Every compliance framework β ready on day one
GRCEye ships with 70+ pre-loaded frameworks, complete with controls, crosswalk mappings, and evidence requirements. Fork any framework to create your own editable copy, or build a completely custom one from scratch with the AI-powered builder.
70+
Built-in frameworks
4,000+
Pre-mapped controls
Day 1
Ready to assess
β
Custom frameworks you can create
The frameworks your auditors will ask for
The most common certifications and regulatory requirements β fully loaded, crosswalk-mapped, and audit-ready.
ISO 27001:2022
93 controls pre-loaded
The global ISMS standard. 93 Annex A controls, full SoA generation, cross-mapped to NIST and SOC 2.
SOC 2 Type II
64 controls pre-loaded
5 Trust Service Criteria. Audit-ready evidence collection, readiness checklist, and auditor portal.
GDPR
99 controls pre-loaded
All 99 articles mapped. ROPA tracking, DPA templates, breach notification workflow, DSR management.
DORA
78 controls pre-loaded
All 5 pillars: ICT risk, incident reporting, resilience testing, TPRM, and information sharing.
NIS2 Directive
52 controls pre-loaded
Risk management, incident reporting, supply chain security, and board accountability measures.
NIST CSF 2.0
106 controls pre-loaded
Updated 2024 version. 6 functions: Govern, Identify, Protect, Detect, Respond, Recover.
+ 64 more frameworks including HIPAA, CIS Controls v8, MITRE ATT&CK, NIST 800-53, PCI DSS, TISAX, NERC CIP, SOX, and more
The complete framework library
Organised by category. Every framework ships with full control sets, cross-walk mappings, and evidence templates.
ISO / IEC Certified
- ISO/IEC 27001:2022
- ISO/IEC 27002:2022
- ISO/IEC 27017
- ISO/IEC 27018
- ISO/IEC 27701
- ISO 22301
- ISO 9001:2015
Regulatory & Legal
- GDPR (EU)
- NIS2 Directive
- DORA
- EU AI Act
- CCPA (California)
- LGPD (Brazil)
- PIPEDA (Canada)
- PDPA (Thailand)
US Government & NIST
- NIST CSF 2.0
- NIST SP 800-53 Rev5
- NIST SP 800-171
- FedRAMP
- FISMA
- CMMC 2.0
- StateRAMP
Industry Standards
- SOC 2 Type II
- PCI DSS 4.0
- HIPAA
- HITRUST CSF
- CIS Controls v8
- SWIFT CSCF
- COBIT 2019
- ITIL 4
Threat & Security
- MITRE ATT&CK
- MITRE D3FEND
- OWASP Top 10
- CSA CCM v4
- Zero Trust Architecture (NIST SP 800-207)
Sector-Specific
- NERC CIP (Energy)
- IEC 62443 (OT/ICS)
- TISAX (Automotive)
- NHS DSPT (UK Health)
- ENISA Good Practice
- SOX (Sarbanes-Oxley)
Take any framework and make it yours
Every built-in framework is protected and shared across all organisations β so it stays accurate and up to date. But one click creates your own private, fully editable copy: a fork.
Fork with one click
Click Customize on any built-in framework card. GRCEye creates an exact copy β all controls, categories, cross-walk mappings, and parent/child relationships β owned entirely by your organisation.
Edit controls inline
Rename controls to match your internal terminology. Edit descriptions, assessment criteria, and evidence requirements. Delete controls that do not apply. Add new custom controls that are unique to your environment.
Add proprietary requirements
Your forked framework is fully independent. Add your company-specific security requirements, internal policies, or sector-specific obligations that no off-the-shelf framework covers.
Your fork, your data
The original built-in framework remains unchanged for all other organisations. Your fork is only visible to your team β no changes flow back to the shared library.
Framework Library
ISO/IEC 27001:2022
93 controls Β· Cross-mapped to SOC 2 & NIST CSF
ISO 27001 β Acme Corp (Custom)
93 controls + 7 custom Β· Forked from ISO 27001:2022
The original ISO 27001 remains unchanged for all other orgs
Custom Framework Builder
Identity & Access Management
Access Control
Privileged Access Review
Access Control
Incident Classification Policy
Incident Response
AI Model Risk Assessment
AI Governance
AI suggestion
Based on "AI Governance" category, consider adding: AI Training Data Management, Model Version Control, and Algorithmic Bias Assessment controls β aligned with EU AI Act Article 9β12.
Build any framework from scratch
No suitable framework exists? Build one. The custom framework builder lets you define any control set β for internal security standards, supplier requirements, or proprietary risk methodologies β and use it exactly like a built-in framework throughout GRCEye.
Define your control structure
Create categories, add controls with IDs, titles, descriptions, and evidence requirements. Organise them in any hierarchy you need.
AI helps you build it
Describe what the control should cover and the AI drafts the control language β tailored to your industry, jurisdiction, and regulatory context. You review, approve, and publish.
Map to built-in frameworks
Link your custom controls to ISO 27001, NIST, or any other framework you are running. Evidence uploaded to your custom control automatically satisfies the mapped built-in controls.
Run assessments and audits
Your custom framework works identically to any built-in one β gap analysis, compliance scoring, auditor portal, evidence collection, and board-ready reporting all work out of the box.
Multi-framework crosswalk β no duplicate work
GRCEye pre-maps controls across frameworks. Upload your Access Control Policy once and it satisfies ISO 27001 A.8.3, SOC 2 CC6.1, GDPR Art. 32, and NIST CSF PR.AC-1 simultaneously.
| Evidence / Control | ISO 27001 | SOC 2 | GDPR | NIST CSF |
|---|---|---|---|---|
| Access Control Policy | A.8.3 | CC6.1 | Art. 32 | PR.AC-1 |
| Encryption at Rest | A.8.24 | CC6.7 | Art. 32(1)(a) | PR.DS-1 |
| Incident Response Plan | A.5.26 | CC7.3 | Art. 33 | RS.RP-1 |
| Vulnerability Management | A.8.8 | CC7.1 | Rec. 2017/1584 | DE.CM-8 |
Upload evidence once
One document upload satisfies multiple framework controls automatically. No re-uploading, no copy-paste, no duplicate work for your team.
See coverage across all frameworks
The cross-framework view shows which controls are already covered, which are partially covered by another framework, and which still have gaps.
Add a second framework in days
Already certified for ISO 27001? Adding SOC 2 takes days, not months β 60β70% of controls are already satisfied by your existing evidence.
Three ways to use frameworks in GRCEye
Every path gives you the same audit-ready, crosswalk-mapped, evidence-linked programme.
01
Use built-in
Select from 70+ pre-loaded frameworks. Full control set, evidence templates, and crosswalk mappings ready instantly. No setup needed.
02
Fork & customise
One click creates your own private, fully editable copy of any built-in framework. Rename, edit, delete, or add controls without affecting the original.
03
Build from scratch
Use the custom framework builder to create any control set β internal security standards, supplier requirements, or proprietary risk methodologies β with AI assistance.
"We forked ISO 27001 and added our 14 internal controls in an afternoon. The whole framework was live and crosswalk-mapped to our existing evidence by end of day."
Alex F.
Head of Security, Enterprise SaaS β Berlin
"We built a custom DORA compliance framework specific to our ICT risk appetite. GRCEye treated it identically to any built-in framework β full audit trail, evidence collection, the works."
Marie D.
Chief Risk Officer, FinTech β Luxembourg
Start with 70+ frameworks β customise as you grow
Full framework library access from day one. Fork, customise, or build your own. Free 14-day trial β no credit card, no consultants, no setup fees.