Compliance Automation, Global
April 15, 2026

Building a Cross-Framework Compliance Programme: ISO, NIST, SOC 2, GDPR and DORA in One Platform

Most organizations need 4–6 compliance frameworks but maintain them in silos, duplicating evidence and effort. Learn how cross-framework mapping and shared control libraries cut compliance work by 50% — and how to design a unified GRC programme that scales from startup to enterprise.

GRCEye Team

The multi-framework reality

Five years ago, a mid-sized software company might need one compliance framework: SOC 2 to sell to US enterprise customers. Today, the same company might need SOC 2 (US customers), ISO 27001 (European and enterprise customers), GDPR (EU data processing), NIS2 (if it qualifies as an essential or important entity), and DORA (if it provides services to financial institutions).

The market pressure is structural. Regulated customers are demanding compliance evidence as a procurement condition. Regulators are expanding the scope of mandatory frameworks. Investors are including cyber compliance in due diligence checklists. And enterprise sales cycles increasingly stall at the security questionnaire stage when compliance evidence is not immediately available.

The question is not whether to pursue multiple frameworks. It is how to do so without making your compliance programme exponentially more expensive and complex.

The silo problem: how most organizations fail at multi-framework compliance

The default approach to multi-framework compliance is to treat each framework as a separate project. ISO 27001 gets its own control spreadsheet, its own evidence folder, its own project manager, and its own audit cycle. SOC 2 gets the same. GDPR gets its own ROPA (Records of Processing Activities), its own DPO engagement, and its own audit trail.

The result is predictable: 70–80% of the controls across these frameworks are substantively identical or overlapping, but they are documented, tested, and evidenced separately. The access control policy is reviewed once for ISO 27001 and again for SOC 2. The incident response procedure is updated for ISO 27001 and maintained in a separate document for NIS2. The vendor risk assessment is run twice — once by the compliance team for ISO 27001 and once by the legal team for GDPR.

This is not just inefficient. It creates inconsistency. When different teams document the same control differently, auditors find discrepancies. When the same policy is updated in one framework's folder and not another, you have a gap — not in the control, but in the documentation.

For a company managing four frameworks with four separate siloed programmes, the administrative overhead of multi-framework compliance can consume 60–70% of the compliance team's capacity, leaving 30–40% for actual programme improvement.

The cross-walk: why frameworks are more similar than they appear

ISO 27001:2022 Annex A contains 93 controls. SOC 2 TSC (Trust Services Criteria) contains 61 criteria. NIST CSF 2.0 contains 106 subcategories. NIS2 Article 21 specifies 10 security domains.

These numbers suggest four separate compliance programmes of substantial size. The cross-walk analysis tells a different story.

ISO 27001 to SOC 2: Approximately 85% of SOC 2 CC (Common Criteria) requirements are addressed by ISO 27001 Annex A controls. An organization with a functioning ISO 27001 ISMS can achieve SOC 2 Type I within 60–90 days and SOC 2 Type II within 12 months of operating the ISMS — not because SOC 2 is easy, but because most of the control work is already done.

ISO 27001 to NIS2: ENISA has published a formal cross-walk between ISO 27001:2022 and NIS2 Article 21. The mapping is extensive — organizations with a mature ISO 27001 programme satisfy 90%+ of NIS2 Article 21 requirements by virtue of existing controls. The incremental NIS2 work is primarily in supply chain security documentation and specific incident reporting procedures.

GDPR to ISO 27001: ISO 27001:2022 includes three new controls (A.5.34, A.8.11, A.8.12) specifically addressing privacy — information privacy and protection of PII. Organizations with ISO 27001 have the security infrastructure that GDPR requires; the additional GDPR-specific work is in data mapping, ROPA, data subject rights procedures, and DPA engagement.

DORA to ISO 27001 / NIS2: DORA is the most prescriptive of the current regulatory frameworks, with specific requirements for ICT risk management, incident classification, testing, and third-party risk. But its foundations are identical to ISO 27001 and NIS2 — organizations with mature programmes in either framework can leverage their existing work substantially.

The key insight is that a strong ISO 27001 ISMS is the best single investment for multi-framework compliance. It does not cover everything, but it provides the foundation that makes every other framework significantly cheaper and faster to achieve.

Designing a unified GRC programme: the shared control library

The alternative to siloed frameworks is a unified control library — a single set of controls that satisfies requirements across all active frameworks, with evidence collected once and mapped to all applicable framework requirements.

Here is how to build one:

Step 1: Define your master control set

Start with ISO 27001 Annex A as your master control set. It is the most comprehensive and widely recognized framework, and it maps well to everything else. Add any controls required by your other frameworks that are not covered by ISO 27001.

Step 2: Build the cross-walk mappings

For each control in your master set, document which requirements in each of your active frameworks it satisfies. This is the most labour-intensive step — but it is a one-time investment. A GRC platform pre-loads these mappings; doing it manually in a spreadsheet takes weeks.

Step 3: Assign controls to owners once

Each control has a single owner — the person responsible for implementing, testing, and evidencing that control. The owner does not need to know which frameworks the control serves. They need to know what the control requires and when evidence is due.

Step 4: Collect evidence once per control cycle

When a control owner submits evidence, it is attached to the control in the platform. The platform automatically associates that evidence with all framework requirements the control addresses. One upload, multiple frameworks satisfied.

Step 5: Generate framework-specific views

For audits and regulatory submissions, the platform generates framework-specific views of your control library — showing only the controls and evidence relevant to ISO 27001, or SOC 2, or DORA, formatted for that framework's terminology. The auditor sees an ISO 27001 audit pack. The evidence was collected once, for all frameworks simultaneously.
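The five steps above describe a data model more than a process: a control owned once, cross-walk mappings from that control to requirement ids in each framework, evidence attached to the control rather than to a framework, and per-framework views and gap lists derived from those mappings. The following Python model is an added illustration of that structure; it is not GRCEye's code. The control ids (`CTL-ACCESS` and so on), the requirement id strings, the owners and the mappings are constructed for the example and are not an authoritative cross-walk.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """One control in the master set, owned by exactly one person (Step 3)."""
    control_id: str
    title: str
    owner: str
    # Step 2 cross-walk: framework name -> requirement ids this control satisfies
    mappings: dict[str, set[str]] = field(default_factory=dict)
    # Step 4: evidence hangs off the control, never off a framework
    evidence: list[str] = field(default_factory=list)


class ControlLibrary:
    def __init__(self) -> None:
        self.controls: dict[str, Control] = {}
        # framework -> every requirement id it expects (needed for gap analysis)
        self.frameworks: dict[str, set[str]] = {}

    def register_framework(self, name: str, requirement_ids: set[str]) -> None:
        self.frameworks[name] = set(requirement_ids)

    def add_control(self, control: Control) -> None:
        # Reject mappings to requirement ids the framework does not define;
        # a typo here would silently inflate coverage
        for framework, reqs in control.mappings.items():
            unknown = reqs - self.frameworks.get(framework, set())
            if unknown:
                raise ValueError(
                    f"{control.control_id} maps to unknown {framework} ids {sorted(unknown)}")
        self.controls[control.control_id] = control

    def attach_evidence(self, control_id: str, artefact: str) -> int:
        """Step 4: one upload; returns how many framework requirements it now evidences."""
        control = self.controls[control_id]
        control.evidence.append(artefact)
        return sum(len(reqs) for reqs in control.mappings.values())

    def framework_view(self, framework: str) -> dict[str, list[tuple[str, list[str]]]]:
        """Step 5: requirement id -> [(control id, evidence list)] for one framework only."""
        view: dict[str, list[tuple[str, list[str]]]] = {}
        for ctl in self.controls.values():
            for req in sorted(ctl.mappings.get(framework, ())):
                view.setdefault(req, []).append((ctl.control_id, list(ctl.evidence)))
        return view

    def gaps(self, framework: str) -> set[str]:
        """Requirements with no mapped control: what adding a second framework surfaces."""
        covered = set().union(
            *(ctl.mappings.get(framework, set()) for ctl in self.controls.values()))
        return self.frameworks[framework] - covered

    def unevidenced(self, framework: str) -> set[str]:
        """Requirements that are mapped but whose controls hold no evidence yet."""
        return {req for req, items in self.framework_view(framework).items()
                if not any(ev for _, ev in items)}


def build_sample_library() -> ControlLibrary:
    """Constructed sample data: three frameworks, three controls, deliberately two gaps."""
    lib = ControlLibrary()
    lib.register_framework("ISO27001", {"A.5.15", "A.5.19", "A.5.24"})
    lib.register_framework("SOC2", {"CC1.1", "CC6.1", "CC7.3", "CC9.2"})
    lib.register_framework("NIS2", {"Art21(2)(b)", "Art21(2)(d)", "Art23"})
    lib.add_control(Control("CTL-ACCESS", "Access control policy", "it.ops",
                            {"ISO27001": {"A.5.15"}, "SOC2": {"CC6.1"}}))
    lib.add_control(Control("CTL-IR", "Incident response procedure", "secops",
                            {"ISO27001": {"A.5.24"}, "SOC2": {"CC7.3"},
                             "NIS2": {"Art21(2)(b)"}}))
    lib.add_control(Control("CTL-VENDOR", "Supplier risk assessment", "legal",
                            {"ISO27001": {"A.5.19"}, "SOC2": {"CC9.2"},
                             "NIS2": {"Art21(2)(d)"}}))
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    # One upload by the control owner satisfies three framework requirements at once
    print("requirements evidenced by one upload:",
          lib.attach_evidence("CTL-IR", "ir-runbook-2026-03.pdf"))
    for fw in lib.frameworks:
        print(fw, "gaps:", sorted(lib.gaps(fw)), "unevidenced:", sorted(lib.unevidenced(fw)))
    print("ISO 27001 audit pack:", lib.framework_view("ISO27001"))
```

In the sample, the unmapped ids (`CC1.1` for SOC 2 and `Art23` for NIS2) are the "gap" the article describes when a second framework is switched on; `unevidenced` separates a control that exists but has not yet been evidenced from a requirement that no control addresses at all, which is the distinction an auditor will draw.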

The CEO's case: what unified compliance costs versus siloed compliance

For a company managing four frameworks (ISO 27001, SOC 2, GDPR, NIS2):

| Approach | Annual compliance cost | Audit cycles per year | FTE required |
|---|---|---|---|
| Siloed (separate programmes) | €420,000–€580,000 | 4–5 | 3.5–4.5 |
| Unified (shared control library) | €200,000–€280,000 | 2–3 | 1.5–2.5 |
| Saving | €220,000–€300,000 | 2 fewer audit cycles | 2 fewer FTE |

The unified approach does not just save money. It produces a better compliance posture — because controls are tested consistently against all framework requirements, not selectively against the framework currently under audit.

Scaling from startup to enterprise

One of the advantages of a unified GRC programme designed on a shared control library is that it scales.

For a startup (Year 1): Start with ISO 27001 as your primary framework. Build a control library sized for your current scope — 50–70 controls for a cloud-native SaaS company. Implement the controls. Achieve ISO 27001 certification.

As you grow (Year 2–3): Add SOC 2 as a second framework. The platform shows immediately which of your 50–70 ISO 27001 controls cover SOC 2 TSC requirements. The gap — typically 8–12 additional controls for a SaaS company — is identified immediately and can be implemented in 60–90 days.

At enterprise scale (Year 4+): Add GDPR, NIS2, DORA, or any other framework as commercial and regulatory requirements demand. Each addition is incremental — 10–20% more work than the previous framework — not a complete rebuild. The control library grows; the evidence collection infrastructure does not.

The company that designs its GRC programme correctly at 50 employees has a compliance asset that serves it at 5,000 — without starting over.

Practical next steps

If you are currently managing multiple frameworks in silos, here is the transition path:

Month 1: Audit your current compliance state. How many frameworks are you managing? How many controls do you have in total (across all frameworks)? What percentage are duplicated?

Month 2: Build or import a master control library. If you have ISO 27001, start there. If not, NIST CSF is an effective starting point.

Month 3: Apply cross-walk mappings. A GRC platform will do this automatically; manual mapping takes 2–4 weeks per framework pair.

Month 4: Consolidate evidence collection. Identify which controls have redundant evidence requirements and consolidate to a single collection workflow.

Month 6: Run your first unified audit cycle. The efficiency gain will be visible immediately — and the compliance posture visible to your auditors will be more coherent than anything a siloed programme has ever produced.

Frequently asked questions

Which framework should we start with?

ISO 27001 is the best foundation for multi-framework compliance — it maps well to SOC 2, NIS2, GDPR, and DORA, and it is recognized globally. If you only have US customers and no EU obligations, SOC 2 is a valid starting point.

Can we use our existing control spreadsheets as a starting point?

Yes. GRCEye allows you to import existing control libraries and evidence. The platform will identify gaps against your active frameworks and generate a prioritized remediation plan.

How long does it take to achieve a second framework after ISO 27001?

For SOC 2, 60–90 days to Type I and 12 months to Type II (operating period requirement). For NIS2, 60–90 days to a documented compliance baseline. For DORA, 6–12 months depending on your ICT complexity.

Does unified compliance work for highly regulated industries?

Yes, and it is especially valuable there. Financial services firms managing DORA, ISO 27001, GDPR, and PCI DSS benefit disproportionately from a shared control library because the audit frequency and regulatory scrutiny are higher.

Ready to operationalize this?

GRCEye gives security teams a single platform for risk, compliance, audit, vendor risk, and policy — with AI that runs on your own infrastructure.