Compliance Frameworks
The One Compliance includes pre-built compliance frameworks with control libraries, evidence requirements, and gap analysis. You can activate one or more frameworks per organization and track progress across all of them simultaneously.
Built-in Frameworks
| Framework | Controls | Description |
|---|---|---|
| SOC 2 | 64 | Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, Privacy |
| HIPAA | 75 | Security Rule (Administrative, Physical, Technical safeguards), Privacy Rule, Breach Notification |
| NIST CSF | 108 | Identify, Protect, Detect, Respond, Recover — five core functions with categories and subcategories |
| CIS Controls v8 | 153 | 18 control families across Implementation Groups 1–3 |
| PCI DSS v4.0 | 264 | 12 requirement families covering cardholder data protection |
| CMMC | 171 | Cybersecurity Maturity Model Certification — Levels 1–3 practices and processes |
Selecting Active Frameworks
To activate a framework for your organization:
1. Navigate to Compliance → Frameworks
2. Click Add Framework
3. Select the framework from the list
4. Choose the applicable scope (e.g., SOC 2 Trust Services categories, CIS Implementation Group level, CMMC level)
5. Click Activate
You can activate multiple frameworks simultaneously. Controls that overlap between frameworks are mapped automatically — satisfying a control in one framework can satisfy the equivalent control in another.
Framework Structure
Each framework follows a three-level hierarchy:
Controls
Controls are the individual requirements defined by the framework (e.g., "Encrypt data at rest" or "Conduct annual risk assessments"). Each control has:
- ID — The framework's official control identifier (e.g., CC6.1 for SOC 2, 164.312(a)(1) for HIPAA)
- Title — A human-readable control name
- Description — The full requirement text
- Category — The parent grouping within the framework
Evidence Requirements
Each control specifies one or more types of evidence needed to demonstrate compliance:
- Policy — A documented policy or procedure
- Screenshot — A screenshot showing a configuration or setting
- Report — An exported report from a tool or system
- Log — An audit log or event record
- Attestation — A signed statement or acknowledgment
Status
Each control carries a status based on its evidence:
| Status | Meaning |
|---|---|
| Not Started | No evidence uploaded or linked |
| In Progress | Some evidence present but requirements not fully met |
| Compliant | All required evidence is current and approved |
| Non-Compliant | Evidence is missing, expired, or flagged as insufficient |
| Not Applicable | Control has been scoped out with documented justification |
Control Mapping Across Frameworks
Many compliance requirements overlap. The One Compliance includes a cross-framework mapping that links equivalent controls:
- Upload evidence once and it satisfies matching controls across all active frameworks
- View the Control Mapping tab on any control to see its equivalents in other frameworks
- The gap analysis dashboard accounts for shared coverage when calculating readiness scores
For example, an encryption-at-rest policy uploaded for HIPAA 164.312(a)(2)(iv) also satisfies SOC 2 CC6.1 and NIST CSF PR.DS-1.
Gap Analysis Dashboard
The gap analysis dashboard provides a real-time view of your compliance posture:
- Framework Readiness Score — Percentage of controls in Compliant status per framework
- Evidence Coverage — Percentage of required evidence items that have been uploaded
- Control Heatmap — Visual breakdown by category showing compliant, in-progress, and non-compliant controls
- Overdue Items — Controls with expired evidence or approaching deadlines
- Cross-Framework Summary — Side-by-side comparison when multiple frameworks are active
Access the dashboard from Compliance → Dashboard.
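The following is an added illustration, not code from The One Compliance, of how the control status rules in the Status table, the cross-framework mapping described under Control Mapping Across Frameworks, and the Framework Readiness Score and Evidence Coverage metrics from the dashboard fit together. It models a small tracker in plain Python. The only mapping it encodes is the page's own example (HIPAA 164.312(a)(2)(iv), SOC 2 CC6.1, NIST CSF PR.DS-1); the control IDs EXAMPLE-LOG and EXAMPLE-NA, the required evidence kinds per control, the dates, and the decision to leave Not Applicable controls out of the readiness denominator are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Status(str, Enum):
    NOT_STARTED = "Not Started"
    IN_PROGRESS = "In Progress"
    COMPLIANT = "Compliant"
    NON_COMPLIANT = "Non-Compliant"
    NOT_APPLICABLE = "Not Applicable"


@dataclass
class Evidence:
    kind: str                      # "policy", "screenshot", "report", "log" or "attestation"
    approved: bool = False         # a reviewer approved the item
    expires: Optional[date] = None # None: the item does not expire
    flagged: bool = False          # a reviewer flagged it as insufficient


@dataclass
class Control:
    framework: str
    control_id: str
    required: frozenset            # evidence kinds the control demands (assumed per control)
    scoped_out: bool = False       # Not Applicable, with documented justification


# Cross-framework mapping: each set is a group of equivalent controls.
# This single group is the page's own example; no other mapping is claimed.
EQUIVALENCE_GROUPS = [
    frozenset({("HIPAA", "164.312(a)(2)(iv)"), ("SOC 2", "CC6.1"), ("NIST CSF", "PR.DS-1")}),
]


def equivalents(key):
    """Return the control key together with every mapped equivalent."""
    for group in EQUIVALENCE_GROUPS:
        if key in group:
            return group
    return frozenset({key})


class Tracker:
    def __init__(self, controls, today):
        self.controls = {(c.framework, c.control_id): c for c in controls}
        self.evidence = {}  # (framework, control_id) -> list of Evidence
        self.today = today

    def upload(self, framework, control_id, item):
        # Upload once: the item is linked to every active mapped equivalent.
        for key in equivalents((framework, control_id)):
            if key in self.controls:
                self.evidence.setdefault(key, []).append(item)

    def status(self, framework, control_id):
        key = (framework, control_id)
        ctrl = self.controls[key]
        if ctrl.scoped_out:
            return Status.NOT_APPLICABLE
        items = self.evidence.get(key, [])
        if not items:
            return Status.NOT_STARTED
        # Expired or flagged evidence makes the control Non-Compliant outright.
        if any(i.flagged or (i.expires is not None and i.expires < self.today) for i in items):
            return Status.NON_COMPLIANT
        covered = {i.kind for i in items if i.approved}  # only current, approved items count
        if ctrl.required <= covered:
            return Status.COMPLIANT
        return Status.IN_PROGRESS  # evidence present but requirements not fully met

    def readiness_score(self, framework):
        """Percent of the framework's controls in Compliant status.
        Scoped-out controls are excluded from the denominator (assumption)."""
        statuses = [self.status(f, c) for (f, c) in self.controls if f == framework]
        in_scope = [s for s in statuses if s is not Status.NOT_APPLICABLE]
        if not in_scope:
            return 0.0
        return round(100.0 * in_scope.count(Status.COMPLIANT) / len(in_scope), 1)

    def evidence_coverage(self):
        """Percent of required evidence items (control x kind) that have an upload."""
        required = uploaded = 0
        for key, ctrl in self.controls.items():
            if ctrl.scoped_out:
                continue
            have = {i.kind for i in self.evidence.get(key, [])}
            for kind in ctrl.required:
                required += 1
                if kind in have:
                    uploaded += 1
        return round(100.0 * uploaded / required, 1) if required else 0.0


def build_sample_tracker():
    """Constructed sample data. EXAMPLE-LOG and EXAMPLE-NA are placeholder IDs."""
    controls = [
        Control("HIPAA", "164.312(a)(2)(iv)", frozenset({"policy"})),
        Control("SOC 2", "CC6.1", frozenset({"policy", "screenshot"})),
        Control("NIST CSF", "PR.DS-1", frozenset({"policy"})),
        Control("SOC 2", "EXAMPLE-LOG", frozenset({"log"})),
        Control("HIPAA", "EXAMPLE-NA", frozenset({"attestation"}), scoped_out=True),
    ]
    t = Tracker(controls, today=date(2024, 6, 1))
    # The encryption-at-rest policy is uploaded once, against the HIPAA control.
    t.upload("HIPAA", "164.312(a)(2)(iv)",
             Evidence("policy", approved=True, expires=date(2025, 1, 1)))
    # An audit-log export whose validity period has already lapsed.
    t.upload("SOC 2", "EXAMPLE-LOG",
             Evidence("log", approved=True, expires=date(2024, 1, 1)))
    return t


if __name__ == "__main__":
    t = build_sample_tracker()
    for key in t.controls:
        print(key, t.status(*key).value)
    for fw in ("HIPAA", "SOC 2", "NIST CSF"):
        print(fw, "readiness", t.readiness_score(fw))
    print("evidence coverage", t.evidence_coverage())
```

Running it shows the single policy upload driving HIPAA 164.312(a)(2)(iv) and NIST CSF PR.DS-1 to Compliant, while SOC 2 CC6.1 stays In Progress because, in this sample, it also requires a screenshot: shared evidence satisfies the mapped control only as far as that control's own evidence requirements go. The expired log export turns EXAMPLE-LOG Non-Compliant rather than merely In Progress, which is why the Overdue Items view matters: a control can regress from Compliant without any new upload.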