Articles on: Compliance
This article is also available in:

Compliance Frameworks

πŸ“‘ Compliance Frameworks & Maturity Mapping

"From standards to action: track requirements, maturity, and evidence in one place."
Turn compliance obligations into measurable, auditable progress.


Compliance with a specific standard or regulation requirements is difficult to achieve without a way to organize, structure, and track it. Brainframe makes this easy by providing a central dashboard where you can manage your compliance easily, quickly, and almost automatically.


πŸ“Œ Note: The SOA module is only accessible to admin users and is not folder-hierarchy aware.


1️⃣ Creating a Compliance Set


From Compliance -> Frameworks, click Add Compliance framework.


This will open the following window:





You can configure:


  1. Name of the standard/regulation (e.g., ISO/IEC 27001:2022).
  2. Description β€” (optionally) add information as to what is the purpose and scope.
  3. Public URL β€” (optional) link to official reference.
  4. Supporting documents β€” (optional) upload of purchased standards or guidance.


Next, choose a setup method (each are described below):


  • Self configured β€” manually create categories and requirements.
  • Template β€” start from a pre-loaded requirement set.
  • Import Excel β€” import requirements using the template.



2️⃣ Self Configured Mode



  1. Select the self-configured setup mode
  2. Define categories of requirements.
  3. Remove categories.
  4. Add categories.


πŸ“Œ Once categories are set, you’ll start with an empty framework:




Overview Elements


  1. Frameworks Action Menu:
  • Edit the current framework (opens a screen that allows you to modify the framework description/guidance document/categories)
  • Delete the framework (all requirement maturity and linked documents will be lost, but the documents themselves will remain in the original folder)
  • Print simple compliance framework - Prints a list of all categories and requirements, with their applicability, requirement identifier and name, linked control names and names of evidence documents
  • Print detailed compliance framework - Prints the same information as the simple SOA, but adds the different radar graphs and related risks per requirement.
  • Export compliance framework - Exports the requirement identifier, name, description, status, linked control names, evidence names and related risk names into an excel (this can be imported using the "Import Excel" framework creation option as described below)
  1. These sections are empty until you configure them:
  • Maturity per category - Will show a radar chart with the different maturities per category



  • Applicability overview - Shows counts on how many of the requirements are applicable and implemented


  • Categories, requirements and applicability - This is where all the categories with their individual requirements will be listed (empty at the start). Per category you'll see a radar graph of the maturity for the requirements in that category

  1. By clicking "Add requirement", you can manually add new requirements from your standard/regulation to the category (this is described in more detail below)
  2. Here you can edit or delete the whole category (all requirements, their maturity and linked documents for this category will be lost, the documents themselves will remain in the folders)


3️⃣ Template mode


When selecting this option you will be able to select pre-configured templates of "Categories" and their "Requirements". Simply select the template and click save.



4️⃣ Import excel


This option opens a screen similar to the bulk document import screen, allowing you to download a template that can be filled in as per your needs, or allows you to import an Excel from a previous export as explained in (2) above


⚠️ Attention: Linked controls, evidences, risks and requirement notes are not imported.


5️⃣ Adding & Editing Requirements


When adding/editing a requirement:



  1. Identifier (e.g., A.5.1).
  2. Title (e.g., Policies for information security).
  3. Description/Guidance (implementation notes, e.g. ISO 27002).
  4. Maturity stage:
  • Not applicable
  • Applicable but not implemented
  • Applicable & implemented – Defined
  • Applicable & implemented – Managed
  • Applicable & implemented – Optimized
  1. Link controls (policies, procedures).
  2. Link evidence (records, logs).
  3. Link related risks (justify applicability).
  4. Move requirement to another category.
  5. Link requirement to multiple frameworks (e.g. GDPR + ISO27001).


When removing a requirement that is in multiple frameworks, it will only be removed in one framework at a time and details will not be lost


6️⃣ Managing Requirements


Each requirement lets you track maturity, link controls, evidence, and risks, and plan follow-ups.




