Map your controls once
Map your controls once and keep every standard you hold audit-ready from the same place. Each control is a living record linked to the policies, risks, assets and evidence that satisfy it, so renewing one framework or adding the next reuses what you already maintain instead of rebuilding a binder.
The same three steps whether you hold a single standard or ten. You maintain one control set, and every framework draws on it.
Bring your controls into one place and link each one to the policies, risks, assets and evidence that satisfy it. It becomes a living record you maintain, not a row you copy into a fresh spreadsheet before every audit.
Cross-framework mapping is authored once and reads both directions. Define how a control maps in one place, and adding the next standard pulls in the controls and evidence you already maintain instead of starting a new binder.
You don’t re-map from each new framework’s side. The same mapping counts in both directions, so the second standard you add costs a fraction of the first.
Coverage rolls up per framework, from unknown to partial to full. Open gaps surface by control as you go, so you see them months before an audit, not in the two weeks before it.
Four choices behind how controls and frameworks work here — each one something you can check, not an adjective.
You maintain a single set of controls and point every framework at it, instead of keeping a separate binder per certificate.
A control’s cross-framework mapping is defined in one place and works in both directions, so a new standard reuses controls and evidence you already have.
Coverage rolls up from unknown to partial to full, and open gaps show up by control months out, not as a fire drill the week before the audit.
ISO 27001, SOC 2, GDPR, HIPAA, PCI DSS, NIST CSF, EU AI Act, NIS2, Swiss nFADP, OWASP and ISO 42001 work out of the box, and you can add a custom framework and custom controls.
Hosted in Switzerland by default, in German and English, with on-premise possible. Your control set and evidence are yours and exportable to CSV and PDF at any time, with no lock-in.
Controls don’t live alone. Each one links to the policies, risks, assets, evidence and audits that prove it, all in the same workspace — so the proof is connected to the control instead of scattered across tools.
See how complete each framework is, by control, in one view.
Version, approve and review the policies your controls point to.
Keep audit-ready proof attached to the control it satisfies.
Tie each risk to the controls that treat it, and track it through.
Yes. ISO 27001, SOC 2, GDPR, HIPAA, PCI DSS, NIST CSF, EU AI Act, NIS2, Swiss nFADP, OWASP and ISO 42001 are supported out of the box, and you can define a custom framework with your own custom controls when you work to a standard or internal policy that isn’t pre-built.
Yes. You author a control’s cross-framework mapping once, in one place, and it reads in both directions. So when you add a new standard, it reuses the controls and evidence already mapped, instead of asking you to re-map everything from the new framework’s side.
You can add your own controls alongside the built-in ones, link them to the policies, risks, assets and evidence that satisfy them, and map them across frameworks the same way. Your methodology stays yours, in one workspace.
In a spreadsheet, a control is a row you rebuild before every audit, and a new framework means a new tab. Here, each control is a living record connected to the proof that satisfies it, mapped once across frameworks both ways, with coverage and gaps rolling up per framework — so you maintain one set of controls rather than reconciling several.
Swiss-hosted by default, in German and English, with on-premise possible. Your control set and evidence are yours, exportable to CSV and PDF and reachable through the API at any time, so there’s no lock-in.
Map your controls once, reuse the evidence across every standard you hold, and see the gaps by control months before the audit — not the week before.