Multi-framework Mapping

Map controls across multiple compliance frameworks to eliminate duplication and maintain unified compliance coverage


Flow supports multi-framework compliance mapping, enabling organizations to manage multiple regulatory and industry frameworks simultaneously. Map controls and requirements across frameworks to identify overlap, reduce duplication, and maintain a unified compliance posture.

Overview

Multi-framework mapping provides:

  • Cross-Framework Visibility - See how one control satisfies requirements across multiple frameworks
  • Duplication Reduction - Identify overlapping requirements and consolidate implementation efforts
  • Gap Analysis - Discover unaddressed requirements across your framework portfolio
  • Unified Compliance Register - Single view of all compliance items regardless of source framework
  • Domain Scoping - Select specific framework domains relevant to your organization

Supported Frameworks

Flow ships with pre-built framework definitions including:

Framework        Category              Domains  Control Families
ISO 27001:2022   Information Security  5        12
NIST CSF 2.0     Cybersecurity         6        28
SOC 2 Type II    Operational Security  6        17
PCI DSS 4.0      Payment Security      6        14
ISO 22301        Business Continuity   4        8
COSO ERM         Enterprise Risk       5        20

Framework Selection

Adopting a Framework

  1. Navigate to the Compliance > Frameworks tab
  2. Click Add Framework to open the selection dialog
  3. Choose a framework from the available library
  4. Configure framework-specific options:
    • Implementation Priority - Critical, High, Medium, or Low
    • Target Completion Date - Planned date for full implementation
    • Domain Scoping - Select only the domains applicable to your organization
    • Assessment Frequency - How often compliance is assessed
    • Lead Assessor - Primary person responsible for framework compliance
  5. Enable Auto-create Compliance Items to populate your register automatically

Domain Scoping

Some framework domains may not apply to your organization. Domain scoping allows you to:

  • Select specific domains relevant to your operations
  • Exclude domains that don't apply (e.g., physical security for cloud-only organizations)
  • Auto-generate compliance items only for selected domains
  • Adjust scope as your organization evolves

Cross-Framework Mapping

How Mapping Works

When multiple frameworks are active, Flow identifies requirements that share common control objectives:

  • Controls linked to one framework requirement can be mapped to equivalent requirements in other frameworks
  • Compliance evidence collected for one framework can satisfy similar requirements elsewhere
  • The compliance register shows which frameworks each control maps to

Mapping Controls

To map a control across frameworks:

  1. Navigate to the control detail view
  2. View existing framework associations
  3. Add additional framework mappings where the control satisfies requirements
  4. The control's compliance status reflects coverage across all mapped frameworks

Compliance Register Integration

Unified View

The compliance register aggregates items from all active frameworks:

  • Filter by framework to focus on specific requirements
  • View cross-framework coverage for individual controls
  • Track compliance status per framework and overall
  • Export compliance reports by framework or across all frameworks

Status Tracking

Each compliance item tracks:

  • Status - Not Started, In Progress, Compliant, Non-Compliant
  • Evidence - Linked documentation and artifacts
  • Owner - Responsible team member
  • Assessment Date - Last assessment and next scheduled assessment
  • Framework - Source framework and requirement reference

Best Practices

  • Start with Primary Framework - Implement your most critical framework first, then map additional frameworks
  • Leverage Overlap - Use cross-framework mapping to reduce duplicate work
  • Scope Appropriately - Only select domains that genuinely apply to your organization
  • Regular Gap Reviews - Periodically check for unmapped requirements across frameworks
  • Centralize Evidence - Use the documents module to maintain a single evidence repository linked across frameworks