  1. Requirement identifier and title (hovering over this will show the description/guidelines for implementation if configured).
  2. Define the maturity rating (reflected in graphs).
  3. Action buttons: link control, link evidence, add risk, edit the requirement, delete the requirement.
  4. Add general tasks linked to the requirement which will automatically appear in your tasks.
  5. List of linked control documents (with maturity tracking if enabled).
  6. List of linked evidence documents.
  7. List of related risks.
  8. List of linked tasks that you can interact with. You can mark them as completed or edit them directly. You can also unlink them from this requirement (the task will still exist), or delete them entirely.
  9. Notes field β€” for auditor comments or internal improvements.



7️⃣ Statement of Applicability (SoA)


Brainframe automatically generates a Statement of Applicability (SoA) based on how requirements are configured in your compliance framework.

There is no separate SoA to maintain manually β€” applicability is driven directly from each requirement.


7.1 Requirement Applicability


When adding or editing a requirement, an β€œApplicable” checkbox is available at the top of the edit form.




  • The checkbox is enabled by default for new requirements.
  • Existing requirements are considered applicable by default.
  • Unchecking this box marks the requirement as Not applicable.


Behavior when a requirement is Not applicable:


  • The requirement is excluded from maturity tracking.
  • Maturity levels and progress indicators are hidden.
  • The requirement row cannot be expanded.
  • Linked controls, risks, evidence, and notes are not deleted β€” they are simply hidden.
  • The requirement will appear as Not applicable in the Statement of Applicability.


πŸ“Œ Important
Marking a requirement as Not applicable does not remove any data. All links and content are preserved and can be restored by re-enabling applicability.


Visual indicators in the framework view:


  • 🟒 Applicable β€” requirement is included in the SoA
  • πŸ”΄ Not applicable β€” requirement is excluded from scope


Clicking the Not applicable label opens the requirement edit view.




7.2 Accessing the Statement of Applicability


From Compliance β†’ Frameworks, select a framework.


A button labeled β€œShow Statement of Applicability” appears next to the framework name.


Clicking it opens the Statement of Applicability (SoA) view.




The navigation updates to:


7.3 SoA View


The SoA view replaces the framework graphs and requirement list with a structured, audit-ready table. All data in this view is read-only.


The SoA table contains the following columns:


  • Requirement ID: Unique identifier of the requirement
  • Requirement Name: Title of the requirement
  • Requirement Description: Description or guidance text of the requirement
  • Applicability Status: Indicates whether the requirement is applicable
  • Justification for Applicability: Justification notes for applicability
  • Implementation Status: Calculated status based on linked controls
  • References: Alphabetically sorted list of IDs of all linked controls and risks


Use this to document:

  • Scope exclusions
  • Regulatory interpretation
  • Contextual or organizational constraints


Exporting the SoA


The SoA can be exported for audit and reporting purposes:


  • πŸ“„ Print to PDF β€” formatted for auditors and management
  • πŸ“Š Export to Excel β€” structured data for analysis or reuse


8️⃣ Best Practices


  • πŸ“˜ Use Templates when possible β€” saves time by preloading categories & requirements.
  • πŸ”„ Keep requirements linked β€” controls, evidence, and risks should always connect to SOA items.
  • πŸ“Š Update maturity regularly β€” graphs reflect your actual compliance posture.
  • ⚠️ Be cautious with deletes β€” requirement maturity, notes, and links will be lost.
  • πŸ—‚ Use multiple SOAs β€” one requirement can serve across standards (e.g. GDPR + ISO27001).



🎯 Visual Checklist


  • [x] Compliance framework created (SOA added).
  • [x] Categories and requirements defined/imported.
  • [ ] Documents linked as controls and evidence.
  • [ ] Maturity evaluated and radar charts updated.
  • [ ] Tasks assigned for gaps or improvements.

Updated on: 29/12/2025

Was this article helpful?

Share your feedback

Cancel

Thank you!