
Compliance Mapping Visualizer

Compliance teams face a persistent challenge: mapping controls across multiple frameworks without losing fidelity or creating gaps. Organizations subject to SOC 2 audits often discover their NIST CSF implementation already satisfies 60-70% of the requirements — but only if the mapping is done correctly.

This interactive tool provides a unified crosswalk across four major frameworks — NIST CSF 2.0, CIS Controls v8, ISO 27001:2022, and SOC 2 Type II — covering 30+ control mappings across eight critical security domains. Use it to identify coverage gaps, plan audit evidence collection, and eliminate redundant compliance work.

How to Use This Tool

  1. Select frameworks you need to comply with using the toggle buttons
  2. Filter by domain to focus on specific control families
  3. Click any cell in the matrix to view detailed mapping information
  4. Check implemented controls to run a gap analysis across all frameworks
  5. Export your crosswalk report for audit documentation

Tool statistics: 4 frameworks, 32 control mappings, 8 security domains, 128 cross-references.

Matrix columns: Domain | Control Area | NIST CSF 2.0 | CIS Controls v8 | ISO 27001:2022 | SOC 2 Type II | Coverage

Gap analysis: check the controls your organization has implemented, then view coverage across all frameworks.

Report export: generate a formatted compliance crosswalk report based on your selected frameworks and filters.


Framework Summaries

NIST Cybersecurity Framework (CSF) 2.0

The NIST CSF 2.0, released in February 2024, is the most significant update to the framework since its original 2014 release. Key changes include the addition of a sixth function — Govern — elevating cybersecurity governance to a top-level concern alongside Identify, Protect, Detect, Respond, and Recover.

Core Functions:

Function | Code | Focus Area
Govern | GV | Cybersecurity risk management strategy, expectations, and policy
Identify | ID | Asset management, risk assessment, supply chain risk management
Protect | PR | Access control, awareness training, data security, platform security
Detect | DE | Continuous monitoring, adverse event analysis
Respond | RS | Incident management, analysis, mitigation, reporting
Recover | RC | Recovery planning and execution

Key CSF 2.0 Changes:

  • Governance Function (GV): New top-level function making governance a peer of operational security functions
  • Supply Chain Risk Management: Expanded from a subcategory to a major category under Govern
  • Applicability: Broadened beyond critical infrastructure to all organizations regardless of size or sector
  • Implementation Examples: New informative references with practical implementation guidance
  • Community Profiles: Templates for sector-specific and use-case-specific implementations

Nexus Coverage

For hands-on NIST CSF implementation, see Chapter 10: Governance, Risk & Compliance Engineering and the GRC Architecture Pattern.

CIS Controls v8

The CIS Controls v8 (May 2021) restructured the controls from 20 to 18 control groups organized by security function rather than by implementation complexity. Controls are further broken into 153 safeguards with three Implementation Groups (IGs) providing a prioritized on-ramp.

Implementation Groups:

Group | Target | Safeguards | Description
IG1 | Small orgs, limited IT | 56 | Essential cyber hygiene — the minimum standard
IG2 | Mid-size orgs, IT teams | 74 (additional) | Expanded controls for orgs managing enterprise IT
IG3 | Large orgs, security teams | 23 (additional) | Advanced controls including penetration testing and incident response

Control Groups (v8):

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

Nexus Coverage

For CIS Benchmark implementation, see Chapter 15: Hardening & Configuration Management and the Detection Query Library.

ISO 27001:2022

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). The 2022 revision restructured controls from 14 domains into 4 themes with 93 controls (down from 114 in 2013, with 11 new controls added).

Control Themes:

Theme | Controls | Focus
Organizational (A.5) | 37 | Policies, roles, responsibilities, threat intelligence, cloud security
People (A.6) | 8 | Screening, terms, awareness, remote working, reporting
Physical (A.7) | 14 | Perimeters, entry, offices, monitoring, utilities, media
Technological (A.8) | 34 | Endpoints, access, authentication, malware, backup, logging, development

New Controls in 2022:

  • A.5.7 — Threat intelligence
  • A.5.23 — Information security for cloud services
  • A.5.30 — ICT readiness for business continuity
  • A.7.4 — Physical security monitoring
  • A.8.9 — Configuration management
  • A.8.10 — Information deletion
  • A.8.11 — Data masking
  • A.8.12 — Data leakage prevention
  • A.8.16 — Monitoring activities
  • A.8.23 — Web filtering
  • A.8.28 — Secure coding

Nexus Coverage

For ISO 27001 implementation guidance, see Chapter 10: Governance, Risk & Compliance Engineering and the Controls Catalog.

SOC 2 Type II

SOC 2 Type II is an audit framework developed by the AICPA based on the Trust Services Criteria (TSC). Unlike a point-in-time assessment (Type I), Type II evaluates whether controls operated effectively over a period (typically 6-12 months).

Trust Services Criteria:

Criterion | Code | Description
Security | CC | Protection against unauthorized access (mandatory for all SOC 2 reports)
Availability | A | Systems are available for operation as committed
Processing Integrity | PI | System processing is complete, valid, accurate, and timely
Confidentiality | C | Information designated as confidential is protected
Privacy | P | Personal information is collected, used, retained, and disclosed appropriately

Common Control Categories (CC Series):

  • CC1: Control Environment (tone at the top, governance)
  • CC2: Communication and Information (internal/external)
  • CC3: Risk Assessment (identification and analysis)
  • CC4: Monitoring Activities (ongoing and separate evaluations)
  • CC5: Control Activities (policies and procedures)
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations (detection and monitoring)
  • CC8: Change Management
  • CC9: Risk Mitigation

Nexus Coverage

For SOC 2 audit preparation, see Chapter 10: Governance, Risk & Compliance Engineering and the Maturity Model.


Mapping Methodology

How Framework Crosswalks Are Built

Compliance mapping is not a simple one-to-one exercise. Frameworks differ in abstraction level, scope, and intent. A single NIST CSF subcategory may map to multiple CIS safeguards, and an ISO 27001 control may partially overlap with several SOC 2 criteria.

Mapping Principles Used in This Tool:

  1. Intent-Based Matching: Controls are mapped based on their security objective, not their exact wording. A control requiring "access reviews" in one framework maps to controls addressing the same security outcome in others.

  2. Coverage Classification:

    • Full Coverage — The mapped control addresses the same security objective with equivalent rigor
    • Partial Coverage — The mapped control addresses part of the objective or requires additional controls to achieve equivalence
    • Gap — No corresponding control exists in the target framework for this security objective

  3. Granularity Normalization: Frameworks operate at different levels of granularity. NIST CSF subcategories are high-level outcomes; CIS safeguards are specific technical actions. Mappings bridge these levels by identifying the most appropriate match.

  4. Validation Sources: Mappings are validated against published references including NIST SP 800-53 Rev 5, the CIS Controls Mapping to NIST CSF, and ISO 27001 Annex SL alignment documentation.

Mapping Limitations

Important Caveats

  • Framework mappings are approximations, not exact equivalences
  • A mapped control in one framework does not automatically satisfy requirements in another
  • Auditors interpret controls in the context of your specific environment
  • Always validate mappings with your compliance team and external auditors
  • This tool uses synthetic educational data — verify mappings against official framework publications

Building Your Own Crosswalk

Step 1: Identify Your Primary Framework
Start with the framework that has the most regulatory or contractual weight for your organization.

Step 2: Map to Secondary Frameworks
For each control in your primary framework, identify corresponding controls in secondary frameworks using intent-based matching.

Step 3: Classify Coverage
Document whether each mapping provides full, partial, or no coverage. Partial mappings require gap analysis.

Step 4: Address Gaps
For each gap, determine whether additional controls are needed or whether existing controls can be extended.

Step 5: Document Evidence
Map each control to the specific evidence artifacts that demonstrate implementation. Evidence often satisfies multiple frameworks simultaneously.
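The five steps above, together with the coverage classification from the mapping methodology, can be expressed as a small data model and a gap-analysis routine. The following is an added example written for this page; it is not the visualizer's own code. It assumes a unified internal control set as the primary framework (Step 1), intent-based mappings to secondary frameworks tagged Full or Partial (Steps 2 and 3), a gap check in both directions (Step 4: internal objectives with no counterpart in a framework, and framework controls no internal control covers), and an evidence index keyed by artifact (Step 5). Every framework control identifier, mapping, and evidence file name below is constructed placeholder data, not an official mapping.

```python
"""Crosswalk and gap analysis over a unified internal control set.

Added example for the mapping methodology and crosswalk steps above; not the
Nexus SecOps tool's own code. All control IDs, mappings and evidence names are
constructed sample data (the 'x' in IDs marks them as placeholders).
"""
from collections import defaultdict

FULL, PARTIAL = "Full", "Partial"
# Rank used when several internal controls map to the same target control.
_RANK = {PARTIAL: 1, FULL: 2}

# Constructed: the controls each secondary framework requires (placeholder IDs).
FRAMEWORK_CONTROLS = {
    "NIST CSF 2.0": ["CSF-AC-x", "CSF-LOG-x", "CSF-IR-x"],
    "CIS v8": ["CIS-5.x", "CIS-6.x", "CIS-8.x", "CIS-17.x"],
    "ISO 27001:2022": ["ISO-A.5.x", "ISO-A.8.x-log", "ISO-A.8.x-access"],
    "SOC 2": ["CC6.x", "CC7.x"],
}

# Constructed unified control set: each internal control carries its security
# objective, intent-based mappings (target control, coverage class) per
# framework, and the evidence artifacts that demonstrate it.
INTERNAL_CONTROLS = {
    "IC-ACCESS-REVIEW": {
        "objective": "Quarterly review of user access rights",
        "mappings": {
            "NIST CSF 2.0": [("CSF-AC-x", FULL)],
            "CIS v8": [("CIS-5.x", PARTIAL), ("CIS-6.x", FULL)],
            "ISO 27001:2022": [("ISO-A.8.x-access", FULL)],
            "SOC 2": [("CC6.x", PARTIAL)],
        },
        "evidence": ["access-review-2024Q1.csv"],
    },
    "IC-LOGGING": {
        "objective": "Central audit log collection and retention",
        "mappings": {
            "NIST CSF 2.0": [("CSF-LOG-x", FULL)],
            "CIS v8": [("CIS-8.x", FULL)],
            "ISO 27001:2022": [("ISO-A.8.x-log", FULL)],
            "SOC 2": [("CC7.x", PARTIAL)],
        },
        "evidence": ["siem-retention-config.json"],
    },
    "IC-IR-PLAN": {
        "objective": "Documented and tested incident response plan",
        "mappings": {  # deliberately no ISO mapping: an objective-side Gap
            "NIST CSF 2.0": [("CSF-IR-x", FULL)],
            "CIS v8": [("CIS-17.x", FULL)],
            "SOC 2": [("CC7.x", PARTIAL)],
        },
        "evidence": ["ir-plan-v3.pdf", "tabletop-2024.md"],
    },
}


def crosswalk(framework):
    """Target control -> best coverage class any internal control offers,
    ignoring implementation status (the static crosswalk of Steps 2-3)."""
    best = {}
    for ic in INTERNAL_CONTROLS.values():
        for target, cls in ic["mappings"].get(framework, []):
            if _RANK[cls] > _RANK.get(best.get(target), 0):
                best[target] = cls
    return best


def objective_gaps(framework):
    """Gap in the page's sense: internal controls whose security objective has
    no corresponding control in the target framework."""
    return sorted(n for n, ic in INTERNAL_CONTROLS.items()
                  if framework not in ic["mappings"])


def gap_analysis(implemented, framework):
    """Status of every control the framework requires, given the set of
    implemented internal controls: Full / Partial, 'Not implemented' (a
    mapping exists but its internal control is not checked), or 'Unmapped'
    (no internal control maps to it, so the crosswalk itself has a hole)."""
    mapped = crosswalk(framework)
    status = {}
    for target in FRAMEWORK_CONTROLS[framework]:
        if target not in mapped:
            status[target] = "Unmapped"
            continue
        best = 0
        for name in implemented:
            for t, cls in INTERNAL_CONTROLS[name]["mappings"].get(framework, []):
                if t == target:
                    best = max(best, _RANK[cls])
        status[target] = {0: "Not implemented", 1: PARTIAL, 2: FULL}[best]
    return status


def coverage_percent(implemented, framework):
    """Share of required controls covered; Full counts 1, Partial counts 0.5."""
    weights = {FULL: 1.0, PARTIAL: 0.5}
    status = gap_analysis(implemented, framework)
    return 100.0 * sum(weights.get(s, 0.0) for s in status.values()) / len(status)


def evidence_index():
    """Common evidence repository: artifact -> frameworks it supports (Step 5)."""
    index = defaultdict(set)
    for ic in INTERNAL_CONTROLS.values():
        for artifact in ic["evidence"]:
            index[artifact].update(ic["mappings"])  # adds the framework names
    return {a: sorted(f) for a, f in index.items()}


if __name__ == "__main__":
    done = {"IC-ACCESS-REVIEW", "IC-LOGGING"}
    for fw in FRAMEWORK_CONTROLS:
        print(fw, gap_analysis(done, fw), f"{coverage_percent(done, fw):.0f}%",
              "objective gaps:", objective_gaps(fw))
    print(evidence_index())
```

Two design points worth noting. The partial-coverage weight of 0.5 is an arbitrary reporting convention, not something any framework prescribes; what matters for an audit is the per-control status, and a "Partial" row is exactly where the page's caveat applies: a mapped control in one framework does not automatically satisfy the other. Second, "Unmapped" and the page's "Gap" are different findings: the first says the crosswalk needs work, the second says the organization needs a new or extended control (Step 4).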


Audit Preparation Best Practices

Before the Audit

  • [ ] Evidence Collection (T-90 days): Begin gathering evidence artifacts at least 90 days before the audit period ends. Automated evidence collection tools reduce last-minute scrambling.

  • [ ] Control Owner Interviews (T-60 days): Interview each control owner to verify controls are operating as designed. Document any compensating controls or exceptions.

  • [ ] Self-Assessment (T-45 days): Conduct an internal audit using the same criteria as the external auditor. Remediate findings before the audit.

  • [ ] Evidence Organization (T-30 days): Organize evidence in a shared repository mapped to control IDs. Auditors spend less time (and charge less) when evidence is well-organized.

  • [ ] Readiness Meeting (T-14 days): Meet with the audit team to review scope, timeline, and evidence delivery expectations.

During the Audit

  • Single Point of Contact: Designate one person to coordinate evidence requests and auditor access
  • Response SLAs: Commit to responding to evidence requests within 24-48 hours
  • Documentation: Document every auditor request, response, and follow-up
  • Escalation Path: Define clear escalation for findings that require management input

Common Audit Pitfalls

Pitfall | Impact | Prevention
Incomplete evidence | Finding or qualification | Automated evidence collection
Missing access reviews | Access control finding | Quarterly automated reviews
Outdated policies | Governance finding | Annual policy review calendar
No incident response test | IR preparedness finding | Annual tabletop exercises
Shared credentials | Access control finding | PAM implementation
Missing encryption | Data protection finding | Encryption-by-default policies
No vendor assessments | TPRM finding | Annual vendor review program
Incomplete asset inventory | Asset management finding | Automated discovery tools

Multi-Framework Audit Efficiency

Organizations subject to multiple frameworks can achieve significant efficiency by:

  1. Unified Control Framework: Map all required frameworks to a single internal control set. Test once, report to many.

  2. Common Evidence Repository: Store evidence artifacts once with tags for which frameworks they satisfy.

  3. Integrated Audit Calendar: Coordinate audit timelines so that evidence collected for one audit supports others.

  4. Continuous Compliance Monitoring: Replace annual point-in-time assessments with continuous monitoring dashboards that provide real-time compliance status.


Cross-References

This compliance mapping visualizer connects to several other Nexus SecOps resources:

Resource | Relevance
Chapter 10: GRC Engineering | Deep dive into governance, risk, and compliance frameworks
Chapter 5: Detection Engineering at Scale | Building detection capabilities that map to compliance controls
Chapter 20: Cloud Attack & Defense Playbook | Cloud-specific controls and compliance considerations
Controls Catalog | Full catalog of 300+ security controls
Maturity Model | Assessing organizational security maturity
ATT&CK Gap Analysis | Mapping detection capabilities to MITRE ATT&CK
Detection Query Library | KQL/SPL queries that implement detection controls
Threat Model Canvas | Interactive threat modeling tool

Certification Preparation

Mastering compliance frameworks is essential for several leading security certifications. If you are preparing for certification exams, these frameworks feature prominently in the following:

Recommended Certifications

CISSP — Certified Information Systems Security Professional
The CISSP covers compliance and governance extensively in Domain 1 (Security and Risk Management). NIST CSF, ISO 27001, and SOC 2 are frequently tested topics.

CISM — Certified Information Security Manager
CISM focuses on information security governance and risk management. The exam tests your ability to align security programs with business objectives using frameworks like NIST CSF and ISO 27001.

CRISC — Certified in Risk and Information Systems Control
CRISC is specifically designed for IT risk management professionals. The exam covers risk identification, assessment, response, and monitoring — directly aligned with the mapping methodology used in this tool.

CCSP — Certified Cloud Security Professional
The CCSP covers cloud compliance and governance, including CSA CCM, ISO 27017, and SOC 2 considerations for cloud environments.

Affiliate links support the continued development of Nexus SecOps. See our affiliate disclosure.


Nexus SecOps — Compliance Mapping Visualizer
All data is synthetic and for educational purposes only. Verify mappings against official framework publications.
nexus-secops.pages.dev