How it works

What this looks like in practice

A typical first-time ISO 27001, SOC 2, or CMMC 2.0 Level 2 program runs three to nine months from kick-off to audit, depending on starting maturity. Here is how that work breaks down on TractionGRC, and where the platform takes weight off your team.


Choose a scenario

You came here because someone asked you for something.

Pick the situation closest to yours and see how TractionGRC turns the request into a clear security, compliance, or remediation workflow.

Preview

  • Compliance score
  • Threats detected: 3 (2 spoof domains, 1 KEV CVE)
  • Frameworks active: 4 (ISO 27001, SOC 2, CMMC L2, NIST CSF)

Each scenario takes about a minute. No signup, no email required.
ISO 27001 ISMS · Workspace initialized

  • 0% audit ready
  • 93 Annex A controls
  • 0 evidence items

The workspace opens with scope, controls, evidence, and audit readiness in one place.

TractionAI · drafting policy · Information Security Policy, drafting from scope

TractionAI creates a usable draft from your scope and control set. Your team edits and approves.

Cloud Connect · evidence syncing

External exposure scan · 3 lookalike domains detected

  • tractiongrc-app[.]com
  • tractlongrc[.]com
  • tractiongrc-billing[.]net

Remediation tasks opened for registrar reporting and email hardening.

The same workspace that prepares your audit also watches the external risks that customers care about.
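The lookalike-domain check above can be reproduced with a small scoring routine. This is an added example, not TractionGRC's scanner: it assumes the brand domain is tractiongrc.com (inferred from the three names reported above, not stated on the page) and uses a constructed list of observed domains, with the `[.]` defanging undone before comparison. The three reported names are caught by two different rules, homoglyph substitution (`tractlongrc`) and brand label embedded with extra tokens (`-app`, `-billing`), and benign domains fall below the threshold.

```python
"""Score observed domains for similarity to a brand domain.

Constructed example, not TractionGRC code. The brand domain
"tractiongrc.com" is an assumption inferred from the lookalike names on the
page; the candidate list is constructed for the demo.
"""
import difflib

# Single-character substitutions that make a lookalike read like the brand.
# Both sides are normalised the same way, so the map only needs to collapse
# confusable characters onto one representative ("l" and "1" onto "i").
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o", "3": "e", "5": "s", "7": "t"})


def refang(domain: str) -> str:
    """Undo the [.] defanging used when quoting suspicious domains in reports."""
    return domain.strip().lower().replace("[.]", ".")


def brand_label(domain: str) -> str:
    """Label left of the TLD (naive split; a real tool would use the public suffix list)."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label: str) -> str:
    """Collapse homoglyphs and drop hyphens so 'tractlongrc' compares equal to 'tractiongrc'."""
    return label.translate(HOMOGLYPHS).replace("-", "")


def lookalike_score(brand: str, candidate: str) -> tuple:
    """Return (score in 0..1, reason). Higher means more likely an impersonation."""
    if refang(candidate) == refang(brand):
        return 0.0, "the brand domain itself"
    b = normalise(brand_label(brand))
    c = normalise(brand_label(candidate))
    if c == b:
        return 1.0, "homoglyph or hyphen variant of the brand label"
    if b in c:
        return 0.9, "brand label embedded with extra tokens"
    ratio = difflib.SequenceMatcher(None, b, c).ratio()
    return ratio, "edit similarity to the brand label"


def triage(brand: str, observed: list, threshold: float = 0.8) -> list:
    """Rank observed domains at or above the threshold, most suspicious first."""
    ranked = []
    for d in observed:
        score, reason = lookalike_score(brand, d)
        if score >= threshold:
            ranked.append((refang(d), round(score, 2), reason))
    # sorted() is stable, so equal scores keep their input order
    return sorted(ranked, key=lambda row: -row[1])


if __name__ == "__main__":
    # Constructed feed: the three names the page reports plus two benign domains.
    OBSERVED = ["tractiongrc-app[.]com", "tractlongrc[.]com",
                "tractiongrc-billing[.]net", "example.com", "tractiongrc.com"]
    for row in triage("tractiongrc.com", OBSERVED):
        print(row)
```

In practice the observed list would come from certificate transparency logs or newly registered domain feeds; the scoring is the same. The homoglyph map is deliberately short and only covers ASCII confusables, so Unicode (IDN) lookalikes need a separate confusables table.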

TractionScore · maturity calculated · Foundational

Your program is no longer a vague checklist. It has a score, evidence, and next actions.

  • Scope set: ISMS workspace created
  • Evidence syncing: cloud controls verified
  • Plan ready: audit path generated

The ISO request becomes a working ISMS plan with policies, evidence, external risk signals, and a clear readiness score.

Microsoft SSPA Assessment · Due in 30 days

  • 52 controls imported
  • 0 responses approved
  • 11 sections detected

The questionnaire is imported as a workflow, not another spreadsheet.

Section K · AI Systems · AI governance controls detected

TractionGRC flags the new AI controls and prepares response drafts from your existing governance work.

TractionAI · responses mapped

Answers, evidence, and review ownership are linked before submission.

Submission package assembled

  • 52 controls completed
  • 11 sections reviewed
  • Evidence attached
  • Ready 2 days early

Your team sees what is complete, what is approved, and what still needs review before the Microsoft deadline.

  • 52 responses: ready for review
  • Evidence linked: no retyping next year
  • Renewal ready: workflow scheduled

The SSPA request becomes a repeatable supplier assurance workflow with reusable answers, evidence, and annual renewal tracking.

CMMC 2.0 Level 2 · CUI scope · Prime request active

  • 110 practices required
  • 0 mapped so far
  • 14 NIST domains

The CMMC workspace opens with CUI scope, Level 2 practices, and assessment readiness in one view.

ISO 27001 ISMS detected. Mapping reusable controls to CMMC Level 2.

Existing ISMS work becomes reusable CMMC evidence instead of a separate compliance project.

TractionAI · POA&M drafting · POA&M for remaining gaps, with owner and timeline suggestions

The remaining gaps become an organized remediation plan your RPO or assessor can review.

Readiness score calculated · Operational (target 85 for C3PAO confidence)

Leadership, your prime, and your assessor can all understand where readiness stands.

Prime-facing readiness profile · Your Organization · CMMC L2 · DoD supply chain · Shareable

  • 67 readiness
  • 47 inherited
  • 63 gaps

Prepared for prime review before assessment pressure builds.

  • 47 inherited: controls reused from ISO
  • 63 gaps: organized into a POA&M
  • Prime-ready: readiness profile prepared

Your ISO work is reused, the remaining CMMC gaps are organized, and your prime gets a clearer readiness picture before assessment pressure builds.

Domain Threat Simulator · Free tool. No signup. 30 seconds.

Domain entered: yourdomain.com

The simulator checks whether your domain is being abused before a customer is the first to see the phishing email.

Scanning spoof domains, email auth, exposed services, and known exploited vulnerabilities.

This is the same signal that can become continuous monitoring on Starter.

Findings detected · Remediation actions ranked

  • Apply DMARC reject policy (high impact): stops spoofed mail from reaching customer inboxes
  • Report lookalike domains (urgent): open takedown workflow for suspected impersonation

  • 4 findings: ranked by urgency
  • Fix list: ready for IT
  • Monitor: upgrade path created

The free tool shows what is exposed. Starter turns the scan into continuous monitoring and remediation tracking.
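The "apply DMARC reject policy" finding above comes down to reading one TXT record. The following is an added example, not the simulator's code: it parses a DMARC record, grades what the policy does to mail that fails SPF/DKIM alignment, and produces the hardened record. The sample records and the reporting mailbox name are constructed; a real check would fetch the TXT record at `_dmarc.<domain>` over DNS, which is omitted here so the example runs offline.

```python
"""Grade a domain's DMARC policy and show the hardened record.

Constructed example, not TractionGRC code. The sample records are made up;
a real check would fetch the TXT record at _dmarc.<domain> over DNS.
"""
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict.

    Raises ValueError when the text is not a DMARC record or lacks the
    mandatory p= tag, so callers cannot mistake an SPF record for a policy.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (first tag must be v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy")
    return tags


def is_valid_dmarc(record: str) -> bool:
    """True when parse_dmarc accepts the record."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def assess(record: Optional[str]) -> dict:
    """Rate what the policy does to mail that fails SPF/DKIM alignment."""
    if record is None:
        return {"rating": "missing", "policy": None,
                "finding": "No DMARC record: receivers have no instruction to reject spoofed mail"}
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))   # DMARC defaults pct to 100 when absent
    reporting = "rua" in tags
    if policy == "none":
        rating, finding = "monitor-only", "p=none reports spoofing but lets it be delivered"
    elif policy == "quarantine":
        rating, finding = "partial", "p=quarantine sends spoofed mail to spam rather than rejecting it"
    elif policy == "reject" and pct < 100:
        rating, finding = "rollout", f"p=reject applies to only {pct}% of failing mail"
    elif policy == "reject":
        rating, finding = "enforced", "p=reject stops spoofed mail from reaching inboxes"
    else:
        raise ValueError(f"unknown policy value {policy!r}")
    if not reporting:
        finding += "; add rua= so you see who is spoofing the domain"
    return {"rating": rating, "policy": policy, "pct": pct,
            "reporting": reporting, "finding": finding}


def hardened_record(domain: str) -> str:
    """Target state: reject on failure, full coverage, aggregate reports on.
    The dmarc-reports mailbox name is a constructed placeholder."""
    return f"v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@{domain}"


if __name__ == "__main__":
    # Constructed samples: weak record as found, hardened record as the fix.
    weak = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
    print(assess(weak)["finding"])
    print(assess(hardened_record("yourdomain.com"))["finding"])
```

Moving straight from `p=none` to `p=reject` on a domain that sends from several SaaS platforms can bounce legitimate mail, which is why `pct=` exists: the `rollout` rating flags a record that is part-way through that ramp rather than treating it as done.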

Check your domain · Free. No signup. Works on your real domain.

Your next step

Phase 1

Get visibility

Set up the organization, define scope, and connect the systems that will provide live evidence. The faster this happens, the less you will fight blank pages later.

01

Set your organizational context

Week 1

Define the boundary of your ISMS: which entities, locations, services, and data are in scope. Identify the customers, regulators, and partners whose expectations shape your control selection. This is Clause 4 in ISO 27001 terms, and getting it wrong here costs you weeks of rework downstream.

Organization profile and ISMS scope statement
Interested parties register
Statement of Applicability seeded with selected controls
Roles, responsibilities, and accountability assignments

02

Connect signals from your environment

Weeks 1 to 2

Connect Azure, Entra, AWS, and Google Workspace through read-only OAuth. Configuration data, identity policies, and key control signals start flowing into the platform within minutes. This replaces the screenshot-and-spreadsheet pattern most teams default to before they know better.

Read-only OAuth integration with Azure, AWS, Google Workspace
Auto-detection of MFA, encryption, logging, and access policies
Cloud signal mapping to ISO 27001 Annex A and SOC 2 TSC
Live evidence refresh, no manual upload required

Phase 2

Organize the work

Documentation, risk register, and supplier assurance. The unglamorous middle of any compliance program. The platform shortens this phase materially if you let it.

03

Handle supplier assurance programs

First 30 days, then ongoing

If you sell into Microsoft, large enterprises, or healthcare, you will receive supplier assurance questionnaires. SSPA, SIG, SIG Lite, CAIQ, HITRUST. Respond directly through the platform on every plan. Issue programs to your own suppliers from Professional and up. Reuse evidence across responses so the same answer is not rewritten ten times.

Respond to customer SSPA, SIG, CAIQ, HITRUST requests on every plan
Issue programs from the catalog (Professional and Enterprise)
Evidence reuse across multiple questionnaires
TractionAI drafts initial responses from your control library

04

Draft policies and operating procedures

Weeks 2 to 6

Most teams underestimate documentation. A first-time ISO 27001 program needs roughly 25 policies and procedures, plus supporting records. TractionAI drafts each one against your scope, your tech stack, and the framework clauses they need to satisfy. You review, edit, and approve. Faster than starting blank, more defensible than copy-pasting a competitor's leaked policy pack.

Pre-drafted policies aligned to your scope and tech stack
Approval workflow with version history
Cross-referenced to ISO 27001 clauses, Annex A, and SOC 2 criteria
Auditor-ready document index

05

Build the risk register and treatment plan

Weeks 3 to 6

Identify assets, threats, and vulnerabilities. Score likelihood and impact. Decide what to treat, accept, transfer, or avoid. The risk assessment is the foundation auditors trace everything else back to, so it is worth doing properly the first time. The platform gives you a working template and a defensible methodology, not a blank Excel file.

Asset register with owners and classification
Risk register with ISO 31000-aligned scoring
Treatment plan tied to control implementation status
Residual risk view for management review

Phase 3

Improve posture

Implementation. The phase where most stalled programs die. Visibility into what is done, what is in flight, and what is blocking certification.

06

Track controls across frameworks

Weeks 4 to 12, then continuous

Manage implementation status across ISO 27001 Annex A, SOC 2 Trust Services Criteria, NIST CSF, CIS Controls, ISO 42001, and CMMC 2.0 (Levels 1, 2, and 3) from one register. A control implemented for SOC 2 should not be implemented again for ISO 27001 — and an ISO 27001 Annex A control implementation typically credits the matching CMMC L2 practice automatically. The cross-mapping is built in, so evidence collected once counts for every framework that accepts it.

Single control register across all selected frameworks
Implementation, evidence, and ownership status per control
TractionScore™ reflects real progress, not self-reported percentages
Gap reporting filtered by framework, owner, or due date
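To make "evidence collected once counts for every framework that accepts it" concrete, here is an added example of a single control register cross-mapped to three frameworks. It is not TractionGRC's code or its real cross-map: the internal control IDs, the evidence file names and which requirement each control satisfies are illustrative assumptions. The requirement identifiers themselves (ISO 27001:2022 Annex A, SOC 2 Trust Services Criteria, CMMC 2.0 Level 2 practices) are real, but only a handful are shown and the mapping is not complete.

```python
"""Count each piece of evidence once across every framework that accepts it.

Constructed example, not TractionGRC code. The internal control IDs, the
evidence items and the control-to-requirement mapping are illustrative
assumptions; the framework requirement IDs (ISO 27001:2022 Annex A, SOC 2
TSC, CMMC 2.0 Level 2) are real, but the mapping shown is not the
platform's and is not complete.
"""

# One row per control the organisation actually operates, with the
# requirements it satisfies in each framework (assumed mapping).
CONTROLS = {
    "CTL-MFA": {"name": "MFA enforced for all workforce accounts",
                "satisfies": {"ISO 27001": ["A.8.5"], "SOC 2": ["CC6.1"], "CMMC L2": ["IA.L2-3.5.3"]}},
    "CTL-LOG": {"name": "Central audit logging with retention",
                "satisfies": {"ISO 27001": ["A.8.15"], "SOC 2": ["CC7.2"], "CMMC L2": ["AU.L2-3.3.1"]}},
    "CTL-ENC": {"name": "Encryption at rest for production data",
                "satisfies": {"ISO 27001": ["A.8.24"], "SOC 2": ["CC6.1"], "CMMC L2": ["SC.L2-3.13.16"]}},
    "CTL-VENDOR": {"name": "Supplier security review before onboarding",
                   "satisfies": {"ISO 27001": ["A.5.19"], "SOC 2": ["CC9.2"]}},
}

# Constructed evidence feed, e.g. what a read-only cloud connector would attach.
EVIDENCE = {
    "CTL-MFA": ["entra-ca-policy-export-2025-01.json"],
    "CTL-LOG": ["cloudtrail-config-2025-01.json", "log-retention-screenshot.png"],
}


def requirements_by_framework(controls: dict) -> dict:
    """Every requirement any control maps to, keyed by framework."""
    reqs = {}
    for ctl in controls.values():
        for fw, ids in ctl["satisfies"].items():
            reqs.setdefault(fw, set()).update(ids)
    return reqs


def coverage(controls: dict, evidence: dict) -> dict:
    """Per framework: satisfied requirements, gaps and percent complete.

    A requirement is satisfied when at least one control mapped to it has
    evidence attached, so one evidence item can close requirements in
    several frameworks at once.
    """
    satisfied = {}
    for ctl_id, ctl in controls.items():
        if not evidence.get(ctl_id):
            continue
        for fw, ids in ctl["satisfies"].items():
            satisfied.setdefault(fw, set()).update(ids)
    report = {}
    for fw, required in requirements_by_framework(controls).items():
        done = satisfied.get(fw, set())
        report[fw] = {
            "satisfied": sorted(done),
            "gaps": sorted(required - done),
            "percent": round(100 * len(done) / len(required)),
        }
    return report


def evidence_reuse(controls: dict, evidence: dict) -> dict:
    """How many framework requirements each evidence file currently supports."""
    reuse = {}
    for ctl_id, files in evidence.items():
        n = sum(len(ids) for ids in controls[ctl_id]["satisfies"].values())
        for f in files:
            reuse[f] = reuse.get(f, 0) + n
    return reuse


if __name__ == "__main__":
    for fw, row in coverage(CONTROLS, EVIDENCE).items():
        print(f"{fw}: {row['percent']}% complete, gaps {row['gaps']}")
    print(evidence_reuse(CONTROLS, EVIDENCE))
```

With two of the four controls evidenced, each framework reports its own gap list from the same register, and the single Entra policy export is counted toward three requirements. The same structure is what makes an ISO 27001 Annex A implementation credit the matching CMMC L2 practice without a second project: the requirement is a label on an existing control, not a new row.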

Phase 4

Prepare for review

Internal audit and management review. The two clauses most likely to surface as nonconformities at Stage 2 if you skip them. Plan three months ahead of the certification audit.

07

Run internal audit and management review

3 months before certification audit

ISO 27001 requires both an internal audit covering the full ISMS and a documented management review before Stage 2. Most certification bodies also require three months of operating evidence before they will book the Stage 2 audit. The platform tracks audit findings, corrective actions, and management review inputs in one place, with the records auditors will ask for.

Internal audit program with scope, criteria, and findings log
Corrective action register with owners and due dates
Management review pack auto-assembled from current data
Audit trail of decisions, approvals, and review outputs

08

Centralize supplier assurance evidence

Ongoing, intensifies during audit prep

Auditors will sample your supplier reviews. If your evidence lives in three inboxes, two shared drives, and one consultant's laptop, you will spend the audit explaining the chaos instead of demonstrating the controls. Bring questionnaires, evidence packages, and reassessment cycles into one record.

Supplier inventory with classification and review schedule
Questionnaire responses linked to specific suppliers and dates
Evidence files versioned and timestamped
Reassessment reminders before contract anniversaries

Phase 5

Prove your progress

Certification, surveillance, and the 'show me your security' conversations that follow you for the next three years.

09

Certify, surveil, and prove maturity externally

Stage 2 audit, then annual surveillance

Stage 1 audits documentation. Stage 2 audits implementation. Once you certify under ISO 27001, surveillance audits land annually and a recertification cycle hits every three years. CMMC 2.0 Level 2 follows a similar three-year rhythm with C3PAO recertification, plus annual affirmation in SPRS. SOC 2 Type II reports refresh annually as well. TractionScore gives prospects, customers, and partners a single shareable view of maturity that does not require sending a 200-page evidence pack.

Stage 1 and Stage 2 audit prep with evidence indexed by clause
Surveillance audit support with reduced manual effort each cycle
C3PAO assessment prep for CMMC L2 contractors handling CUI
TractionScore profile for sharing maturity externally

Explore the platform

Where do you want to start?

Most teams begin with a free trial of Starter, walk through Phase 1 in their first week, and decide from there. If you would rather see the platform driven by someone who has done this before, book a 30-minute walkthrough.