Articles on: Compliance
This article is also available in:

Compliance Frameworks

πŸ“‘ Compliance Frameworks & Maturity Mapping

"From standards to action: track requirements, maturity, and evidence in one place."
Turn compliance obligations into measurable, auditable progress.


Compliance with a specific standard or regulation requirements is difficult to achieve without a way to organize, structure, and track it. Brainframe makes this easy by providing a central dashboard where you can manage your compliance easily, quickly, and almost automatically.


πŸ“Œ Note: The SOA module is only accessible to admin users and is not folder-hierarchy aware.


1️⃣ Creating a Compliance Set


From Compliance -> Frameworks, click Add Compliance framework.



This will open the following window:



ou can configure:


  1. Name of the standard/regulation (e.g., ISO/IEC 27001:2022).
  2. Description β€” (optionally) add information as to what is the purpose and scope.
  3. Public URL β€” (optional) link to official reference.
  4. Supporting documents β€” (optional) upload of purchased standards or guidance.


Next, choose a setup method (each are described below):


  • Self configured β€” manually create categories and requirements.
  • Template β€” start from a pre-loaded requirement set.
  • Import Excel β€” import requirements using the template.



2️⃣ Self Configured Mode


  1. Select the self-configured setup mode
  2. Define categories of requirements.
  3. Remove categories.
  4. Add categories.


πŸ“Œ Once categories are set, you’ll start with an empty framework:




Overview Elements


  1. Frameworks Action Menu:
  • Edit the current framework (opens a screen that allows you to modify the framework description/guidance document/categories)
  • Delete the framework (all requirement maturity and linked documents will be lost, but the documents themselves will remain in the original folder)
  • Print simple compliance framework - Prints a list of all categories and requirements, with their applicability, requirement identifier and name, linked control names and names of evidence documents
  • Print detailed compliance framework - Prints the same information as the simple SOA, but adds the different radar graphs and related risks per requirement.
  • Export compliance framework - Exports the requirement identifier, name, description, status, linked control names, evidence names and related risk names into an excel (this can be imported using the "Import Excel" framework creation option as described below)
  1. These sections are empty until you configure them:
  • Maturity per category - Will show a radar chart with the different maturities per category


  1. By clicking "Add requirement", you can manually add new requirements from your standard/regulation to the category (this is described in more detail below)
  2. You can ask the AI chatbot for specific questions regarding this framework, it will take into account the requirements and the controls that you have linked to this framework.
  3. Start an auto-mapping process that will look through each of your existing controls, and map the relevant ones to the corresponding requirements of this framework.
  4. View the automatically generated Statement of Applicability


3️⃣ Import excel


This option opens a screen similar to the bulk document import screen, allowing you to download a template that can be filled in as per your needs, or allows you to import an Excel from a previous export as explained in (2) above


⚠️ Attention: Linked controls, evidences, risks and requirement notes are not imported.


4️⃣ Adding & Editing Requirements


When adding/editing a requirement:


  1. Identifier (e.g., A.5.1).
  2. Title (e.g., Policies for information security).
  3. Applicability - Check this box to ensure that this requirement is automatically included in the SoA
  4. Description/Guidance (implementation notes, e.g. ISO 27002).
  5. Tags
  6. Control maturity level: How efficient your existing controls are in meeting the requirement.
  7. Documentation maturity level (optional): How detailed is your documentation regarding the controls linked to this requirement.
  8. Justification Notes
  9. Link controls (policies, procedures).
  10. Link evidence (records, logs).
  11. Link related risks (justify applicability).
  12. Move requirement to another category.


When removing a requirement that is in multiple frameworks, it will only be removed in one framework at a time and details will not be lost


5️⃣ Managing Requirements


Each requirement lets you track maturity, link controls, evidence, and risks, and plan follow-ups.


  1. Requirement identifier and title (hovering over this will show the description/guidelines for implementation if configured).
  2. Define the maturity rating (reflected in graphs).
  3. Maturity from controls: See how your automated and manual controls are answering this requirement.
  4. Add general tasks linked to the requirement which will automatically appear in your tasks.
  5. List of linked control documents (with maturity tracking if enabled).
  6. Automated controls: For all requirements related to secure software development, Aikido security feeds compliance status per requirement to this section.
  7. List of linked evidence documents.
  8. List of related risks.
  9. Notes field β€” for auditor comments or internal improvements, or SoA justifications.



6️⃣ Statement of Applicability (SoA)


Brainframe automatically generates a Statement of Applicability (SoA) based on how requirements are configured in your compliance framework.
There is no separate SoA to maintain manually β€” applicability is driven directly from each requirement.


7.1 Requirement Applicability


When adding or editing a requirement, an β€œApplicable” checkbox is available at the top of the edit form.



  • The checkbox is enabled by default for new requirements.
  • Existing requirements are considered applicable by default.
  • Unchecking this box marks the requirement as Not applicable.


Behavior when a requirement is Not applicable:


  • The requirement is excluded from maturity tracking.
  • Maturity levels and progress indicators are hidden.
  • The requirement row cannot be expanded.
  • Linked controls, risks, evidence, and notes are not deleted β€” they are simply hidden.
  • The requirement will appear as Not applicable in the Statement of Applicability.


πŸ“Œ Important
Marking a requirement as Not applicable does not remove any data. All links and content are preserved and can be restored by re-enabling applicability.


Visual indicators in the framework view:


  • 🟒 Applicable β€” requirement is included in the SoA
  • πŸ”΄ Not applicable β€” requirement is excluded from scope


Clicking the Not applicable label opens the requirement edit view.



7.2 Accessing the Statement of Applicability


From Compliance β†’ Frameworks, select a framework.


A button labeled β€œShow Statement of Applicability” appears next to the framework name.


Clicking it opens the Statement of Applicability (SoA) view.



The navigation updates to:


7.3 SoA View


The SoA view replaces the framework graphs and requirement list with a structured, audit-ready table. All data in this view is read-only.


The SoA table contains the following columns:


  • Requirement ID: Unique identifier of the requirement
  • Requirement Name: Title of the requirement
  • Requirement Description: Description or guidance text of the requirement
  • Applicability Status: Indicates whether the requirement is applicable
  • Justification for Applicability: Justification notes for applicability
  • Implementation Status: Calculated status based on linked controls
  • References: Alphabetically sorted list of IDs of all linked controls and risks


Use this to document:

  • Scope exclusions
  • Regulatory interpretation
  • Contextual or organizational constraints


Exporting the SoA


The SoA can be exported for audit and reporting purposes:


  • πŸ“„ Print to PDF β€” formatted for auditors and management
  • πŸ“Š Export to Excel β€” structured data for analysis or reuse


8️⃣ Best Practices


  • πŸ“˜ Use Templates when possible β€” saves time by preloading categories & requirements.
  • πŸ”„ Keep requirements linked β€” controls, evidence, and risks should always connect to SOA items.
  • πŸ“Š Update maturity regularly β€” graphs reflect your actual compliance posture.
  • ⚠️ Be cautious with deletes β€” requirement maturity, notes, and links will be lost.
  • πŸ—‚ Use multiple SOAs β€” one requirement can serve across standards (e.g. GDPR + ISO27001).



🎯 Visual Checklist


Updated on: 12/07/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!