Which frameworks does KaitoSec support?

ISO 27001:2022, NIS2, SOC 2, TISAX, BSI Grundschutz, GDPR, DORA, ISO 22301, EU AI Act and ISO 42001 are supported today. New frameworks are added regularly. You can request a specific framework from the roadmap page.

How accurate are the cross-framework mappings?

Mappings are derived from the open-source CISO Assistant library and reviewed by the KaitoSec compliance team. Where authoritative crosswalks exist (for example ENISA guidance for ISO 27001 to NIS2) they are used as the primary source. Customer-specific mappings are versioned alongside the library.

Can we customise the control library?

Yes. Custom controls can be added to a workspace and mapped manually to framework requirements. Custom controls behave identically to the library in gap analysis, SoA generation and reporting.

How does the SoA export work for ISO 27001 certification?

KaitoSec generates a structured SoA listing all Annex A controls with applicability status, justification and current implementation state. The document exports as PDF or can be shared via a live auditor link that updates automatically.

What happens when one control covers multiple requirements?

KaitoSec shows the impact of a control across every relevant framework, including open gaps, missing evidence and the responsible owners.

KaitoSec

Compliance mapping

One control. Many frameworks. Zero duplicate work.

Implement a control once. KaitoSec propagates its effect across ISO 27001, NIS2, SOC 2, TISAX, DORA, Grundschutz, ISO 22301, GDPR and ISO 42001.

Book a demo See the platform

The challenge

Doing the same control five times for five frameworks

Access control shows up in ISO 27001, in NIS2, in SOC 2, in TISAX, and in BSI Grundschutz. It is the same control each time, but if your frameworks live in separate tools or separate tabs, you document it five times, evidence it five times, and explain to five auditors why the wording is slightly different in each. The work multiplies with every standard you add, even though the underlying security barely changes.

What you actually want is to implement a control once and have it count everywhere it applies. A single change should update the Statement of Applicability, the NIS2 measure register, and every other artefact that references it, without anyone retyping a thing. Until controls are mapped across frameworks in one place, compliance scales by headcount, and the gap analysis before each audit is really just a hunt for what fell out of sync.

Benefits at a glance

Cross-framework, cross-management-system mapping

A curated mapping library covers ISO 27001 Annex A, NIS2, SOC 2 TSC, TISAX, BSI Grundschutz, DORA, ISO 22301, GDPR and ISO 42001. One control implementation reports against every active framework and contributes to every management system in scope.

Gap analysis that prioritises by risk, not framework count

KaitoSec compares your current implementation against every selected framework and produces a remediation backlog sorted by residual risk and regulatory deadline. The same backlog is the input for control work, BC planning, vendor follow-up and AI governance.

Living Statement of Applicability and equivalent artefacts

Your SoA, NIS2 measure register, DORA control register and other regulatory artefacts are generated automatically and stay current. Share a read-only auditor link instead of exporting PDFs that go stale between reviews.

How it works

Unified control library

Browse and implement controls from one library spanning every supported framework. Mappings are pre-built and continuously maintained, with framework crosswalks visible at the point of work so you never lose sight of what a control is doing for you.

Gap analysis dashboard

See compliance posture across all active frameworks on one dashboard. Drill down per framework to view control status, owners and outstanding evidence. The same view powers management reviews for the ISMS, BCMS, DSMS and AIMS.

Audit evidence that compiles itself

Link controls to the documents, screenshots, exercise reports and system logs they generate. KaitoSec packages evidence per framework clause and per management system, ready for an auditor without a final-week scramble.

Framework silos versus one control model.

Without KaitoSec	With KaitoSec
Maintain each framework separately	One shared control model
Collect evidence multiple times	Link evidence once
Keep Excel mappings up to date	A maintained mapping library
Audit preparation by hand	Audit view and export straight from the system
Hunt for gaps framework by framework	Prioritise measures by multi-framework impact

FAQ

Supported frameworks

ISO 27001 NIS2 SOC 2 TISAX

Without KaitoSec

With KaitoSec

Maintain each framework separately

One shared control model

Collect evidence multiple times

Link evidence once

Keep Excel mappings up to date

A maintained mapping library

Audit preparation by hand

Audit view and export straight from the system

Hunt for gaps framework by framework

Prioritise measures by multi-framework impact

One control. Many frameworks. Zero duplicate work.

Doing the same control five times for five frameworks

Cross-framework, cross-management-system mapping

Gap analysis that prioritises by risk, not framework count

Living Statement of Applicability and equivalent artefacts

Unified control library

Gap analysis dashboard

Audit evidence that compiles itself

Framework silos versus one control model.

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal

One control. Many frameworks. Zero duplicate work.

Doing the same control five times for five frameworks

Cross-framework, cross-management-system mapping

Gap analysis that prioritises by risk, not framework count

Living Statement of Applicability and equivalent artefacts

Unified control library

Gap analysis dashboard

Audit evidence that compiles itself

Framework silos versus one control model.

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal