📑 Compliance Requirements & Maturity Mapping

"From standards to action: track requirements, maturity, and evidence in one place."
Turn compliance obligations into measurable, auditable progress.

Compliance with a specific standard or regulation requirements is difficult to achieve without a way to organize, structure, and track it. Brainframe makes this easy by providing a central dashboard where you can manage your compliance easily, quickly, and almost automatically.

1️⃣ Creating a Compliance Set

From Compliance -> Frameworks, click Add Compliance framework.

This will open the following window:

You can configure:

1. Name of the standard/regulation (e.g., ISO/IEC 27001:2022).
2. Description — (optionally) add information as to what is the purpose and scope.
3. Public URL — (optional) link to official reference.
4. Supporting documents — (optional) upload of purchased standards or guidance.

Next, choose a setup method (each are described below):

• Self configured — manually create categories and requirements.
• Template — start from a pre-loaded requirement set.
• Import Excel — import requirements using the template.

2️⃣ Self Configured Mode

1. Select the self-configured setup mode
2. Define categories of requirements.
3. Remove categories.
4. Add categories.

📌 Once categories are set, you’ll start with an empty SOA:

SOA Overview Elements

1. Quick access to uploaded resources and URLs.
2. SOA Action Menu:

• Create a new SOA
• Edit the current SOA (opens a screen that allows you to modify the SOA description/guidance document/categories)
• Delete the SOA (all requirement maturity and linked documents will be lost, but the documents themselves will remain in the original folder)
• Print simple SOA - Prints a list of all categories and requirements, with their applicability, requirement identifier and name, linked control names and names of evidence documents
• Print detailed SOA - Prints the same information as the simple SOA, but adds the different radar graphs and related risks per requirement.
• Export SOA - Exports the requirement identifier, name, description, status, linked control names, evidence names and related risk names into an excel (this can be imported using the "Import Excel" SOA creation option as described below)

3. These sections are empty until you configure them:

• Maturity per SOA category - Will show a radar chart with the different maturities per category

• Applicability overview - Shows counts on how many of the requirements are applicable and implemented

• Categories, requirements and applicability - This is where all the SOA categories with their individual requirements will be listed (empty at the start). Per category you'll see a radar graph of the maturity for the requirements in that category

4. By clicking "Add requirement", you can manually add new requirements from your standard/regulation to the category (this is described in more detail below)
5. Here you can edit or delete the whole category (all requirements, their maturity and linked documents for this category will be lost, the documents themselves will remain in the folders)

3️⃣ Template mode

When selecting this option you will be able to select pre-configured templates of "Categories" and their "Requirements". Simply select the template and click save.

4️⃣ Import excel

This option opens a screen similar to the bulk document import screen, allowing you to download a template that can be filled in as per your needs, or allows you to import an Excel from a previous export as explained in (2) above

5️⃣ Adding & Editing Requirements

When adding/editing a requirement:

1. Identifier (e.g., A.5.1).
2. Title (e.g., Policies for information security).
3. Description/Guidance (implementation notes, e.g. ISO 27002).
4. Maturity stage:

• Not applicable
• Applicable but not implemented
• Applicable & implemented – Defined
• Applicable & implemented – Managed
• Applicable & implemented – Optimized

5. Link controls (policies, procedures).
6. Link evidence (records, logs).
7. Link related risks (justify applicability).
8. Move requirement to another category.
9. Link requirement to multiple SOAs (e.g. GDPR + ISO27001).

6️⃣ Managing Requirements

Each requirement lets you track maturity, link controls, evidence, and risks, and plan follow-ups.

1. Requirement identifier and title (hovering over this will show the description/guidelines for implementation if configured).
2. Define the maturity rating (reflected in graphs).
3. Action buttons: link control, link evidence, add risk, edit the requirement, delete the requirement.
4. Add general tasks linked to the requirement which will automatically appear in your tasks.
5. List of linked control documents (with maturity tracking if enabled).
6. List of linked evidence documents.
7. List of related risks.
8. List of linked tasks that you can interact with. You can mark them as completed or edit them directly. You can also unlink them from this requirement (the task will still exist), or delete them entirely.
9. Notes field — for auditor comments or internal improvements.

7️⃣ Best Practices

• 📘 Use Templates when possible — saves time by preloading categories & requirements.
• 🔄 Keep requirements linked — controls, evidence, and risks should always connect to SOA items.
• 📊 Update maturity regularly — graphs reflect your actual compliance posture.
• ⚠️ Be cautious with deletes — requirement maturity, notes, and links will be lost.
• 🗂 Use multiple SOAs — one requirement can serve across standards (e.g. GDPR + ISO27001).

🎯 Visual Checklist

• [x] Compliance framework created (SOA added).
• [x] Categories and requirements defined/imported.
• [ ] Documents linked as controls and evidence.
• [ ] Maturity evaluated and radar charts updated.
• [ ] Tasks assigned for gaps or improvements.

Updated on: 03/09/2025