Compliance Frameworks

One platform for the frameworks your customers, auditors, and partners care about

Frameworks overlap. Requirements repeat. The work becomes expensive because teams rebuild the same policies, risks, and controls for each new standard. TractionGRC maps them to each other so work done once counts everywhere, and you run one program instead of five.

Every Annex A control mapped to SOC 2 TSC, NIST CSF, ISO 42001, CIS, and CMMC. Answer once, see it everywhere.

NIST CSF 2.0 | Self-assessment | Starter plan

Six-function framework (Govern, Identify, Protect, Detect, Respond, Recover) published by NIST. The common-denominator reference most teams point at when they say 'organize your security work.' No certification; self-assessment.

CIS Controls | Self-assessment | Starter plan

18 prioritized safeguards grouped into three implementation groups. Tells lean teams what to do first, second, and third when everything feels urgent.

ISO 27001:2022 | Stage 1 + Stage 2 audit | Professional plan

International ISMS certification. Clauses 4-10 define the management system; Annex A lists 93 controls across four themes. Customers and enterprise buyers recognize the certificate.

SOC 2 Type II | Annual CPA attestation | Professional plan

AICPA attestation for service organizations. Security TSC required; Availability, Processing Integrity, Confidentiality, Privacy optional. The report US enterprise procurement asks for.

ISO 42001:2023 | Management system certification | Professional plan

Management system standard for AI. Defines how to govern AI development and use, with impact assessment, risk management, and ongoing oversight. New standard; adoption is accelerating.

ISO 27701 | Extension certification | Enterprise plan

Privacy extension to ISO 27001. Adds PIMS (Privacy Information Management System) requirements for controllers and processors. Builds on an existing ISO 27001 certification; you do not pursue it standalone.

CMMC 2.0 Level 1 | Annual self-assessment | Starter plan

DoD basic safeguarding for Federal Contract Information (FCI). 17 practices from FAR 52.204-21. Annual self-assessment, no third-party assessor. Required for nearly every DoD contractor.

CMMC 2.0 Level 2 | C3PAO assessment | Professional plan

All 110 NIST SP 800-171 Rev 2 practices. Required for DoD contractors handling Controlled Unclassified Information (CUI). Most contracts require C3PAO third-party assessment from Phase 2 (November 2026).

CMMC 2.0 Level 3 | DIBCAC assessment | Enterprise plan

24 enhanced requirements selected from NIST SP 800-172, layered on top of Level 2. Targets the small subset of contractors handling the most sensitive CUI on critical programs. Assessed by DCMA DIBCAC.

NIST CSF 2.0

Practical cybersecurity structure | Starter plan

NIST Cybersecurity Framework 2.0 organizes cybersecurity work across six functions: Govern, Identify, Protect, Detect, Respond, Recover. Published by NIST as voluntary guidance, widely adopted across US federal, state, and private sectors. No certification, no auditor. The reference point teams use when they need structure before they are ready for ISO 27001 or SOC 2.

GV Govern: Establish cybersecurity strategy, roles, and oversight.

ID Identify: Understand risks to systems, data, assets, and capabilities.

PR Protect: Implement safeguards that reduce likelihood and impact.

DE Detect: Identify events and issues in a timely way.

RS Respond: Take action when cybersecurity incidents occur.

RC Recover: Restore operations and improve resilience after incidents.

In TractionGRC: Starter includes a NIST CSF 2.0 library with the 106 subcategories organized by function. Self-assess against each, attach evidence as you collect it, and watch your TractionScore™ move. When you move to Professional, the same evidence carries into ISO 27001 Annex A and SOC 2 TSC.

CIS Controls

Security basics that smaller teams can act on | Starter plan

CIS Controls v8 is 18 prioritized safeguards maintained by the Center for Internet Security, grouped into three Implementation Groups (IG1, IG2, IG3) by maturity. IG1 is the "basic cyber hygiene" set. IG3 is enterprise-grade. The answer to "what should we do first?" for small teams drowning in recommendations.

IG1: basic cyber hygiene

56 safeguards covering the controls that stop 85% of the most common attacks. A lean team can implement this in a quarter.

IG2: established program

Adds 74 safeguards for organizations with IT staff and multiple departments. Expect a few quarters of work.

IG3: mature enterprise

Adds 23 safeguards for organizations handling sensitive data or operating at scale. Usually pursued alongside ISO 27001 or SOC 2.

Cross-mapping ready

CIS maps cleanly to ISO 27001 Annex A and NIST CSF. TractionGRC ships these mappings so CIS work carries forward when you certify.

ISO 27001:2022

International ISMS standard | Professional plan

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems. Clauses 4-10 define what the management system must do: scope, leadership, risk, objectives, operation, evaluation, improvement. Annex A lists 93 security controls you choose from based on your risk assessment. Certification is issued by an accredited body after a two-stage audit, with annual surveillance audits and re-certification every three years.

Why ISO 27001 matters

Opens enterprise deals

Procurement teams at global enterprises often list ISO 27001 as a prerequisite. The certificate drops you past the gatekeeping round and into the actual review.

Forces scope honesty

You define what is in scope up front: which services, which data, which locations. Scope drift is the single biggest cause of Stage 2 surprises.

Auditor-reviewed, not self-attested

A third-party certification body reviews the evidence. That is what makes the certificate worth more to a procurement team than an internal claim they cannot verify.

Three-year discipline

Annual surveillance audits and re-certification every third year. The cadence prevents the 'let it lapse' failure mode that sinks self-assessment programs.

Structure of ISO 27001:2022

ISO 27001 has mandatory clauses that define management system requirements, plus Annex A controls that support security implementation.

Main clauses

4 Context of the Organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance Evaluation
10 Improvement

Annex A themes

A.5 Organizational controls (37 controls)

A.6 People controls (8 controls)

A.7 Physical controls (14 controls)

A.8 Technological controls (34 controls)

SOC 2 Type II

US assurance standard | Professional plan

SOC 2 is an attestation report issued by a CPA firm under AICPA's SSAE 18. It applies to service organizations that hold or process customer data. The report evaluates your controls against the Trust Services Criteria you selected: Security (required), plus any of Availability, Processing Integrity, Confidentiality, or Privacy.

Type I is a point-in-time snapshot. Type II covers a review period, typically 6 or 12 months, during which the auditor tests whether controls operated effectively. Type II is the report US enterprise buyers ask to see, because it reflects months of operation rather than a single day.

Trust Services Criteria

CC Security (Common Criteria) | Required: Controls protecting systems and information against unauthorized access or damage.

A Availability | Optional: System availability and performance against commitments.

PI Processing Integrity | Optional: Processing is complete, valid, accurate, timely, and authorized.

C Confidentiality | Optional: Confidential information is protected appropriately.

P Privacy | Optional: Personal information is handled in accordance with commitments and requirements.

ISO 27001 vs SOC 2

Comparison of ISO 27001 and SOC 2 across origin, market, output, best fit, and audit body.

                 ISO 27001                      SOC 2
Origin           ISO/IEC (international)        AICPA (USA)
Primary market   Global                         Primarily USA
Output           Certification                  Audit report
Best fit         Global and enterprise buyers   US enterprise buyers
Audit body       Certification body             CPA firm

Teams pursuing both run ISO 27001 Annex A as the base library, then map Security TSC criteria on top. TractionGRC ships the mapping, so one implementation covers both reports.

ISO 42001

AI management system standard | Professional plan

ISO/IEC 42001:2023 is the management system standard for AI. Structurally similar to ISO 27001: clauses 4-10 define the management system, with annexes listing AI-specific controls and impact-assessment requirements. Published in December 2023; adoption is accelerating among vendors building AI into customer-facing products, and among enterprises with AI use cases on the governance radar.

AI impact assessment

Required for each AI system in scope. Assess intended use, affected stakeholders, and potential harms before deployment.

AI risk management

Integrates with your existing risk register. AI risks (bias, drift, hallucination) get the same treatment, acceptance, and review cycle as security risks.

Data governance for AI

Training data provenance, quality, and labelling all in scope. Auditors want to see this even if your AI use is limited to third-party models.

Starting with AI Essentials: Starter-plan teams begin with AI Essentials, a TractionGRC module covering ISO 42001 impact assessments, AI-specific risks, and governance roles. The same work carries into full ISO 42001 certification on Professional when you are ready.

ISO 27701

Privacy extension standard | Enterprise plan

ISO/IEC 27701 is the privacy extension to ISO 27001. It adds a Privacy Information Management System (PIMS) on top of your existing ISMS, with additional requirements for organizations acting as data controllers or processors under privacy regulations like GDPR and CPRA. It is not a standalone certification. You must already hold, or pursue alongside it, ISO 27001 certification.

Controller and processor scopes

Distinct requirement sets for each role. If you are both (most SaaS vendors are), you implement both. TractionGRC splits the two so scope is explicit.

Additional Annex A controls

PIMS adds ~50 privacy-specific controls on top of ISO 27001's 93. Consent management, data subject rights, cross-border transfer, retention limits.

GDPR and CPRA evidence

ISO 27701 alone is not GDPR compliance, but the certificate is strong evidence of program maturity. DPAs and customers recognize it.

CMMC 2.0

Cybersecurity Maturity Model Certification · Three levels · Starter to Enterprise

CMMC 2.0 is the US Department of Defense's mandatory cybersecurity certification program. The 32 CFR Part 170 final rule took effect December 16, 2024, and Phase 1 of contract enforcement began November 10, 2025. Starting Phase 2 (November 10, 2026), most contracts handling Controlled Unclassified Information require third-party C3PAO certification before award. CMMC requirements flow down to subcontractors, so even small DIB suppliers are in scope. TractionGRC ships all three levels, with cross-mappings to ISO 27001 Annex A so an org running ISO 27001 already has roughly 70-80% of CMMC Level 2 covered.

Level 1 (Foundational) | Starter plan

Scope: Federal Contract Information (FCI)

Controls: 17 practices

Assessment: Annual self-assessment

Level 2 (Advanced) | Professional plan

Scope: Controlled Unclassified Information (CUI)

Controls: 110 practices (NIST SP 800-171 Rev 2)

Assessment: C3PAO third-party assessment, every 3 years

Level 3 (Expert) | Enterprise plan

Scope: Critical CUI on high-value programs

Controls: +24 enhanced practices (NIST SP 800-172)

Assessment: DCMA DIBCAC government-led assessment

Levels are cumulative. An org pursuing Level 3 must already hold Final Level 2 (C3PAO) certification for the same scope. Per 32 CFR 170.14, all Level 2 POA&M items must be closed before DCMA DIBCAC will conduct a Level 3 assessment. TractionGRC tracks each level independently so teams can build out higher-level controls in parallel with lower-level certification.

Looking for SSPA?

SSPA is a supplier assurance program, not a framework

Microsoft's Supplier Security and Privacy Assurance (SSPA) program is an annual assurance cycle that Microsoft suppliers complete by attesting to the Data Protection Requirements (DPR). It is not a certification framework like ISO 27001. It's a questionnaire-and-evidence process driven by Microsoft's supplier contracts.

TractionGRC handles SSPA through our Supplier Assurance Programs catalog, alongside SIG, SIG Lite, CAIQ, and HITRUST. Our SSPA starter library is aligned to DPR v12 (released April 2026), and teams can issue SSPA programs to suppliers or respond to SSPA requests from customers through the same workflow.

Work once. Count everywhere.

The cross-walks are already written: NIST CSF to ISO 27001 Annex A, Annex A to SOC 2 TSC, ISO 27001 to ISO 27701 PIMS, ISO 27001 to ISO 42001, and CMMC 2.0 (NIST SP 800-171 Rev 2 and 800-172) to ISO 27001 Annex A. Add one control with one piece of evidence; it shows up against every framework where it applies.
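The "work once, count everywhere" idea above is a many-to-many mapping plus evidence propagation. The following is an added illustration, not TractionGRC's code: two hypothetical internal controls (CTL-MFA, CTL-LOGGING) and a constructed handful of requirement identifiers are mapped across four of the frameworks named on this page, and evidence attached to a control is counted against every mapped requirement. The specific control-to-requirement pairs are an assumption for the example, not the product's shipped cross-walks.

```python
from collections import defaultdict

# Constructed cross-walk for illustration: internal control id -> framework ->
# requirement ids. Which requirements a real control satisfies is a judgement
# call made per program; these pairs are assumptions, not a vendor mapping.
CROSSWALK = {
    "CTL-MFA": {  # hypothetical control: MFA enforced on all user and admin accounts
        "ISO 27001 Annex A": ["A.5.15", "A.8.5"],
        "SOC 2 TSC": ["CC6.1"],
        "NIST CSF 2.0": ["PR.AA-03"],
        "CIS Controls v8": ["6.3", "6.5"],
    },
    "CTL-LOGGING": {  # hypothetical control: central collection of audit logs
        "ISO 27001 Annex A": ["A.8.15"],
        "SOC 2 TSC": ["CC7.2"],
        "NIST CSF 2.0": ["PR.PS-04"],
        "CIS Controls v8": ["8.2"],
    },
}


def coverage(evidence):
    """Return {framework: sorted requirement ids} that count as covered.

    `evidence` is {control_id: [evidence items]}. A requirement is covered once
    any control mapped to it carries at least one piece of evidence; a control
    with no evidence contributes nothing to any framework.
    """
    covered = defaultdict(set)
    for control, frameworks in CROSSWALK.items():
        if not evidence.get(control):
            continue
        for framework, reqs in frameworks.items():
            covered[framework].update(reqs)
    return {fw: sorted(reqs) for fw, reqs in covered.items()}


def controls_satisfying(framework, requirement):
    """Reverse lookup: which internal controls would close this requirement."""
    return sorted(
        control
        for control, frameworks in CROSSWALK.items()
        if requirement in frameworks.get(framework, [])
    )


if __name__ == "__main__":
    # Constructed sample evidence: only the MFA control has an artifact attached.
    sample_evidence = {"CTL-MFA": ["idp-mfa-policy-export-2025-01.pdf"]}
    for fw, reqs in coverage(sample_evidence).items():
        print(f"{fw}: {', '.join(reqs)}")
```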

Starter plan

NIST CSF · CIS Controls · CMMC L1 · AI Essentials

Professional plan

ISO 27001 · SOC 2 · ISO 42001 · CMMC L2

Enterprise plan

ISO 27701 · CMMC L3 · multi-entity ISMS scopes

Supplier assurance

Respond on every plan · Issue from Professional

Pick the framework that fits where you are

Start a free Starter trial with NIST CSF, CIS Controls, and CMMC Level 1. Move to Professional when a customer asks for SOC 2, ISO 27001, or CMMC Level 2 (the CUI-handler tier most DoD subs need). Enterprise when the scope covers multiple entities, you need ISO 27701, or you operate at CMMC Level 3 on critical DoD programs. The work and evidence carry forward at each step.