checklist.

Coverage Highlights: CIS 1 (Inventory) via AWS Config, CIS 2 (Software) via Dependabot + SBOM, CIS 3 (Data Protection) via KMS encryption, CIS 4 (Secure Configuration) via CloudFormation IaC, CIS 5 (Account Management) via IAM policies, CIS 6 (Access Control) via least privilege + MFA.

Implementation Groups: IG1 focus (small business baseline) 94% complete. IG2 focus (enterprise capabilities) 86% complete. IG3 focus (advanced controls) 61% complete—intentional prioritization based on risk vs resource tradeoff.

CIS Controls are specific: "Enable firewall logging" not "implement network security." Specificity reduces ambiguity but requires adaptation to cloud-native architectures (VPC Flow Logs vs traditional firewall logs).

Regulatory Frameworks: GDPR, NIS2, CRA Readiness

Regulation: GDPR (EU General Data Protection Regulation)
  Applicability: Fully applicable (EU data processing)
  Key Requirements:
    • Lawful basis (Art. 6)
    • Consent management (Art. 7)
    • Data subject rights (Art. 12-23)
    • Breach notification <72hr (Art. 33)
    • DPO appointment (Art. 37-39)
    • DPIA for high-risk processing (Art. 35)
    • International transfers safeguards (Art. 44-50)
  Hack23 Status: Compliant. Data Protection Policy addresses all GDPR requirements. Breach procedures with <30min detection, <72hr notification. No DPO required (no large-scale monitoring). All data EU-located (Stockholm region).

Regulation: NIS2 (Network and Information Security Directive 2)
  Applicability: Potentially applicable (critical infrastructure assessment)
  Key Requirements:
    • Cybersecurity risk management (Art. 21)
    • Incident reporting: 24hr initial / significant incidents within 72hr (Art. 23)
    • Supply chain security (Art. 21)
    • Business continuity (Art. 21)
    • Security measures (Art. 21)
    • Management accountability (Art. 20)
  Hack23 Status: Ready. NIS2 applicability assessment complete (essential services provider determination pending). All technical requirements met: incident response (<30min for critical), supply chain controls (Third Party Policy), BCP (RTO <1hr critical). Management accountability: CEO = Security Officer.

Regulation: CRA (Cyber Resilience Act)
  Applicability: Applicable (software products with digital elements)
  Key Requirements:
    • Secure by design (Art. 10-11)
    • Vulnerability handling (Art. 13)
    • Mandatory reporting (Art. 14)
    • CE marking (Art. 30)
    • 5-year security support (Art. 13)
    • SBOM provision (Art. 13)
    • Security updates (Art. 13)
  Hack23 Status: Prepared. CRA classification: Citizen Intelligence Agency (Important Product Class II), CIA Compliance Manager (Standard Product). Secure development via SDL Policy. Vulnerability disclosure via Security Policy. SBOM via Dependency-Track.

Regulation: UK DPDP Act (Data Protection and Digital Information Act)
  Applicability: Potentially applicable (UK market operations)
  Key Requirements: Similar to GDPR with UK modifications: lawful processing, individual rights, security obligations, breach notification, accountability principles.
  Hack23 Status: Review complete. GDPR compliance provides substantial coverage. UK-specific adaptations documented in Data Protection Policy. International data transfers via adequacy decisions. No separate UK operations currently (Stockholm-based).

REGULATORY ILLUMINATION: Regulations overlap deliberately. GDPR data protection + NIS2 cybersecurity + CRA product security address same security domains from different angles. Good security posture satisfies multiple regulations, not separate compliance programs.

How Framework Mapping Eliminates Duplication

Example: Access Control Implementation

Framework: ISO 27001
  Control Reference: A.5.15, A.5.16, A.5.17, A.5.18
  Control Description: Access control policy, identity management, authentication information, access rights provisioning

Framework: NIST CSF 2.0
  Control Reference: PR.AC-04, PR.AC-05, PR.AC-06, PR.AC-07
  Control Description: Access permissions managed, network integrity protected, identities proved/verified, users authenticated

Framework: CIS Controls v8
  Control Reference: CIS 5, CIS 6
  Control Description: Account management (Control 5: 13 safeguards), Access control management (Control 6: 8 safeguards)

Hack23 Implementation: Single IAM policy implementation: Least privilege AWS IAM roles, MFA enforcement for all humans, service accounts with specific permissions, no root account usage, quarterly access review, automated access provisioning/deprovisioning. Documented in Access Control Policy. Satisfies 3 frameworks with 1 control.

Framework Mapping Benefits:

  • Efficiency Gain: One control implementation → three compliance checkboxes. Reduces implementation effort by ~70% vs separate framework programs.
  • Audit Preparation: Pre-mapped evidence. ISO 27001 audit → show Access Control Policy. NIST CSF assessment → same policy, different reference numbers. Single evidence source, multiple compliance outcomes.
  • Gap Analysis Simplified: Identify gaps once, remediate for all frameworks. Missing "vulnerability management" control impacts ISO 27001 A.8.8, NIST CSF DE.CM-08, CIS Control 7. Fix once, satisfy three requirements.
  • Compliance Maintenance: Update policy once, maintain compliance across all frameworks. Access control policy update → automatically updated ISO 27001 + NIST CSF + CIS Controls evidence.

MAPPING ILLUMINATION: Consultants profit from treating frameworks as separate universes. "You need ISO 27001 program ($50K) plus NIST CSF program ($40K) plus CIS implementation ($35K)." Reality: 80% overlap. Unified ISMS satisfies all three for fraction of cost.

Compliance Automation: Evidence Collection Over Manual Reporting

Automated Evidence Collection: AWS Config for configuration compliance, CloudTrail for audit logs, Security Hub for security findings, GitHub Actions for CI/CD evidence, SonarCloud for quality metrics, Dependabot for vulnerability management. Continuous compliance monitoring vs annual audit scramble.

CIA Compliance Manager Tool: Open-source framework mapping tool tracking 40+ compliance frameworks. ISO 27001 Annex A mapping, NIST CSF 2.0 coverage, CIS Controls v8 tracking, GDPR requirements checklist, NIS2 readiness assessment, CRA applicability matrix. Real-time compliance posture visibility.

Compliance Dashboard Metrics:

  • Framework Coverage: ISO 27001 93% (106/114), NIST CSF 87% (108/124), CIS Controls 82% (135/164). Updated automatically as controls implemented.
  • Evidence Completeness: 98% of implemented controls have documented evidence links (policies, procedures, configurations, logs). 2% pending documentation updates.
  • Gap Analysis: 8 ISO 27001 controls not applicable, 16 NIST CSF subcategories partially implemented (documented gap remediation plan), 29 CIS Controls safeguards intentionally deferred (IG3 advanced controls, risk-based prioritization).
  • Audit Readiness: 12 hours estimated for next compliance audit (vs 80 hours manual evidence collection). Pre-generated audit packages with evidence links.

AUTOMATION ILLUMINATION: Manual compliance is perpetual audit preparation. Automated compliance is continuous evidence collection. One approach scales linearly with the number of controls. The other scales to thousands of controls with the same effort.
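The access-control mapping row and the dashboard metrics above (framework coverage, gap analysis, evidence completeness) as one small script. This is an added example, not code from Hack23 or the CIA Compliance Manager: each control record carries its evidence links and the framework references it satisfies, and every metric is derived from that single map. The framework reference sets are a constructed subset (with NIST CSF 2.0 GV.OC-01 included as a reference that no control maps to, so the gap check has something to report), and the evidence link names are constructed.

```python
from collections import defaultdict

FRAMEWORK_REFS = {  # constructed subset of each framework's reference set
    "ISO 27001": {"A.5.15", "A.5.16", "A.5.17", "A.5.18", "A.8.8"},
    # GV.OC-01 is mapped by no control below, so the gap check reports it
    "NIST CSF 2.0": {"PR.AC-04", "PR.AC-05", "PR.AC-06", "PR.AC-07", "DE.CM-08", "GV.OC-01"},
    "CIS v8": {"CIS 5", "CIS 6", "CIS 7"},
}

CONTROLS = {  # one implementation -> many references (the post's access-control row)
    "access-control-iam": {
        "implemented": True,
        "evidence": ["Access Control Policy", "IAM MFA enforcement config"],  # constructed
        "refs": {"ISO 27001": ["A.5.15", "A.5.16", "A.5.17", "A.5.18"],
                 "NIST CSF 2.0": ["PR.AC-04", "PR.AC-05", "PR.AC-06", "PR.AC-07"],
                 "CIS v8": ["CIS 5", "CIS 6"]},
    },
    "vulnerability-management": {  # the post's "missing control" gap example
        "implemented": False,
        "evidence": [],
        "refs": {"ISO 27001": ["A.8.8"], "NIST CSF 2.0": ["DE.CM-08"], "CIS v8": ["CIS 7"]},
    },
}

def coverage(controls=CONTROLS, universe=FRAMEWORK_REFS):
    """Per framework: (satisfied, total, percent); a ref is satisfied by any implemented control."""
    satisfied = defaultdict(set)
    for ctl in controls.values():
        if ctl["implemented"]:
            for fw, refs in ctl["refs"].items():
                satisfied[fw].update(refs)
    return {fw: (len(satisfied[fw] & refs), len(refs),
                 round(100 * len(satisfied[fw] & refs) / len(refs)))
            for fw, refs in universe.items()}

def gaps(controls=CONTROLS, universe=FRAMEWORK_REFS):
    """Two gap kinds: references whose mapped control is not yet implemented
    (remediate once, close all of them) and references no control maps to."""
    mapped = defaultdict(set)
    for ctl in controls.values():
        for fw, refs in ctl["refs"].items():
            mapped[fw].update(refs)
    pending = {cid: ctl["refs"] for cid, ctl in controls.items() if not ctl["implemented"]}
    unmapped = {fw: sorted(refs - mapped[fw]) for fw, refs in universe.items()}
    return pending, unmapped

def evidence_completeness(controls=CONTROLS):
    """Percent of implemented controls carrying at least one evidence link."""
    done = [c for c in controls.values() if c["implemented"]]
    return round(100 * sum(bool(c["evidence"]) for c in done) / len(done)) if done else 0
```

Implementing the single pending control flips A.8.8, DE.CM-08 and CIS 7 to satisfied in one step, which is the "fix once, satisfy three" point; the unmapped list is the check that catches references the mapping itself forgot.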

Welcome to Chapel Perilous: Compliance Mapping Edition

Nothing is true. Everything is permitted. Including the permission to implement unified ISMS with systematic framework mapping instead of treating ISO 27001, NIST CSF, and CIS Controls as separate compliance programs.

Traditional compliance: Separate programs for each framework, consultants billing separately, duplicate control implementations, 80%+ overlap ignored. Hack23 compliance: Single unified ISMS (one control implementation) → multiple framework mapping (ISO 27001 + NIST CSF + CIS Controls) → automated evidence collection (Config + CloudTrail + Security Hub) → continuous compliance (real-time posture visibility).

Our compliance framework:

  • Framework Coverage: 93% ISO 27001 (106/114 controls), 87% NIST CSF (108/124 subcategories), 82% CIS Controls (135/164 safeguards)
  • Regulatory Readiness: GDPR compliant, NIS2 ready, CRA prepared, UK DPDP reviewed. Single ISMS addresses multiple regulations.
  • Framework Mapping: Single control implementation → multiple compliance outcomes. Access control satisfies ISO + NIST + CIS simultaneously.
  • Compliance Automation: Continuous evidence collection via AWS services + GitHub + SonarCloud. 12 hours audit prep vs 80 hours manual.
  • Tool Support: CIA Compliance Manager for real-time compliance posture tracking across 40+ frameworks.

Think for yourself. Question authority—including compliance consultants whose billable hours depend on treating overlapping frameworks as separate universes. Frameworks aren't competing standards. They're different perspectives on the same security reality. Good security satisfies multiple frameworks without separate programs. ISO 27001 + NIST CSF + CIS Controls = same security, three compliance checkboxes. Consultants who can't see that overlap are either incompetent or incentivized. Guess which.

ULTIMATE ILLUMINATION: You are now in Chapel Perilous. Compliance without framework mapping is expensive theater. Compliance with systematic mapping is operational efficiency. We map once, comply multiple times. Because business value requires efficiency, not duplicate implementations. The bureaucracy is expanding to meet the needs of the expanding bureaucracy—but only if you let it.

All hail Eris! All hail Discordia!

Read our full Compliance Checklist with complete framework mappings (ISO 27001 + NIST CSF + CIS Controls + GDPR + NIS2 + CRA), evidence links, and gap analysis. Public. Systematic. Reality-based. With specific coverage percentages we actually measure.

— Hagbard Celine, Captain of the Leif Erikson

"Map systematically. Implement once. Comply multiply. Repeat until efficient."

🍎 23 FNORD 5