Skip to content

Compliance Coverage

Mitch‑Risk maps assessment questions to compliance framework controls, enabling organisations to demonstrate vendor due diligence against industry standards. This page details what's covered and how the mapping works.

Frameworks Included

Four frameworks are seeded at installation — no manual setup required.

FrameworkVersionControlsCategory
ISO 27001202293 Annex A controlsInformation security management
SOC 2202051 Trust Services CriteriaService organisation controls
NIST CSF2.0129 subcategories (6 functions)Cybersecurity framework
Essential Eight202355 controls (8 strategies, 3 maturity levels)Australian Signals Directorate

Additional frameworks can be imported via CSV under Frameworks → Import. The CSV template includes fields for domain, control code, title, and guidance — mapping any compliance standard.

How Control Mapping Works

┌────────────┐     ┌───────────┐     ┌──────────────┐
│  Question  │────▶│ Question  │◀────│   Control     │
│  (in       │     │ Control   │     │   (in         │
│  template) │     │ (join)    │     │   framework)  │
└────────────┘     └───────────┘     └──────────────┘

Each question in a template can link to multiple controls across multiple frameworks simultaneously. When a vendor answers non-compliantly, the finding is tagged with all mapped control codes.

Example: A single question "Do you encrypt data at rest?" might map to:

  • ISO 27001 A.8.24 — Use of cryptography
  • SOC 2 CC6.1 — Logical and physical access controls
  • NIST CSF PR.DS-1 — Data-at-rest protection
  • Essential Eight — Maturity Level 2 (encryption strategy)

ISO 27001:2022 — Sample Control Coverage

All 93 Annex A controls from the 2022 revision are loaded. Below is a representative sample of controls commonly mapped to vendor assessment questions:

ControlTitleTypical Question Topics
A.5.1Policies for information securitySecurity policy existence, review frequency, management approval
A.5.5Contact with authoritiesIncident reporting procedures, regulatory contacts
A.5.7Threat intelligenceThreat monitoring, intelligence sources, feed integration
A.5.8Information security in project managementSDLC security gates, security requirements in projects
A.5.14Information transferSecure file transfer, email encryption, data exchange policies
A.5.17Authentication informationMFA, password policies, key management, credential rotation
A.5.24Information security incident managementIncident response plan, escalation procedures, post-mortem
A.5.29Information security during disruptionBusiness continuity plan, DR site, DR testing frequency
A.5.30ICT readiness for business continuityRTO/RPO, backup testing, failover procedures
A.6.3Information security awareness and trainingSecurity training program, phishing simulations, training frequency
A.7.2Physical entryPhysical access controls, badge systems, visitor management
A.7.4Physical security monitoringCCTV, alarm systems, 24/7 monitoring
A.8.1User endpoint devicesMDM, endpoint encryption, device policies
A.8.3Information access restrictionRBAC, least privilege, access review cadence
A.8.5Secure authenticationSSO, MFA, passwordless, session management
A.8.7Protection against malwareAntivirus, EDR, malware detection, response procedures
A.8.8Management of technical vulnerabilitiesPatching SLA, vulnerability scanning, CVE tracking
A.8.11Data maskingPII masking, test data anonymisation
A.8.12Data leakage preventionDLP tools, data classification, egress monitoring
A.8.16Monitoring activitiesLog aggregation, SIEM, alert thresholds
A.8.24Use of cryptographyEncryption at rest, encryption in transit, key management, algorithm selection

SOC 2 — Trust Services Criteria Coverage

All 51 TSC points map from the 2020 edition. Sample coverage of the five trust service criteria categories:

CategoryMapped ControlsFocus
Security (CC6.x)CC6.1–CC6.8Logical access, authentication, monitoring, firewall, malware, vulnerability management
Availability (CC7.x)CC7.1–CC7.5Capacity management, backup and recovery, incident response
Confidentiality (CC8.x)CC8.1Data classification, encryption, disposal
Processing Integrity (CC9.x)CC9.1–CC9.2Data processing accuracy, quality assurance
Privacy (CC10.x)CC10.1–CC10.3PII handling, consent management, data subject rights

NIST CSF 2.0 — Function Coverage

All 129 subcategories across 6 functions (Govern, Identify, Protect, Detect, Respond, Recover) are seeded:

FunctionSubcategoriesKey Controls Mapped
Govern (GV)6Security policy, risk appetite, roles and responsibilities, supply chain oversight
Identify (ID)7Asset management, risk assessment, vulnerability identification, business environment
Protect (PR)14Access control, awareness training, data security, maintenance, protective technology
Detect (DE)5Anomalies and events, continuous monitoring, detection processes
Respond (RS)5Response planning, communications, analysis, mitigation, improvements
Recover (RC)5Recovery planning, improvements, communications

Essential Eight — Strategy Coverage

All 55 controls across 8 mitigation strategies with Maturity Levels 0–3:

StrategyPurposeMaturity Levels Assessed
Application controlPrevent unapproved/malicious programs0–3
Patch applicationsClose known vulnerabilities in apps0–3
Configure Microsoft Office macrosBlock macros from the internet0–3
User application hardeningBlock Flash, ads, Java on the internet0–3
Restrict administrative privilegesLimit powerful accounts0–3
Patch operating systemsClose known OS vulnerabilities0–3
Multi-factor authenticationProtect against credential theft0–3
Regular backupsEnsure data recovery0–3

Custom Frameworks

Any compliance framework can be added via CSV import at Frameworks → Import. The CSV format is:

csv
domain,code,title,guidance
A,5.1,Policies for information security,Information security policy and topic-specific policies shall be defined...
A,5.2,Information security roles and responsibilities,Information security roles and responsibilities shall be defined...

The import runs in a single database transaction — either all controls are created or none are.

Frameworks can be deleted from the Frameworks list or via the API (DELETE /api/v1/frameworks/{id}). Deleting a framework permanently removes it and all its controls. Template questions mapped to these controls lose their assignments, but existing assessments and findings are not affected — the scoring engine handles missing control references gracefully. Requires frameworks:delete permission (Admin and Reviewer roles).

Coverage Limitations

  • Mapping is template-driven — question-to-control links must be configured by the admin building templates. The platform doesn't auto-suggest or auto-map
  • Assessment coverage depends on template quality — if a template doesn't ask about a control, that control won't be assessed
  • Manual review is the primary mechanism — unscorable question types (Free Text, File Upload) require reviewer judgment; the platform auto-scores only structured types (Yes/No, Multiple Choice, Numeric, etc.)
  • No framework gap analysis — the platform doesn't report which controls have no questions mapped to them. This is left to the admin's template design process

Open-source, self-hosted third party vendor risk management.