Fifteen frameworks, one workspace.

6 min read · The Tour

"Unified compliance" is a term used loosely across the industry. In ComplyAura, it has a specific meaning: every supported framework is implemented against a shared control library, a shared evidence library, and a shared audit trail. The result is that work performed for one framework contributes to every other framework it touches. The list below describes what is supported today.

The trust frameworks

• SOC 2 (Type I & Type II). The TSC mapped to controls, with point-in-time and operating-effectiveness evidence handled separately because they are separate things.
• ISO 27001:2022 & ISO 27701:2019. Annex A and the privacy extensions, with the cross-walk to SOC 2 already drawn so you don't redo work.
• ISO 22301:2019. Business continuity treated as a first-class program, not a policy you wrote once.

The regulatory frameworks

• HIPAA. Administrative, physical, and technical safeguards, plus the breach-notification clocks and the BAA tracking around them.
• GDPR & CCPA / CPRA. Article-level mapping for GDPR; consumer rights workflows for CCPA. DPIAs, RoPAs, the lot.
• PCI DSS v4.0. All twelve requirements, the customized approach where it applies, and the continuous validation expectations baked into the workflows.

The government & sector frameworks

• NIST CSF v2.0. The new "Govern" function included, mapped to your existing controls so you don't restart.
• NIST 800-53 Rev 5. Full control catalog. Tailoring supported. Overlays supported.
• FedRAMP Rev 5. Low/Moderate/High baselines, with the SSP scaffolding generated from your control implementations.
• CIS Controls v8. Implementation Groups 1, 2, and 3 — picked once, applied everywhere.
• HITRUST CSF v11. The maturity model and the inheritance model, both first-class.

The unifying model

None of these frameworks operate in isolation. Implementing a control once causes it to satisfy every framework requirement it covers. Adding a sixteenth framework is therefore not a new program but an incremental exercise: enable the framework, run the gap analysis, and complete the small set of additional work the analysis surfaces. The infrastructure that supports the new framework is already in place.

---

← Previous   All Field Notes   Book a demo →