The Challenge: Multiple frameworks, limited resources
Your organization needs to follow ISO 27001 for customer requirements. NIS2 applies because you’re classified as an essential entity. GDPR is law. And now an American customer is asking about SOC 2.
Each framework has its controls, its terminology, its documentation requirements. Managing them separately means duplicate work, inconsistent documentation and burnout.
The solution: Control mapping—identifying what overlaps and implementing common controls once.
Overlap between frameworks
How much overlap exists?
| Framework A | Framework B | Overlap |
|---|---|---|
| ISO 27001 | NIS2 | ~70% |
| ISO 27001 | SOC 2 | ~60% |
| ISO 27001 | GDPR | ~50% |
| NIS2 | GDPR | ~40% (incident reporting, security measures) |
| SOC 2 | ISO 27001 | ~60% |
Implication: If you’ve implemented ISO 27001, you already have the majority of other frameworks in place. What’s missing are framework-specific additions.
What is control mapping?
Control mapping means linking controls from one framework to corresponding controls in other frameworks. It shows which requirements are covered by the same measure.
Example: Access Control
| Framework | Control/Requirement | Requirement in brief |
|---|---|---|
| ISO 27001 | A.5.15-A.5.18 | Access control policy, access management |
| NIS2 | Art. 21.2i | Access control and asset management |
| GDPR | Art. 32.1b | Ability to ensure confidentiality |
| SOC 2 | CC6.1-CC6.8 | Logical and physical access controls |
Conclusion: A well-implemented access control policy with associated processes fulfills all four frameworks. Document once, map to all.
Mapping process
- List all applicable frameworks: Which frameworks must you follow? Regulatory (NIS2, GDPR), customer requirements (ISO 27001, SOC 2), industry-specific? Create a complete list.
- Inventory unique requirements per framework: List all controls/requirements from each framework. ISO 27001 has 93 controls in Annex A. NIS2 has 10 areas in Article 21. GDPR has specific articles. This becomes your total control universe.
- Identify common controls: Go through and group controls that address the same area. Access control? Group all frameworks' requirements on access control. Incident management? Same thing.
- Create a master control framework: Build an internal framework with consolidated controls. Each control covers requirements from multiple frameworks. This becomes your source of truth.
- Implement and document: Implement the controls once—but document which framework requirements each control fulfills. One policy, multiple mappings.
- Prove for multiple frameworks: During audits, you show the same evidence but mapped to the respective frameworks. The auditor gets what they need, you avoid duplicate work.
Example: ISO 27001 → NIS2 mapping
How ISO 27001 Annex A maps against NIS2 Article 21:
| NIS2 Article 21 | ISO 27001 Annex A |
|---|---|
| a) Risk analysis and security policy | A.5.1-A.5.4 (Policies), A.5.7 (Threat information) |
| b) Incident handling | A.5.24-A.5.28 (Incident management) |
| c) Business continuity | A.5.29-A.5.30 (Continuity), A.8.13-A.8.14 (Backup) |
| d) Supply chain security | A.5.19-A.5.23 (Supplier relationships) |
| e) Security in procurement | A.5.8 (Projects), A.8.25-A.8.34 (Development) |
| f) Evaluation of measures | A.5.35-A.5.36 (Review) |
| g) Cyber hygiene and training | A.6.3 (Awareness), A.6.6 (Remote work) |
| h) Cryptography | A.8.24 (Cryptography) |
| i) Personnel resources and access | A.6.1-A.6.2 (Screening), A.5.15-A.5.18 (Access) |
| j) Multi-factor authentication | A.8.5 (Authentication) |
Result: An ISO 27001-certified organization has ~70-80% of NIS2 in place. Gap analysis identifies the rest.
What does NOT overlap?
- NIS2: 24 hours for initial notification is specific to NIS2. ISO 27001 doesn't require specific timeframes.
- GDPR: Records of processing activities (Art. 30) are GDPR-specific. They overlap with asset registers but are not identical.
- SOC 2: Availability and Processing Integrity have specific criteria that go beyond ISO 27001.
- NIS2: Explicit requirement for management to undergo security training. More specific than ISO 27001.
Master control framework in practice
Structure for a consolidated control:
```text
CONTROL: Access Control
─────────────────────────
Description:
Systematic management of user privileges based on
the principle of least privilege.
Policy: P-AC-001 Access Control Policy
Processes:
- Onboarding/offboarding
- Access reviews (quarterly)
- Privileged access
Mapping:
├── ISO 27001: A.5.15, A.5.16, A.5.17, A.5.18
├── NIS2: Article 21.2i
├── GDPR: Article 32.1b
└── SOC 2: CC6.1, CC6.2, CC6.3
Evidence:
- Access control policy (document)
- Access review reports (quarterly)
- AD configuration (screenshot/export)
- Offboarding checklist (example)
```
Benefits: One control, one implementation, one evidence collection—but proof for four frameworks.
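Added example (not code from the original page or from Securapilot): a minimal master control framework in Python that follows the mapping process above and the consolidated control structure, and additionally runs the gap analysis and the stale-mapping check from the pitfalls section. The requirement universe is a constructed, deliberately incomplete sample; the control ids MC-01/MC-02, the evidence names, and the stale 2013-numbered id A.9.4.1 are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    """One consolidated control in the master control framework."""
    cid: str
    name: str
    mapping: dict        # framework name -> set of requirement ids this control satisfies
    evidence: list = field(default_factory=list)

# Constructed requirement universe (mapping step 2): a handful of ids per framework, not the full lists.
UNIVERSE = {
    "ISO 27001": {"A.5.15", "A.5.16", "A.5.17", "A.5.18", "A.5.24", "A.8.5"},
    "NIS2": {"21.2b", "21.2i", "21.2j", "23"},
    "GDPR": {"30", "32.1b", "33"},
    "SOC 2": {"CC6.1", "CC6.2", "CC6.3", "CC7.3"},
}

# Constructed master control framework (steps 3-5): two consolidated controls, each mapped to several frameworks.
MASTER = [
    Control("MC-01", "Access Control",
            {"ISO 27001": {"A.5.15", "A.5.16", "A.5.17", "A.5.18", "A.9.4.1"},  # A.9.4.1: stale 2013 id, assumed
             "NIS2": {"21.2i"}, "GDPR": {"32.1b"}, "SOC 2": {"CC6.1", "CC6.2", "CC6.3"}},
            ["P-AC-001 Access Control Policy", "Quarterly access review reports", "AD export"]),
    Control("MC-02", "Incident Management",
            {"ISO 27001": {"A.5.24"}, "NIS2": {"21.2b"}, "GDPR": {"33"}, "SOC 2": {"CC7.3"}},
            ["Incident response procedure", "Incident log"]),
]

def coverage(master, universe):
    """Framework -> requirement ids satisfied by at least one control (ids outside the universe are ignored)."""
    covered = {fw: set() for fw in universe}
    for c in master:
        for fw, reqs in c.mapping.items():
            if fw in universe:
                covered[fw] |= reqs & universe[fw]
    return covered

def gaps(master, universe):
    """Consolidated gap analysis: per framework, the requirements no control maps to."""
    cov = coverage(master, universe)
    return {fw: sorted(universe[fw] - cov[fw]) for fw in universe}

def evidence_for(master, framework):
    """Evidence sharing (step 6): the evidence set one framework's auditor needs, collected once."""
    return sorted({e for c in master if c.mapping.get(framework) for e in c.evidence})

def stale_mappings(master, universe):
    """Pitfall check: mapped ids that do not exist in the current version of the framework."""
    return {(c.cid, fw, rid) for c in master for fw, reqs in c.mapping.items()
            for rid in reqs - universe.get(fw, set())}
```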
Efficiency gains
Concrete savings:
| Activity | Without mapping | With mapping | Savings |
|---|---|---|---|
| Policy creation | 4 versions | 1 version + mapping | 75% |
| Evidence collection | 4 collections | 1 collection | 75% |
| Audit preparation | 4 packages | 1 package + mapping matrices | 60% |
| Ongoing maintenance | 4 updates | 1 update | 75% |
| Gap analyses | 4 separate | 1 consolidated | 60% |
Total estimated time savings: 40-60% for organizations with 3+ frameworks.
Pitfalls to avoid
Not all frameworks are identical. A mapping should show overlap—but also clarify differences and additions required.
Frameworks are updated. ISO 27001:2022 differs from 2013. Mapping must be maintained when changes occur.
The same control may need different levels depending on framework. "Encryption" can mean different things in different contexts.
GRC tools with built-in mapping are good—but you must understand the logic. The tool should support, not replace, your understanding.
Practical tips
Start with what you have
If you already have ISO 27001, use it as a base and map other frameworks against it. You don’t need to build new from scratch.
Document differences clearly
In each mapping, note what’s unique to respective frameworks. “NIS2 additionally requires X” is important information.
Involve the right people
Legal for GDPR interpretation, IT security for technical controls, business for process understanding. Multi-framework compliance requires cross-functional work.
Automate where possible
GRC systems with built-in control mapping save enormous time. Manual mapping in Excel works—but doesn’t scale well.
Common mapping journey
Typical progression for a European organization:
Year 1: GDPR compliance (2018)
- Basic data protection
- Records of processing activities
- Consent and rights
Year 2-3: ISO 27001 certification
- Information security management system
- 93 controls in Annex A
- External audit and certificate
Year 4: NIS2 compliance (2024-2025)
- Gap analysis against ISO 27001
- Additions: incident reporting, management responsibility
- Mapping against existing controls
Year 5+: SOC 2 / industry-specific
- Customer-driven expansion
- Mapping against existing base
- Efficient with master control framework
How Securapilot can help
Securapilot is built for multi-framework compliance:
- Built-in control mapping — See overlaps between frameworks
- Master control framework — One control, multiple mappings
- Evidence sharing — Same proof for multiple frameworks
- Gap analysis — Identify what’s missing per framework
- Reporting — Compliance status per framework in one dashboard
Book a demo and see how we simplify multi-framework compliance.
Frequently asked questions
Do I need to follow multiple frameworks?
It depends on industry, geography and customers. Many European organizations need at least NIS2 (law), GDPR (law), and ISO 27001 (customer requirements). B2B SaaS often adds SOC 2.
Which framework should I start with?
Start with the one with the biggest driver—often a customer requirement or regulatory mandate. ISO 27001 provides a broad foundation. NIS2/GDPR are legally binding.
What is a 'master control framework'?
An internal framework that consolidates all controls from your applicable frameworks. You implement controls once and then map evidence to respective frameworks.
How do I avoid duplicate work?
By identifying common controls and linking them. An access control policy fulfills requirements in ISO 27001, NIS2, GDPR and SOC 2—document it accordingly.